An Ubuntu 10.04 server running Shorewall 4.4.6.1 hosts three KVM
virtual servers on the default libvirt virbr0 bridge at the default
vnet+ bridge ports. The bridge and ports are on a separate private
subnet (192.168.122.0/24). Each bridge port and the bridge itself are
in the dmz, there are two physical interfaces and private local
subnets in loc, and one interface in net that handles a block of 5
public IP addresses. DNAT rules accept web, imap, smtp, etc. traffic
originating on net per dest IP and forward it to the appropriate server.
The setup works quite well with one problem: when starting the host
server it's necessary to restart Shorewall once the bridge and KVM
systems are up. Not a huge problem except that if there's an extended
power failure (such that the UPS gets drained and the server shuts
itself down), no one is there to log on and restart Shorewall after
power recovery & automatic server startup.
Two questions then, the first being the more important.
Q1: Is it possible to use the existing setup with privately-subnetted
libvirt bridge virbr0 yet not have to restart Shorewall? Or, using an
explicitly declared bridge instead it should be possible to manage the
startup so that a Shorewall restart is unnecessary, perhaps with a
script similar to what's linked on the Shorewall-KVM documentation
page. But I don't quite understand how to set up such a script for
proper startup execution; place the reference in the appropriate
/etc/rc<n>.d runlevel folders?
Q2: Such an explicit bridge might be on the existing private subnet
but, as in the brouter setup in the Shorewall 4.4 documentation pages,
using an explicitly declared bridge in a 'public' zone along with public
addresses for the servers on each bridge port in the dmz zone and a
bridge port tied to the physical eth0 external public interface might
be faster or better. I've tried some possibilities but so far I
haven't been so successful in getting this alternate setup to work.
Here's one example of what I tried. The KVM servers each were moved to
their respective fixed public IPs.
/etc/network/interfaces. Also tried this without declaring eth0:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet manual
auto br0
iface br0 inet static
address 71.245.97.170
netmask 255.255.255.0
network 71.245.97.0
broadcast 71.245.97.255
gateway 71.245.97.1
bridge_ports eth0
bridge_fd 0
bridge_stp off
bridge_maxwait 0
up ip addr add 71.245.97.171 dev br0
up ip addr add 71.245.97.172 dev br0
up ip addr add 71.245.97.174 dev br0
[standard local interfaces eth1 & eth2 / private subnet declarations...]
Shorewall zones:
fw firewall
loc ipv4
pub ipv4
net:pub bport4
dmz:pub bport4
Shorewall interfaces. Maybe this is incorrect. should the net and dmz
zones include the bridge option, and what about routeback? This bit is
the least understood by myself.
pub br0 detect bridge,routefilter
net br0:eth0 -
dmz br0:vnet+ -
loc eth1 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians
loc eth2 detect tcpflags,dhcp,nosmurfs,routefilter,logmartians
Shorewall params. This seems to do what it should when expanding rules
etc, but does the bridge IP (...170) go in here too?
SERVERS=71.245.97.171,71.245.97.172,71.245.97.174
DMZ=pub:$SERVERS
NET=pub:!$SERVERS
Shorewall policy:
loc pub ACCEPT
loc $FW REJECT info
loc all REJECT info
$FW pub REJECT info
$FW loc REJECT info
$FW all REJECT info
dmz net REJECT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
Shorewall rules:
# host server serves DNS for the local subnets
DNS(ACCEPT) $FW $NET
DNS(ACCEPT) loc $FW
#dmz servers get DNS from the outside
DNS(ACCEPT) $DMZ $NET
SSH(ACCEPT) loc $FW
Ping(DROP) $NET $FW
Ping(ACCEPT) loc $FW
Ping(ACCEPT) $DMZ $FW
Ping(ACCEPT) loc $DMZ
Ping(ACCEPT) $DMZ loc
Ping(ACCEPT) $DMZ $NET
ACCEPT $FW $NET icmp
ACCEPT $FW loc icmp
ACCEPT $FW $DMZ icmp
# host server runs ntpd for all
NTP(ACCEPT) $FW $NET
NTP(ACCEPT) $DMZ $FW
NTP(ACCEPT) loc $FW
Web(ACCEPT) $NET $DMZ
Web(ACCEPT) $DMZ $NET
Web(ACCEPT) $FW $NET
Web(ACCEPT) loc $FW
ACCEPT loc $FW tcp 81
Mail(ACCEPT) $NET $DMZ
Mail(ACCEPT) $DMZ $NET
Mail(ACCEPT) $FW $NET
Mail(ACCEPT) $FW $DMZ
IMAP(ACCEPT) $NET $DMZ
IMAPS(ACCEPT) $NET $DMZ
Any comments on the above configuration would be very much appreciated.
It's a little involved to switch configurations because the host
network, Shorewall, and KVM all have to change, and then we're
down for testing, but no problem to do that at night and then I can
post more detailed info. Would be nice to have another test server,
but the other physical server here is too old to support KVM...
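As an added example for the Q1 startup problem (my own script, not code from the original message or from the Shorewall project or its KVM documentation): a POSIX shell script that waits until the bridge exists and has the expected number of ports enslaved, and only then restarts Shorewall, so that a restart after an unattended power-failure reboot happens once the vnet+ ports are actually there. It assumes that bridge ports are listed under /sys/class/net/<bridge>/brif/ (true for Linux bridges), that the script is started late in boot after libvirt has created the guests' vnet ports (for instance from /etc/rc.local), and that three ports are expected; the file name shorewall-kvm-restart.sh, the SYSFS_NET override variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: restart Shorewall only after the KVM bridge and its ports exist.
# SYSFS_NET can be overridden to point at a fake directory when testing (assumption).
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# bridge_ports_up BRIDGE MINPORTS
# Returns 0 when BRIDGE exists and has at least MINPORTS ports enslaved,
# judged by the entries in /sys/class/net/BRIDGE/brif/; returns 1 otherwise.
bridge_ports_up() {
    bridge="$1"
    want="$2"
    brif="$SYSFS_NET/$bridge/brif"
    [ -d "$brif" ] || return 1
    n=0
    for p in "$brif"/*; do
        # The glob stays literal when the directory is empty, hence the -e test.
        [ -e "$p" ] && n=$((n + 1))
    done
    [ "$n" -ge "$want" ]
}

# wait_for_bridge BRIDGE MINPORTS TIMEOUT_SECS
# Polls once per second; returns 0 when the bridge is ready within the
# timeout and 1 when the timeout expires first.
wait_for_bridge() {
    bridge="$1"
    want="$2"
    timeout="$3"
    waited=0
    while ! bridge_ports_up "$bridge" "$want"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# main [BRIDGE] [MINPORTS] [TIMEOUT_SECS]
# Defaults: the libvirt default bridge, the three guests from the message, two minutes.
main() {
    bridge="${1:-virbr0}"
    want="${2:-3}"
    timeout="${3:-120}"
    if wait_for_bridge "$bridge" "$want" "$timeout"; then
        logger -t shorewall-kvm "bridge $bridge has $want port(s); restarting Shorewall"
        shorewall restart
    else
        logger -t shorewall-kvm "bridge $bridge not ready after ${timeout}s; Shorewall not restarted"
        exit 1
    fi
}

# Run main only when executed under the intended file name, so the functions
# can also be sourced or tested without triggering a Shorewall restart.
case "$0" in
    */shorewall-kvm-restart.sh|shorewall-kvm-restart.sh) main "$@" ;;
esac
```

Install it as, for example, /usr/local/sbin/shorewall-kvm-restart.sh and call it from /etc/rc.local (which Ubuntu runs at the end of boot), adjusting the port count if guests are added. Because the restart is deferred until the ports are present, the host keeps the ruleset Shorewall loaded at its own start until then, and the logger lines leave a record in syslog of whether the restart happened, which is what you want to check after an unattended reboot.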
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users