Hi Simon,
Thanks for your reply. The following is the setup I have:
                              |-eth1 Mail (domU) (10.0.0.1)
WAN <---> eth0-GW (Dom0)   ---|-eth2 WWW (domU) (10.0.0.2)
(62.235.222.227) (10.0.0.128) |-eth1 test (domU) (10.0.0.3)
I only have one external IP for eth0 and I'd like my DomUs to be available on
the WAN. From what I can tell from Tom's documentation, he managed to do
this using Xen-routed, so what is the difference between the two and can I
implement the above in a routed environment?
Thanks.
--
eco
----- Original Message -----
From: "Simon Hobson" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Thursday, October 16, 2008 10:40:09 AM GMT +01:00 Amsterdam / Berlin /
Bern / Rome / Stockholm / Vienna
Subject: Re: [Shorewall-users] Shorewall and a natted Xen setup
>I am running Debian etch with shorewall 4.0.14-1 and Xen 3.2-1 on a
>2.6.18-6-xen-686 kernel. Xen is running natted and I'm trying to
>set up shorewall. I read the documentation that came closest to it
>(http://www.shorewall.net/XenMyWay-Routed.html) but I just can't get
>it to work.
>
>I have been using Shorewall for a while now and I thought that it
>would be the same as any natted environment I have set up but it's
>not. Is there any documentation floating around on the net
>regarding Shorewall and Xen natted?
Are you trying to do this in the Dom0 or a DomU?
The bridging environment in the Dom0 is not friendly to firewalling,
and I think common advice is not to try. In fact, I think Tom has
previously said that he doesn't know of anyone who has managed to get
firewalling+nat working in a Dom0!
I have put my firewall/router/nat in a DomU and made the external
ethernet port available to it exclusively (by hiding the PCI device
from Dom0). The DomU router then works 'normally', and the Dom0
(which is internal only) has no firewalling at all.
I have another Xen box (without NAT) I manage, and on that I've
hand-crafted a bare minimum of iptables rules that simply protect the
Dom0 itself and permit all other traffic. Each DomU is treated like a
standalone box and does its own firewalling (with Shorewall).
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users