From: Hristo B. <fo...@ab...> - 2008-03-24 16:49:47
>-------- Original message --------
>From: Tom Eastep <te...@sh...>
>Subject: Re: [Shorewall-users] Shorewall and xen
>To: Shorewall Users <sho...@li...>
>Sent on: Monday, 2008, March 24 04:16:58 EET
>----------------------------------
>
>Hristo Benev wrote:
>> This is not my first setup of Shorewall, but the first involving XEN.
>>
>> Trying to implement a FW at a routed Dom0.
>>
>> I did not find a similar problem in the FAQ or mailing list, but if somebody knows of a similar thread let me know.
>>
>> My setup is the following:
>>
>> ISP--non routed--(eth0)x.x.x.173 FW--LAN(eth1)10.10.0.2
>> ----DMZ LAN (eth2)x.x.x.164
>> ----DMZ Xen DomU (vif1.0) x.x.x.165
>>
>> The problem is that even if I drop all connections on the DMZ, I can still connect to the DomU machine.
>>
>> Dump attached.
>>
>> OS is CentOS 5.1
>>
>> xen 3.0.3
>>
>> How to troubleshoot further?
>>
>
>Start by telling us what you are trying to accomplish with this setup.
>From looking at the dump, I have no clue. You have absurd features like
>a bridge (virbr0) with an IP address (192.168.122.1) but no ports.
>
>And when you say 'I can still connect to the DomU machine', where can
>you still connect from? Don't you think that might be important?
>
>Because if you can still connect from the Lan to the DomU system, both
>are in the same zone. And intra-zone connections are accepted by
>default. And you have no dmz->dmz rules or policies.
>
>-Tom
>--
>Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
>Shoreline, \ http://shorewall.net
>Washington USA \ te...@sh...
>PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
>

Sorry, I was not really clear. I'm a little bit confused by Xen networking, so I may have some interfaces that are not used. Basically I'm trying to limit access from net to the DMZ to certain ports only. Initially my DomU machine (let's call it Mail) with IP x.x.x.165 was bridged and I had direct access to it from the internet.
I modified the config file to routing and tried to follow your guide; maybe I did something wrong, because I still had access from the internet to "Mail" even though I have "net to all drop" in policy. How can I troubleshoot it? Thank you
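For readers following the thread, the following is an added, constructed Shorewall configuration sketch for the topology Hristo describes (eth0 to the ISP, eth1 to the LAN, eth2 to the DMZ LAN, and the DomU's routed `vif` interface). It is not Tom's or Hristo's configuration and is not the Shorewall project's own documentation; the zone names `net`, `loc`, `dmz`, the port list, and the use of the `vif+` wildcard to place every DomU interface in the DMZ zone are assumptions for illustration. Its point is the one Tom makes: the DomU is only protected by the `net -> all DROP` policy if the interface it sits behind is actually assigned to a zone other than the one the connection comes from.

```text
# /etc/shorewall/zones      (constructed example, zone names assumed)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces (constructed example)
# The DomU's vif interface must be listed here, otherwise it is not in
# the dmz zone and the dmz policies never apply to it.  "vif+" is a
# Shorewall wildcard matching vif1.0, vif2.0, ... on the Dom0.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
loc     eth1        detect
dmz     eth2        detect
dmz     vif+        -

# /etc/shorewall/policy     (constructed example)
# Policies apply only when no rule matched.  net -> dmz falls under
# "net all DROP", so nothing from the internet reaches the DMZ unless a
# rule below opens it.
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules      (constructed example)
# Open only the ports the Mail DomU needs; 25 and 80 are assumed values.
# To restrict the hole to the DomU alone, use "dmz:<DomU address>" in
# the DEST column instead of the whole zone.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  net     dmz     tcp     25,80
```

To check which interface Shorewall has mapped into which zone after `shorewall restart`, `shorewall show zones` lists the zone-to-interface assignments; if the `vif` interface does not appear under `dmz`, connections to the DomU are not being evaluated against the `net -> dmz` policy at all. `shorewall check` validates the files before they are loaded. Note that with a `loc dmz ACCEPT` policy, a successful connection from the LAN to the DomU proves nothing about exposure from the internet, which is the distinction Tom asks about.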