Hello, I have recently started using Shorewall to manage my firewall. I'm very impressed so far.
Yesterday I installed it on 2 machines which run KVM (kernel virtual machine) virtualization. When a virtual machine starts, one or more virtual network interfaces are created for the VM (vnetX). These in turn are connected to a bridge which uses a physical interface (eth1).

What I need to do:

a) Filter traffic on the management interface, eth0.
b) Allow all traffic on the bridge, br0, which in turn uses physical interface eth1. Each VM will handle traffic by running its own firewall.

I'm using Shorewall 4.2.10. I spent ages using the "bport" option but I was getting nowhere. I could not get the traffic inside the VMs to route. So I changed the bridge interface to the same as eth0, ipv4, and it now works OK.

Here is my setup:

Zones:

    fw   firewall
    lan  ipv4
    kvm  ipv4

Interfaces:

    lan  eth0  detect  dhcp
    kvm  br0   detect  dhcp,bridge,routeback

Policy:

    fw   all  ACCEPT
    lan  fw   REJECT
    kvm  fw   ACCEPT
    all  all  DROP

Rules:

    ACCEPT  lan  fw  icmp
    ACCEPT  lan  fw  tcp  ssh,https

where "lan" is the local area network and "kvm" is the zone for the bridge which handles the VMs and their virtual network interfaces. As you can see, for the management interface I'm allowing icmp traffic for ping, and SSH and HTTPS.

I must stress that this machine is not connected directly to the internet but lives inside a secure LAN. So why bother running a firewall? Well, this is a test for a machine that will be hosted in a data centre and will be connected directly to the internet.

Now it's working, but have I simply taken the easy route here when setting this up? Or should I try to get the kvm zone working as "bport"? Has anyone else set up a machine running a bridge for virtual machines? I've searched the documentation and this mailing list, but documentation is inconsistent for this setup.

Thank you
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
