Thanks for the reply, Tom. Your critique of this routed Xen network has shown me the fatal error in my thinking:
> So eth7 has IP address 196.168.2.169. From the routing table:
>
> 192.168.192.252 dev eth7 scope link src 192.168.2.169
>
> So apparently, you have a VM with IP address 192.168.192.252 running on
> the VM associated with VIF eth7. Is that correct?

I assumed (from previous standalone Bering firewalls) that the DMZ needs to be on its own subnet. Hence I have Dom0's eth0 (192.168.2.169) in the loc zone and eth7 (192.168.192.252) associated with DomU in the dmz zone. Because Xen configures eth7 to have the same address as eth0, my configuration is wrong. eth7 should have an address in the same subnet (192.168.2.0) as eth0, right? Yet, having the loc and dmz zones on the same subnet seems counterintuitive and insecure...

> Your /etc/shorewall/masq file makes no sense: It appears to look like:
>
> eth2 192.168.2.0/24
> eth2 192.168.2.11
> eth2 192.168.2.12
> eth2 192.168.2.18 62.24.195.87
>
> a) All but the first rule are useless since they are masked by the first
> rule (remember that the first match determines the outcome except in the
> tcrules file).

So, the first rule will be sufficient if eth7 has an address in the 192.168.2.0 subnet.

> b) You are not masquerading/SNATting 192.168.192.252.
>
> I see that you have a couple of DNAT rules:
>
> 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.27 tcp dpt:18080 to:192.168.192.252:80
> 0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.27 tcp dpt:22252 to:192.168.192.252:22

I will update these DNAT rules with eth7's new IP address.

> I don't think there is anything correct about this IP configuration.

The truth hurts! Thanks for your honest appraisal of my network. I based my configuration on your routed Dom0 example at http://www.shorewall.net/XenMyWay-Routed.html but got confused by the fact that you have multiple public IP addresses associated with various physical and virtual interfaces. The paradigm shift to Xen networking is not trivial and your help is greatly appreciated.
Werner

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
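Tom's two points about the masq file (later rules masked by an earlier first-match rule, and a host that no rule masquerades at all) can be checked mechanically before a config is loaded. The script below is an added example written for this thread; it is not Werner's configuration, not Tom's code, and not part of Shorewall. It assumes the masq file's first three columns are INTERFACE, SOURCE and optional ADDRESS (as in Shorewall's masq format) and ignores anything after them; the sample masq text is the one quoted in the thread, and the two host addresses checked are eth0's 192.168.2.169 and the DomU's 192.168.192.252.

```python
"""Lint a Shorewall /etc/shorewall/masq file for two classes of mistake:

  1. rules shadowed by an earlier rule on the same interface whose SOURCE
     already contains theirs (first match wins, so they can never fire);
  2. hosts that no rule's SOURCE covers, i.e. traffic that will leave the
     firewall un-masqueraded with a private source address.

Added example, not Shorewall code. Column layout assumed:
INTERFACE  SOURCE  [ADDRESS]  (remaining columns ignored).
"""
import ipaddress

# Constructed sample: the masq file as quoted in the thread.
SAMPLE_MASQ = """\
#INTERFACE  SOURCE          ADDRESS
eth2        192.168.2.0/24
eth2        192.168.2.11
eth2        192.168.2.12
eth2        192.168.2.18    62.24.195.87
"""


def parse_masq(text):
    """Return a list of (interface, source_network, address_or_None) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # strip comments and blank lines
        if not line:
            continue
        cols = line.split()
        iface, source = cols[0], cols[1]
        # A bare host like 192.168.2.11 becomes a /32 network.
        net = ipaddress.ip_network(source, strict=False)
        address = cols[2] if len(cols) > 2 and cols[2] != '-' else None
        rules.append((iface, net, address))
    return rules


def shadowed_rules(rules):
    """0-based indices of rules that an earlier rule on the same interface already covers."""
    shadowed = []
    for i, (iface, net, _addr) in enumerate(rules):
        for earlier_iface, earlier_net, _ in rules[:i]:
            if earlier_iface == iface and net.subnet_of(earlier_net):
                shadowed.append(i)
                break
    return shadowed


def unmasqueraded_hosts(rules, hosts):
    """Host addresses (strings) that no rule's SOURCE contains, on any interface."""
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in net for _iface, net, _addr in rules)]


if __name__ == "__main__":
    rules = parse_masq(SAMPLE_MASQ)
    for idx in shadowed_rules(rules):
        iface, net, addr = rules[idx]
        print(f"rule {idx + 1} ({iface} {net} {addr or ''}) is masked by an earlier rule")
    for host in unmasqueraded_hosts(rules, ["192.168.2.169", "192.168.192.252"]):
        print(f"{host} is not masqueraded or SNATted by any rule")
```

Run against the quoted file it reports rules 2, 3 and 4 as masked by rule 1 and 192.168.192.252 as uncovered, which is exactly the pair of findings in Tom's reply; once eth7 carries an address inside 192.168.2.0/24, the second finding disappears without any change to the masq file.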
