Well, this certainly is a humbling experience, Andrew.
May I just reassure readers that I have several years' experience of
Shorewall in the context of the Bering firewall and that I have
configured working 3-interface firewalls in the past.
> When I looked it over, I thought "either I'm reading this wrong, or
> it's complete nonsense".
My setup is a Shorewall configuration in a routed Xen Dom0 with 3
physical interfaces:
eth0, 192.168.2.169, loc zone
eth1, disabled Prism card ("one step at a time" goes the saying)
eth2, 192.168.1.27, net zone (connects to ADSL modem)
Then several DomUs (virtual machines) with virtual interfaces ranging
from eth3 through eth8. Each of these is seen by the Xen host (DomU) as
associated with eth0 (192.168.2.169). Shorewall starts and all
networking is as expected, except for:
eth7, 192.168.192.252, dmz zone
This is my error. I assigned this DomU virtual interface an address in a
different subnet in the mistaken assumption that the DMZ cannot possibly
be in the same subnet as the local zone... consequently I was stumped
when I had to specify a gateway in that DomU's /etc/network/interfaces
file.
> I also couldn't find any trace of a problem. Packets are passing
> through the firewall rules in all the described directions. They just
> aren't being sent anywhere meaningful.
Packets from 192.168.192.252, right? They have no meaningful gateway -
just like my thinking in this case!
Your comments are appreciated. Must say, I am still confused... how can
I have a DomU in the DMZ on the same subnet as the local zone?
Werner
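As an added example (not part of Werner's message or of Shorewall itself), a small check that flags which guest addresses fall outside every directly connected Dom0 subnet, which is exactly the situation of 192.168.192.252 above. The /24 prefix lengths and the eth5 guest address are assumptions; the message gives only the addresses.

```python
"""Flag DomU addresses that are off-link for every Dom0 interface.

Added example, not code from the mailing-list thread. Prefix lengths
(/24) are assumed; the eth5 guest is a constructed sample.
"""
from ipaddress import IPv4Address, IPv4Interface

# Dom0 physical interfaces as listed in the message (prefixes assumed).
DOM0_INTERFACES = {
    "eth0": IPv4Interface("192.168.2.169/24"),  # loc zone
    "eth2": IPv4Interface("192.168.1.27/24"),   # net zone (ADSL modem)
}

# DomU virtual interface addresses. eth7 is the problem case from the
# message; eth5 is a constructed sample that sits inside the loc subnet.
DOMU_ADDRESSES = {
    "eth5": IPv4Address("192.168.2.50"),
    "eth7": IPv4Address("192.168.192.252"),     # dmz zone
}


def on_link_interface(addr, interfaces=DOM0_INTERFACES):
    """Return the Dom0 interface whose subnet contains addr, or None."""
    for name, iface in interfaces.items():
        if addr in iface.network:
            return name
    return None


def check_guests(guests=DOMU_ADDRESSES, interfaces=DOM0_INTERFACES):
    """Map each guest to its on-link Dom0 interface (None = no candidate
    gateway: the guest's address is in a subnet Dom0 is not attached to)."""
    return {g: on_link_interface(a, interfaces) for g, a in guests.items()}


def unreachable_guests(guests=DOMU_ADDRESSES, interfaces=DOM0_INTERFACES):
    """Sorted names of guests that have no directly connected gateway."""
    return sorted(g for g, i in check_guests(guests, interfaces).items()
                  if i is None)


if __name__ == "__main__":
    for guest, iface in check_guests().items():
        status = f"on-link via {iface}" if iface else "NO on-link gateway"
        print(f"{guest}: {DOMU_ADDRESSES[guest]} -> {status}")
```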
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users