Rich Wales wrote:
> In an attempt to avoid having to use the multi-ISP stuff, I tried an
> experiment this evening in which I set up Xen on my firewall and created
> a domU to handle one of my external IP addresses. The domU was bridged
> (using two separate bridges, of course) to both the internal and external
> interfaces of the dom0, and Shorewall was used both on the dom0 and
> the domU. I tried setting up one machine in my local net with the domU
> (instead of the dom0) as its default Internet gateway.
>
> I ran into some bizarre interactions between the two firewalls, however.
> When I did outbound connections from the domU to the Internet, the
> external IP address of the domU was affected by lines in the "masq" file
> on the dom0.
Take a piece of advice: Don't try to run a firewall, especially using masq, in Dom0. I'm not sure anyone in the world truly understands networking under Xen, and even Tom himself has effectively said "don't do it" (in previous threads).

It's possible to use the pci-back driver to hide a PCI device from Dom0 and make it available to a DomU - which is useful to make a network card appear natively to a firewall 'appliance' running in a DomU. Obviously this won't work if you want multiple DomUs to share the device.

Where I've got a Xen host that has to be on an accessible network, I've knocked up some iptables rules to simply block all inbound traffic just to the Dom0 and ignore (pass) the rest.

-- 
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed author Gladys Hobson. Novels - poetry - short stories - ideal as Christmas stocking fillers. Some available as e-books.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
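The "block inbound to Dom0, pass the rest" rule set Simon describes, written out as an added example (this is not code from the thread, from Shorewall or from Xen). It assumes the dom0's external bridge is called xenbr0 and that management SSH only needs to be reachable from an admin subnet 10.0.0.0/24; both are constructed values. The point of the layout is that the INPUT chain only ever sees packets addressed to dom0 itself, so the domUs' bridged traffic is untouched; the FORWARD policy is left at ACCEPT for the same reason. One caveat the thread's symptom hints at: when the br_netfilter hooks are active (sysctl net.bridge.bridge-nf-call-iptables=1), bridged frames do traverse dom0's FORWARD and nat/POSTROUTING chains, which is one way a masq rule on dom0 can rewrite a domU's outbound traffic; the helper at the end turns that off so dom0's iptables only ever applies to dom0.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions (constructed):
#   EXT_BR    - the dom0 bridge that carries the accessible/external network
#   ADMIN_NET - the only source allowed to reach dom0's SSH
EXT_BR="${EXT_BR:-xenbr0}"
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"

# Emit the rules instead of applying them, so they can be reviewed first.
# Only packets whose destination is dom0 itself hit INPUT; frames that are
# merely bridged through to a domU never do, so "the rest" is passed.
dom0_input_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_BR -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
iptables -A INPUT -i $EXT_BR -j DROP
EOF
}

# Keep dom0's netfilter out of the domUs' bridged path entirely. With these
# hooks enabled, bridged frames pass through dom0's FORWARD and nat chains,
# so a dom0 masq rule can silently rewrite a domU's outbound source address.
bridge_nf_off_cmds() {
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sysctl -w net.bridge.bridge-nf-call-arptables=0
EOF
}

# Apply everything; must run as root on the dom0.
apply_dom0_policy() {
    bridge_nf_off_cmds | sh -e
    dom0_input_rules | sh -e
}

# Usage: review with "./dom0-policy.sh show", then apply with "./dom0-policy.sh apply".
case "${1:-}" in
    show)  dom0_input_rules; bridge_nf_off_cmds ;;
    apply) apply_dom0_policy ;;
esac
```

Run it with `show` first and check that the only ACCEPT lines on the bridge interface are the ones you meant to leave open; the trailing `-i $EXT_BR -j DROP` is redundant with the DROP policy but makes the intent visible in `iptables -L INPUT -v` counters.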