On 04/29/2011 04:08 PM, Tom Eastep wrote:
> On 04/29/2011 04:43 AM, Farkas Levente wrote:
>
>> yes. it's one physical ethernet card and running 4 guests (and the host)
>> while br0 has one valid public ip address.
>>
>> this is the setup:
>> # brctl show
>> bridge name     bridge id               STP enabled     interfaces
>> br0             8000.6cf049b9800a       no              eth0
>>                                                         vnet0
>>                                                         vnet1
>>                                                         vnet2
>>                                                         vnet3
>> # ifconfig
>> br0       Link encap:Ethernet  HWaddr 6C:F0:49:B9:80:0A
>>           inet addr:1.2.3.4  Bcast:1.2.3.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:78537495 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:13333536 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:7250322026 (6.7 GiB)  TX bytes:58699652446 (54.6 GiB)
>>
>> eth0      Link encap:Ethernet  HWaddr 6C:F0:49:B9:80:0A
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:141686837 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:114685992 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000
>>           RX bytes:32429824910 (30.2 GiB)  TX bytes:120019867392 (111.7 GiB)
>>           Interrupt:35 Base address:0xe000
>>
>> lo        Link encap:Local Loopback
>>           inet addr:127.0.0.1  Mask:255.0.0.0
>>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>>           RX packets:220184 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:220184 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:0
>>           RX bytes:316739812 (302.0 MiB)  TX bytes:316739812 (302.0 MiB)
>>
>> vnet0     Link encap:Ethernet  HWaddr FE:54:00:B5:A9:34
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:5623576 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:61595953 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:500
>>           RX bytes:15444682121 (14.3 GiB)  TX bytes:11060142699 (10.3 GiB)
>>
>> vnet1     Link encap:Ethernet  HWaddr FE:54:00:09:71:2B
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:22643389 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:75916886 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:500
>>           RX bytes:31250603040 (29.1 GiB)  TX bytes:7726089254 (7.1 GiB)
>>
>> vnet2     Link encap:Ethernet  HWaddr FE:54:00:1F:F7:5D
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:15754986 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:67798786 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:500
>>           RX bytes:11375672734 (10.5 GiB)  TX bytes:15335707117 (14.2 GiB)
>>
>> vnet3     Link encap:Ethernet  HWaddr FE:54:00:14:E8:B9
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:244377 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:3603432 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:500
>>           RX bytes:20385018 (19.4 MiB)  TX bytes:833931605 (795.2 MiB)
>
> Okay; here is how I would do it (assuming that the Windows box is vnet3):
>
> shorewall.conf:
>
> ...
> IMPLICIT_CONTINUE=No
> ...
>
> zones:
>
> fw          firewall
> world       ipv4
> net:world   bport
> dmz:world   bport
> win:dmz     bport
>
> policy:
>
> net    dmz    ACCEPT
> net    all    DROP     info
> dmz    net    ACCEPT
> win    net    ACCEPT   #You might want to change this
> fw     world  ACCEPT
> all    all    REJECT   info
>
> interfaces:
>
> world  br0         -   bridge
> net    br0:eth0
> win    br0:vnet3
> dmz    br0:vnet+
Before this setup I had this in the rules:

SSH(ACCEPT)   net:$ADMIN_NET   fw

which was working, but after that I'm no longer able to access the host :-(
So in this case, what is the right rule? Should net be world, or?
And what's the reason for the

net   all   DROP   info

in the middle of the policy file when there is a REJECT at the end?

thanks.
-- 
  Levente                               "Si vis pacem para bellum!"

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
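As an added example (not code from the thread or from Shorewall itself), the following Python script parses the `brctl show` output quoted above and works out which of the proposed bport zones each bridge port falls into. It treats a trailing `+` in an interfaces entry as a prefix wildcard as Shorewall does; the exact-before-wildcard ordering and the `nested_chain` check (vnet3 matches both win and dmz, which is only legitimate because win:dmz is declared a sub-zone) are this script's own assumptions.

```python
# Added example, not Shorewall code. Assumption: a trailing '+' in an interfaces entry is a prefix wildcard.

# brctl show output as quoted in the thread; ports after the first sit on continuation lines
BRCTL_OUTPUT = """\
bridge name     bridge id               STP enabled     interfaces
br0             8000.6cf049b9800a       no              eth0
                                                        vnet0
                                                        vnet1
                                                        vnet2
                                                        vnet3
"""

# (zone, bridge:port) from the proposed interfaces file; 'world br0 - bridge' is the bridge itself
INTERFACES = [("net", "br0:eth0"), ("win", "br0:vnet3"), ("dmz", "br0:vnet+")]
# zone -> parent zone from the proposed zones file (net:world, dmz:world, win:dmz)
PARENT = {"net": "world", "dmz": "world", "win": "dmz"}

def parse_brctl(text):
    """Return {bridge: [ports]}; a continuation line carries only a port name."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        if len(fields) >= 3:                    # bridge line: name, id, STP flag[, first port]
            current = fields[0]
            bridges[current] = fields[3:4]
        elif current is not None:               # another port of the current bridge
            bridges[current].append(fields[0])
    return bridges

def port_matches(pattern, port):
    return port.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == port

def zones_for_port(bridge, port):
    """Zones whose interfaces entry covers bridge:port, exact names listed before wildcards."""
    hits = []
    for zone, spec in INTERFACES:
        b, pattern = spec.split(":", 1)
        if b == bridge and port_matches(pattern, port):
            hits.append((pattern.endswith("+"), zone))   # False (exact) sorts before True
    return [zone for _, zone in sorted(hits, key=lambda h: h[0])]

def nested_chain(zones):
    """True if each zone is a direct sub-zone of the next, so overlapping matches are legitimate."""
    return all(PARENT.get(sub) == parent for sub, parent in zip(zones, zones[1:]))

def zone_map(text):
    """bridge:port -> zones, for every port found in the brctl output."""
    return {f"{b}:{p}": zones_for_port(b, p) for b, ports in parse_brctl(text).items() for p in ports}
```

Running `zone_map(BRCTL_OUTPUT)` on the quoted output yields eth0 in net, vnet0 to vnet2 in dmz, and vnet3 in win then dmz.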
