Werner van Staden wrote:
> Thanks for the reply, Tom. Your critique of this routed Xen network has shown me the fatal error in my thinking:
>
>> So eth7 has IP address 196.168.2.169. From the routing table:
>>
>>     192.168.192.252 dev eth7 scope link src 192.168.2.169
>>
>> So apparently, you have a VM with IP address 192.168.192.252 running on the VM associated with VIF eth7. Is that correct?
>
> I assumed (from previous standalone Bering firewalls) that the DMZ needs to be on its own subnet. Hence I have Dom0's eth0 (192.168.2.169) in the loc zone and eth7 (192.168.192.252) associated with DomU in the dmz zone. Because Xen configures eth7 to have the same address as eth0, my configuration is wrong.
Your previous Bering firewalls probably used the simple three-interface sample (http://www.shorewall.net/three-interface.htm). Xen's routed configuration uses Proxy ARP (see http://www.shorewall.net/ProxyARP.htm) and assumes that the network associated with eth0 is the one that you want to use for all of your routed VMs.
>>> eth7 should have an address in the same subnet (192.168.2.0) as eth0, right?
>>
>> Yes.
>
> Yet, having the loc and dmz zones on the same subnet seems counterintuitive and insecure...
As Andrew has stated multiple times, address/routing and firewalling are two different things. You will notice that Shorewall zone names only appear in those configuration files having to do with security. They cannot be used in those files that deal with address manipulation and routing. There's a reason for that -- the two are totally independent.
> I will update these DNAT rules with eth7's new IP address.
>
>> I don't think there is anything correct about this IP configuration.
>
> The truth hurts! Thanks for your honest appraisal of my network. I based my configuration on your routed Dom0 example at http://www.shorewall.net/XenMyWay-Routed.html but got confused by the fact that you have multiple public IP addresses associated with various physical and virtual interfaces. The paradigm shift to Xen networking is not trivial and your help is greatly appreciated.
If you look at the Proxy ARP documentation, hopefully things will become clearer. Just look at what is happening from an IP point of view -- don't be confused by the fact that the picture is labeled pubnet and privnet. In your case, the two will be loc and dmz respectively.
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
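For readers following the thread, this is what the Shorewall side of Tom's advice looks like once eth7's host is moved into eth0's subnet. It is an added example, not configuration from the thread, from Tom, or from the Shorewall documentation. The DomU address 192.168.2.252, the upstream interface eth1, the forwarded TCP port 80 and the zone policies are assumptions chosen to match the thread's eth0/eth7 and loc/dmz naming; the file formats are those of Shorewall 4.x.

```conf
# Added example (not from the thread or the Shorewall docs). Assumed layout:
#   Dom0 eth0  = 192.168.2.169 (zone loc); Xen's routed setup gives the
#                vif eth7 this same address.
#   DomU       = 192.168.2.252 behind eth7 (zone dmz), i.e. an address in
#                eth0's 192.168.2.0/24, NOT a separate DMZ subnet.
#   Dom0 eth1  = upstream (zone net) -- assumed, the thread does not name it.

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# Addressing is described here; no security decision is made in this file.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      tcpflags,routefilter
loc     eth0        detect      tcpflags
dmz     eth7        -           # point-to-point vif to the DomU, no broadcast

# /etc/shorewall/proxyarp
# EXTERNAL is the interface whose subnet the DomU "borrows". Shorewall
# enables /proc/sys/net/ipv4/conf/eth0/proxy_arp so Dom0 answers ARP for
# 192.168.2.252 on eth0 and forwards those frames over eth7.
# HAVEROUTE=Yes because Xen's vif-route already installs the host route
# ("192.168.2.252 dev eth7 scope link src 192.168.2.169") from the DomU's
# vif = [ 'ip=192.168.2.252', ... ] setting (assumed); with No, Shorewall
# would add "ip route replace 192.168.2.252 dev eth7" itself.
#ADDRESS         INTERFACE   EXTERNAL   HAVEROUTE
192.168.2.252    eth7        eth0       Yes

# /etc/shorewall/policy
# Security lives here. loc and dmz share 192.168.2.0/24, yet loc->dmz is
# still filtered by Dom0: a loc host's ARP for 192.168.2.252 is answered by
# Dom0's eth0, so the packet enters Dom0 and passes through these policies.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       dmz    REJECT   info
dmz       net    ACCEPT
dmz       loc    REJECT   info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# The DNAT target is the DomU's address inside eth0's subnet; the old
# 192.168.192.252 no longer exists anywhere.
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
DNAT      net      dmz:192.168.2.252    tcp     80
```

Three checks worth running from Dom0 after `shorewall restart`: `ip route show 192.168.2.252` should list the host route via eth7, `cat /proc/sys/net/ipv4/conf/eth0/proxy_arp` should print 1, and on any loc host `arp -n` should show Dom0's eth0 MAC address for 192.168.2.252, not the DomU's. The DomU itself keeps 192.168.2.169 as its default gateway. If the arp check shows the DomU's own MAC, the VM is attached to a bridge on the loc segment rather than to the routed vif, and the loc->dmz policy is being bypassed at layer 2.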
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
