Tom Eastep wrote on 02/04/09 14:17:
> Tom Eastep wrote:
>   
>> Please read http://www.shorewall.net/bridge-Shorewall-perl.html
>>     
Thanks... I skimmed over it and I started to understand... anyway it does
not refer to my case since I'm not firewalling the bridge using 2
interfaces in my host...
>
> If you just want to allow all traffic between the VMs:
>
> a) Delete all of those silly rules.
> b) Remove the 'bridge' option from vnet0 in /etc/shorewall/interfaces
> c) Add the 'routeback' option to vnet0 in /etc/shorewall/interfaces
>
> If you only want to allow DNS and SSH:
>
> a) Add a vms->vms REJECT policy to /etc/shorewall/interfaces.
> b) Remove the 'bridge' option from vnet0 in /etc/shorewall/interfaces
> c) Add the 'routeback' option to vnet0 in /etc/shorewall/interfaces
>   
Now, this is (I think) precisely what I needed...

In this case I _do_ need the silly rules, don't I?

I already had the REJECT policy, but I have it in 'policies' rather than
'interfaces'... is there a difference?



Now I think I understand what libvirt is doing:

It inserts rules at the top of INPUT to allow dns/bootp requests from
vnet0 to anywhere

 Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
     0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
     0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
     0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67


It inserts rules at the top of FORWARD rules to allow any traffic from
vnet0 to vnet0 and blocks all other traffic to/from it (I guess this is
because I defined it as an "isolated" network hoping it would insert
nothing at all):

 Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
     0     0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
     0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


-- 
Mariano Absatz - "El Baby"
[email protected]
www.clueless.com.ar


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Is sloppiness in speech caused by ignorance or apathy?
I don't know and I don't care.
        William Safire
        US columnist & speechwriter (1929 - )
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* TagZilla 0.066 * http://tagzilla.mozdev.org
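To make concrete why the position of the libvirt-inserted rules matters for the Shorewall policy discussed above, here is an added example (not code from this thread, from Shorewall or from libvirt) that parses an `iptables -vnL` listing and walks a few packets through each chain with netfilter's first-match semantics. The listing embedded below is constructed from the INPUT and FORWARD output quoted in the post; the interface name eth0 and the ports used for the test packets are assumptions.

```python
"""Replay libvirt's netfilter rules through a first-match evaluator.

Added example, not code from the thread.  The SAMPLE listing is constructed
from the ``iptables -vnL`` output shown in the post (lines unwrapped).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  vnet0  vnet0   0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      vnet0   0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  vnet0  *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
"""


@dataclass
class Rule:
    target: str
    proto: str          # "all", "tcp", "udp", ...
    in_if: str          # "*" means any interface
    out_if: str
    dport: Optional[int]  # None when the rule has no dpt: match


@dataclass
class Chain:
    name: str
    policy: str         # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
DPORT_RE = re.compile(r"\bdpt:(\d+)")


def parse_iptables(text: str) -> dict:
    """Parse ``iptables -vnL`` output into {chain name: Chain}."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        parts = line.split()
        # Skip blank lines and the column header; a rule has at least 9 columns.
        if current is None or len(parts) < 9 or parts[0] == "pkts":
            continue
        _pkts, _bytes, target, proto, _opt, in_if, out_if, _src, _dst = parts[:9]
        extra = " ".join(parts[9:])          # e.g. "udp dpt:53" or "reject-with ..."
        dm = DPORT_RE.search(extra)
        current.rules.append(Rule(target, proto, in_if, out_if,
                                  int(dm.group(1)) if dm else None))
    return chains


def verdict(chain: Chain, in_if: str, out_if: Optional[str],
            proto: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (verdict, rule index) of the first matching rule, or
    (chain policy, None) when the packet falls off the end of the chain.
    out_if is None for INPUT, where there is no output interface."""
    for i, r in enumerate(chain.rules):
        if r.in_if not in ("*", in_if):
            continue
        if r.out_if not in ("*", out_if):
            continue
        if r.proto not in ("all", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target, i
    return chain.policy, None


if __name__ == "__main__":
    chains = parse_iptables(SAMPLE)
    fwd, inp = chains["FORWARD"], chains["INPUT"]
    # Assumed test packets: VM-to-VM SSH, VM to the (assumed) eth0 uplink, LAN to VM.
    print("vnet0 -> vnet0 tcp/22 :", verdict(fwd, "vnet0", "vnet0", "tcp", 22))
    print("vnet0 -> eth0  tcp/80 :", verdict(fwd, "vnet0", "eth0", "tcp", 80))
    print("eth0  -> vnet0 tcp/22 :", verdict(fwd, "eth0", "vnet0", "tcp", 22))
    print("host INPUT from vnet0 udp/53:", verdict(inp, "vnet0", None, "udp", 53))
    print("host INPUT from vnet0 tcp/22:", verdict(inp, "vnet0", None, "tcp", 22))
```

The point the evaluator makes visible: because libvirt's `ACCEPT vnet0 vnet0` sits at the top of FORWARD, every VM-to-VM packet is accepted at rule 0, so a vms->vms REJECT policy that Shorewall places further down the same chain is never consulted for that traffic. Conversely, the two REJECT rules decide all other traffic entering or leaving vnet0 before any later rule sees it. Only packets that match none of these rules (here, traffic that never touches vnet0) fall through to whatever follows, which the sample approximates with the chain's DROP policy.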

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users