Hristo Benev wrote:
This is not my first setup of Shorewall, but it is the first involving XEN. I am trying to implement a FW at a routed Dom0. I did not find a similar problem in the FAQ or mailing list, but if somebody knows of a similar thread, let me know.

My setup is the following:

ISP--non routed--(eth0) x.x.x.173 FW--LAN (eth1) 10.10.0.2
----DMZ LAN (eth2) x.x.x.164
----DMZ Xen DomU (vif1.0) x.x.x.165

The problem is that even though I drop all connections on the DMZ, I can still connect to the DomU machine. Dump attached.

OS is CentOS 5.1, Xen 3.0.3.

How do I troubleshoot further?
Start by telling us what you are trying to accomplish with this setup. From looking at the dump, I have no clue. You have absurd features like a bridge (virbr0) with an IP address (192.168.122.1) but no ports.
And when you say 'I can still connect to the DomU machine', where can you still connect from? Don't you think that might be important?
Because if you can still connect from the LAN to the DomU system, both are in the same zone. And intra-zone connections are accepted by default. And you have no dmz->dmz rules or policies.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
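To illustrate the intra-zone point above, here is an added configuration sketch (not from either poster, and not taken from the attached dump). It assumes eth2 and vif1.0 were both placed in a zone named dmz, and that the LAN zone is named lan; with no explicit dmz->dmz policy, Shorewall accepts traffic between those two interfaces, so a DROP policy for that zone pair has to be stated explicitly.

```text
# /etc/shorewall/zones   (assumed zone names)
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
dmz     ipv4

# /etc/shorewall/interfaces   (assumed: eth2 and vif1.0 share the dmz zone)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
lan     eth1        detect
dmz     eth2        detect
dmz     vif1.0      detect

# /etc/shorewall/policy
# Without the first line, dmz->dmz is intra-zone and is ACCEPTed by default,
# so hosts on eth2 can reach the DomU on vif1.0 regardless of the other policies.
#SOURCE DEST    POLICY  LOG_LEVEL
dmz     dmz     DROP    info
lan     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
```

If the DMZ LAN and the DomU should be treated differently, the alternative is to give vif1.0 its own zone so the policy between the two is no longer intra-zone.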
