Simon Hobson | 1 Aug 2007 12:50

Xen & Shorewall - routed vs bridged

I've now had a chance to experiment with both bridged and routed setups 
(copying Tom's example on the web site) for Xen, here are a few 
observations :

Bridged:

Default setup, easy to get the network going.
Shorewall works but has some limitations in a bridged environment; 
in dom-Us it works just like a real single-interface machine.

Routed:

Harder to set up the networking
Removes limitations of firewalling in a bridge
Dom-Us don't get broadcasts from the parent network

One issue took a bit of sorting out :

The environment I'll be wanting to run will involve a variable number 
of guest machines, and some of them may not be started automatically. 
This caught me out this morning when I switched on my test server and 
couldn't access it. Shorewall failed to start at bootup because all 
the interfaces weren't present.

I tried setting the interfaces file to use a wildcard (ethx+), but 
that still left the proxyarp setting where
>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
>192.168.1.181   ethx1           eth0            no              yes

produced this error
(Continue reading)

Tom Eastep | 1 Aug 2007 15:24

Re: Xen & Shorewall - routed vs bridged

Simon Hobson wrote:
> I've now had a chance to experiment with both bridged and routed setups 
> (copying Tom's example on the web site) for Xen, here are a few 
> observations :
> 
> Bridged:
> 
> Default setup, easy to get the network going.
> Shorewall works but has some limitations in a bridged environment; 
> in dom-Us it works just like a real single-interface machine.
> 
> 
> Routed:
> 
> Harder to set up the networking
> Removes limitations of firewalling in a bridge
> Dom-U's don't get broadcasts from parent network
> 
> 
> 
> One issue took a bit of sorting out :
> 
> The environment I'll be wanting to run will involve a variable number 
> of guest machines, and some of them may not be started automatically. 
> This caught me out this morning when I switched on my test server and 
> couldn't access it. Shorewall failed to start at bootup because all 
> the interfaces weren't present.
> 

I developed the 'optional' interface option exactly to take care of this
(Continue reading)

Philip S. Hempel | 1 Aug 2007 22:43

Talking about port knocking

I was implementing the port knocking changes for my conversion to the perl
version of shorewall and found the example on the site to have some
errors.

Here is the diff I have for that.

--- SSHKnock.orig       2007-08-01 16:34:00.000000000 -0400
+++ SSHKnock    2007-08-01 16:33:00.000000000 -0400
@@ -8,12 +8,12 @@
                     '',
                     $tag,
                     'add',
-                    '-p tcp --dport 22   -m recent --rcheck --name SSH );
+                    '-p tcp --dport 22 -m recent --rcheck --name SSH' );

     log_rule_limit( $level,
                     $chainref,
-                    'SSHKnock'
-                    'DROP'
+                    'SSHKnock',
+                    'DROP',
                     '',
                     $tag,
                     'add',
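Review bot: both pairs in this hunk are Perl syntax repairs rather than behaviour changes, and the first is the one that matters most: the removed line `'-p tcp --dport 22   -m recent --rcheck --name SSH );` has no closing quote, so the `);` and whatever follows is swallowed into the string literal and the file cannot compile; the added line closes the string and also collapses the run of spaces before `-m`, which should be harmless since iptables tokenises its arguments on whitespace. The second pair inserts the commas between `'SSHKnock'`, `'DROP'` and the following `''` argument of log_rule_limit; Perl does not concatenate adjacent string literals, so without them this is likewise a compile error, not a rule that silently does the wrong thing. One thing to check before applying: the header stamps SSHKnock.orig at 16:34:00 and the corrected SSHKnock at 16:33:00, i.e. the "new" file is older than the "original", which usually means the two files were named the wrong way round when the diff was taken; confirm the patch applies in the intended direction.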
Attachment (SSHKnock.diff): text/x-patch, 614 bytes
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
(Continue reading)

Tom Eastep | 1 Aug 2007 22:58

Re: Talking about port knocking

Philip S. Hempel wrote:
> I was implementing the port knocking changes for my conversion to the perl
> version of shorewall and found the example on the site to have some
> errors.
> 
> Here is the diff I have for that.

Thanks,
-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Roberto C. Sánchez | 2 Aug 2007 00:46

Re: Xen & Shorewall - routed vs bridged

On Wed, Aug 01, 2007 at 11:50:17AM +0100, Simon Hobson wrote:
> I've now had a chance to experiment with both bridged and routed setups 
> (copying Tom's example on the web site) for Xen, here are a few 
> observations :
> 
> Bridged:
> 
> Default setup, easy to get the network going.
> Shorewall works but has some limitations in a bridged environment; 
> in dom-Us it works just like a real single-interface machine.
> 
What I really like about bridged is that (from a networking perspective)
each domU is indistinguishable from a physical host on the same network
as the dom0.  Depending on your needs, that may be good or bad.
However, I tend to think of it as a very good thing.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
(Continue reading)

Andrew Suffield | 2 Aug 2007 01:04

Re: Xen & Shorewall - routed vs bridged

On Wed, Aug 01, 2007 at 06:46:30PM -0400, Roberto C. Sánchez wrote:
> On Wed, Aug 01, 2007 at 11:50:17AM +0100, Simon Hobson wrote:
> > I've now had a chance to experiment with both bridged and routed setups 
> > (copying Tom's example on the web site) for Xen, here are a few 
> > observations :
> > 
> > Bridged:
> > 
> > Default setup, easy to get the network going.
> > Shorewall works but has some limitations in a bridged environment; 
> > in dom-Us it works just like a real single-interface machine.
> > 
> What I really like about bridged is that (from a networking perspective)
> each domU is indistinguishable from a physical host on the same network
> as the dom0.  Depending on your needs, that may be good or bad.
> However, I tend to think of it as a very good thing.

It basically reduces to the question of:

Is your purpose in using Xen just to segregate some virtual hosts as
an alternative to buying several boxes, or to create hosts with more
restricted capabilities than a normal one?

Tom Eastep | 2 Aug 2007 03:51

Re: Xen & Shorewall - routed vs bridged

Andrew Suffield wrote:
> On Wed, Aug 01, 2007 at 06:46:30PM -0400, Roberto C. Sánchez wrote:
>> On Wed, Aug 01, 2007 at 11:50:17AM +0100, Simon Hobson wrote:
>>> I've now had a chance to experiment with both bridged and routed setups 
>>> (copying Tom's example on the web site) for Xen, here are a few 
>>> observations :
>>>
>>> Bridged:
>>>
>>> Default setup, easy to get the network going.
>>> Shorewall works but has some limitations in a bridged environment; 
>>> in dom-Us it works just like a real single-interface machine.
>>>
>> What I really like about bridged is that (from a networking perspective)
>> each domU is indistinguishable from a physical host on the same network
>> as the dom0.  Depending on your needs, that may be good or bad.
>> However, I tend to think of it as a very good thing.
> 
> It basically reduces to the question of:
> 
> Is your purpose in using Xen just to segregate some virtual hosts as
> an alternative to buying several boxes, or to create hosts with more
> restricted capabilities than a normal one?
>

I agree. And if you need more restricted capabilities than a normal one
then you should consider running a firewall in front of the Xen host or
you should consider switching to a configuration other than one where
you run Shorewall in your bridged Dom0.

(Continue reading)

Pál Csányi | 2 Aug 2007 11:24

exim4 behind a firewall

Hello!

I want to use exim4 on a desktop machine behind a firewall.
Now I can't use exim4 because exim4 doesn't answer HELO/EHLO.

If I do a test from the internet, I can see that port 25 is closed.
I get the message: 'the port No route to host'

Must I open port 25 on the firewall, or not?
I tried to open the port on the firewall like this:

The zones are:
fw      firewall
pptp    ipv4
net     ipv4    mode=tunnel
loc     ipv4

The interfaces are:
pptp    eth0            detect  dhcp
net     ppp0            detect  routefilter,tcpflags
loc     eth1            detect  dhcp

The masq is:
ppp0                    eth1

The tunnels is:
pptpclient              net     192.168.16.1

The policies are:
loc     all     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
pptp    all     ACCEPT  info
all     all     REJECT  info

The rules are:
SECTION NEW
ACCEPT       pptp  fw                              icmp
DNAT         net   loc:192.168.1.100               tcp   80
DNAT:debug   net   loc:192.168.1.10-192.168.1.98    tcp   smtp
DROP         net   fw                              udp   1026:1029

but this is not a solution: port 25 is still closed, with the above-mentioned message.

I read the documentation but can't figure out the solution.

What is the solution for this situation?

Any advice will be appreciated!

--
Regards,
Paul

Andrew Suffield | 2 Aug 2007 11:32

Re: exim4 behind a firewall

On Thu, Aug 02, 2007 at 11:24:16AM +0200, Pál Csányi wrote:
> DNAT:debug   net   loc:192.168.1.10-192.168.1.98   tcp   smtp

> What is the solution for this situation?
> 
> Any advices will be appreciated!

Lay off the crack. I can't imagine what you expected that to
accomplish.

Pál Csányi | 2 Aug 2007 11:55

Re: exim4 behind a firewall

2007/8/2, Andrew Suffield <asuffield <at> suffields.me.uk>:
>  On Thu, Aug 02, 2007 at 11:24:16AM +0200, Pál Csányi wrote:
> > DNAT:debug   net   loc:192.168.1.10-192.168.1.98   tcp   smtp
>
> Lay off the crack. I can't imagine what you expected that to
> accomplish.

OK
Now the rules are:
SECTION NEW
ACCEPT       pptp  fw                              icmp
ACCEPT       fw    net                             tcp   smtp
DNAT         net   loc:192.168.1.100               tcp   80
DROP         net   fw                              udp   1026:1029

Port 25 is still closed from the internet. :(

Any advice?

-- 
Regards,
Paul

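To make the first-match semantics behind the two rules files in this thread concrete, here is an added Python model of how Shorewall decides the fate of a NEW connection. It is example code written for this page, not Shorewall's own implementation and not something anyone posted above, and it is deliberately simplified: rules in SECTION NEW are tried in file order, then the policies in file order with 'all' as a wildcard; a DNAT rule is matched against the packet's original destination (by default the firewall itself) and its DEST column only says where the packet is forwarded. The POLICIES string and the two RULES_* strings are copied from Paul's posts; RULES_NET_TO_FW_SMTP is my own hypothetical third variant with a net-to-fw smtp ACCEPT appended, included only to show which direction a rule must have to match inbound traffic addressed to the firewall; the small SERVICES table stands in for /etc/services. Macros, address ranges in DEST, other sections and everything else Shorewall does are left out.

```python
"""Simplified model of Shorewall's NEW-connection decision (added example,
not Shorewall code). Traces a tcp/25 connection from the internet against
the policies and rules quoted in the exim4 thread."""
from dataclasses import dataclass

# Configuration text copied from the posts in this thread (constructed input).
POLICIES = """\
loc     all     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
pptp    all     ACCEPT  info
all     all     REJECT  info
"""

RULES_FIRST_POST = """\
SECTION NEW
ACCEPT       pptp  fw                              icmp
DNAT         net   loc:192.168.1.100               tcp   80
DNAT:debug   net   loc:192.168.1.10-192.168.1.98   tcp   smtp
DROP         net   fw                              udp   1026:1029
"""

RULES_SECOND_POST = """\
SECTION NEW
ACCEPT       pptp  fw                              icmp
ACCEPT       fw    net                             tcp   smtp
DNAT         net   loc:192.168.1.100               tcp   80
DROP         net   fw                              udp   1026:1029
"""

# Hypothetical variant (my assumption, not posted in the thread): the second
# post's rules plus an ACCEPT whose SOURCE is net and DEST is fw.
RULES_NET_TO_FW_SMTP = RULES_SECOND_POST + \
    "ACCEPT       net   fw                              tcp   smtp\n"

# Service names used in the thread; real Shorewall resolves them via /etc/services.
SERVICES = {"smtp": 25, "http": 80}


@dataclass
class Rule:
    action: str   # ACCEPT / DROP / REJECT / DNAT, log level ('DNAT:debug') stripped
    src: str      # source zone
    dst: str      # destination zone, optionally 'zone:address'
    proto: str    # tcp / udp / icmp / '-'
    dport: str    # '-', a service name, a port number or 'low:high'


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "SECTION":
            continue
        proto = f[3] if len(f) > 3 else "-"
        dport = f[4] if len(f) > 4 else "-"
        rules.append(Rule(f[0].split(":")[0], f[1], f[2], proto, dport))
    return rules


def parse_policies(text: str) -> list:
    return [tuple(line.split()[:3]) for line in text.splitlines() if line.split()]


def port_matches(spec: str, port: int) -> bool:
    if spec == "-":
        return True
    spec = str(SERVICES.get(spec, spec))
    if ":" in spec:                      # port range low:high
        lo, hi = spec.split(":")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def decide(rules_text: str, src: str, dst: str, proto: str, port: int):
    """Return (verdict, reason) for a NEW connection from zone src to zone dst."""
    for r in parse_rules(rules_text):
        if r.src != src or r.proto not in ("-", proto) or not port_matches(r.dport, port):
            continue
        if r.action == "DNAT":
            # Matched on the original destination (the firewall); DEST is the target.
            if dst == "fw":
                return "DNAT", f"forwarded to {r.dst}; the firewall itself does not answer"
            continue
        if r.dst.split(":")[0] == dst:
            return r.action, f"rule '{r.action} {r.src} {r.dst} {r.proto} {r.dport}'"
    # No rule matched: fall through to the first matching policy.
    for psrc, pdst, paction in parse_policies(POLICIES):
        if psrc in (src, "all") and pdst in (dst, "all"):
            return paction, f"policy '{psrc} {pdst} {paction}'"
    return "REJECT", "no policy matched (Shorewall requires an 'all all' entry)"


if __name__ == "__main__":
    for name, text in (("first post", RULES_FIRST_POST),
                       ("second post", RULES_SECOND_POST),
                       ("net-to-fw ACCEPT added", RULES_NET_TO_FW_SMTP)):
        print(f"{name}: tcp/25 from net to fw ->", decide(text, "net", "fw", "tcp", 25))
```

Running the block prints the verdict for a tcp/25 connection from net to fw under each rules file: with the first post's rules the DNAT line matches and the connection is forwarded to the loc range rather than to the firewall; with the second post's rules nothing matches and the 'net all DROP' policy applies, because `ACCEPT fw net` describes connections the firewall opens outward; only the hypothetical variant with SOURCE net and DEST fw reaches an ACCEPT.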
