Tom Eastep wrote:

> This information is indeed important -- in Xen FAQs and HOWTOs.
> So I suggest that you post to those folks.

Don't worry, I did.  (I thought it might be relevant here too, since
you do have material on the Shorewall site about using Shorewall with
Xen . . . but whatever . . . .)

Now that I've got both SNAT and DNAT working in my configuration, I'm
trying to tighten up the firewall so that clients outside my Xen box
cannot contact the domU's directly, but can access services ONLY by
connecting to the dom0 and being DNAT'ed to the appropriate domU.  In
other words, my Xen box should look like a single host (the dom0) to
all outsiders; the internal structure (with multiple domU's) should be
invisible and inaccessible from the outside.

I started with my HTTP server (on "wonttell", 172.31.53.5).  I tried to
modify my Shorewall rules for HTTP so that hosts on my LAN can access
the HTTP server only via DNAT from the dom0 ("whodunit", 172.29.0.53).
However, the extra attempt at security doesn't seem to be working --
connections from my LAN directly to the domU (wonttell) are NOT being
blocked -- they are still getting through.

The attached Shorewall dump should be capturing what happened when I
did "telnet 172.31.53.5 http" (and successfully connected) from a host
on my LAN (172.29.0.29).  I'm confused that the dump doesn't seem
to show ANY PACKETS AT ALL being processed for port 80 on the domU
(172.31.53.5).  Is it possible that something is still broken with the
networking in my Xen configuration, and that traffic between my LAN and
my domU's is completely bypassing Shorewall?

I'd be more than willing to settle for some solution that would make
my DMZ network (172.31.53.0/24, containing my domU's) completely off
limits from the outside for all services (even SSH -- meaning that I
would need to SSH to the dom0 first and use it as a bastion host to
get to the domU's).  I know Xen has a NAT networking configuration
(an alternative to vanilla routing or bridging), though I haven't tried
it and suspect that since it seems to use iptables, it's probably not
compatible with Shorewall anyway.

-- 
Rich Wales      ===      Palo Alto, CA, USA      ===     [EMAIL PROTECTED]
http://www.richw.org   ===   http://en.wikipedia.org/wiki/User:Richwales

Attachment: status.txt.gz
Description: GNU Zip compressed data
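The restriction described in the message above (domUs reachable only through DNAT on dom0, never directly, with dom0 as the SSH bastion) expressed as Shorewall configuration. This is an added example, not code from the original post or from the Shorewall project: the zone names `lan` and `dmz`, the interface names `eth0` (LAN side of dom0) and `xenbr0` (DMZ side) and the SSH rule are assumptions; the addresses 172.29.0.53 (whodunit), 172.31.53.5 (wonttell) and 172.31.53.0/24 are the ones given in the message.

```conf
# /etc/shorewall/zones   (zone names are assumptions)
#ZONE   TYPE
fw      firewall
lan     ipv4
dmz     ipv4

# /etc/shorewall/interfaces   (interface names are assumptions)
#ZONE   INTERFACE   BROADCAST
lan     eth0        detect
dmz     xenbr0      detect

# /etc/shorewall/policy
# Direct LAN -> DMZ traffic is dropped and logged. A DNAT rule in the rules
# file implicitly ACCEPTs the translated connection, so the only path from the
# LAN to a domU is through the dom0 address named in the ORIGINAL DEST column.
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
lan     dmz     DROP    info
lan     fw      DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE  DEST              PROTO  DEST     SOURCE   ORIGINAL
#                                        PORT(S)  PORT(S)  DEST
# HTTP: LAN hosts connect to dom0 (172.29.0.53) and are translated to wonttell.
DNAT    lan     dmz:172.31.53.5   tcp    80       -        172.29.0.53
# SSH reaches dom0 only; the fw -> all ACCEPT policy lets dom0 hop on to a domU.
ACCEPT  lan     fw                tcp    22
```

After `shorewall check` and `shorewall restart`, a direct `telnet 172.31.53.5 http` from a LAN host should show up in `shorewall show log` as a `lan2dmz` DROP, while the same request to 172.29.0.53 still reaches the web server. If instead nothing is logged at all, the packets are not being routed by dom0: frames switched between ports of the same Xen bridge never enter the IP forwarding path that Shorewall's rules sit in unless bridge-netfilter is enabled, which is worth confirming before changing any rules.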

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
