Add a caution to the XenMyWay article

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3790 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-03 03:59:16 +01:00 · 2006-04-15 15:48:08 +00:00 · 2006-04-15 15:48:08 +00:00 · 2778ca5e54
commit 2778ca5e54
parent 5ea0b6bf94
2 changed files with 42 additions and 17 deletions
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2006-04-10</pubdate>
+    <pubdate>2006-04-15</pubdate>

    <copyright>
      <year>2006</year>
@ -131,26 +131,26 @@

    <orderedlist>
      <listitem>
-        <para>Dom0 (ursa.shorewall.net) is used as a local file server (NFS
-        and Samba).</para>
+        <para>Dom0 (DNS name ursa.shorewall.net) is used as a local file
+        server (NFS and Samba).</para>
      </listitem>

      <listitem>
        <para>The first DomU (Dom name <emphasis
-        role="bold">firewall</emphasis>, gateway.shorewall.net) is used as our
-        main firewall.</para>
+        role="bold">firewall</emphasis>, DNS name gateway.shorewall.net) is
+        used as our main firewall.</para>
      </listitem>

      <listitem>
        <para>The second DomU (Dom name <emphasis
-        role="bold">lists</emphasis>, lists.shorewall.net) is used as a public
-        Web/FTP/Mail/DNS server.</para>
+        role="bold">lists</emphasis>, DNS name lists.shorewall.net) is used as
+        a public Web/FTP/Mail/DNS server.</para>
      </listitem>

      <listitem>
        <para>The third DomU (Dom name <emphasis
-        role="bold">wireless</emphasis>, wireless.shorewall.net) is used as a
-        gateway to our wireless network.</para>
+        role="bold">wireless</emphasis>, DNS name wireless.shorewall.net) is
+        used as a gateway to our wireless network.</para>
      </listitem>
    </orderedlist>

@ -159,6 +159,26 @@
    has three interfaces. Shorewall runs in Dom0, in the firewall domain and
    in the wireless gateway.</para>

+    <caution>
+      <para>As the developer of Shorewall, I have enough experience to be very
+      comfortable with Linux networking and Shorewall/iptables. I arrived at
+      this configuration after a lot of trial and error experimentation (see
+      <ulink url="Xen.html">Xen and Shorewall</ulink>). If you are a Linux
+      networking novice, I recommend that you do not attempt a configuration
+      like this one for your first Shorewall installation. You are very likely
+      to frustrate both yourself and the Shorewall support team. Rather I
+      suggest that you start with something simple like a <ulink
+      url="standalone.htm">standalone installation</ulink> in a domU; once you
+      are comfortable with that then you will be ready to try something more
+      substantial.</para>
+
+      <para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
+      but it doesn't make understanding fundamental networking principles,
+      traffic shaping, or multi-ISP routing any easier</emphasis>.</para>
+
+      <para>The same goes for Xen networking.</para>
+    </caution>
+
    <section id="Domains">
      <title>Domain Configuration</title>

@ -274,7 +294,11 @@ disk     = [ 'phy:hdb4,hdb4,w' ]</programlisting>
      <para>SuSE 10.0 includes Xen 3.0 which does not support PCI
      delegation<footnote>
          <para>PCI delegation was a feature of Xen 2.0 but that capability
-          was dropped in 3.0. It has been restore in Xen 3.0.2.</para>
+          was dropped in 3.0. It has been restored in Xen 3.0.2 and once I
+          upgrade this system to SuSE 10.1 (which includes Xen 3.0.2), I
+          intend to implement PCI delegation and remove three of the four
+          bridges. I will probably combine the wireless and firewall domains
+          at that time as well.</para>
        </footnote>; I therefore use a bridged configuration with four bridges
      (one for each network interface). When Shorewall starts during bootup of
      Dom0, it creates the four bridges using this
@ -687,7 +711,7 @@ Trcrt/ACCEPT    loc                             dmz
 ###############################################################################################################################################################################
 # DMZ to Local
 #
-ACCEPT          dmz                             net:192.168.1.254       udp     123
+ACCEPT          dmz                             loc:192.168.1.5         udp     123
 ACCEPT          dmz                             loc:192.168.1.5         tcp     21
 Ping/ACCEPT     dmz                             loc

--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>

-    <pubdate>2006-03-24</pubdate>
+    <pubdate>2006-04-10</pubdate>

    <copyright>
      <year>2004</year>
@ -888,11 +888,12 @@
          <para><command>shorewall [ -q ] refresh</command></para>

          <para>The rules involving the broadcast addresses of firewall
-          interfaces, the black list, traffic control rules and ECN control
-          rules are recreated to reflect any changes made to your
-          configuration files. Existing connections are untouched If -q is
-          specified, less detain is displayed making it easier to spot
-          warnings.</para>
+          interfaces, the black list and ECN control rules are recreated to
+          reflect any changes made to your configuration files. Shorewall
+          versions prior to 3.2.0 Beta 5 also recreate the traffic shaping
+          rules as part of processing the <command>refresh</command> command.
+          Existing connections are untouched. If -q is specified, less detail
+          is displayed making it easier to spot warnings.</para>
        </listitem>
      </varlistentry>