diff --git a/docs/MyNetwork.xml b/docs/MyNetwork.xml
index db9cf0104..d01bbc1ae 100755
--- a/docs/MyNetwork.xml
+++ b/docs/MyNetwork.xml
@@ -165,7 +165,7 @@ show correct usage, they don't necessarily provide any useful benefit. I have tried to point those out in the sub-sections that follow. -
+
/etc/shorewall/params MIRRORS=62.216.169.37,\
@@ -186,7 +186,7 @@ VPS_IF=venet0As shown, this file defines variables to hold and the network interfaces.
-
+
/etc/shorewall/shorewall.conf ###############################################################################
@@ -300,7 +300,7 @@ TCP_FLAGS_DISPOSITION=DROP there
-
+
/etc/shorewall/zones fw firewall
@@ -318,7 +318,7 @@ drct:loc ipv4 #Direct internet accessThe registration) don't work through the proxy.
-
+
/etc/shorewall/interfaces #ZONE INTERFACE BROADCAST OPTIONS
@@ -328,9 +328,24 @@ net $EXT_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmu net $COM_IF detect dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0 loc tun+ detectNotice that VPN clients are treated the same as local hosts. + + I set the proxyarp option on + $EXT_IF so that + + + + The firewall will respond to ARP who-has requests for the + servers in the DMZ. + + + + To keep OpenVZ happy (it issues dire warnings if the option is + not set on the associated external interface). + +
-
+
/etc/shorewall/hosts #ZONE HOST(S) OPTIONS
@@ -345,7 +360,7 @@ drct $INT_IF:dynamicThe loc).
-
+
/etc/shorewall/policy #SOURCE DEST POLICY LOG LIMIT:BURST
@@ -366,7 +381,7 @@ all all REJECT $LOGI'm a bit someday...
-
+
/etc/shorewall/accounting #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
@@ -411,7 +426,7 @@ COUNT web $VPS_IF:206.124.146.0/24 $EXT_IF
-
+
/etc/shorewall/blacklist #ADDRESS/SUBNET PROTOCOL PORT
@@ -421,7 +436,7 @@ COUNT web $VPS_IF:206.124.146.0/24 $EXT_IF traffic.
-
+
/etc/shorewall/compile use strict;
@@ -438,7 +453,7 @@ add_rule $chainref, q(-j ACCEPT); created.
-
+
/etc/shorewall/findgw if [ -f /var/lib/dhcp3/dhclient.${1}.leases ]; then
@@ -447,7 +462,7 @@ fiThe Comcast line has a dynamic IP address assigned with the help of dhclient.
-
+
/etc/shorewall/isusable local status
@@ -459,7 +474,7 @@ return $statusFor use with lsm.
-
+
/etc/shorewall/lib.private start_lsm() {
@@ -486,7 +501,7 @@ EOF url="MultiISP.html#lsm">lsm.
-
+
/etc/shorewall/masq #INTERFACE SOURCE ADDRESS
@@ -527,14 +542,15 @@ Comcast 2 0x20000 main $COM_IF detect track,balance the multi-ISP aspects of this configuration.
-
+
/etc/shorewall/proxyarp - <empty>I let OpenVZ - configure the Proxy ARP for my servers. + <empty>As mentioned above, I set the proxyarp on the associated + external interface instead of defining proxy ARP in this file.
-
+
/etc/shorewall/restored if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
@@ -545,7 +561,7 @@ chmod 744 ${VARDIR}/stateIf lsm isn't running then start it. Make the state file world-readable.
-
+
/etc/shorewall/route_rules #SOURCE DEST PROVIDER PRIORITY
@@ -560,7 +576,7 @@ chmod 744 ${VARDIR}/stateIf lsm isn't running then start it. interface.
-
+
/etc/shorewall/routestopped #INTERFACE HOST(S) OPTIONS PROTO
@@ -570,7 +586,7 @@ $EXT_IF - notrack 41
-
+
/etc/shorewall/rules ###############################################################################################################################################################################
@@ -708,7 +724,7 @@ COMMENT ACCEPT any any icmp 8
-
+
/etc/shorewall/started if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
@@ -719,7 +735,7 @@ chmod 744 ${VARDIR}/stateIf lsm isn't running then start it. Make the state file world-readable.
-
+
/etc/shorewall/stopped if [ "$COMMAND" = stop -o "$COMMAND" = clear ]; then
@@ -730,7 +746,7 @@ chmod 744 ${VARDIR}/stateKill lsm if the command is stop or clear. Make the state file world-readable.
-
+
/etc/shorewall/tunnels #TYPE ZONE GATEWAY GATEWAY