I've now had a chance to experiment with both bridged and routed setups
(copying Tom's example on the web site) for Xen. Here are a few
observations:
Bridged:
 - Default setup, easy to get the network going.
 - Shorewall works but has some limitations in a bridged environment,
   but in dom-U's works just like a real single interface machine.
Routed:
 - Harder to set up the networking.
 - Removes limitations of firewalling in a bridge.
 - Dom-U's don't get broadcasts from parent network.
One issue took a bit of sorting out:
The environment I'll be wanting to run will involve a variable number
of guest machines, and some of them may not be started automatically.
This caught me out this morning when I switched on my test server and
couldn't access it. Shorewall failed to start at bootup because all
the interfaces weren't present.
I tried setting the interfaces file to use a wildcard (ethx+), but
that still left the proxyarp setting where
>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
>192.168.1.181 ethx1 eth0 no yes
produced this error
>Setting up Proxy ARP...
>Cannot find device "ethx1"
> ERROR: Command "ip route replace 192.168.1.181 dev ethx1" Failed
But since the vif-route script creates the route, I don't think the
haveroute=no setting is required, so I've set that to yes and now
Shorewall will start (with a warning if the guest using ethx1 is not
running). Next step was to add a "shorewall restart" command to the
vif-route script - actually I wrote a wrapper script called
vif-route-shorewall containing :
>#!/bin/bash
># Wrapper installed in place of vif-route: run the real script with its
># arguments passed through intact, then reload the Shorewall rules.
>dir=$(dirname "$0")
>"${dir}/vif-route" "$@"
>shorewall restart
So in proxyarp I have:
>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
>192.168.1.181 ethx1 eth0 yes
>192.168.1.182 ethx2 eth0 yes
and in interfaces I have:
>#ZONE INTERFACE BROADCAST OPTIONS
>net $EXT_IF - logmartians,tcpflags,nosmurfs
>xen ethx+ 192.168.1.255 tcpflags,nosmurfs,routeback
Anything I've missed here?
Is there any problem with multiple processes calling "shorewall
restart", i.e. if multiple guests are shut down simultaneously? I
assume the answer is "they'll just block and execute in turn" as
Shorewall uses a lockfile, and that is what appears to happen.
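As an added example (not the poster's script, and not code from Shorewall or Xen), here is a version of the wrapper that quotes its arguments, serialises the restart explicitly with flock(1) instead of relying on Shorewall's own lock, and carries a helper that reports which proxyarp interfaces are currently absent, which is the condition that stopped Shorewall at boot above. The lock file path, the proxyarp path and the sysfs location are assumptions; NET_SYSFS is overridable so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: the real vif-route lives
# next to this wrapper, flock(1) is installed, and interfaces appear under
# /sys/class/net (NET_SYSFS can be pointed elsewhere for offline testing).
PROXYARP_FILE="${PROXYARP_FILE:-/etc/shorewall/proxyarp}"
LOCK_FILE="${LOCK_FILE:-/var/lock/vif-route-shorewall.lock}"
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# Print the INTERFACE column of every non-comment proxyarp entry, one per line.
proxyarp_interfaces() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $2 }' "$1"
}

# Succeed if interface $1 currently exists on this host.
iface_present() {
    [ -d "$NET_SYSFS/$1" ]
}

# Print the proxyarp interfaces that are absent (e.g. the guest is not running).
# Returns 0 when all are present, 1 when at least one is missing.
missing_proxyarp_interfaces() {
    absent=$(proxyarp_interfaces "$1" | while IFS= read -r iface; do
        iface_present "$iface" || printf '%s\n' "$iface"
    done)
    [ -z "$absent" ] && return 0
    printf '%s\n' "$absent"
    return 1
}

# Run a command under an exclusive lock so that several guests starting or
# stopping at once never run "shorewall restart" concurrently (30 s timeout).
serialised() {
    (
        flock -w 30 9 || { echo "could not lock $LOCK_FILE" >&2; exit 1; }
        "$@"
    ) 9>"$LOCK_FILE"
}

# Entry point when installed as the vif script: run the real vif-route with its
# arguments quoted intact, warn about absent vifs, then restart Shorewall once.
vif_route_shorewall() {
    dir=$(dirname "$0")
    "$dir/vif-route" "$@" || return $?
    gone=$(missing_proxyarp_interfaces "$PROXYARP_FILE") \
        || echo "proxyarp interfaces not present: $gone" >&2
    serialised shorewall restart
}
```

Install it under the name given to the vif in the guest config, exactly as the wrapper above is, and set the proxyarp HAVEROUTE column as the post describes so the absent interfaces only produce a warning.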
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users