Hi,
In my editing process I accidentally deleted the mention that this is all
done with KVM/libvirt.
Bram
From: Bram Jansen
Sent: Saturday, November 03, 2012 12:25
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] (no subject)
Hi,
I'm trying to configure shorewall 4.5.8.2 on a debian squeeze box with the
latest backport kernel together with. I'd like to filter traffic, but for some
reason my rules get ignored.
Kernel+iptables have physdev match support, and bridge-nf-call-iptables is
set to 1 as well as ip_forward.
I cannot find a way to restrict access to the vnet+ devices. The host (IP is
on br0) and the VMs (IPs are set inside the VM; the vnet+ devices on the host
have no IP) are all in the same public subnet. I'm still able to ping and
telnet to the VMs attached to the vnet+ interfaces with the configs I'll
post below. This is done from a machine outside the KVM host, on the
internet.
My goal is to be able to filter some ports for each individual VM. But first I
need all traffic to the VMs to get dropped, so that I can open the ports
that I need.
I hope someone can shine a light for me on this one.
Thx.
Bram
----
This is what brctl shows:

bridge name     bridge id               STP enabled     interfaces
br0             8000.3c4a92dbc2c0       no              eth0
                                                        vnet0
                                                        vnet1
/etc/shorewall/interfaces:

net     br0         -       bridge
vmnet   br0:eth0
vmkin   br0:vnet0
vmbso   br0:vnet1
/etc/shorewall/zones:

fw          firewall
net         ipv4
vmnet:net   bport4
vmkin:net   bport4
vmbso:net   bport4
/etc/shorewall/policy:

fw      all     ACCEPT
net     all     DROP
vmnet   all     DROP
all     all     REJECT
------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
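Added illustration, not part of the original post and not Shorewall's own code: the script below parses the three files exactly as quoted above (embedded here as constructed copies), reports which policy entry would be selected for a given zone pair under the first-match, top-down rule with "all" as a wildcard, and sanity-checks that every bport4 zone is attached as a port of an interface declared with the bridge option and is nested in the zone that owns that bridge. It is a deliberately simplified model: it ignores the rules file and any precedence between nested zones, so it shows what the posted policy file asks for, not what the running kernel does.

```python
"""Parse the posted Shorewall interfaces/zones/policy files and resolve policies.

Simplifications (assumptions of this example, not Shorewall semantics in full):
  * only the policy file is consulted; the rules file is not modelled;
  * policy lookup is first match, top-down, with "all" as a wildcard;
  * zone nesting ("vmkin:net") is recorded but does not affect lookup.
"""

# Constructed copies of the poster's files; columns are whitespace separated.
INTERFACES = """\
net    br0        -   bridge
vmnet  br0:eth0
vmkin  br0:vnet0
vmbso  br0:vnet1
"""

ZONES = """\
fw        firewall
net       ipv4
vmnet:net bport4
vmkin:net bport4
vmbso:net bport4
"""

POLICY = """\
fw     all  ACCEPT
net    all  DROP
vmnet  all  DROP
all    all  REJECT
"""


def _rows(text):
    """Yield whitespace-split columns, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Return {zone: (type, parent_or_None)}; 'vmkin:net' nests vmkin in net."""
    zones = {}
    for cols in _rows(text):
        name, ztype = cols[0], cols[1]
        child, _, parent = name.partition(":")
        zones[child] = (ztype, parent or None)
    return zones


def parse_interfaces(text):
    """Return {zone: (interface, [options])}; interface may be 'bridge:port'."""
    ifaces = {}
    for cols in _rows(text):
        zone, iface = cols[0], cols[1]
        opts = cols[3].split(",") if len(cols) > 3 and cols[3] != "-" else []
        ifaces[zone] = (iface, opts)
    return ifaces


def parse_policy(text):
    """Return [(source, dest, action)] in file order; order is significant."""
    return [(c[0], c[1], c[2]) for c in _rows(text)]


def lookup_policy(policy, src, dst):
    """First top-down entry whose SOURCE and DEST match wins ('all' matches any)."""
    for s, d, action in policy:
        if s in (src, "all") and d in (dst, "all"):
            return action
    return None  # no entry matched


def check_bport_zones(zones, ifaces):
    """Report bport4 zones not attached as 'bridge:port' of a 'bridge' interface
    owned by their parent zone. Returns a list of problem strings (empty if fine)."""
    problems = []
    bridges = {iface: zone for zone, (iface, opts) in ifaces.items() if "bridge" in opts}
    for zone, (ztype, parent) in zones.items():
        if ztype != "bport4":
            continue
        iface, _ = ifaces.get(zone, (None, []))
        if iface is None or ":" not in iface:
            problems.append(f"{zone}: bport4 zone needs a bridge:port interface, got {iface}")
            continue
        bridge = iface.split(":", 1)[0]
        if bridge not in bridges:
            problems.append(f"{zone}: {bridge} is not declared with the 'bridge' option")
        elif bridges[bridge] != parent:
            problems.append(f"{zone}: nested in {parent}, but {bridge} belongs to zone {bridges[bridge]}")
    return problems


if __name__ == "__main__":
    zones = parse_zones(ZONES)
    ifaces = parse_interfaces(INTERFACES)
    policy = parse_policy(POLICY)
    for line in check_bport_zones(zones, ifaces) or ["bport4 zones are consistent with the bridge"]:
        print(line)
    for src, dst in [("vmnet", "vmkin"), ("net", "vmkin"), ("vmkin", "vmbso"), ("fw", "vmkin")]:
        print(f"{src:>6} -> {dst:<6} {lookup_policy(policy, src, dst)}")
```

For the posted files the checker finds the bport4 zones consistent, and the lookup shows that traffic arriving from eth0 (zone vmnet) towards vnet0 (zone vmkin) resolves to the "vmnet all DROP" line; that is what the policy file requests, so if such traffic still gets through, the cause is outside the policy file.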