
Re: [Xen-devel] Network issues with SuSE firewall

On Mon, Nov 10 03 at  8:32:30PM +0000, Ian Pratt wrote:
> > I don't understand this - reality seems to be the opposite of what you
> > wrote.  If you flush (-F) & delete (-X) all the existing filter rules
> > & chain, then it clearly *does* interact with the current firewall.
> I think Richard meant that having the -F and -X made the script
> idempotent with respect to itself.
> I think it's more useful just to remove the two lines -- I'll
> check in a 'fix'.

This will probably break NAT. The NAT script adds rules to the filter
table which are appended to the end; these rules are required to allow
the traffic to be forwarded. If a firewall script runs first, then they
will be added after the firewall's rules; many firewalls put in a
catch-all DROP or REJECT rule as the last entry (so that logging can be
done..etc rather than rely on a table policy) so this will break.

Also, the line '-t filter -P FORWARD DROP' changes the default policy
for the FORWARD table, which may also interact with a firewall.

If the firewall only touches the INPUT table you shouldn't have a
problem. You still want to flush the FORWARD table on running this
script, however; Ian: substitute '-t filter -F' for '-t filter -F
FORWARD' and remove '-t filter -X'.

Any firewall which touches the FORWARD table is liable to either break,
or break NAT. If you want to be able to use an existing firewall with
NAT and be assured of it definitely working, you need to write the NAT
rules yourself.

If you need documentation on how to do NAT, the NAT HOWTO at
www.netfilter.org is very informative and covers how to set up firewall
rules to play nicely with NAT.

Torne Wuff
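A shell sketch of the adjustments Torne asks for, added here as an example and not the Xen NAT script itself: it flushes only the FORWARD chain, deletes no user chains, leaves the FORWARD policy alone, and includes a small checker for the failure mode he describes (a firewall's catch-all DROP/REJECT sitting above the NAT ACCEPT rules). The interface name eth0, the guest subnet 10.0.0.0/24 and the use of -I to place the ACCEPT rules ahead of such a catch-all are assumptions that go beyond the message.

```shell
#!/bin/sh
# Added example, not the Xen NAT script. Assumptions: external interface
# eth0 and guest subnet 10.0.0.0/24 (both constructed).
EXT_IF="${EXT_IF:-eth0}"
DOM_NET="${DOM_NET:-10.0.0.0/24}"

# Echo each iptables command; only execute it when APPLY=1 (needs root).
run() {
    echo "iptables $*"
    [ "${APPLY:-0}" = "1" ] && iptables "$@"
    return 0
}

# Follow the message's advice: flush only FORWARD instead of every filter
# chain, never -X user chains a firewall created, and do not touch the
# FORWARD policy. Delete-then-append keeps the MASQUERADE rule from
# stacking on repeated runs (-D may complain on the first run; harmless).
# Inserting with -I so the ACCEPT rules land ahead of a firewall's trailing
# catch-all is an addition beyond what the message proposes.
nat_setup() {
    run -t filter -F FORWARD
    run -t nat -D POSTROUTING -s "$DOM_NET" -o "$EXT_IF" -j MASQUERADE
    run -t nat -A POSTROUTING -s "$DOM_NET" -o "$EXT_IF" -j MASQUERADE
    run -t filter -I FORWARD 1 -i "$EXT_IF" -d "$DOM_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -t filter -I FORWARD 1 -s "$DOM_NET" -o "$EXT_IF" -j ACCEPT
}

# Diagnose the breakage from an `iptables -S FORWARD` listing on stdin:
# return 1 if a catch-all DROP/REJECT (a rule with no match criteria)
# appears before the first ACCEPT rule, 0 otherwise.
forward_order_ok() {
    awk '
        /^-A FORWARD -j (DROP|REJECT)/ && !seen_accept { blocked = 1 }
        /^-A FORWARD .*-j ACCEPT/                       { seen_accept = 1 }
        END { exit blocked ? 1 : 0 }
    '
}

# Usage: print the commands, then check the live chain if that is possible.
nat_setup
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    iptables -S FORWARD | forward_order_ok || echo "catch-all precedes NAT ACCEPT rules"
fi
```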