Xen3 yet another Virtual Network Concept

From openSUSE

Introduction

Since one of the main aims of XEN is to be hardware independent, I thought about a networking concept that is also as hardware independent as possible and flexible enough to implement different network topologies and scenarios. Everything (the dom0 host and all guest domUs) was done with the packages that came with the SuSE 10.1 remastered 32-bit DVD (not patched or updated).

The base for this howto is the brouter setup presented at [1], with some slight modifications that allow:

  • Installing and running multiple separated virtual LANs (they can also be routed to each other if needed), e.g. domu1 and domu2 in the home net1 and domu3 in the dmz net2, by installing multiple xenbrs. You can virtualise multiple separated network environments with only one nic in your box, so there is no need for more nics. This is done by a new script, network-virtual, which calls all the network-virtual-x scripts that create the xenbrs.
  • Hardened network security by removing the routing that comes with the default brouter script, so that domains installed in parallel are not automatically routed to each other or to dom0. Routing must now be done explicitly through iptables. That is important, since you might want a virtual internal LAN and a virtual dmz LAN that should not be connected to each other: the installed virtual networks are isolated by default. This is done by the script network-virtual-x, one copy per virtual net (network-virtual-1 for the net of domu1, and so on). The original of this script was taken from [2].
  • In this concept dom0 has to act as the router to the outside world, and it is the only domain connected to the physical eths, so routing the virtual nets' traffic from and to the outside world must be done by dom0. If dom0 gets compromised, all other domUs are compromised as well; I think this is the main weakness of the concept. So my advice: don't run any services inside dom0 except xend, the firewall and routing. I will show some examples of how to do the routing with the SuSEfirewall2 script, and I will also show an iptables -L output for my network topology, so you can see how it should look if you use other tools to set up iptables.
  • Fixed some small errors in the original virtual-net script from [3] and renamed it to network-virtual-x.
  • Since the original auto-start scripts that come with XEN3 don't work properly, I used the auto-start scripts from [4] to start the domUs automatically, added comments on how to use them and modified them slightly for compatibility with the SuSE file structure. This is done by the two scripts domulist and xen-all-dom.


Image 1: The principle of the concept, which is also my real network topology

Image:Vnet6.png

Requirements

A PC with at least one nic, SuSE 10.1 remastered and XEN installed, and enough RAM.

Tips on installing and running domu’s

The YAST installation problem.

After installing SuSE 10.1 with XEN and booting the XEN kernel, start YAST2 xen, add a virtual machine and choose to install with the (system run installation program) option. Now choose the options to customize your domU, check that the SuSE 10.1 remastered DVD is in your DVD drive and start the installation. Note that while installing the domU within YAST, the installation will stop at the point where linuxrc tells you (Could not find the SUSE Linux Installation Source. Activating manual setup program). Continue and select the language, then choose the keyboard layout, continue with (Installation / start system), then continue with (Installation / update start), choose (hard drive); now it asks for the partition (try hdb, and depending on your hardware configuration and your DVD-ROM drive maybe also hdd, hdc, ...), then it asks for the source directory (leave it blank), and the installation continues in text mode.

Some hints about virtual and real file systems, i.e. disk images and real hard drives.

Resizing disk images. As I decided to use virtual disk images to install my domUs, I thought about how to resize them if I need more disk space. You can do that with the YAST disk management. But what if you have a 4GB image file with a 1GB swap and a 3GB root partition in it and now want to increase the root partition? Here is a workaround. In this example I add 1GB to my image file imagefile-virtual-hd-domu2. Before I start, I make a copy of the image file, which I call imagefile-virtual-hd-domu2-copy. Now I change to the directory and start resizing:

dd if=/dev/zero bs=1024 count=1000000 >>  imagefile-virtual-hd-domu2

Now I have appended zero bytes to my image, but it is still not possible to resize it while the system is running from its root partition. So I attach the file to a domU as if it were a new disk drive, boot from imagefile-virtual-hd-domu2-copy and resize imagefile-virtual-hd-domu2 with YAST. The disk line in the domU's configuration file /etc/xen/vm/domu2 should then look like this:

disk = [ 'file:/dir1/dir2/imagefile-virtual-hd-domu2-copy,hda,w', 'phy:/dev/hdd,hdb,r', 'file:/dir1/dir2/imagefile-virtual-hd-domu2,hdc,w' ]

You can now see imagefile-virtual-hd-domu2 as hdc in YAST and can resize it.

You can also map a physical partition of dom0 to use it as a further disk drive in domu2. Let's assume you want access from domu2 to a physical ext3 partition (say sda5) in dom0 with tons of mp3's (for example to share them via samba running in domu2 with your friends who are connected via vpn to the home1 LAN). This looks like this:

disk = [ 'file:/dir1/dir2/imagefile-virtual-hd-domu2,hda,w', 'phy:/dev/hdd,hdb,r', 'phy:/dev/sda5,hdc,r' ]

And in domu2 you can mount it like:

mount -t ext3 /dev/hdc /my/mount/point

You can share data between different domUs this way. BUT BE AWARE: NEVER WRITE TO IT FROM TWO DIFFERENT DOMAINS AT THE SAME TIME, OR YOU WILL END UP WITH A CORRUPT FILE SYSTEM. This is why I use the read-only directive (r) in the example above.

The domUs' auto-start problem.

Note that when you use the default auto-start script of XEN3 (xendomains) you will run into the problem that the domUs do not start reliably. So I took the scripts from http://de.xen-forum.net/wiki/index.php/XenDomUStartscript and modified them slightly. There are two scripts, xen-all-dom and domulist. The xen-all-dom script starts the domUs by reading the domulist script, which contains the list of domUs that you want to start automatically. First disable the xendomains auto-start script that comes with XEN by default, i.e. unregister it from the runlevels. Then copy the xen-all-dom script into your init.d directory and insert it into your runlevels. This is the content of the xen-all-dom script:


#!/bin/bash
#
# xen-all-dom   Starts and stops secondary Xen domains
#
# chkconfig: 35 99 00
# description: Starts and stops secondary Xen domains
#
### BEGIN INIT INFO
# Provides:          xen-all-dom
# Required-Start:    $syslog $remote_fs xend
# Should-Start:
# Required-Stop:     $syslog $remote_fs xend
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 4 6
# Short-Description: Starts and stops secondary Xen domains
# Description:       Starts and stops secondary Xen domains automatically
#                    when domain 0 starts and stops.
### END INIT INFO
set -e
DESC="all XEN Domains"
DOMULIST="domulist"
NAME="xen-all-dom"
SCRIPTNAME=/etc/init.d/$NAME

# The list of domains to start is read from /etc/xen/auto/domulist,
# which sets the DOMAINS variable.
if [ -r /etc/xen/auto/$DOMULIST ]
then
    source /etc/xen/auto/$DOMULIST
else
    # "No configuration file found in /etc/xen/auto. Aborting!"
    echo "Keine Konfigurationsdatei in /etc/xen/auto gefunden. Abbruch!"
    exit 1
fi

d_start() {
    echo
    for i in $DOMAINS; do
        xm create $i
        # Give each guest time to come up before the next one is started.
        sleep 60
    done
}

d_stop() {
    echo
    # IDs of all running guests: every row of `xm list` except the header
    # and Domain-0 (ID 0). The whole second column is used, so IDs with two
    # or more digits are handled correctly (the original `cut -b 36` only
    # looked at a single character of the ID).
    LISTE=$(xm list | awk 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 > 0 { print $2 }')
    for i in $LISTE; do
        xm shutdown $i
        echo "shutdown domain $i"
        # Give the guest time to shut down cleanly before the next one.
        sleep 50
    done
}

d_reload() {
    d_stop
    d_start
}

case "$1" in
    start)
        echo -n "Starting $DESC: $NAME"
        d_start
        echo "... done"
        ;;
    stop)
        echo -n "Stopping $DESC: $NAME"
        d_stop
        echo "... done"
        ;;
    restart)
        echo -n "Restarting $DESC: $NAME"
        d_stop
        sleep 1
        d_start
        echo "... done"
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|restart}" >&2
        exit 1
        ;;
esac
exit 0


Now copy the domulist script into /etc/xen/auto, edit it and add the domUs that you want to be started automatically, like this:


# Place this script in the /etc/xen/auto dir.
# Put your domU's (name of the config files of your domU's) in
# the DOMAINS variable.
# For example if your first domU's config file is named vm1
# and the second is named vm2,
# then it should look like this ... DOMAINS="vm1 vm2"
DOMAINS="domu1 domu2"


That's all about the auto start of the domUs!

For a better understanding, see also the configuration of my two domUs, domu1 and domu2. In XEN3 the domU configuration files are located in /etc/xen/vm.
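As an added example (not from the howto or the forum it credits), here is a more robust way to handle the `xm list` output in the stop path of the script above: it reads the whole ID column instead of one byte at position 36, and it polls for a domain to disappear instead of sleeping a fixed 50 seconds. The XM hook and the sample listing are constructed so the functions can be exercised offline.

```shell
# Added example, not part of the original howto.
# XM is a hypothetical hook: point it at a stub to test without a hypervisor.
XM=${XM:-xm}

# Constructed sample of `xm list` output (header, Domain-0 and two guests).
SAMPLE_XM_LIST='Name                              ID Mem(MiB) VCPUs State   Time(s)
Domain-0                           0      512     1 r-----    123.4
domu1                              1      512     1 -b----     45.6
domu2                             12      512     1 -b----      7.8'

sample_list() { printf '%s\n' "$SAMPLE_XM_LIST"; }
header_only() { printf 'Name ID Mem(MiB) VCPUs State Time(s)\n'; }

# running_domids: read `xm list` output on stdin and print the IDs of all
# guests (every row except the header and Domain-0), one per line.
running_domids() {
    awk 'NR > 1 && $2 ~ /^[0-9]+$/ && $2 > 0 { print $2 }'
}

# domid_of NAME: read `xm list` output on stdin and print the ID of the guest
# called NAME (nothing if it is not running).
domid_of() {
    awk -v name="$1" 'NR > 1 && $1 == name { print $2 }'
}

# wait_gone ID LIST_CMD TIMEOUT: run LIST_CMD once per second until domain ID
# is no longer listed. Returns 0 when it is gone, 1 when TIMEOUT seconds pass.
wait_gone() {
    id=$1; list_cmd=$2; timeout=$3; waited=0
    while $list_cmd | running_domids | grep -qx "$id"; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# shutdown_all TIMEOUT: ask every running guest to shut down, wait up to
# TIMEOUT seconds for each, and destroy those that did not go away in time.
shutdown_all() {
    timeout=${1:-50}
    for id in $("$XM" list | running_domids); do
        "$XM" shutdown "$id"
        if wait_gone "$id" "$XM list" "$timeout"; then
            echo "domain $id shut down"
        else
            echo "domain $id did not stop in ${timeout}s, destroying it" >&2
            "$XM" destroy "$id"
        fi
    done
}
```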

This is my domu1 config file:


disk = [ 'file:/mount-domu1-big/hda-vm1-big,hda,w', 'phy:/dev/hdd,hdb,r', 'phy:/dev/hda3,hdc,w' ]
memory = 512
vcpus = 1
builder = 'linux'
name = 'domu1'
vif = [ 'mac=00:16:3e:c7:bb:c7,bridge=xenbr1' ]
localtime = 1
on_poweroff = 'destroy'
on_reboot = 'destroy'
on_crash = 'destroy'
extra = ' TERM=xterm'
bootloader = '/usr/lib/xen/boot/domUloader.py'
bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'


This is my domu2 config file:


disk = [ 'file:/mount-vm/hda-domu2,hda,w', 'phy:/dev/hdd,hdb,r' ]
memory = 512
vcpus = 1
builder = 'linux'
name = 'domu2'
vif = [ 'mac=00:16:3e:70:02:01,bridge=xenbr2' ]
localtime = 1
on_poweroff = 'destroy'
on_reboot = 'destroy'
on_crash = 'destroy'
extra = ' TERM=xterm'
bootloader = '/usr/lib/xen/boot/domUloader.py'
bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'

Networking and the virtual net

And now to the networking and topology part. To create more than one xenbr, i.e. virtual net, you have to call a separate script for each bridge. I tried to call the xenbr scripts from within the xend-config.sxp config file but could not get it to work. So I wrote a wrapper script, as recommended in the XEN3 networking manual. It is a little script in which the xenbr scripts (network-virtual-1, network-virtual-2, ... etc.) are listed. I call it network-virtual and it looks like this:


#!/bin/sh
#
# For every new virtual net, i.e. xenbr, add a line of the form
#     "$dir/network-virtual-x" "$@" vifnum=x
# where x stands for the number of the new virtual net, i.e. xenbr.
#
dir=$(dirname "$0")
"$dir/network-virtual-1" "$@" vifnum=1
"$dir/network-virtual-2" "$@" vifnum=2
exit

Place this script in /etc/xen/scripts and add an entry for it in xend-config.sxp. Just change the line in your xend-config.sxp from

(network-script network-bridge)

into

(network-script network-virtual)

and leave the rest at the defaults. In the above example it calls the two xenbr scripts network-virtual-1 and network-virtual-2 that I need for my two domUs. Now let's take a look at the script that creates the xenbr. I call it network-virtual-x, where the x stands for the number of the bridge, i.e. the virtual net, that it creates. The script was originally taken from [5]. After my modifications it looks like this:


#!/bin/sh
#
# network-virtual-x: Xen network start/stop script for one virtual net.
# Xend calls a network script when it starts.
# The script name to use is defined in /etc/xen/xend-config.sxp
# in the network-script field (here the network-virtual wrapper, which
# calls one copy of this script per bridge).
#
# This script creates a bridge (default xenbr${vifnum}) and gives it an IP
# address. Then it starts the SuSEfirewall2, which should have the bridge
# device in the zone you want it.
#
# If all goes well, this should ensure that networking stays up.
# However, some configurations are upset by this, especially
# NFS roots. If the bridged setup does not meet your needs,
# configure a different script, for example using routing instead.
#
# Usage:
#
# network-virtual-x (start|stop|status) {VAR=VAL}*
#
# Vars:
#
# bridgeip   Holds the ip address the bridge should have in the
#            form ip/mask (10.0.0.1/24).
# brnet      Holds the network of the bridge (10.0.0.0/24).
#
# vifnum     Virtual device number to use (default 1). Numbers >=8
#            require the netback driver to have nloopbacks set to a
#            higher value than its default of 8.
# bridge     The bridge to use (default xenbr${vifnum}).
# antispoof  "yes" to call an antispoofing function (default no). This
#            script does not define one; only enable it if you provide it.
#
# start:
# Creates the bridge
# Gives it the IP address and netmask
# Starts SuSEfirewall2
#
# stop:
# Removes the address from the bridge
# Removes any devices on the bridge from it.
# Deletes bridge
# Restarts SuSEfirewall2
#
# status:
# Print addresses, interfaces, routes
#
dir=$(dirname "$0")
. "$dir/xen-script-common.sh"
. "$dir/xen-network-common.sh"

findCommand "$@"
evalVariables "$@"

vifnum=${vifnum:-1}
bridgeip=${bridgeip:-192.168.50.1/24}
brnet=${brnet:-192.168.50.0/24}
netmask=${netmask:-255.255.255.0}
bridge=${bridge:-xenbr${vifnum}}
antispoof=${antispoof:-no}

##
# link_exists interface
#
# Returns 0 if the interface named exists (whether up or down), 1 otherwise.
#
link_exists()
{
    if ip link show "$1" >/dev/null 2>/dev/null
    then
        return 0
    else
        return 1
    fi
}

# Usage: create_bridge bridge
create_bridge () {
    local bridge=$1

    # Don't create the bridge if it already exists.
    if [ ! -d "/sys/class/net/${bridge}/bridge" ]; then
        brctl addbr ${bridge}
        brctl stp ${bridge} off
        brctl setfd ${bridge} 0
    fi
    ip link set ${bridge} up
}

# Usage: add_to_bridge bridge dev
add_to_bridge () {
    local bridge=$1
    local dev=$2

    # Don't add $dev to $bridge if it's already on a bridge.
    if ! brctl show | grep -wq ${dev} ; then
        brctl addif ${bridge} ${dev}
    fi
}

# Usage: remove_ports bridge
# Detaches every interface that is still attached to the bridge.
remove_ports () {
    local bridge=$1
    local dev

    for dev in $(ls "/sys/class/net/${bridge}/brif" 2>/dev/null); do
        brctl delif ${bridge} ${dev}
    done
}

# Usage: show_status bridge
# Print addresses, bridge members and routes.
show_status () {
    local bridge=$1

    echo '============================================================'
    ip addr show ${bridge}
    echo ' '
    brctl show ${bridge}
    echo ' '
    ip route list
    echo ' '
    route -n
    echo '============================================================'
}

op_start () {
    if [ "${bridge}" = "null" ] ; then
        return
    fi

    create_bridge ${bridge}

    if link_exists "$bridge"; then
        ip address add dev $bridge $bridgeip
        ip link set ${bridge} up arp on
        # The explicit route of the original brouter script is left out on
        # purpose (see the introduction). Note that the kernel still adds the
        # connected route for $brnet when the address above is assigned, so
        # what keeps the virtual nets apart is the FORWARD chain of the
        # firewall (policy DROP), not the absence of this line.
        # ip route add to $brnet dev $bridge
    fi

    if [ "${antispoof}" = yes ] ; then
        antispoofing
    fi
    rcSuSEfirewall2 start
}

op_stop () {
    if [ "${bridge}" = "null" ]; then
        return
    fi
    if ! link_exists "$bridge"; then
        return
    fi

    # ip route del to $brnet dev $bridge
    ip link set ${bridge} down arp off
    ip address del dev $bridge $bridgeip
    # Disconnect the interfaces from the bridge before deleting it.
    remove_ports ${bridge}
    brctl delbr ${bridge}
    # Rebuild the firewall rules now that the bridge device is gone.
    rcSuSEfirewall2 start
}

case "$command" in
    start)
        op_start
        ;;
    stop)
        op_stop
        ;;
    status)
        show_status ${bridge}
        ;;
    *)
        echo "Unknown command: $command" >&2
        echo 'Valid commands are: start, stop, status' >&2
        exit 1
esac


All you have to set up here are the parameters:

vifnum=${vifnum:-1}
bridgeip=${bridgeip:-192.168.50.1/24}
brnet=${brnet:-192.168.50.0/24}
netmask=${netmask:-255.255.255.0}

This creates xenbr1 with the IP 192.168.50.1/24, which means it creates a virtual net (192.168.50.0/24, the brnet parameter) to which you can attach one or more domUs; in my case it is domu1. Note that I have commented out the lines ip route add to $brnet dev $bridge and ip route del to $brnet dev $bridge to remove the routing, as explained in the introduction; what may pass between the nets is now decided by iptables, so we have to set up the routing there. You have to place this script and any further network-virtual-x scripts for further xenbrs, i.e. virtual nets, in /etc/xen/scripts! Also take a look at how I have connected my domUs to the bridges in the vif directive, line 6 of my domu1 and domu2 configuration files. You can attach several domUs, i.e. virtual machines, to one bridge this way, just like connecting several machines to one net.
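Since the isolation between the virtual nets rests on the iptables FORWARD chain, here is an added check (my code, not part of the howto) that audits an `iptables -L` listing like the one shown further down: it reads the FORWARD policy and reports every ACCEPT rule that lets one virtual net open connections into the other. It assumes both nets are /24s and the plain `iptables -L` (or `-L -n`) column layout. On the listing from this page it reports the home1 rule, because `anywhere` also covers 192.168.50.0/24 (that is what FW_FORWARD="192.168.40.0/24,0/0" asks for), and it confirms that no rule permits the reverse direction, dmz1 into home1.

```shell
# Added example, not part of the original howto.
DMZ_NET=192.168.50.0/24
HOME_NET=192.168.40.0/24

# forward_policy LISTING: print the default policy of the FORWARD chain.
forward_policy() {
    printf '%s\n' "$1" | awk '/^Chain FORWARD / { gsub(/[()]/, "", $4); print $4 }'
}

# cross_net_permits LISTING: print every ACCEPT rule whose source lies inside
# one virtual net and whose destination covers the other (a host or net in
# it, or "anywhere"). Rules that only pass RELATED,ESTABLISHED traffic cannot
# open a connection and are skipped. Exit status is 1 when at least one rule
# was printed, 0 otherwise, so the function doubles as a test.
cross_net_permits() {
    printf '%s\n' "$1" | awk -v dmz="$DMZ_NET" -v home="$HOME_NET" '
        function net3(a,    p) { split(a, p, "."); return p[1] "." p[2] "." p[3] }
        function any(a)        { return a == "anywhere" || a == "0.0.0.0/0" }
        function inside(a, n)  { return !any(a) && net3(a) == net3(n) }
        function covers(a, n)  { return any(a) || net3(a) == net3(n) }
        /^Chain / { chain = $2; next }
        $1 == "ACCEPT" {
            if ($0 ~ /RELATED,ESTABLISHED/ && $0 !~ /NEW/) next
            if ((inside($4, dmz) && covers($5, home)) ||
                (inside($4, home) && covers($5, dmz))) {
                print chain ": " $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed excerpt of the `iptables -L` output shown on this page.
SAMPLE_LISTING='Chain FORWARD (policy DROP)
target     prot opt source               destination
forward_dmz1  all  --  anywhere             anywhere
forward_home1  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain forward_dmz1 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:http
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain forward_home1 (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             192.168.40.10       udp dpt:openvpn
DROP       all  --  anywhere             anywhere'

# The same listing with the home1 forward narrowed to the router net only
# (constructed variant: this is not what the SuSEfirewall2 config above does).
STRICT_LISTING=$(printf '%s\n' "$SAMPLE_LISTING" |
    sed 's|\(192\.168\.40\.0/24 *\)anywhere|\1192.168.200.0/24|')
```

To run it against a live dom0, pass the output of `iptables -L -n` as the argument, e.g. `cross_net_permits "$(iptables -L -n)"`.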

Networking the routing and the firewalling

What you see here is the SuSEfirewall2 configuration of my dom0, which acts as the router. I also included some output of my iptables, bridges and routes. But first take a look at the topology for a better understanding.

  • My dom0 server, with the external physical eth0 at IP 192.168.200.15, sits behind a small router (internal IP 192.168.200.1) that is connected to the internet. If you are directly connected to the internet, for example via dsl, then eth0 would be dsl0 instead.
  • I have defined two zones in my firewall for the two virtual LANs, namely zone dmz1 (192.168.50.0/24) and zone home1 (192.168.40.0/24).
  • I have an openvpn server (udp 1194) running on domu2 (192.168.40.10) in my home1 LAN (192.168.40.0/24). Trusted clients from the internet (outside) should be able to connect to the openvpn server, so I have to forward requests coming from outside.
  • I also have a DMZ server, domu1 (192.168.50.10), in the zone dmz1 LAN (192.168.50.0/24) that runs apache, so I have to forward http and https requests from the internet (outside) to it.
  • Note that domu1 and domu2 are not connected to each other: traffic from domu1 (the DMZ server) will never reach home1 (domu2).
  • My internal LAN clients should have access to the internet, so I have to nat and masquerade their traffic.

And here is the SuSEfirewall2 configuration (I did not post the default comments of the SuSEfirewall2 file, because they are the same as in yours):

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
#FW_MASQ_NETS="0/0"
# I masquerade here the home1 net to allow access to internet.
FW_MASQ_NETS="192.168.40.0/24"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="22"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
# Here I route the home1 net to the internet, i.e. allow access to the internet.
FW_FORWARD="192.168.40.0/24,0/0"
# To make my apache server in my dmz net and also my vpn server
# in my home1 net reachable from the internet.
FW_FORWARD_MASQ="0/0,192.168.50.10,tcp,80 0/0,192.168.50.10,tcp,443 0/0,192.168.40.10,udp,1194"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
# Here I defined the zones for my two virtual nets,
# dmz net (domu1) and home1 net (domu2)
FW_ZONES="dmz1 home1"
# This is the zone of my dmz net (domu1)
FW_DEV_dmz1="xenbr1"
FW_SERVICES_dmz1_TCP=""
FW_SERVICES_dmz1_UDP=""
FW_SERVICES_dmz1_IP=""
FW_SERVICES_dmz1_RPC=""
FW_SERVICES_DROP_dmz1=""
FW_SERVICES_REJECT_dmz1="0/0,tcp,113"
FW_SERVICES_ACCEPT_dmz1=""
FW_ALLOW_PING_dmz1="no"
FW_ALLOW_FW_BROADCAST_dmz1="no"
FW_IGNORE_FW_BROADCAST_dmz1="no"
# This is the zone of my home1 net (domu2)
FW_DEV_home1="xenbr2"
FW_SERVICES_home1_TCP=""
FW_SERVICES_home1_UDP=""
FW_SERVICES_home1_IP=""
FW_SERVICES_home1_RPC=""
FW_SERVICES_DROP_home1=""
FW_SERVICES_REJECT_home1="0/0,tcp,113"
FW_SERVICES_ACCEPT_home1=""
FW_ALLOW_PING_home1="no"
FW_ALLOW_FW_BROADCAST_home1="no"
FW_IGNORE_FW_BROADCAST_home1="no"
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
FW_FORWARD_ALWAYS_INOUT_DEV=""

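For readers who set up iptables with other tools, here is an added translation (my code, not SuSEfirewall2's) of the FW_FORWARD_MASQ value above into plain iptables commands: one DNAT rule in nat/PREROUTING and one FORWARD accept per "src,dst,proto,port" entry. It is equivalent in intent, not a copy of SuSEfirewall2's exact rules, and it leaves the generic RELATED,ESTABLISHED accept and the MASQUERADE rule to the rest of your ruleset.

```shell
# Added example, not part of the original howto or of SuSEfirewall2.

# gen_forward_masq_rules EXT_DEV ENTRIES: print the iptables commands for a
# FW_FORWARD_MASQ value. Returns 1 (after reporting the entry on stderr) at
# the first malformed entry: fewer than four fields or a non-numeric port.
gen_forward_masq_rules() {
    ext_dev=$1
    for entry in $2; do
        # Split "src,dst,proto,port[,...]" on commas; IFS is only changed for read.
        IFS=, read -r src dst proto port extra <<EOF
$entry
EOF
        case "$port" in
            ''|*[!0-9]*)
                echo "gen_forward_masq_rules: bad entry '$entry'" >&2
                return 1 ;;
        esac
        [ -n "$src" ] && [ -n "$dst" ] && [ -n "$proto" ] || {
            echo "gen_forward_masq_rules: bad entry '$entry'" >&2
            return 1
        }
        # 0/0 means "from anywhere", so no -s match is emitted for it.
        case "$src" in
            0/0|0.0.0.0/0) src_match= ;;
            *)             src_match=" -s $src" ;;
        esac
        # Rewrite the destination on the external interface ...
        printf 'iptables -t nat -A PREROUTING -i %s%s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$ext_dev" "$src_match" "$proto" "$port" "$dst" "$port"
        # ... and let the rewritten packet pass the FORWARD chain (policy DROP).
        printf 'iptables -A FORWARD -i %s%s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$ext_dev" "$src_match" "$proto" "$dst" "$port"
    done
}

# The value from the SuSEfirewall2 configuration above, with eth0 as FW_DEV_EXT.
FW_FORWARD_MASQ="0/0,192.168.50.10,tcp,80 0/0,192.168.50.10,tcp,443 0/0,192.168.40.10,udp,1194"
gen_forward_masq_rules eth0 "$FW_FORWARD_MASQ"
```

Review the printed commands before piping them into a shell.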

Here is the output of my iptables as generated by the SuSEfirewall2 script (iptables -L).


Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_int  all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
input_dmz1  all  --  anywhere             anywhere
input_home1  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix  `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere
#
Chain FORWARD (policy DROP)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int  all  --  anywhere             anywhere
forward_ext  all  --  anywhere             anywhere
forward_dmz1  all  --  anywhere             anywhere
forward_home1  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix  `SFW2-FWD-ILL-ROUTING '
DROP       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif1.0
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif2.0
#
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' 
#
Chain forward_dmz1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        all  --  192.168.40.0/24      anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz1-ACC-FORW '
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz1-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:http
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:https state NEW LOG level warning tcp-options ip-options  prefix `SFW2-FWDdmz1-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:https
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        udp  --  anywhere             192.168.40.10       limit: avg 3/min burst 5 udp dpt:openvpn state NEW LOG level warning tcp-options  ip-options prefix `SFW2-FWDdmz1-ACC-REVMASQ '
ACCEPT     udp  --  anywhere             192.168.40.10       udp dpt:openvpn
ACCEPT     udp  --  192.168.40.10        anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options  prefix `SFW2-FWDdmz1-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options  ip-options prefix `SFW2-FWDdmz1-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz1-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz1-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDdmz1-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain forward_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        all  --  192.168.40.0/24      anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix  `SFW2-FWDext-ACC-FORW '
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options ip-options  prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:http
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:https state NEW LOG level warning tcp-options ip-options  prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:https
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        udp  --  anywhere             192.168.40.10       limit: avg 3/min burst 5 udp dpt:openvpn state NEW LOG level warning tcp-options  ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT     udp  --  anywhere             192.168.40.10       udp dpt:openvpn
ACCEPT     udp  --  192.168.40.10        anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options  prefix `SFW2-FWDext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options  ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain forward_home1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        all  --  192.168.40.0/24      anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDhome1-ACC-FORW '
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options ip-options  prefix `SFW2-FWDhome1-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:http
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:https state NEW LOG level warning tcp-options ip-options  prefix `SFW2-FWDhome1-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:https
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        udp  --  anywhere             192.168.40.10       limit: avg 3/min burst 5 udp dpt:openvpn state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDhome1-ACC-REVMASQ '
ACCEPT     udp  --  anywhere             192.168.40.10       udp dpt:openvpn
ACCEPT     udp  --  192.168.40.10        anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-FWDhome1-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options  ip-options prefix `SFW2-FWDhome1-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDhome1-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDhome1-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDhome1-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        all  --  192.168.40.0/24      anywhere            limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-FORW '
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:http state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:http
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        tcp  --  anywhere             192.168.50.10       limit: avg 3/min burst 5 tcp dpt:https state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:https
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
LOG        udp  --  anywhere             192.168.40.10       limit: avg 3/min burst 5 udp dpt:openvpn state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDint-ACC-REVMASQ '
ACCEPT     udp  --  anywhere             192.168.40.10       udp dpt:openvpn
ACCEPT     udp  --  192.168.40.10        anywhere            state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix  `SFW2-FWDint-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain input_dmz1 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options  prefix `SFW2-INdmz1-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options  ip-options prefix `SFW2-INdmz1-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INdmz1-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INdmz1-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INdmz1-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain input_home1 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INhome1-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INhome1-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INhome1-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INhome1-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INhome1-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain input_int (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning  tcp-options ip-options prefix `SFW2-INint-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options  prefix `SFW2-INint-DROP-DEFLT '
DROP       all  --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options  ip-options prefix `SFW2-INint-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere
#
Chain reject_func (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
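The listing above is easy to misread by eye, because the rules that actually open a connection are not only the ones saying state NEW: an ACCEPT rule with no state match at all (for example the REVMASQ rule for tcp dpt:http) accepts NEW packets as well, and anywhere ( 0.0.0.0/0 with iptables -L -n ) matches every address. The following sh/awk script, added here as an example and not part of the original howto, reads a saved iptables -L listing and answers, per chain, which source can open new connections to which destination. It compares source and destination as the literal tokens iptables prints (only the wildcard is understood, there is no CIDR containment check), so query with the exact network or host shown in the listing. The sample listing is a constructed, trimmed copy of the forward_home1 and forward_int chains above.

```shell
#!/bin/sh
# Audit a saved "iptables -L" (or "iptables -L -n") listing: which rules of a
# chain can open a NEW connection, and can a given source open one to a given
# destination?  Two things are easy to overlook by eye:
#   - a rule with no "state" match accepts NEW packets too;
#   - "anywhere" (0.0.0.0/0 with -n) matches every address.
# Usage on a live system:
#   iptables -L | can_initiate forward_home1 192.168.50.0/24 192.168.40.0/24

# Constructed sample: a trimmed copy of the forward_home1/forward_int chains.
SAMPLE_LISTING='Chain forward_home1 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.168.50.10       tcp dpt:http
ACCEPT     tcp  --  192.168.50.10        anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.40.0/24      anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             192.168.40.0/24     state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
'

# new_conn_rules CHAIN  (listing on stdin)
# Prints "proto source -> destination" for every ACCEPT rule of CHAIN that can
# match a NEW packet: either "state ...NEW..." or no state match at all.
new_conn_rules() {
    awk -v chain="$1" '
        /^Chain / { inchain = ($2 == chain); next }
        !inchain || NF == 0 || $1 == "target" { next }
        $1 == "ACCEPT" {
            opens = 1
            for (i = 6; i <= NF; i++)
                if ($i == "state" && index($(i + 1), "NEW") == 0) opens = 0
            if (opens) print $2, $4, "->", $5
        }'
}

# can_initiate CHAIN SRC DST  (listing on stdin)
# Exit 0 if some NEW-accepting rule of CHAIN matches SRC -> DST, else 1.
# SRC/DST are the literal tokens iptables printed; no CIDR containment.
can_initiate() {
    new_conn_rules "$1" | awk -v src="$2" -v dst="$3" '
        function any(a) { return a == "anywhere" || a == "0.0.0.0/0" }
        ($2 == src || any($2)) && ($4 == dst || any($4)) { found = 1 }
        END { exit !found }'
}

# Demo against the sample: the home net may open connections towards the
# web server, the DMZ net may not open any towards the home net.
for q in "forward_home1 192.168.40.0/24 192.168.50.10" \
         "forward_home1 192.168.50.0/24 192.168.40.0/24"; do
    set -- $q
    if printf '%s\n' "$SAMPLE_LISTING" | can_initiate "$1" "$2" "$3"; then
        echo "$1: $2 CAN open new connections to $3"
    else
        echo "$1: $2 cannot open new connections to $3"
    fi
done
```

Run it against a dump taken with iptables -L -n rather than the name-resolved form when you can: the tokens are then stable addresses and port numbers, and the script treats 0.0.0.0/0 and anywhere alike.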


Here is the network configuration of dom0 as reported by ifconfig. eth0 and eth1 are the physical NICs and belong to dom0 alone; the guests attach via vif1.0 and vif2.0 to the bridges xenbr1 and xenbr2, on which dom0 holds the addresses 192.168.50.1 and 192.168.40.1 and from which it routes the guests' traffic. eth1 has no link at the time of the listing (no RUNNING flag, no traffic).


eth0      Link encap:Ethernet  HWaddr 00:01:36:0D:CD:C6
          inet addr:192.168.200.15  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::201:36ff:fe0d:cdc6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:569 errors:0 dropped:0 overruns:0 frame:0
          TX packets:226 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:162016 (158.2 Kb)  TX bytes:18880 (18.4 Kb)
          Interrupt:19
#
eth1      Link encap:Ethernet  HWaddr 00:50:8D:F9:BC:00
          inet addr:192.168.10.11  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:18 Base address:0xc000
#
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:72 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4664 (4.5 Kb)  TX bytes:4664 (4.5 Kb)
#
vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:14 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1706 (1.6 Kb)  TX bytes:2172 (2.1 Kb)
#
vif2.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:12 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2580 (2.5 Kb)  TX bytes:646 (646.0 b)
#
xenbr1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:192.168.50.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1440 (1.4 Kb)  TX bytes:6024 (5.8 Kb)
#
xenbr2    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:192.168.40.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2160 (2.1 Kb)  TX bytes:5461 (5.3 Kb)


This is what the routing table looks like ( route -n ): one connected route per bridge and per physical NIC, plus the default route via 192.168.200.1 on eth0. Every packet travelling between the two xenbr networks, or between a xenbr network and the outside, is routed by dom0 and therefore passes its FORWARD chain.


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 xenbr1
192.168.200.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.40.0    0.0.0.0         255.255.255.0   U     0      0        0 xenbr2
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.200.1   0.0.0.0         UG    0      0        0 eth0


Last but not least, the bridging ( brctl show ). Each bridge carries only its guest's vif; neither eth0 nor eth1 is a member of any bridge, which is what keeps the domu's off the physical network except through dom0's routing and firewall.


bridge name     bridge id               STP enabled     interfaces
xenbr1          8000.feffffffffff       no              vif1.0
xenbr2          8000.feffffffffff       no              vif2.0
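Two properties of this brctl show output carry the whole security argument: no physical NIC is enslaved to a bridge, and no domain has vifs on more than one bridge. Both are easy to check mechanically. The sh/awk script below is an added example, not part of the original howto; the sample is constructed in brctl's output format from the two bridges above plus a continuation line of the kind brctl prints for a bridge's second interface. The check for dual-homed domains would also flag a guest that you dual-home on purpose (a guest acting as a router), so treat a hit as something to explain rather than an automatic error.

```shell
#!/bin/sh
# Check the bridge topology this concept depends on, from "brctl show" output:
#   1. no physical NIC (eth*, peth*) is enslaved to a bridge, so guests reach
#      the wire only through dom0's routing and iptables;
#   2. no single domain has vifs on two bridges, which would let that guest
#      join the two "isolated" virtual LANs behind dom0's back.
# Usage on a live system:  brctl show | no_physical_nic_bridged

# Constructed sample in brctl's format, extended by a continuation line
# (brctl prints a bridge's second and further interfaces on their own lines).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
xenbr1          8000.feffffffffff       no              vif1.0
xenbr2          8000.feffffffffff       no              vif2.0
                                                        vif3.0
'

# bridge_members  (brctl show on stdin): prints "bridge interface" per member.
bridge_members() {
    awk '
        $1 == "bridge" && $2 == "name" { next }          # header line
        NF == 4 { bridge = $1; print bridge, $4; next }  # bridge + first member
        NF == 3 { bridge = $1; next }                    # bridge without members
        NF == 1 { print bridge, $1 }                     # further members
    '
}

# Exit 1, naming the offender, if a physical NIC is a bridge member.
no_physical_nic_bridged() {
    bridge_members | awk '
        $2 ~ /^p?eth[0-9]+$/ { print "physical NIC " $2 " is enslaved to " $1; bad = 1 }
        END { exit bad + 0 }'
}

# Exit 1 if one domain (vifN.*) has interfaces on more than one bridge.
# An intentionally dual-homed guest router would be flagged as well.
no_domain_on_two_bridges() {
    bridge_members | awk '
        $2 ~ /^vif[0-9]+\./ {
            dom = $2; sub(/\..*$/, "", dom)
            if ((dom in seen) && seen[dom] != $1) {
                print dom " has vifs on " seen[dom] " and " $1; bad = 1
            }
            seen[dom] = $1
        }
        END { exit bad + 0 }'
}

# Demo against the sample (both checks pass).
for check in no_physical_nic_bridged no_domain_on_two_bridges; do
    if printf '%s\n' "$SAMPLE_BRCTL" | "$check"; then
        echo "$check: ok"
    else
        echo "$check: FAILED"
    fi
done
```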

Running ntp in the domu's, i.e. adjusting network time independently of dom0

Since one of the security principles of this concept is to avoid communication between the domu's and dom0 via network services, i.e. to isolate dom0, the domu's have to set their time independently of dom0. In the default configuration of XEN3 a domu's clock follows dom0's clock internally (through the hypervisor, not via ntp), so an attempt to sync a domu with external ntp servers fails: ntp's corrections are overridden. The workaround is to set the parameter independent_wallclock, found at /proc/sys/xen/independent_wallclock inside the domu, to 1 ( echo 1 > /proc/sys/xen/independent_wallclock ). After this setting ntp works. To apply it automatically at system start, add the line echo 1 > /proc/sys/xen/independent_wallclock to the default SuSE ntp rc-script located in /etc/init.d/ntp as follows. What you see here is only a section of the original SuSE ntp rc-script:

........
### END INIT INFO
#
# First reset status of this service
. /etc/rc.status
rc_reset
#
# Make domU time independently settable from dom0.
echo 1 > /proc/sys/xen/independent_wallclock
#
# Return values acc. to LSB for all commands but status:
# 0 - success
# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g. "reload")
#
#
#
........................

A more robust way is to add the line xen.independent_wallclock = 1 to /etc/sysctl.conf. sysctl.conf is applied during early boot, before any network service of runlevels 2, 3 or 5 is started, so ntp always finds the setting in place, and it does not get lost when a package update replaces the ntp rc-script. On a kernel that has no xen sysctl tree (the same image booted on bare metal) sysctl will only report the key as unknown.
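As an added example, not from the original howto, here is a small sh script that does both steps idempotently: it sets the runtime knob and reports when the knob is missing (not a Xen domU kernel, or not running as root), and it inserts or replaces the xen.independent_wallclock line in sysctl.conf without ever duplicating it, replacing a commented-out or wrong-valued line in place. The two paths are the real ones; the variable names SYSCTL_KNOB and SYSCTL_CONF are this script's own and can be overridden from the environment so the functions can be exercised against scratch files.

```shell
#!/bin/sh
# Make a domU keep its own wall clock (so ntpd can steer it), both now and
# persistently, without duplicating lines in sysctl.conf.  The two paths are
# the real ones; the variable names are this script's own and may be
# overridden from the environment to test against scratch files.
SYSCTL_KNOB=${SYSCTL_KNOB:-/proc/sys/xen/independent_wallclock}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}

# set_wallclock_now: write 1 to the runtime knob and verify it took.
# Returns 1 when the knob cannot be written (no Xen domU kernel, or not root).
set_wallclock_now() {
    if [ ! -w "$SYSCTL_KNOB" ]; then
        echo "$SYSCTL_KNOB is not writable: not a Xen domU, or not root" >&2
        return 1
    fi
    echo 1 > "$SYSCTL_KNOB" || return 1
    [ "$(cat "$SYSCTL_KNOB")" = "1" ]
}

# persist_wallclock: make sure "xen.independent_wallclock = 1" appears exactly
# once in SYSCTL_CONF.  An existing line for the key, whether commented out or
# carrying another value, is replaced in place; otherwise the line is appended.
# Other settings are left untouched and the file's inode/permissions are kept.
persist_wallclock() {
    tmp="$SYSCTL_CONF.tmp.$$"
    [ -f "$SYSCTL_CONF" ] || : > "$SYSCTL_CONF"
    awk '
        /^[# \t]*xen\.independent_wallclock[ \t]*=/ {
            if (!done) { print "xen.independent_wallclock = 1"; done = 1 }
            next                      # drop duplicates and stale variants
        }
        { print }
        END { if (!done) print "xen.independent_wallclock = 1" }
    ' "$SYSCTL_CONF" > "$tmp" && cat "$tmp" > "$SYSCTL_CONF" && rm -f "$tmp"
}

# persisted_value: the value sysctl.conf will apply for the key, or nothing.
persisted_value() {
    awk -F= '$1 ~ /^[ \t]*xen\.independent_wallclock[ \t]*$/ {
        gsub(/[ \t]/, "", $2); print $2 }' "$SYSCTL_CONF"
}

# Apply both steps only when invoked as "sh script.sh apply"; sourcing the
# file or running it without the argument just defines the functions.
if [ "${1:-}" = "apply" ]; then
    set_wallclock_now && echo "runtime: independent_wallclock=1"
    persist_wallclock && echo "persisted: xen.independent_wallclock = $(persisted_value)"
fi
```

Run it as root inside each domU with the argument apply; the runtime step fails cleanly on a dom0 or bare-metal kernel that lacks the knob, while the sysctl.conf step is harmless there.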


That’s all and good luck.

In memory of Christian Haase, he was one of Germany’s best and dedicated Linux and OpenSource developers and a good friend of all that knew him.

Saman Behnam

Dipl. Ing. (FH)

sbehnam73@yahoo.de

That's why penguins can't fly! What doesn't fly can't crash.