diff --git a/Shorewall-docs2/Documentation_Index.xml b/Shorewall-docs2/Documentation_Index.xml index db7f69b00..7946a7d27 100644 --- a/Shorewall-docs2/Documentation_Index.xml +++ b/Shorewall-docs2/Documentation_Index.xml @@ -15,7 +15,7 @@ - 2005-12-07 + 2005-12-30 2001-2005 @@ -732,5 +732,9 @@ White List Creation + + + Xen and Shorewall + \ No newline at end of file diff --git a/Shorewall-docs2/Xen.xml b/Shorewall-docs2/Xen.xml new file mode 100644 index 000000000..13ae8e800 --- /dev/null +++ b/Shorewall-docs2/Xen.xml @@ -0,0 +1,212 @@ + + +
+ + + + Xen and Shorewall + + + + Tom + + Eastep + + + + 2006-01-01 + + + 2006 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + +
+ Xen Network Environment + + Xen is a + paravirtualization tool that allows you to run + multiple virtual machines on one physical machine. It is available on a + wide number of platforms and is included in recent + SuSE distributions. + + Xen refers to the virtual machines as + Domains. Domains are number with the first domain + being domain 0, the second domain 1, and so on. Domain 0 is special + because that is the domain created when to machine is booted. Additional + domains are created using the xm create command. + Additional domains can also be created automatically at boot time by using + the xendomains service. + + Xen virtualizes a network interface named eth0 in each domain. In domain 0, Xen also + creates a bridge and a number of virtual interfaces as shown in the + following diagram. + + + + I use the term Extended Domain 0 to + distinguish the bridge and virtual interfaces from domain 0 itself. That + distinction is important when we try to apply Shorewall in this + environment. + + The bridge has a number of ports: + + + + peth0 — This is the port that connects to the physical network + interface in your system. + + + + vif0.0 — This is the bridge port that is used by traffic to/from + Domain 0. + + + + vifX.0 — This is the bridge port that is used by traffic to/from + Domain X. + + +
+ +
+ Configuring Shorewall in Domain 0 + + As I state in the answer to Shorewall FAQ + 2, I object to running servers in a local zone because if the + server becomes compromised then there is no protection between that + compromised server and the other local systems. Xen allows you to safely + run Internet-accessible servers in your local zone by creating a firewall + in (the Extended) Domain 0 to isolate the server(s) from the other local + systems (including Domain 0). + + Here is an example. In this example, we will assume that the system + is behind a second firewall that restricts incoming traffic so that we + only have to worry about protecting the local lan from the systems running + in domains other than domain 0. + +
+ /etc/shorewall/zones + + One thing strange about configuring Shorewall in this environment + is that Domain 0 is defined as two different zones. It is defined as the + firewall zone and it is also defined as "all systems connected to + xenbr0:vif0.0. In this case, we + call this second zone ursa; that zone + corresponds roughly to what is shown as Extended Domain 0 above. + +
+ # OPTIONS OPTIONS +fw firewall #Domain 0 +ursa ipv4 #Domain 0 on the bridge +dmz ipv4 #Server(s) running in Domains other than 0 +net ipv4 #The local LAN and beyond +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE +
+
+ +
+ /etc/shorewall/interfaces + + We must deal with two network interfaces. We must deal with the + (virtualized) eth0 and we must also deal with the bridge (xenbr0) + created by Xen. + +
+ #ZONE INTERFACE BROADCAST OPTIONS +- xenbr0 - dhcp +net eth0 detect dhcp +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+
+ +
+ /etc/shorewall/hosts + + Here we define the zones ursa and + dmz and we extend the definition of the + zone net.
+ #ZONE HOST(S) OPTIONS +ursa xenbr0:vif0.0 +dmz xenbr0:vif+ +net xenbr0:peth0 +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE +
+ + Note that the net zone has two + different interfaces. From the point of view of Domain 0 (which is where + Shorewall runs), the net zone comprises + everything except Domain 0. From the point of view of the Extended + Domain 0, the net zone is everything + connected (directly or indirectly) to the peth0 port on the bridge. +
+ +
+ /etc/shorewall/policy + + The policies shown here effectively isolate Domains 1...N. + +
+ #SOURCE DEST POLICY LOG LIMIT:BURST +# LEVEL +all fw ACCEPT +fw all ACCEPT +ursa all ACCEPT +net ursa ACCEPT +net net NONE +all all REJECT info +#LAST LINE -- DO NOT REMOVE + +
+
+ +
+ /etc/shorewall/rules + + These rules determine the traffic allowed into and out of the + dmz zone. + +
+ # +# "Net' to DMZ +# +ACCEPT net dmz udp domain +ACCEPT net dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128 +Trcrt/ACCEPT net dmz +# +# DMZ to 'Net' +# +ACCEPT dmz net:!192.168.0.0/22 udp domain,ntp +ACCEPT dmz net:!192.168.0.0/22 tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,rsync,cvspserver,2702,2703,8080 +ACCEPT dmz net:$POPSERVERS tcp pop3 +Ping/ACCEPT dmz net + +Ping/ACCEPT dmz ursa +
+ + In this example, 192.168.0.0/22 comprises the local + network. + + From the point of view of Shorewall, the zone diagram is as shown + in the following diagram. + + +
+
+
\ No newline at end of file diff --git a/Shorewall-docs2/images/Xen1.png b/Shorewall-docs2/images/Xen1.png new file mode 100755 index 000000000..4d45bc59d Binary files /dev/null and b/Shorewall-docs2/images/Xen1.png differ diff --git a/Shorewall-docs2/images/Xen1.vsd b/Shorewall-docs2/images/Xen1.vsd new file mode 100755 index 000000000..76c691d18 Binary files /dev/null and b/Shorewall-docs2/images/Xen1.vsd differ diff --git a/Shorewall-docs2/images/Xen2.png b/Shorewall-docs2/images/Xen2.png new file mode 100755 index 000000000..31fae58eb Binary files /dev/null and b/Shorewall-docs2/images/Xen2.png differ diff --git a/Shorewall-docs2/images/Xen2.vsd b/Shorewall-docs2/images/Xen2.vsd new file mode 100755 index 000000000..fe9f4ee25 Binary files /dev/null and b/Shorewall-docs2/images/Xen2.vsd differ diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index 03257a35d..c6c375cda 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -418,7 +418,7 @@ openvpnserver:1194 Wifi 192.168.3.0/24 #ACTION Mirrors #Accept traffic from the Shorewall Mirror sites -Limit #Limit connection rate from individual Hosts +Limit #Limit connection rate from each individual Host #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE @@ -427,7 +427,8 @@ Limit #Limit connection rate from individual Hosts action.Mirrors File
- $MIRRORS is set in /etc/shorewall/params above. + $MIRRORS is set in /etc/shorewall/params + above. #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT diff --git a/Shorewall-docs2/template.xml b/Shorewall-docs2/template.xml index 34d1612ea..8543edc31 100644 --- a/Shorewall-docs2/template.xml +++ b/Shorewall-docs2/template.xml @@ -15,10 +15,10 @@ - 2005-07-31 + 2006-01-01 - 2005 + 2006 Thomas M. Eastep diff --git a/Shorewall-docs2/traffic_shaping.xml b/Shorewall-docs2/traffic_shaping.xml index 683175d39..0d94bf386 100644 --- a/Shorewall-docs2/traffic_shaping.xml +++ b/Shorewall-docs2/traffic_shaping.xml @@ -21,7 +21,7 @@ - 2005-12-03 + 2005-12-30 2001-2004 @@ -413,7 +413,7 @@ ppp0 6000kbit 500kbit SOURCE - The source of the packet. If the packet originates on - the firewall, place fw in this column. Otherwise, + the firewall, place $FW in this column. Otherwise, this is a comma-separated list of interface names, IP addresses, MAC addresses in Shorewall Format and/or Subnets. @@ -476,7 +476,7 @@ ppp0 6000kbit 500kbit 1 eth1 0.0.0.0/0 all 2 eth2 0.0.0.0/0 all 2 eth3 0.0.0.0/0 all -3 fw 0.0.0.0/0 all +3 $FW 0.0.0.0/0 all
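Review bot: in the /etc/shorewall/hosts listing of the new Xen.xml, `dmz xenbr0:vif+` also matches `vif0.0`, the port already assigned to `ursa`; the classification only comes out right because `ursa` is declared before `dmz` in /etc/shorewall/zones and the earlier zone wins when hosts entries overlap, and that dependency is not stated anywhere. Either say so next to the hosts entries or name the DMZ ports explicitly (for example `dmz xenbr0:vif1.0,vif2.0`). Also worth one sentence in the policy section: isolating domains 1..N from Domain 0 and from each other rests entirely on frames bridged through xenbr0 being passed through netfilter (bridge firewalling in the kernel); without that, the `all all REJECT` policy never sees dmz-to-ursa traffic and the servers are not isolated at all. Smaller items in the same hunk: the zones listing header reads `# OPTIONS OPTIONS` with no ZONE/TYPE columns although the entries below it have them; "Domains are number with" should be "numbered" and "when to machine is booted" should be "the machine"; the quotation opened in `"all systems connected to xenbr0:vif0.0.` is never closed; the rules comment `# "Net' to DMZ` mixes quote styles; and the file is added without a trailing newline.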
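Review bot: the tcclasses SOURCE description and the example row in traffic_shaping.xml now say `$FW` instead of `fw`, but nothing in the hunk says what `$FW` is; add that it expands to the firewall zone name set by FW in shorewall.conf, so the old literal `fw` still works where that is the configured name. The Xen.xml policy file added in the same commit keeps the literal `fw` in its SOURCE and DEST columns (`all fw ACCEPT`, `fw all ACCEPT`), so the two documents end up with different conventions; pick one.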