[CentOS] Not firewall, but what?

Mon May 10 20:12:01 UTC 2010
Kahlil Hodgson <kahlil.hodgson at dealmax.com.au>

On 05/10/2010 11:03 PM, Jussi Hirvi wrote:
> On 10.5.2010 15.48, Les Mikesell wrote:
>> How do you handle the default route on the 'connect to both' guests?  Normally
>> you only want one default gateway and it should be the same one where the
>> connections are coming in.  Otherwise you have to do some very tricky things to
>> make return packets go back the same path they came in, although asymmetrical
>> routes are supposed to work if you don't have NAT or stateful firewalls in the way.
> 
> On that dual-network xen-guest, I don't handle the routing in any 
> special way. Now only one nw connection works (because of these routing 
> problems), but if they would both work, packets still might leave from 
> only one interface (default route). I don't see why this would be a 
> problem, though, even if it may not be very elegant.
> 
> Here is "ip route show" from that host:
> 
> 62.236.221.64/28 dev eth0  proto kernel  scope link  src 62.236.221.71
> 62.220.237.96/27 dev eth1  proto kernel  scope link  src 62.220.237.111
> 169.254.0.0/16 dev eth1  scope link
> default via 62.220.237.126 dev eth1

You've also got two bridges (xenbr0 and xenbr1) and you've enslaved eth0
to the first and eth1 to the second.  From your ifconfig output, none of
your bridges or virtual interfaces seem to have IP addresses or
networks.  Okay, it's early in the morning and I had a few beers while
watching the footy last night, so I could be completely wrong here, but
I'm not entirely sure your routing table is having any direct impact on
the network flows at all. My guess is traffic from guests on network A
is going straight out eth0 to whatever switch it is connected to and not
touching your xen-host routing table at all; likewise traffic from guests
on network B and eth1 (other list readers feel free to correct me here).

I have to shower and head off to work but the shorewall documentation
about bridging and routers might help clear things up:

http://shorewall.net/Documentation.html

and specifically

http://shorewall.net/bridge-Shorewall-perl.html

Hope this helps,

Kal
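The asymmetric-return problem Les raises above can be checked directly against the `ip route show` output quoted in the thread. The following is an added example, not code from either poster: it parses that routing table, performs the kernel's destination-based longest-prefix lookup for a reply packet, flags the case where a request that came in on eth0 would be answered out of eth1 via the single default route, and emits the source-based policy-routing commands (`ip rule` / per-interface table) that make replies leave on the interface they arrived on. The eth0 gateway is not given on the page, so it is passed as a labelled placeholder; the table number 100 and the assumption of one address per interface are mine.

```python
import ipaddress

# Routing table quoted in the thread ("ip route show" on the dual-network guest).
IP_ROUTE_SHOW = """\
62.236.221.64/28 dev eth0  proto kernel  scope link  src 62.236.221.71
62.220.237.96/27 dev eth1  proto kernel  scope link  src 62.220.237.111
169.254.0.0/16 dev eth1  scope link
default via 62.220.237.126 dev eth1
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into dicts with prefix, dev, via and src."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        route = {"prefix": ipaddress.ip_network(prefix, strict=False),
                 "dev": None, "via": None, "src": None}
        i = 1
        while i + 1 < len(fields):
            key, value = fields[i], fields[i + 1]
            if key in ("dev", "via", "src"):
                route[key] = value
                i += 2
            elif key in ("proto", "scope", "metric", "table"):
                i += 2          # attribute we do not need; skip its value too
            else:
                i += 1          # single-token flag such as "linkdown"
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route the kernel uses to send to dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if dst in r["prefix"] and (best is None
                                   or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def reply_path(routes, client_ip, ingress_dev):
    """Where a reply to client_ip leaves, given the request arrived on ingress_dev.
    asymmetric=True is the situation a stateful firewall or NAT will break on."""
    r = lookup(routes, client_ip)
    egress = r["dev"] if r else None
    return {"egress": egress, "via": r["via"] if r else None,
            "asymmetric": egress != ingress_dev}


def policy_routing_commands(routes, dev, gateway, table):
    """Emit `ip` commands for source-based policy routing on dev (assumes one
    connected route with a src address per interface): replies sourced from
    dev's own address consult a private table whose default route uses dev."""
    connected = [r for r in routes if r["dev"] == dev and r["via"] is None and r["src"]]
    if not connected:
        raise ValueError(f"no connected route with a src address on {dev}")
    prefix, src = connected[0]["prefix"], connected[0]["src"]
    return [
        f"ip route add {prefix} dev {dev} src {src} table {table}",
        f"ip route add default via {gateway} dev {dev} table {table}",
        f"ip rule add from {src} table {table}",
        "ip route flush cache",
    ]


if __name__ == "__main__":
    routes = parse_ip_route(IP_ROUTE_SHOW)
    # A client on eth0's own /28: reply goes back out eth0, no problem.
    print(reply_path(routes, "62.236.221.70", "eth0"))
    # A remote client (constructed documentation address) reached via eth0's
    # upstream: reply follows the only default route, out eth1 -> asymmetric.
    print(reply_path(routes, "198.51.100.7", "eth0"))
    # Fix: the eth0 gateway is not on the page, so it is a placeholder here.
    for cmd in policy_routing_commands(routes, "eth0", "<eth0-gateway>", 100):
        print(cmd)
```

The emitted commands need to be run as root on the guest (or put in the distribution's `rule-eth0` / `route-eth0` files) and the gateway placeholder replaced with the real next hop on the eth0 subnet; once the rule is in place, connections arriving on eth0 are answered out of eth0 regardless of which interface carries the main default route.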