
Re: [Xen-devel] Network issues with SuSE firewall

> First, I noted that xen_nat_enable was *not* built along with the
> other tools in xeno-clone/install/bin.  Is this still needed (per the
> README.CD instructions, for a NAT-based virtual host, rather than
> IP-based)?

It's a script rather than a binary. 

The current 'loop through domain0' approach to NAT is not the
long term solution (we're adding NAT to Xen).

I'm afraid I'm not entirely surprised that xen_nat_enable doesn't
play well with your firewall. 

Are you short of IP addresses? I'd certainly recommend using one
IP per guest for the moment unless you really have to use NAT. Of
course, you don't need to use NAT if you only want to do
inter-guest communication (you can use the 169.254.1.X addresses

> I copied & ran the xen_nat_enable from the CD, and immediately was
> unable to access my machine to/from the network (I had already run
> "ifconfig eth0:0 up").
> What I found was that the SuSEfirewall default configuration did not
> get along well with whatever changes to iptables were made by
> xen_nat_enable.  My solution, which needs to be tuned later, was to
> edit /etc/sysconfig/SuSEfirewall2 to greatly loosen the firewall.  I
> then restarted it:

Another thing to watch out for is that some distributions
'helpfully' create random link-local 169.254.x.x addresses for
all interfaces automatically. This doesn't play well with our use
of link-local addresses, e.g. you have to nail this in RH9 with ZEROCONF=NO
in ifcfg-eth0.

