Hristo, how is your Xen + Shorewall configuration coming along?

Werner

On Mon, 2008-03-24 at 18:49 +0200, Hristo Benev wrote:
> > -------- Original message --------
> > From: Tom Eastep <[EMAIL PROTECTED]>
> > Subject: Re: [Shorewall-users] Shorewall and xen
> > To: Shorewall Users <[email protected]>
> > Sent: Monday, 2008, March 24 04:16:58 EET
> > ----------------------------------
> >
> > Hristo Benev wrote:
> >> This is not my first setup of Shorewall, but the first involving XEN.
> >>
> >> Trying to implement a FW at a routed Dom0.
> >>
> >> I did not find a similar problem in the FAQ or mailing list, but if
> >> somebody knows a similar thread let me know.
> >>
> >> My setup is the following:
> >>
> >> ISP--non routed--(eth0)x.x.x.173 FW--LAN(eth1)10.10.0.2
> >>                                     ----DMZ LAN (eth2)x.x.x.164
> >>                                     ----DMZ Xen DomU (vif1.0) x.x.x.165
> >>
> >> The problem is that even if I drop all connections on DMZ I can still
> >> connect to the DomU machine.
> >>
> >> Dump attached.
> >>
> >> OS is CentOS 5.1
> >>
> >> xen 3.0.3
> >>
> >> How to troubleshoot further?
> >>
> >
> > Start by telling us what you are trying to accomplish with this setup.
> > From looking at the dump, I have no clue. You have absurd features like
> > a bridge (virbr0) with an IP address (192.168.122.1) but no ports.
> >
> > And when you say 'I can still connect to the DomU machine', where can
> > you still connect from? Don't you think that might be important?
> >
> > Because if you can still connect from the Lan to the DomU system, both
> > are in the same zone. And intra-zone connections are accepted by
> > default. And you have no dmz->dmz rules or policies.
> >
> > -Tom
> > --
> > Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,         \ http://shorewall.net
> > Washington USA     \ [EMAIL PROTECTED]
> > PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>
> Sorry, I was not really clear.
>
> I'm a little bit confused by Xen networking, so I may have some interfaces
> that are not used.
>
> Basically I'm trying to limit the access from net to DMZ to certain ports
> only. Initially my DomU machine (let's call it Mail) with IP x.x.x.165 was
> bridged and I had direct access to it from the internet. I modified the
> config file to routing and tried to follow your guide; maybe I did something
> wrong because I still had access from the internet to "Mail" even though I
> have "net to all drop" in policy.
>
> How can I troubleshoot it?
>
> Thank you
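The zone layout the thread is arguing about, written out as Shorewall configuration fragments. This is an added example, not text from the thread and not from the Shorewall project or Tom's guide; the interface names and the x.x.x.165 address follow Hristo's description, the Shorewall 3.x-style file layout is assumed, and the mail ports (25, 143, 993) are an assumption for the "Mail" DomU. It shows the behaviour Tom points out: once eth2 and vif1.0 sit in the same zone, traffic between them is intra-zone and accepted unless an explicit dmz->dmz policy says otherwise, while a net->all DROP policy only restricts what arrives on eth0.

```text
# /etc/shorewall/zones  (added example; Shorewall 3.x/4.x layout assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# In routed mode the DomU's backend interface vif1.0 is an ordinary routed
# interface in Dom0, so it is listed like a NIC and put in the dmz zone
# next to eth2. If it is left out, traffic on it falls into no zone at all.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
dmz     eth2        detect
dmz     vif1.0      detect

# /etc/shorewall/policy
# Policies are matched top to bottom. "net all DROP" is the line Hristo
# mentions; it governs only traffic entering from eth0. The dmz->dmz line is
# the explicit intra-zone policy Tom notes is missing: without it,
# eth2 <-> vif1.0 traffic is accepted by default. Drop that line if the DMZ
# hosts are meant to talk to each other.
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     dmz     DROP    info
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Explicit exceptions to net->all DROP: only these ports reach the "Mail"
# DomU (x.x.x.165 as in the thread; the port list is an assumption).
#ACTION SOURCE  DEST            PROTO   DEST PORT(S)
ACCEPT  net     dmz:x.x.x.165   tcp     25,143,993
```

To check which zone each interface actually landed in, run `shorewall check` after editing and then `shorewall show zones` on the running firewall; `shorewall dump` (the output Tom asked for) shows the generated iptables ruleset so you can confirm that packets arriving on eth0 for x.x.x.165 hit the net->dmz chain rather than a loc or intra-dmz chain. The same test, repeated from a LAN host and from outside, is what separates "LAN reaches the DomU because both are in one zone" from "net->all DROP is not taking effect".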
