Tom Eastep wrote on 31/03/09 11:40:
> Tom Eastep wrote:
>
>> Mariano Absatz wrote:
>>
>>> The connection hangs and eventually times out. While waiting for it to
>>> timeout, in the server, I execute:
>>> $ sudo /sbin/shorewall dump > dump-01.txt
>>
>> The Netfilter ruleset at this point is clearly wrong. Please:
>>
>> a) sudo /sbin/shorewall show -f capabilities > /etc/shorewall/caps
>> b) sudo tar -zcf shorewall.tgz /etc/shorewall
>> c) Send shorewall.tgz as an attachment to [email protected]
>
> Looking at this some more, I believe that when libvirt starts, it is
> inserting rules into the FORWARD chain. I'm quite certain that the extra
> rules I'm seeing in the first two dumps are not being created by
> Shorewall. I wish that these virtualization products would keep their
> hands off of the Netfilter configuration....
>
> I suggest that you check the libvirt documentation to see if there isn't
> a way to stop it from inserting these rules.

Boy are you right!!!
libvirt is so adding iptables rules... it does have some merit... it tries to be an easy interface to adding virtual machines and it tries to solve networking problems easily even when you don't have a clue about routing, NATing or firewalling.

I already defined a new isolated network in libvirt but can't convince it not to add some rules... I'll post to the libvirt list; if I come up with a reasonable answer, I'll try to summarize it in the wiki.

Thanx again for all your help, Tom.

--
Mariano Absatz - "El Baby"
[email protected]
www.clueless.com.ar
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
All syllogisms contain three lines. Therefore this is not a syllogism.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
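The diagnosis above rests on spotting rules in FORWARD that Shorewall did not create. As an added example (not code from the thread or from Shorewall), the following heuristic check parses `iptables-save` output and flags rules in a built-in chain whose target is a terminal verdict rather than a jump to a user-defined chain of the same table; Shorewall fills the built-in chains with jumps to chains it created, so a bare ACCEPT/REJECT in FORWARD is a sign that another component, such as libvirt, inserted it. The sample dump is constructed for illustration, and the "terminal verdict means foreign" rule is an assumption, not Shorewall's own definition.

```python
import re

# Constructed sample (not a capture from the thread): Shorewall's FORWARD chain
# with three rules of the kind libvirt adds for its virbr0 bridge placed on top.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Reject - [0:0]
:eth0_fwd - [0:0]
:virbr0_fwd - [0:0]
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -i virbr0 -j virbr0_fwd
-A FORWARD -j Reject
COMMIT
"""


def foreign_chain_rules(dump, chain="FORWARD", table="filter"):
    """Return the rules in `chain` of `table` that do not jump to a user-defined
    chain of that table (heuristic: such rules were not generated by Shorewall)."""
    current_table = None
    user_chains = set()
    flagged = []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # "*filter": start of a table block
            current_table = line[1:]
            continue
        if current_table != table:
            continue
        if line.startswith(":"):            # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            if policy == "-":               # built-in chains carry a real policy
                user_chains.add(name)       # user chains carry "-"
            continue
        if not line.startswith("-A %s " % chain):
            continue
        match = re.search(r"\s-(?:j|g)\s+(\S+)", line)   # -j TARGET / -g TARGET
        target = match.group(1) if match else None
        if target not in user_chains:       # verdict (ACCEPT, REJECT, ...) or no jump
            flagged.append(line)
    return flagged
```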
