Daily hacking on Xen My Way

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3732 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-03-24 23:55:30 +00:00
parent dc15f898ae
commit 4f7022b960


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2006-03-23</pubdate> <pubdate>2006-03-24</pubdate>
<copyright> <copyright>
<year>2006</year> <year>2006</year>
@ -126,14 +126,17 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>There are four Xen domains. Dom0 (ursa) is used as a file server. <para>There are four Xen domains. Dom0 (ursa.shorewall.net) is used as a
The first DomU is used as a firewall; the second DomU (lists) is used as a file server (NFS and Samba). The first DomU (Dom name <emphasis
public Web/FTP/Mail/DNS server while the third DomU (wireless, normally role="bold">firewall</emphasis>, gateway.shorewall.net) is used as our
Domain 3) is used as a gateway to our wireless network. A seperate main firewall; the second DomU (Dom name <emphasis
wireless gateway is necessary because Xen 3 only supports three virtual role="bold">lists</emphasis>, lists.shorewall.net) is used as a public
interfaces per DomU and the firewall DomU already has three interfaces. Web/FTP/Mail/DNS server while the third DomU (Dom name <emphasis
Shorewall runs in Dom0, in the firewall domain and in the wireless role="bold">wireless</emphasis>, wireless.shorewall.net) is used as a
gateway.</para> gateway to our wireless network. A seperate wireless gateway is necessary
because Xen 3 only supports three virtual interfaces per DomU and the
firewall DomU already has three interfaces. Shorewall runs in Dom0, in the
firewall domain and in the wireless gateway.</para>
<section id="Domains"> <section id="Domains">
<title>Domain Configuration</title> <title>Domain Configuration</title>
@ -153,13 +156,13 @@
module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts loopback.nloopbacks=1 module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts loopback.nloopbacks=1
module /boot/initrd-xen</programlisting> module /boot/initrd-xen</programlisting>
<para><filename>/etc/xen/auto/01-gateway</filename> — configuration <para><filename>/etc/xen/auto/01-firewall</filename> — configuration
file for the firewall domain</para> file for the firewall domain</para>
<programlisting># -*- mode: python; -*- <programlisting># -*- mode: python; -*-
# configuration name: # configuration name:
name = "gateway" name = "firewall"
# usable ram: # usable ram:
memory = 256 memory = 256
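Review bot: since this file sets `hostname = name` (visible in the header of the next hunk), changing `name = "gateway"` to `name = "firewall"` also changes the guest's hostname, while the prose above still calls this domain gateway.shorewall.net. Either state in the text that Dom name and DNS name differ for this domain, or pick one; and check anything keyed on the old name "gateway" (DNS/hosts entries, scripts, Shorewall hosts or zone files) before the rename is published.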
@ -181,13 +184,13 @@ hostname = name
# storage devices: # storage devices:
disk = [ 'phy:hdb2,hdb2,w' ]</programlisting> disk = [ 'phy:hdb2,hdb2,w' ]</programlisting>
<para><filename>/etc/xen/auto/02-server</filename> — configuration <para><filename>/etc/xen/auto/02-lists</filename> — configuration file
file for the lists domain</para> for the lists domain</para>
<programlisting># -*- mode: python; -*- <programlisting># -*- mode: python; -*-
# configuration name: # configuration name:
name = "server" name = "lists"
# usable ram: # usable ram:
memory = 512 memory = 512
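Review bot: same hostname concern as for 01-firewall: with `hostname = name`, the lists domain's hostname changes from "server" to "lists". Also confirm the file really was renamed on disk from /etc/xen/auto/02-server to /etc/xen/auto/02-lists (the 01-/02- prefixes set the autostart order), since only the documentation changes here.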
@ -249,7 +252,7 @@ disk = [ 'phy:hdb4,hdb4,w' ]</programlisting>
<para>SuSE 10.0 includes Xen 3.0 which does not support PCI delegation; <para>SuSE 10.0 includes Xen 3.0 which does not support PCI delegation;
I therefore use a bridged configuration with four bridges (one for each I therefore use a bridged configuration with four bridges (one for each
network interface). When Shorewall starts during boot of Dom0, it network interface). When Shorewall starts during bootup of Dom0, it
creates the four bridges using this creates the four bridges using this
<filename>/etc/shorewall/init</filename> extension script:</para> <filename>/etc/shorewall/init</filename> extension script:</para>
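Review bot: "during bootup of Dom0" is no improvement on the original "during boot of Dom0"; "boot" is the standard term and reads better. Style only; the rest of the hunk is unchanged context.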
@ -373,7 +376,7 @@ SECTION NEW
<blockquote> <blockquote>
<para>/etc/shorewall/shorewall.conf:</para> <para>/etc/shorewall/shorewall.conf:</para>
<programlisting>TARTUP_ENABLED=Yes <programlisting>STARTUP_ENABLED=Yes
VERBOSITY=0 VERBOSITY=0
LOGFILE=/var/log/firewall LOGFILE=/var/log/firewall
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
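Review bot: good catch on `TARTUP_ENABLED=Yes`; with the key misspelled, STARTUP_ENABLED itself was never set, so a reader copying the old listing would have been relying on the default instead of the explicit Yes the example intends. Nothing else in the hunk changes.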
@ -475,8 +478,6 @@ OMAK=&lt;IP address at our second home&gt;
<programlisting>echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting> <programlisting>echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal</programlisting>
<para><filename>/</filename></para>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
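Review bot: dropping the stray `<para><filename>/</filename></para>` is right. Separately, the `echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal` line just above it appears with no explanation in the visible context; because be_liberal turns off conntrack's TCP window checking (out-of-window segments are no longer marked INVALID), the document should say why it is needed on this host so readers do not copy the setting blindly.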
@ -490,11 +491,11 @@ vpn tun+ -
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL <programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES # INTERFACES
206.124.146.178 $EXT_IF 192.168.1.5 No No 206.124.146.178 $EXT_IF 192.168.1.3 No No
206.124.146.180 $EXT_IF 192.168.1.6 No No 206.124.146.180 $EXT_IF 192.168.1.6 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute drick here and in <para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>proxyarp</filename> file that follows that allows me to the <filename>proxyarp</filename> file that follows that allows me to
access the DSL "Modem" using it's default IP address access the DSL "Modem" using it's default IP address
(192.168.1.1))</filename>:</para> (192.168.1.1))</filename>:</para>
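Review bot: the internal address for 206.124.146.178 in the proxyarp file changes from 192.168.1.5 to 192.168.1.3; the other files in this document that mention the firewall domain's addresses should be checked for the same value so the example stays consistent. Two small things remain in the masq paragraph: "it's default IP address" should be "its", and the parenthetical note about the trick is nested inside the outer <filename> element (with a second <filename> inside it); the note belongs outside the filename markup.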