On Sun, 2011-09-04 at 22:57 -0600, Troy Telford wrote:
> I've set up something similar to http://www.shorewall.net/XenMyWay-Routed.html
> 
> Shorewall runs on the Dom0 host, and the VM's are in my DMZ.
> 
> As far as I can tell, Shorewall is working as I'd expect, with one 
> exception: I can't get the DomU machines to connect to each other.
> 
> I see the following in dmesg/kern.log
> 
> Sep  4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2
> 
> The thing that's stumping me is the "sfilter" - I don't have anything 
> named that in my shorewall config - it's not a typical zone2zone 
> message, nor does it seem to be coming from the rules.
> 

This is actually a bug in the compiler's rule promotion logic. You can
work around it by specifying 'routefilter' on eth3 and eth4
in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
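The puzzle in the quoted log line is the chain name between "Shorewall:" and the disposition. A small triage script, added here as an example and not part of the thread or of Shorewall itself, parses the default "Shorewall:chain:disposition:" log prefix and flags drops whose chain is not a zone-to-zone (zone2zone) chain, which is exactly what singles out the sfilter1 entry. The second sample line is constructed for comparison; the zone2zone name test is a heuristic assumption.

```python
import re

# Constructed sample input: the kernel log line quoted in the thread (rejoined on
# one line) plus one constructed ordinary zone-to-zone drop for comparison.
SAMPLE_LOG = """\
Sep  4 22:20:41 pilot kernel: [427181.381412] Shorewall:sfilter1:DROP:IN=eth3 OUT=eth4 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:7f:a0:b9:08:00 SRC=192.168.2.2 DST=192.168.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=10893 SEQ=2
Sep  4 22:21:03 pilot kernel: [427203.123456] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall's default LOGFORMAT is "Shorewall:%s:%s:" = chain name, then disposition.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")
# Heuristic (assumption): policy/rule chains are named <zone>2<zone>; anything
# else (sfilter1, dynamic, ...) is a chain Shorewall generated internally.
ZONE2ZONE_RE = re.compile(r"^[A-Za-z0-9_]+2[A-Za-z0-9_]+$")

def parse_shorewall_line(line):
    """Return a dict describing one Shorewall/netfilter log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)   # keep the first ID= (IP header), not the ICMP one
        else:
            flags.append(tok)             # bare tokens such as DF or SYN
    chain = m.group("chain")
    return {
        "chain": chain,
        "disposition": m.group("disp"),
        "zone2zone": bool(ZONE2ZONE_RE.match(chain)),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "flags": flags,
    }

def internal_chain_drops(log_text):
    """Return parsed entries whose chain is not a zone-to-zone chain, i.e. drops
    that come from a Shorewall-generated chain rather than the rules/policy file."""
    out = []
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec and not rec["zone2zone"]:
            out.append(rec)
    return out

if __name__ == "__main__":
    for rec in internal_chain_drops(SAMPLE_LOG):
        print(f'{rec["disposition"]} by chain {rec["chain"]}: {rec["src"]} -> {rec["dst"]} '
              f'({rec["in"]} -> {rec["out"]}, {rec["proto"]})')
```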

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users