Package: shorewall
Version: 3.2.6-2
Distribution: Etch
Type: generic bug
Severity: medium

################
# Background
################

I use shorewall on a Xen machine; the firewall runs on the Dom0 while the services run on several DomU. All the DomU machines have a corresponding interface on the Dom0 named vethX (where X is an integer number), that is virtually cross-cabled with the interface of the virtual server; the addresses of the links are all /30 subnets.

                  +--------+.1         .2+-------+
                  |   veth0+-------------+ DomU1 |
                  |        |             +-------+
Internet ---------|eth1    |.5         .6+-------+
                  |   veth1+-------------+ DomU1 |
         +--------|eth0    |             +-------+
         |        |        |.9        .10+-------+
         |        |   veth2+-------------+ DomU2 |
        LAN       |        |             +-------+
                  ....                   ....

I defined in shorewall 4 zones (one is firewall):

/etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
srv     ipv4
lan     ipv4

Defined in this way:

/etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        -           blacklist
lan     eth0        -           routeback,dhcp
srv     veth+       -

The zone named *srv* is the zone of the virtual servers and refers to *all* the interfaces whose name starts with "veth".

######################
# Problem description
######################

If I create a rule that regulates the traffic inside the zone srv, such as the following (/etc/shorewall/rules):

SMTP/ACCEPT   srv   srv:$MAIL
HTTP/ACCEPT   srv   srv:$WEB

(Where $MAIL and $WEB are the IP addresses of two different DomU)

The chain "srv2srv" is generated correctly:

xen-dom0:~# iptables -L srv2srv
Chain srv2srv (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             mail                tcp dpt:smtp
ACCEPT     tcp  --  anywhere             www                 tcp dpt:http

But it is not referenced anywhere.

xen-dom0:~# iptables -L veth_fwd
Chain veth_fwd (1 references)
target     prot opt source               destination
dynamic    0    --  anywhere             anywhere            state INVALID,NEW
veth_dynf  0    --  anywhere             anywhere
srv2net    0    --  anywhere             anywhere            policy match dir out pol none
all2all    0    --  anywhere             anywhere            policy match dir out pol none
all2all    0    --  anywhere             anywhere            policy match dir out pol none

The chain srv2srv should be called in the chain veth_fwd, since veth+ refers to more than one interface.

##############
# Workaround
##############

Actually the simplest workaround is to add the following iptables command in /etc/shorewall/start:

iptables -I veth_fwd 3 -o veth+ -j srv2srv

which corrects the behaviour.

##############
# Conclusions
##############

Unfortunately I don't know enough about shorewall's internals and I don't have so much free time to study it, so I prefer not to submit patches if not required. Anyway the solution should be quite simple.

If you need more information (such as the complete shorewall configuration) feel free to contact me by mail; I prefer to not put the details of my firewall configuration on a public server :-)

The shorewall-devel mailing list is CCed; probably this bug is not Debian specific :-)

--
Flavio Visentin
GPG Key: http://www.zipman.it/gpgkey.asc

There are only 10 types of people in this world: those who understand binary, and those who don't.
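A check of the kind a Dom0 administrator might add after reading this report, written for this page and not part of the report or of Shorewall: it parses `iptables -L` output and lists every zone-to-zone chain that has zero references, which is exactly how the missing srv2srv jump surfaces. The sample output below is constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added check, not part of the bug report or of Shorewall: list zone-to-zone
# chains (names of the form <zone>2<zone>) that `iptables -L` reports with
# "(0 references)". A chain that was generated but never jumped to is the
# srv2srv symptom described above; on a live Dom0 run:
#   iptables -L -n | unreferenced_zone_chains

# Constructed sample of `iptables -L` output (chain headers plus one rule),
# mirroring the report: srv2srv exists but nothing references it.
SAMPLE_IPTABLES_L='Chain INPUT (policy DROP)
target     prot opt source               destination
Chain srv2srv (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             mail                tcp dpt:smtp
Chain srv2net (1 references)
target     prot opt source               destination
Chain veth_fwd (1 references)
target     prot opt source               destination
Chain all2all (3 references)
target     prot opt source               destination
Chain eth1_in (0 references)
target     prot opt source               destination'

# unreferenced_zone_chains: reads iptables -L text on stdin and prints one
# chain name per line for every <zone>2<zone> chain with zero references.
# Interface chains such as eth1_in are deliberately ignored: the pattern
# requires a single "2" joining two zone names.
unreferenced_zone_chains() {
    awk '$1 == "Chain" && $3 == "(0" && $2 ~ /^[A-Za-z0-9_]+2[A-Za-z0-9_]+$/ { print $2 }'
}

# check_sample: runs the check over the constructed sample and returns 0
# when srv2srv is the only unreferenced zone chain found.
check_sample() {
    found=$(printf '%s\n' "$SAMPLE_IPTABLES_L" | unreferenced_zone_chains)
    [ "$found" = "srv2srv" ]
}

check_sample && echo "unreferenced zone chain(s): srv2srv"
```

Fixing the root cause is Shorewall's job; this only tells you whether the generated ruleset on a given host actually wires the intra-zone chain in.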