Simon Hobson wrote:
> I've now had chance to experiment with both bridges and routed setups
> (copying Tom's example on the web site) for Xen, here are a few
> observations :
>
> Bridged:
>
> Default setup, easy to get the network going.
> Shorewall works but has some limitations in a bridged environment,
> but in dom-u's works just like a real single interface machine.
>
> Routed:
>
> Harder to set up the networking
> Removes limitations of firewalling in a bridge
> Dom-U's don't get broadcasts from parent network
>
> One issue took a bit of sorting out :
>
> The environment I'll be wanting to run will involve a variable number
> of guest machines, and some of them may not be started automatically.
> This caught me out this morning when I switched on my test server and
> couldn't access it. Shorewall failed to start at bootup because all
> the interfaces weren't present.
>

I developed the 'optional' interface option exactly to take care of this
issue. List each interface in /etc/shorewall/interfaces as 'optional'.

> So in proxyarp I have :
>> #ADDRESS       INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
>> 192.168.1.181  ethx1      eth0      yes
>> 192.168.1.182  ethx2      eth0      yes

Which is what I do.

>
> and in interfaces I have :
>> #ZONE  INTERFACE  BROADCAST      OPTIONS
>> net    $EXT_IF    -              logmartians,tcpflags,nosmurfs
>> xen    ethx+      192.168.1.255  tcpflags,nosmurfs,routeback
>
> Anything I've missed here ?

For Shorewall-perl, the address in the BROADCAST column is bogus.

>
> Is there any problem with multiple processes calling "shorewall
> restart" - ie if multiple guests are shutdown simultaneously ? I
> assume the answer is "they'll just block and execute in turn" as
> Shorewall uses a lockfile, and that is what appears to happen.

That's why there is a lockfile.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
