Mailinglist Archive: opensuse-security (138 mails)

Xen3 and SuSEfirewall
  • From: Hamish <lists@xxxxxxxxxxx>
  • Date: Tue, 13 Dec 2005 17:14:06 +0000
  • Message-id: <200512131714.18890.lists@xxxxxxxxxxx>
I am pulling my hair out over Xen and SuSEfirewall. After messing around with
things in xen, I discovered that rather than a misconfiguration, SuSEfirewall
was causing a "dead" network. Looking in the docs, it says:

"If you use SUSEfirewall2, you'll probably want to add xenbr0, peth0,
vif0.0 and the vifX.1 [X in 1 ... N] to the list of interfaces; as
eth0 is on there, you'll probably want to add xenbr0 to the same
class as eth0. You also need to enable forwarding (FW_FORWARD="yes")
and allow forwarding of packets from xenbr0, vif0.0 and vifX.1,
possibly by inserting a custom rule into the forward_XXX chain.
For testing it's easiest to disable SuSEfirewall2, make sure that
iptables -P FORWARD ACCEPT is set."

I cannot really tell what this means, and what I should do about it. I have
added the interfaces to INTERNAL and set FW_FORWARD="yes". This seems to
conflict with the comments in the SuSEfirewall config file, which seem to
expect [sourcenet],[destnet]. I have no idea how to allow forwarding from
the different interfaces, can anyone help?

It is a strange way that the interfaces are set up, from the docs again:

"When using bridging, in domain0, the eth0 device will be renamed to peth0
and its MAC addr be set to fe:ff:ff:ff:ff:ff and ARP disabled. veth0 will
take over the old MAC address, be renamed to eth0 and be enabled (ifup'ed).
vif0.0 and peth0 are then enslaved to xenbr0.
veth0 is connected to vif0.0 behind the scenes, that's why it works."

I can get a DHCP address with the firewall up, but cannot ping or query DNS.
With the firewall down, everything works fine.

Any suggestions welcome!
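Added example, not from the original post and not from the Xen or SuSEfirewall2 documentation quoted above. The reason a default-deny SuSEfirewall2 kills a bridged Xen network is that, with the kernel's bridge-netfilter hooks active (net.bridge.bridge-nf-call-iptables=1), frames merely switched between ports of xenbr0 are also evaluated by the iptables FORWARD chain, so the "allow forwarding from xenbr0, vif0.0 and vifX.1" step is needed even when nothing is routed. The script below does two things: it checks a sysconfig-style SuSEfirewall2 file for the settings the docs ask for (the bridge listed in FW_DEV_INT or FW_DEV_EXT, FW_ROUTE="yes", and a non-empty FW_FORWARD in the "sourcenet,destnet" form the config comments expect), and it generates the ACCEPT rules a custom-rules hook would insert into the per-class forward chain. The function names, the sample configuration, the choice of xenbr0, vif0.0 and forward_int, and the use of FW_ROUTE and FW_CUSTOMRULES as the relevant SuSEfirewall2 keys are my assumptions; adjust them to the host. Rules are printed (DRYRUN=1) rather than applied unless you run it as root with DRYRUN=0.

```shell
#!/bin/sh
# Added example (not the poster's code, not SUSE's or Xen's own scripts).
# Assumed names: bridge xenbr0, dom0 side vif0.0, domU sides vif1.0 ...,
# SuSEfirewall2 chain forward_int for interfaces listed in FW_DEV_INT.

DRYRUN="${DRYRUN:-1}"   # 1 = print the iptables commands, 0 = execute them

# run CMD... : print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRYRUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Constructed sample of the relevant /etc/sysconfig/SuSEfirewall2 lines
# (not the poster's real file). FW_FORWARD uses the "sourcenet,destnet" form
# the config comments describe; FW_ROUTE="yes" turns on kernel forwarding.
SAMPLE_CONF='FW_DEV_EXT="eth0"
FW_DEV_INT="xenbr0 vif0.0 vif1.0"
FW_ROUTE="yes"
FW_FORWARD="0/0,0/0"
'

# conf_value FILE KEY : print the (unquoted) value of KEY from a sysconfig file.
conf_value() {
    sed -n "s/^$2=\"\\{0,1\\}\\([^\"]*\\).*/\\1/p" "$1" | tail -n 1
}

# check_xen_fw_conf FILE BRIDGE : return 0 when the three settings the Xen docs
# ask for are present; otherwise print what is missing and return 1.
check_xen_fw_conf() {
    conf="$1"; bridge="$2"; rc=0
    case " $(conf_value "$conf" FW_DEV_INT) $(conf_value "$conf" FW_DEV_EXT) " in
        *" $bridge "*) ;;
        *) echo "missing: $bridge not listed in FW_DEV_INT or FW_DEV_EXT"; rc=1 ;;
    esac
    [ "$(conf_value "$conf" FW_ROUTE)" = "yes" ] \
        || { echo 'missing: FW_ROUTE="yes"'; rc=1; }
    [ -n "$(conf_value "$conf" FW_FORWARD)" ] \
        || { echo 'missing: FW_FORWARD="sourcenet,destnet"'; rc=1; }
    return $rc
}

# xen_forward_rules BRIDGE CHAIN VIF... : emit the rules a custom-rules hook
# (FW_CUSTOMRULES, assumed) would insert at the top of CHAIN so the chain's
# final reject does not eat bridged frames:
#   - one rule per virtual interface, matched on the physical bridge port
#     the frame entered on (physdev), which is how bridged traffic is identified
#   - one rule for frames whose in and out device is the bridge itself,
#     i.e. traffic that stays on xenbr0 and is only switched, never routed
xen_forward_rules() {
    bridge="$1"; chain="$2"; shift 2
    for dev in "$@"; do
        run iptables -I "$chain" -m physdev --physdev-in "$dev" -j ACCEPT
    done
    run iptables -I "$chain" -i "$bridge" -o "$bridge" -j ACCEPT
}

# Usage: sh thisscript.sh demo   (prints the config check and the rules)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_CONF" > "$tmp"
    check_xen_fw_conf "$tmp" xenbr0 && echo "config: ok"
    xen_forward_rules xenbr0 forward_int vif0.0 vif1.0
    rm -f "$tmp"
fi
```

With DRYRUN=1 the rule generator only prints, so it can be used as a review step before the lines are copied into the custom-rules file; with the firewall down the equivalent quick check is that `iptables -P FORWARD ACCEPT` restores the bridged network, as the quoted docs say.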