On Friday 04 April 2014 08.44:39 Tom Eastep wrote:
> On 4/3/2014 6:00 AM, Bruno Friedmann wrote:
> > Dear shorewall users, I'm at a point where I need a bit of help on the following
> > configuration.
> >
> > A main host directly connected to the internet with one physical interface, eth0,
> > uses a bridge.
> > I've set up libvirtd/qemu-kvm on it with one vhost using br0/vnet0.
> >
> > The vm also has a public ipv4 address (see k* config in zip).
> >
> > I've been using shorewall for a long time now, in 3 interfaces mode or 1
> > interface mode, for years.
> > But even after digging in documentation, ml archives or google, it seems I
> > miss something.
> >
> > Can a hawk expert's eyes have a look, and give me feedback about what I've
> > built (but which does not work as expected)?
> >
> > Summary of what should be working:
> > pub/net should only be allowed on specific protocols to fw (main host) or
> > dmz (the vm).
> > fw and dmz have free access to the internet out.
> >
> > I've certainly lost myself in the different approaches, and finally have
> > chosen the wrong one.
> >
> > At the end I will also have ipv6 (but should be able to adapt the v4 to v6).
> >
> > Thanks for any pointers or advice you could offer.
>
> Your Shorewall configuration has eth0 as a port on the bridge. But your
> bridge has no eth0 port (in fact, you don't have such a device).
>
> -Tom
>
Meeee, I will never find a small enough hole to hide myself in it!!!
My feeling of missing something evident is confirmed; a big thanks, Tom.

After fixing the failure, I've tried the configuration. But I'm a bit puzzled by the log I get.
I'm seeing a lot of DROPs for traffic in net2dmz that shouldn't normally concern my vhost:

Apr 7 11:42:10 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=24.25.227.67 DST=176.31.224.27 LEN=59 TOS=00 PREC=0x00 TTL=238 ID=38975 DF PROTO=UDP SPT=62600 DPT=53 LEN=39 MARK=0
Apr 7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=02:00:00:11:69:43:6c:9c:ed:bb:bd:80:08:00 SRC=37.59.224.97 DST=176.31.32.135 LEN=123 TOS=00 PREC=0x00 TTL=61 ID=61237 DF PROTO=UDP SPT=40642 DPT=1200 LEN=103 MARK=0
Apr 7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=02:00:00:89:d7:f2:6c:9c:ed:bb:bd:80:08:00 SRC=193.57.110.171 DST=5.135.101.211 LEN=60 TOS=00 PREC=0x00 TTL=56 ID=23071 PROTO=TCP SPT=34510 DPT=80 SEQ=2564968756 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
Apr 7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=178.255.84.39 DST=176.31.224.27 LEN=74 TOS=00 PREC=0x00 TTL=52 ID=23876 PROTO=UDP SPT=30851 DPT=53 LEN=54 MARK=0
Apr 7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=00:25:90:50:af:3c:6c:9c:ed:bb:bd:80:08:00 SRC=212.54.41.229 DST=176.31.224.27 LEN=75 TOS=00 PREC=0x00 TTL=57 ID=36903 PROTO=UDP SPT=55191 DPT=53 LEN=55 MARK=0
Apr 7 11:42:11 obione SHw4:net2dmz:DROP: IN=br0 OUT=br0 MAC=00:25:90:53:4d:e4:6c:9c:ed:bb:bd:80:08:00 SRC=188.165.253.24 DST=176.31.224.190 LEN=60 TOS=00 PREC=0x00 TTL=62 ID=27903 DF PROTO=TCP SPT=39169 DPT=6767 SEQ=732529407 ACK=0 WINDOW=5840 SYN URGP=0 MARK=0

The main ip (fw/br0) is 176.31.224.222/24, and for the vm the provider wants the setup to be 46.105.242.147/32.

Looks like I'm still missing one piece.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member & Board
GPG KEY : D5C9B751C4653227
irc: tigerfoot
~~~Don't take Life too serious. Nobody gets out alive anyway!~~~
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users