On 9/8/12 2:06 PM, Steve Thompson wrote:
>
> Shorewall 4.5.6, CentOS 6.3. The shorewall box runs several KVM virtual
> machines, each of which has an interface attached to the two "internal"
> bridges br1 and br2 (and each thus has two IPs; one on 192.168.0.0/22 and
> one on 192.168.4.0/22):
>
>                         Internet ("net")
>                                ^
>                                |
>                        +---------------+
>                        |      br0      |
>    net1=192.168.4.0/22 |               | net2=192.168.0.0/22
> -----------------------+ br1       br2 +---------------------------------
>          |             |               |               |
>          |             |               |               |
>      Client A          +---------------+           Client B
>                     (hosts KVM1, KVM2, etc)
>
> There are no shorewall rules that prohibit net1 <-> net2 traffic. I have:
>
> /etc/shorewall/interfaces:
> net     br0     -    tcpflags,routefilter,nosmurfs,logmartians,blacklist,arp_filter
> net1    br1     -    tcpflags,nosmurfs,maclist
> net2    br2     -    tcpflags,nosmurfs,maclist
>
> /etc/shorewall/zones:
> fw      firewall
> net     ipv4
> net1    ipv4
> net2    ipv4
>
> /etc/shorewall/policy:
> net1    net     ACCEPT
> net1    net2    ACCEPT
> net2    net     ACCEPT
> net2    net1    ACCEPT
> net     all     DROP      info
> all     all     REJECT    info
>
> Client A can ldapsearch (for example) to a KVM machine by IP address by
> using the KVM machine's net1 IP address. Client B can likewise communicate
> using the KVM machine's net2 IP address. However, neither client can
> communicate by using the address on the opposing segment (e.g., Client A
> using KVM1_net2_IP); the packets are rejected by shorewall with the
> appropriate log message:
>
> Sep 8 16:13:05 gw-2 kernel: Shorewall:br1_rec:REJECT:IN=br1 OUT=br2 SRC=192.168.5.204 DST=192.168.0.14 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=10716 DF PROTO=TCP SPT=55536 DPT=389 WINDOW=65535 RES=0x00 SYN URGP=0
>
> I would have expected the "net1 net2 ACCEPT" and "net2 net1 ACCEPT"
> policies to allow this, since the KVM machine is logically attached to
> both networks. Since it doesn't work, I am missing something. I have tried
> using the bridge option in the interfaces file to no effect. I'd
> appreciate it if someone can give me a clue.

Shorewall FAQ 17 and look for <interface>_rec

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
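Parsing the rejection above back into its fields, as an added example that is not from this thread or from the Shorewall project: the interface-to-zone map and zone-pair policies are copied from the files quoted in the question, and the sample log list is constructed around the logged line. The chain name (`br1_rec`) is what the parser isolates, since that is what the reply says to look for.

```python
import re

# netfilter LOG line as Shorewall writes it: syslog stamp, host, "kernel:",
# then the prefix "Shorewall:<chain>:<disposition>:" and KEY=VALUE fields
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)

# zone per interface and zone-pair policy, taken from the files quoted above
IFACE_ZONE = {"br0": "net", "br1": "net1", "br2": "net2"}
POLICY = {("net1", "net"): "ACCEPT", ("net1", "net2"): "ACCEPT",
          ("net2", "net"): "ACCEPT", ("net2", "net1"): "ACCEPT"}

def parse_shorewall_log(line):
    """Split one log line into a dict; return None for non-Shorewall lines."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"],
           "chain": m["chain"], "disposition": m["disposition"]}
    for tok in m["fields"].split():        # bare flags such as DF, SYN -> True
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else True
    # per-interface chains are named <interface>_<suffix>, e.g. br1_rec
    iface, sep, suffix = rec["chain"].rpartition("_")
    rec["chain_iface"] = iface if sep else None
    rec["chain_suffix"] = suffix if sep else rec["chain"]
    return rec

def policy_mismatches(lines):
    """Entries whose IN/OUT zone pair is ACCEPT by policy but were not accepted."""
    hits = []
    for rec in map(parse_shorewall_log, lines):
        if rec is None:
            continue
        pair = (IFACE_ZONE.get(rec.get("IN")), IFACE_ZONE.get(rec.get("OUT")))
        if POLICY.get(pair) == "ACCEPT" and rec["disposition"] != "ACCEPT":
            hits.append(rec)     # rec["chain"] names the chain that decided
    return hits

# constructed sample: the line from the mail re-joined, plus an unrelated kernel line
SAMPLE_LOG = [
    "Sep 8 16:13:05 gw-2 kernel: Shorewall:br1_rec:REJECT:IN=br1 OUT=br2 "
    "SRC=192.168.5.204 DST=192.168.0.14 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=10716 "
    "DF PROTO=TCP SPT=55536 DPT=389 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Sep 8 16:14:00 gw-2 kernel: e1000e: eth0 NIC Link is Up",
]
```

Running `policy_mismatches(SAMPLE_LOG)` over a real log separates rejections made by a zone policy from those made by a per-interface chain, which is the distinction the reply points at.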
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
