From: Tom E. <te...@sh...> - 2008-10-16 13:53:00
Simon Hobson wrote:

> Not sure what you mean by 'hardware nat'. The problem with Xen, NAT,
> and firewalling is that Xen makes the networking environment very
> complicated. I really am a loooong way from understanding it, but
> from comments made by people (like Tom) who know more than I do it
> could be that the way the traffic passes through the various bits of
> networking system means that it does not pass through the right places
> in the right order to also support NAT in a meaningful way.

I've completely given up on trying to run Shorewall in a Xen Dom0. The last straw was when the latest and greatest Xen network start script started blowing away all firewall rules (kind of) and installing its own. It didn't totally undo what Shorewall had done, so it was impossible to communicate with the box at all if Shorewall started before Xen.

In my view, that indicates that the Xen developers are dead set against running any kind of firewall in Dom0.

-Tom (who has switched to KVM and no longer runs Xen at all)

-Tom

--
Tom Eastep           \ The ultimate result of shielding men from the
Shoreline,            \ effects of folly is to fill the world with fools.
Washington, USA       \ -Herbert Spencer
http://shorewall.net   \________________________________________________