Dear list,

I have several years' experience with Bering Firewall and have configured
Shorewall a dozen times in different setups. The issue I am facing has to do
with the Xen routed context as outlined at
http://www.shorewall.net/XenMyWay-Routed.html

I have a similar working setup without the wifi and vpn zones. 

two physical interfaces:
------------------------
eth0 connects to loc zone switch
eth1 is in the net zone and connects to an ADSL modem

virtual interfaces:
-------------------
4 virtual interfaces (eth3-6) are in the loc zone attaching domU guests
1 virtual interface (eth7) is in the dmz zone and associated with a domU
public webserver

The attached .svg shows my network setup. Below are the zones,
interfaces, masq and proxyarp files.

With the introduction of virtual interfaces I lost my common sense: the
DMZ domU interface (eth7) has address 192.168.192.252 but what should be
its gateway? I have arbitrarily assigned 192.168.192.27 in the host's
/etc/network/interfaces file, yet this cannot be correct? With my
current setup users on the web can connect to the DMZ host, but the
machine cannot initiate connections to the web (e.g. apt-get update or
wget) because (I assume) it cannot find a gateway route.

core files:

/etc/shorewall/zones
fw      firewall        #The firewall itself.
net     ipv4            #Internet
loc     ipv4            #Local wired Zone
dmz     ipv4            #DMZ

/etc/shorewall/interfaces
net     eth1            detect               dhcp,logmartians,blacklist
dmz     eth7            detect               logmartians
loc     eth0            detect               logmartians,routeback
loc     eth3            detect                  
loc     eth4            detect                  
loc     eth5            detect
loc     eth6            detect

/etc/shorewall/masq (not sure about this)
eth1                    eth0           62.24.195.87
eth1                    eth3
eth1                    eth4
eth1                    eth5
eth1                    eth6
eth1                    eth7           62.24.195.87

/etc/shorewall/proxyarp (not sure about this)
192.168.2.169    eth0         eth1         yes
192.168.1.27     eth1         eth0         yes
192.168.2.11     eth3         eth0         yes
192.168.2.12     eth4         eth0         yes
192.168.2.10     eth5         eth0         yes
192.168.2.18     eth6         eth0         yes
192.168.192.252  eth7         eth1         yes


Hope someone can help.
Werner

<<attachment: soho_diagram1.svg>>
