Hi,
I am using Shorewall to set up a firewall in a VE. Now the problem is
that outgoing connections do not work, although I accept traffic from the
firewall to the network zone. I contacted the shorewall developer, and he
took a look at my configuration and he thinks that something is going
wrong in the kernel's connection tracking system. It seems indeed the
incoming packets responding to the outgoing packets, do not match the
state RELATED,ESTABLISHED rules which should accept them. Disabling the
firewall in the VE, or creating rules which accept the incoming packets,
makes it work, but of course this should not be necessary with the
RELATED,ESTABLISHED rule.
Some information on the hardware host (running Debian Lenny):
http://artipc10.vub.ac.be/openvz/hnode.txt
And on the VE (running Debian Etch):
http://artipc10.vub.ac.be/openvz/ve.txt
As you can see in the shorewall show output, no packets matched the
RELATED,ESTABLISHED rule in the net2fw rule, but instead packets are
matched by the fallback rule forwarding them to the Drop chain, and they
eventually seem to be dropped in the DropInvalid chain because of state
INVALID.
There's a Shorewall firewall on the hardware host too, but that one
accepts all relevant traffic: everything works with the firewall on the
hardware node enabled and the firewall in the VE disabled.
A related question, where can I find the logs of the firewall in the VE?
dmesg in the VE is empty and nothing is logged in /var/log, while the
logs in the hardware node only seem to reflect the firewall on the
hardware node.
--
Frederik