Welcome, Guest. Please login or register.
Did you miss your activation email?
Wednesday 20 November 2024, 09:24:39 am

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14258 Posts in 4377 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Reset interfaces for proper use in DomU?
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Reset interfaces for proper use in DomU?  (Read 13006 times)
KarboN
Jr. Member
*
Offline Offline

Posts: 3


« on: Sunday 23 October 2011, 11:59:46 am »

Hello,

I've been trying to run Endian Firewall 2.4.1 as a paravirtualized guest under Xen.

I've had a fair amount of complications:
 - Couldn't install it as a HVM because of lack of CPU support
  I finally installed it with VirtualBox on a workstation, converted the hard disk image, tweaked the partitions to remove the LVMs (my DomU kernel doesn't support them)

 - Needed to configure the PCI passthrough so that the Endian firewall can access the NIC directly (that finally worked).

After lots of efforts, I managed to get the DomU to boot with a custom kernel.  I believe it has every module that's needed for Endian.  If I notice anything missing, I can add support, that's no problem.

I can access the machine through the serial port provided by Xen.  Both network interfaces (one virtual, eth0 , the one that would be GREEN) and the physical one, eth1 (that would manage PPPoE and be red) are detected.  None have an IP.  With further manipulations, I can set the IP for eth0, set a temporary resolver, set the routes.  This is probably because of messed up configurations (the MAC addresses differ from the original installation).

Problem is, the virtual machine won't respond to either pings or HTTPS requests on port 10443.  However, I can ping from the Endian machine.  Apparently, this is caused by the iptables firewall rules.  I could tweak the rules so that it respond to ping, but could never make it accept connections on port 10443, so that I could reconfigure the interfaces.  Flushing the iptables rules would make the machine unresponsive through serial access.

I guess a clean way to fix the issue would be to re-run the ncurses assistant that's ran at install time.  Is this any possible?

If not, is there any other solution so that I get my interfaces back up correctly?

Thanks in advance
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #1 on: Wednesday 26 October 2011, 02:06:20 am »

Just a note, on Endian GREEN is always br0, not ethX. You can do most of the config from console, by editing files at /var/efw. Interfaces are defined on /var/efw/ethernet . The file 'settings' define the IP's of each internal zone. The br0 br1 and br2 files define what interfaces are bridged to GREEN, ORANGE and BLUE zones.

There is also extra files to create or tweak. If you want to create a bond, just make a file called bond0, and add the interfaced bonded, one on each line. About vlans, just create files that starts with vlan_. On that file add the VLAN ID numbers you want to create, one by line.
 i.e. vlan_eth0 will create VLAN configs for eth0. You can also create VLAN's on top of a bond, I myself have a vlan_bond0 because I use a bonded interface for internal subnets, each one separated by VLAN.
Logged
KarboN
Jr. Member
*
Offline Offline

Posts: 3


« Reply #2 on: Friday 28 October 2011, 01:15:39 am »

Thank you for your reply.

I've been looking in the /var/efw/ethernet files.  I have a br0 file with "eth0" as its content.

GREEN_IPS=192.168.1.1/24,
ORANGE_IPS=
BLUE_IPS=
GREEN_ADDRESS=192.168.1.1
GREEN_NETMASK=255.255.255.0
GREEN_NETADDRESS=192.168.1.0
GREEN_BROADCAST=192.168.1.255
CONFIG_TYPE=0
GREEN_DEV=br0

No info about the RED interface.  Is this normal?
Other than that, when I do ifconfig, I have 3 interfaces, eth0, eth1 and the loopback.  Is this what's expected?  Should I have a br0 interface?
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #3 on: Friday 28 October 2011, 04:39:54 am »

Yes, you should  have br0 with the IP address. NIC's doesn't have IP's unless they are RED interfaces, so eth0 shouldn't have any IP address.
RED interfaces are configured on another directory, as there can be more than one RED. They aren't connected to any bridge.


It's strange, ifconfig br0 always should return your GREEN IP.
Logged
KarboN
Jr. Member
*
Offline Offline

Posts: 3


« Reply #4 on: Friday 28 October 2011, 04:46:41 am »

Thanks for the info.

When trying to add a bridge manually, I get:

root@efw-1317587083:~ # brctl addbr br0
add bridge failed: Invalid argument

Any ideas?
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.078 seconds with 21 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com