Re: [Xen-devel] Network issues with SuSE firewall

[Ian Pratt <Ian.Pratt@xxxxxxxxxxxx>]

> First, I noted that xen_nat_enable was *not* built along with the
> other tools in xeno-clone/install/bin.  Is this still needed (per the
> README.CD instructions, for a NAT-based virtual host, rather than
> IP-based)?

It's a script rather than a binary. 

The current 'loop through domain0' approach to NAT is not the
long term solution (we're adding NAT to Xen).

I'm afraid I'm not entirely surprised that xen_nat_enable doesn't
play well with your firewall. 

Are you short of IP addresses? I'd certainly recommend using one
IP per guest for the moment unless you really have to use NAT. Of
course, you don't need to use NAT if you only want to do
inter-guest communication (you can use the 169.254.1.X addresses
directly).

> I copied & ran the xen_nat_enable from the CD, and immediately was
> unable to access my machine to/from the network (I had already run
> "ifconfig eth0:0 169.254.1.0 up").
> 
> What I found was that the SuSEfirewall default configuration did not
> get along well with whatever changes to iptables were made by
> xen_nat_enable.  My solution, which needs to be tuned later, was to
> edit /etc/sysconfig/SuSEfirewall2 to greatly loosen the firewall.  I
> then restarted it:

Another thing to watch out for is that some distributions
'helpfully' create random link-local 169.254.x.x addresses for
all interfaces automatically. This doesn't play well with our use
of link-local addresses. e.g. you have to nail this in RH9 with ZEROCONF=NO
in ifcfg-eth0

Ian


-------------------------------------------------------
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/xen-devel