WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] Network issues with SuSE firewall

On Mon, Nov 10 03 at  8:32:30PM +0000, Ian Pratt wrote:
> > I don't understand this - reality seems to be the opposite of what you
> > wrote.  If you flush (-F) & delete (-X) all the existing filter rules
> > & chain, then it clearly *does* interact with the current firewall.
> 
> I think Richard meant that having the -F and -X made the script
> idempotent with respect to itself.

Yes.

> I think it's more useful just to remove the two lines -- I'll
> check in a 'fix'.

This will probably break NAT. The NAT script adds rules to the filter
table which are appended to the end; these rules are required to allow
the traffic to be forwarded. If a firewall script runs first, then they
will be added after the firewall's rules; many firewalls put in a
catch-all DROP or REJECT rule as the last entry (so that logging can be
done..etc rather than rely on a table policy) so this will break.

Also, the line '-t filter -P FORWARD DROP' changes the default policy
for the FORWARD table, which may also interact with a firewall.

If the firewall only touches the INPUT table you shouldn't have a
problem. You still want to flush the FORWARD table on running this
script, however; Ian: substitute '-t filter -F' for '-t filter -F
FORWARD' and remove '-t filter -X'.

Any firewall which touches the FORWARD table is liable to either break,
or break NAT. If you want to be able to use an existing firewall with
NAT and be assured of it definitely working, you need to write the NAT
rules yourself.

If you need documentation on how to do NAT, the NAT HOWTO at
www.netfilter.org is very informative and covers how to set up firewall
rules to play nicely with NAT.

-- 
Torne Wuff
torne@xxxxxxxxxxxxxxxx
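The failure mode Torne describes above (a NAT script appending its forwarding ACCEPT rules to FORWARD behind a firewall's catch-all DROP or REJECT, so the forwarded traffic never reaches them) can be checked for from an `iptables -S FORWARD` listing. This is an added example, not code from the thread or from the Xen NAT script; the two rule listings, the interface name eth0 and the subnet 10.0.0.0/24 are constructed sample data.

```shell
#!/bin/sh
# Added example: detect NAT forwarding rules shadowed by a catch-all
# DROP/REJECT earlier in the FORWARD chain (constructed samples, not real hosts).

# Constructed `iptables -S FORWARD` output: firewall script ran first, the NAT
# script then appended (-A) its ACCEPT rules after the firewall's final DROP.
SAMPLE_BROKEN='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
-A FORWARD -j DROP
-A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -i eth0 -j ACCEPT'

# Constructed listing where the NAT ACCEPT rules precede the catch-all DROP.
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -s 10.0.0.0/24 -o eth0 -j ACCEPT
-A FORWARD -d 10.0.0.0/24 -i eth0 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
-A FORWARD -j DROP'

# shadowed_nat_rules LISTING NET
# Prints one line per ACCEPT rule mentioning NET that sits after a catch-all
# DROP/REJECT (a rule with no -s/-d/-i/-o match). Exit 0 if none, 1 otherwise.
shadowed_nat_rules() {
    printf '%s\n' "$1" | awk -v net="$2" '
        /^-A FORWARD / { n++ }
        /^-A FORWARD / && !/ -[sdio] / && / -j (DROP|REJECT)/ { catchall = n }
        /^-A FORWARD / && index($0, net) && / -j ACCEPT/ && catchall {
            print "rule " n " for " net " is shadowed by catch-all rule " catchall
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run: report on both constructed listings.
echo "checking broken ordering:"
shadowed_nat_rules "$SAMPLE_BROKEN" 10.0.0.0/24 || echo "NAT will not work"
echo "checking fixed ordering:"
shadowed_nat_rules "$SAMPLE_OK" 10.0.0.0/24 && echo "NAT rules are reachable"
```

On a live host, feed the function the real listing with `shadowed_nat_rules "$(iptables -S FORWARD)" 10.0.0.0/24`; a non-zero exit means the firewall's catch-all rule precedes the NAT rules and the chain ordering needs fixing as the message suggests.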

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel