Daniele Pizzolli wrote:
> Hi All,
> 
> I'm trying to use shorewall to manage the firewall of a xen dom0
> installation but not for the bridges.
> 
> I'm using shorewall-perl 4.0.8-1 on a Debian testing.
> 
> Basically I want to allow all traffic between the virtual interfaces
> connected to the bridge called "lan" in the zone "lan".
> 
> Because the virtual interfaces are added at runtime to the bridge I
> can't enumerate them in the shorewall configuration following the
> tutorial available at
> http://www.shorewall.net/bridge-Shorewall-perl.html
> 
> Also the release notes /usr/share/doc/shorewall-perl/releasenotes.txt.gz
> states that:
> 
>      Bridge ports must now be defined in /etc/shorewall/interfaces.
> 
> So, if I understand correctly currently there isn't a way to allow the
> traffic in the bridge in an implicit way.
> 
> A little extract from my configuration.
> 
> $ sudo brctl show
> bridge name     bridge id               STP enabled     interfaces
> lan             8000.feffffffffff       no              xen1fw.0
>                                                          aptproxy.0
>                                                          [and so on]
> 
> $ sudo cat /etc/shorewall/zones | grep lan
> lan   ipv4
> 
> $ sudo cat /etc/shorewall/policy | egrep 'lan|all'
> lan   lan     ACCEPT  info
> all   all     DROP    info
> 
> $ sudo cat /etc/shorewall/interfaces | grep lan
> lan  lan          detect          routefilter,bridge
> n

Not that I have tried this with a bridge, but the in/out traffic below 
is on the same interface; you might want to try "routeback" as an option here.

> $ sudo dmesg | grep DROP | head -n1
> Mar 19 23:01:53 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=lan 
> PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1 
> LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 
> ID=52487 SEQ=4
> 
> Shorewall seems to block all traffic inside the bridge because it goes
> in the FORWARD chain (default DROP), which has no target lan2lan and
> the lan2lan chain hasn't any reference...
>

hope that helps,

Jerry

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
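A parser for the kind of log line quoted in the thread, added here as an illustration and not code from the poster or from the Shorewall project. It pulls the chain, action and key=value fields out of a Shorewall kernel log entry and then classifies each dropped packet by whether it was hairpinned inside one bridge (IN and OUT are the same bridge, PHYSIN and PHYSOUT are two ports), left the bridge for another interface, or never touched a bridge at all. The first sample line is the wrapped entry from the post joined back into one line; the other two are constructed and use documentation-only addresses. Field names follow the netfilter LOG target; the category names are mine.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 reassembles the entry quoted in the post;
# lines 2 and 3 are made up for illustration (RFC 5737 addresses).
SAMPLE_LOG = """\
Mar 19 23:01:53 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=lan PHYSIN=xen1fw.0 PHYSOUT=aptproxy.0 SRC=10.200.0.254 DST=10.200.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=52487 SEQ=4
Mar 19 23:02:10 xen1 kernel: Shorewall:FORWARD:DROP:IN=lan OUT=eth0 PHYSIN=aptproxy.0 SRC=10.200.0.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 19 23:02:11 xen1 kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall's LOG prefix is "Shorewall:<chain>:<action>:" followed by the
# netfilter key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Return a dict of the log fields, or None if the line is not a Shorewall entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # First occurrence wins: ICMP lines carry an IP-header ID and an
            # ICMP echo ID under the same key, and we want the IP one.
            rec.setdefault(key, value)
        else:
            # Bare tokens such as DF, SYN, ACK are flags without a value.
            rec["flags"].add(tok)
    return rec


def classify(rec):
    """Say where the packet was relative to a bridge when it hit the rule."""
    if rec is None:
        return "unparsed"
    if rec.get("PHYSIN") and rec.get("PHYSOUT") and rec.get("IN") == rec.get("OUT"):
        # Same bridge on both sides, two physical ports: traffic between guests
        # on one bridge that the FORWARD chain is seeing.
        return "bridge-internal"
    if rec.get("PHYSIN") or rec.get("PHYSOUT"):
        return "bridge-to-other"
    return "non-bridge"


def summarize(log_text):
    """Count entries per category over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_shorewall_log(line))] += 1
    return counts


def bridge_internal_drops(log_text):
    """List (PHYSIN, PHYSOUT, SRC, DST, PROTO) for drops of intra-bridge traffic.

    These are the entries that point at a policy gap (no intra-zone ACCEPT or
    routeback for the bridge) rather than at hostile traffic."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_shorewall_log(line)
        if rec and rec["action"] == "DROP" and classify(rec) == "bridge-internal":
            hits.append((rec["PHYSIN"], rec["PHYSOUT"], rec["SRC"], rec["DST"], rec.get("PROTO")))
    return hits


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
    for hit in bridge_internal_drops(SAMPLE_LOG):
        print("intra-bridge drop:", hit)
```

Run against a real `dmesg` or syslog capture, a non-empty `bridge_internal_drops` list is the quickest confirmation of the situation described in the post: the bridge ports show up as PHYSIN/PHYSOUT under a single IN/OUT bridge name, so the packets are being evaluated in FORWARD and fall through to the default policy.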