I've set up something similar to http://www.shorewall.net/XenMyWay-Routed.html

Shorewall runs on the Dom0 host, and the VMs are in my DMZ.

As far as I can tell, Shorewall is working as I'd expect, with one 
exception: I can't get the DomU machines to connect to each other.

I see the following in dmesg/kern.log

Sep  4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2

The thing that's stumping me is the "sfilter" - I don't have anything 
named that in my shorewall config - it's not a typical zone2zone 
message, nor does it seem to be coming from the rules.

I get a log message similar to the above message anytime I try to 
connect from one DomU to the other (within the same zone - the DMZ).

My config is below.

My Zones:
fw              firewall
net     ipv4                            # Raw Internet (Cable Modem)
gige    ipv4                            # Gigabit Ethernet on the Home Network.
dmz     ipv4                            # DMZ

Interfaces:
gige    eth0            detect          dhcp # Internal network; 192.168.1.1
net     eth1            detect          dhcp # Raw internet.
dmz     eth2            detect          dhcp # DMZ; 192.168.2.1
# eth[3,4] are mapped to Xen DomU vif's
dmz     eth3            detect          optional # 192.168.2.2
dmz     eth4            detect          optional # 192.168.2.3

Masq:
eth1        192.168.1.0/24,\
            192.168.2.0/24

Policy: (The only entries that affect the DMZ zone)
dmz     net             ACCEPT
all     all             DROP

Proxyarp:
192.168.2.2             eth3            eth2            yes
192.168.2.3             eth4            eth2            yes

Rules: (again, only ones that affect the DMZ Zone)
dropNotSyn net  dmz     tcp
# Debian apt-cacher-ng
ACCEPT          dmz:192.168.2.2 $FW tcp 3142
ACCEPT          dmz:192.168.2.3 $FW tcp 3142
# ZNC IRC Bouncer
DNAT:info       net     dmz:192.168.2.3 tcp 6667
DNAT:info       net     dmz:192.168.2.3 udp 6667
DNAT            gige    dmz:192.168.2.3 tcp 6667
DNAT            gige    dmz:192.168.2.3 udp 6667
# SSH
ACCEPT          $FW     dmz tcp ssh
ACCEPT          gige    dmz tcp ssh

I'd appreciate knowing what I've not configured properly. As I've said, 
I seem to have the firewall working as I'd expect, with the exception 
of DMZ->DMZ communication between Xen DomUs.
-- 
Troy Telford

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
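The logged drop above is easier to reason about once the wrapped netfilter log line is broken into fields and the IN/OUT interfaces are mapped back to Shorewall zones. The following is an added example, not code from the original post or from the Shorewall project: it parses `Shorewall:<chain>:<disposition>:` kernel log lines, maps interfaces to zones using the interfaces file quoted in the post, flags whether the chain name follows Shorewall's `<zone>2<zone>` policy-chain convention, and counts drops per chain and zone pair. The first sample line is the one from the post; the other two are constructed for illustration (the net2all line uses documentation-range addresses) and are not from the poster's logs. It does not explain what the sfilter chain does; it only makes same-zone drops from a non-policy chain stand out in a log summary.

```python
import re
from collections import Counter
from typing import Optional

# Interface-to-zone mapping copied from the interfaces file in the post.
# An empty IN or OUT in a netfilter log means the packet came from or was
# delivered to the firewall host itself, which Shorewall calls the fw zone.
IFACE_ZONE = {
    "eth0": "gige",
    "eth1": "net",
    "eth2": "dmz",
    "eth3": "dmz",  # Xen DomU vif, 192.168.2.2
    "eth4": "dmz",  # Xen DomU vif, 192.168.2.3
}
ZONES = {"fw", "net", "gige", "dmz"}

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:",
# followed by netfilter's key=value fields (flags such as DF have no value).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample input. Line 1 is the line quoted in the post (rejoined);
# lines 2 and 3 are made up for this example.
SAMPLE_LOGS = [
    "Sep  4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 "
    "MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2",
    "Sep  4 22:20:50 pilot kernel: [427190.002311] Shorewall:sfilter1:DROP:IN=eth4 OUT=eth3 "
    "MAC=fe:ff:ff:ff:ff:ff:00:16:3e:11:22:33:08:00 SRC=192.168.2.3 DST=192.168.2.2 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10894 SEQ=1",
    "Sep  4 22:21:03 pilot kernel: [427203.117201] Shorewall:net2all:DROP:IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.20 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=44123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
]


def parse_shorewall_log(line: str) -> Optional[dict]:
    """Return chain, disposition and the main netfilter fields, or None if
    the line is not a Shorewall log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
    }


def zone_of(iface: str) -> str:
    """Map a netfilter interface name to a Shorewall zone ('' means fw)."""
    if iface == "":
        return "fw"
    return IFACE_ZONE.get(iface, "unknown")


def is_policy_chain(chain: str) -> bool:
    """Shorewall policy chains are named <zone>2<zone>, e.g. net2all or dmz2net.
    Assumes zone names contain no '2', which holds for the zones in the post."""
    parts = chain.split("2", 1)
    return len(parts) == 2 and parts[0] in ZONES and parts[1] in ZONES | {"all"}


def classify(entry: dict) -> tuple:
    """(source zone, destination zone, came-from-a-policy-chain?)"""
    return (zone_of(entry["in"]), zone_of(entry["out"]), is_policy_chain(entry["chain"]))


def summarize(lines) -> Counter:
    """Count log entries per (chain, disposition, source zone, destination zone)."""
    counts = Counter()
    for line in lines:
        entry = parse_shorewall_log(line)
        if entry is None:
            continue
        src_zone, dst_zone, _ = classify(entry)
        counts[(entry["chain"], entry["disposition"], src_zone, dst_zone)] += 1
    return counts


if __name__ == "__main__":
    for (chain, disp, src_zone, dst_zone), n in summarize(SAMPLE_LOGS).items():
        kind = "policy chain" if is_policy_chain(chain) else "not a zone2zone chain"
        print(f"{n}x {disp} in {chain} ({kind}): {src_zone} -> {dst_zone}")
```

Run against the sample lines, the summary shows two dmz -> dmz drops attributed to sfilter1, which the `<zone>2<zone>` check reports as not a policy chain, alongside one ordinary net -> fw drop from net2all. The same mapping table can be pointed at a real kern.log to see which interface pairs and chains account for drops before touching the rules file.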