From 55df9ff8298b11ca2982cb93f165cd0b296aadb4 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 20 Mar 2006 17:26:59 +0000 Subject: [PATCH] Break XenMyWay doc into sections and expand git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3706 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/XenMyWay.xml | 363 +++++++++++++++++++++++++++++----------------- 1 file changed, 230 insertions(+), 133 deletions(-) diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 84c97ddf2..b82429c58 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml @@ -15,7 +15,7 @@ - 2006-03-19 + 2006-03-20 2006 @@ -92,7 +92,7 @@ - All of the Linux systems run SuSE 10.0. + All of the Linux systems run SuSE 10.0 or SuSE 10.1 Beta. If you are unfamiliar with Xen networking, I recommend that you read the first section of the companion Xen and @@ -132,27 +132,30 @@ is used as a gateway to our wireless network. A seperate wireless gateway is necessary because Xen 3 only supports three virtual interfaces per DomU and the firewall DomU already has three interfaces. Shorewall runs in - Dom0, in the firewall domain and in the wireless gateway.. + Dom0, in the firewall domain and in the wireless gateway. - Below are the relevant configuration files for the four domains. The - "loopback.nloopbacks=..." entries are used to restrict the number of - "vethn" devices that the Xen kernel creates. I use - partitions on my hard drives for DomU storage devices. +
+ Domain Configuration -
- /boot/grub/menu.lst — here is the entry that - boots Xen in Dom0. + Below are the relevant configuration files for the four domains. + The "loopback.nloopbacks=..." entries are used to restrict the number of + "vethn" devices that the Xen kernel creates. I use + partitions on my hard drives for DomU storage devices. - title XEN +
+ /boot/grub/menu.lst — here is the entry + that boots Xen in Dom0. + + title XEN root (hd0,1) kernel /boot/xen.gz dom0_mem=458752 sched=bvt module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts loopback.nloopbacks=1 module /boot/initrd-xen - /etc/xen/auto/01-gateway — configuration file - for the firewall domain + /etc/xen/auto/01-gateway — configuration + file for the firewall domain - # -*- mode: python; -*- + # -*- mode: python; -*- # configuration name: name = "gateway" @@ -177,10 +180,10 @@ hostname = name # storage devices: disk = [ 'phy:hdb2,hdb2,w' ] - /etc/xen/auto/02-server — configuration file - for the lists domain + /etc/xen/auto/02-server — configuration + file for the lists domain - # -*- mode: python; -*- + # -*- mode: python; -*- # configuration name: name = "server" @@ -205,10 +208,10 @@ hostname = name # storage devices: disk = [ 'phy:hda3,hda3,w' ] - /etc/xen/auto/03-gateway — configuration file for the wireless - domain. + /etc/xen/auto/03-wireless — configuration file for the wireless + domain. - # -*- mode: python; -*- + # -*- mode: python; -*- # configuration name: name = "wireless" @@ -233,25 +236,24 @@ hostname = name # storage devices: disk = [ 'phy:hdb4,hdb4,w' ] -
+
- With all four Xen domains up and running, the system looks as shown - in the following diagram. + With all four Xen domains up and running, the system looks as + shown in the following diagram. - + - The zones correspond to the Shorewall zones in the Dom0 - configuration. + The zones correspond to the Shorewall zones in the Dom0 + configuration. - SuSE 10.0 includes Xen 3.0 which does not support PCI delegation; I - therefore use a bridged configuration with four bridges (one for each - network interface). When Shorewall starts during boot, it creates the four - bridges. + SuSE 10.0 includes Xen 3.0 which does not support PCI delegation; + I therefore use a bridged configuration with four bridges (one for each + network interface). When Shorewall starts during boot of Dom0, it + creates the four bridges using this + /etc/shorewall/init extension script: - Here is /etc/shorewall/init in Dom0: - -
- for bridge in xenbr0 xenbr1 xenbr2 xenbr3; do +
+ for bridge in xenbr0 xenbr1 xenbr2 xenbr3; do if [ -z "$(/sbin/brctl show 2> /dev/null | fgrep $bridge)" ]; then /sbin/brctl addbr $bridge @@ -269,36 +271,40 @@ disk = [ 'phy:hdb4,hdb4,w' ] /sbin/brctl addif xenbr3 eth2 ;; esac - + /sbin/ip link set dev $bridge up fi done -
+
+
- The goals for the Shorewall configuration in Dom0 are as - follows: +
+ Dom0 Configuration - - - Allow traffic to flow unrestricted through the four bridges. - This is done by configuring the hosts connected to each bridge as a - separate zone and relying on the implicit intra-zone ACCEPT policy to - permit traffic through the bridge. - + The goals for the Shorewall configuration in Dom0 are as + follows: - - Ensure that there is no stray traffic between the zones. This is - a "belt+suspenders" measure since there should be no routing between - the bridges (because they don't have IP addresses). - - + + + Allow traffic to flow unrestricted through the four bridges. + This is done by configuring the hosts connected to each bridge as a + separate zone and relying on Shorewall's implicit intra-zone ACCEPT + policy to permit traffic through the bridge. + - The configuration is a simple one: + + Ensure that there is no stray traffic between the zones. This + is a "belt+suspenders" measure since there should be no routing + between the bridges (because they don't have IP addresses). + + -
- /etc/shorewall/zones: + The configuration is a simple one: - #ZONE TYPE OPTIONS IN OUT +
+ /etc/shorewall/zones: + + #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall Wifi ipv4 @@ -308,9 +314,10 @@ net ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - /etc/shorewall/policy: + /etc/shorewall/policy (Note the unusual use + of an ACCEPT all->all policy): - #SOURCE DEST POLICY LOG LIMIT:BURST + #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL Wifi all REJECT info all Wifi REJECT info @@ -321,42 +328,46 @@ all net REJECT info all all ACCEPT #LAST LINE -- DO NOT REMOVE - /etc/shorewall/interfaces: + /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE BROADCAST OPTIONS Wifi xenbr3 - routeback loc xenbr0 192.168.1.255 dhcp,routeback dmz xenbr1 - routeback net xenbr2 - routeback #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/rules: + /etc/shorewall/rules: - #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP #SECTION ESTABLISHED #SECTION RELATED SECTION NEW #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
+
+
- In the firewall DomU, I run a conventional three-interface firewall - with Proxy ARP DMZ -- it is very similar to the firewall described in the - Shorewall Setup Guide. The - firewall runs a routed OpenVPN server to - provide roadwarrior access for our two laptops. Here is the firewall's - view of the network: +
+ Firewall DomU Configuration - + In the firewall DomU, I run a conventional three-interface + firewall with Proxy ARP DMZ -- it is very similar to the firewall + described in the Shorewall Setup + Guide. The firewall runs a routed OpenVPN server to provide roadwarrior access + for our two laptops. Here is the firewall's view of the network: - The Shorewall configuration files are shown below. All routing and - secondary IP addresses are handled in the SuSE network - configuration. + -
- /etc/shorewall/shorewall.conf: + The Shorewall configuration files are shown below. All routing and + secondary IP addresses are handled in the SuSE network + configuration. - TARTUP_ENABLED=Yes +
+ /etc/shorewall/shorewall.conf: + + TARTUP_ENABLED=Yes VERBOSITY=0 LOGFILE=/var/log/firewall LOGFORMAT="Shorewall:%s:%s:" @@ -407,9 +418,9 @@ MACLIST_TABLE=mangle MACLIST_DISPOSITION=DROP TCP_FLAGS_DISPOSITION=DROP - /etc/shorewall/zones: + /etc/shorewall/zones: - #ZONE TYPE OPTIONS IN OUT + #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 #Internet @@ -419,9 +430,9 @@ vpn ipv4 #Open VPN clients #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - /etc/shorewall/policy: + /etc/shorewall/policy: - #SOURCE DEST POLICY LOG LIMIT:BURST + #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL $FW $FW ACCEPT $FW net ACCEPT @@ -436,9 +447,9 @@ net all DROP $LOG 10/sec:40 all all REJECT $LOG #LAST LINE -- DO NOT REMOVE - /etc/shorewall/params (edited): + /etc/shorewall/params (edited): - MIRRORS=<comma-separated list of Shorewall mirrors> + MIRRORS=<comma-separated list of Shorewall mirrors> NTPSERVERS=<comma-separated list of NTP servers I sync with> @@ -452,71 +463,68 @@ EXT_IF=eth3 OMAK=<IP address at our second home> -#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - +#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - /etc/shorewall/init: + /etc/shorewall/init: - echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal + echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal - + / - / + /etc/shorewall/interfaces: - /etc/shorewall/interfaces: - - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE BROADCAST OPTIONS net $EXT_IF 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs dmz $DMZ_IF 192.168.0.255 logmartians loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians vpn tun+ - #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/nat: + /etc/shorewall/nat: - #EXTERNAL INTERFACE INTERNAL ALL LOCAL + #EXTERNAL INTERFACE INTERNAL ALL LOCAL # INTERFACES 206.124.146.178 $EXT_IF 192.168.1.5 No No 206.124.146.180 $EXT_IF 192.168.1.6 No No #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - /etc/shorewall/masq: + /etc/shorewall/masq: - #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC + #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 $EXT_IF 192.168.0.0/22 206.124.146.179 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE - /etc/shorewall/proxyarp: + /etc/shorewall/proxyarp: - #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT + #ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT 192.168.1.1 $EXT_IF $INT_IF yes 206.124.146.177 $DMZ_IF $EXT_IF yes #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/tunnels: + /etc/shorewall/tunnels: - #TYPE ZONE GATEWAY GATEWAY + #TYPE ZONE GATEWAY GATEWAY # ZONE openvpnserver:udp net 0.0.0.0/0 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/actions: + /etc/shorewall/actions: - #ACTION + #ACTION Mirrors # Accept traffic from Shorewall Mirrors #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - /etc/shorewall/action.Mirrors: + /etc/shorewall/action.Mirrors: - #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE + #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT ACCEPT $MIRRORS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/rules: + /etc/shorewall/rules: - SECTION NEW + SECTION NEW ############################################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ # PORT PORT(S) DEST LIMIT GROUP @@ -678,23 +686,32 @@ Ping/ACCEPT fw dmz # DROP net:82.96.96.3 all #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE -
+
+
- The Shorewall configuration in the 'wireless' DomU is similarly - simple-minded. It's sole purpose is to protect the local network from the - Wireless net. +
+ Wireless Gateway DomU Configuration - + The Shorewall configuration in the 'wireless' DomU is very + simple-minded. It's sole purpose is to protect the local network from + the Wireless net by restricting wireless access to clients that have + established an OpenVPN Bridged + connection. This configuration illustrates that you can use any Linux + system on your internal LAN as a wireless gateway -- it doesn't have to + be your main firewall (and it doesn't have to run in a Xen domain + either). - We restrict wireless access to clients that have established an - OpenVPN Bridged connection. The 'tap0' - device used by OpenVPN is bridged to eth2 using this startup - script: + -
- /etc/init.d/bridge: + The 'tap0' device used by OpenVPN is bridged to eth2 using this + SuSE-specific startup script (see the Shorewall + Bridge Documentation for scripts that work on other + distributions): - #!/bin/sh +
+ /etc/init.d/bridge: + + #!/bin/sh # # The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V3.0 # @@ -744,7 +761,7 @@ DROP net:82.96.96.3 all ### END INIT INFO ################################################################################ -# Interfaces to be bridged -- may be listed by device name or by MAC +# Interfaces to be bridged -- may be listed by device name or by MAC address # INTERFACES="eth2" @@ -798,7 +815,7 @@ get_interfaces() { INTERFACES="$interfaces" } ################################################################################ -# Start the Bridge +# Configure the Bridge -- IP configuration is left to the SuSE network scripts ################################################################################ do_start() { @@ -863,46 +880,63 @@ case "$command" in ;; esac - BRIDGING=No in - /etc/shorewall/shorewall.conf. + As mentioned in the comments in the above script, IP + configuration of the bridge is done through the normal SuSE network + scripts. Here's the config file: - /etc/shorewall/zones: + BOOTPROTO='static' +BROADCAST='' +IPADDR='192.168.1.7' +MTU='' +NAME='Ethernet Network Card' +NETMASK='255.255.255.0' +NETWORK='' +REMOTE_IPADDR='' +STARTMODE='auto' +USERCONTROL='no' +_nm_name='br0' - #ZONE TYPE OPTIONS IN OUT + Since there is no requirement to restrict connections through + the bridge, I set BRIDGING=No in + /etc/shorewall/shorewall.conf. + + /etc/shorewall/zones: + + #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall Wifi ipv4 loc ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - /etc/shorewall/interfaces: + /etc/shorewall/interfaces: - #ZONE INTERFACE BROADCAST OPTIONS + #ZONE INTERFACE BROADCAST OPTIONS Wifi eth4 192.168.3.255 dhcp,maclist loc br0 192.168.1.255 dhcp,routeback #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/policy: + /etc/shorewall/policy: - #SOURCE DEST POLICY LOG LIMIT:BURST + #SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL Wifi all REJECT info all all ACCEPT #LAST LINE -- DO NOT REMOVE - /etc/shorewall/tunnels: + /etc/shorewall/tunnels: - #TYPE ZONE GATEWAY GATEWAY + #TYPE ZONE GATEWAY GATEWAY # ZONE openvpnserver Wifi 192.168.3.0/24 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - /etc/shorewall/maclist (Note that this system runs - Shorewall 3.2 so there is an additional 'TARGET' - column): + /etc/shorewall/maclist (Note that this system runs + Shorewall 3.2 so there is an additional 'TARGET' + column): - #TARGET INTERFACE MAC IP ADDRESSES (Optional) + #TARGET INTERFACE MAC IP ADDRESSES (Optional) ACCEPT eth4 00:04:5a:0e:85:b9 #WAP11 ACCEPT eth4 00:06:25:45:33:3c #WET11 ACCEPT eth4 00:0b:cd:53:cc:97 192.168.3.8 #TIPPER @@ -911,6 +945,69 @@ ACCEPT eth4 00:12:79:3d:fe:2e 192.168.3.6 ACCEPT eth4 - 192.168.3.254 #Broadcast/Multicast from us DROP:info eth4 - 192.168.3.0/24 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE -
+ + /etc/shorewall/rules: + + #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP +#SECTION ESTABLISHED +#SECTION RELATED +SECTION NEW +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE +
+ + Here is the configuration of OpenVPN on this system: + +
+ /etc/openvpn/server-bridge (Note that I + prefer to push two /1 routes rather than to use the redirect-gateway directive; I find that the + latter occasionally leaves the remote system with no default gateway): + + dev tap0 + +local 192.168.3.254 + +server-bridge 192.168.1.5 255.255.255.0 192.168.1.64 192.168.1.71 + +client-to-client + +dh dh1024.pem + +ca /etc/certs/cacert.pem + +crl-verify /etc/certs/crl.pem + +cert /etc/certs/wireless.pem +key /etc/certs/wireless_key.pem + +port 1194 + +comp-lzo + +user nobody +group nogroup + +keepalive 15 45 +ping-timer-rem +persist-tun +persist-key + +client-config-dir /etc/openvpn/bridge-clients +ccd-exclusive + +verb 3 + +push "route 0.0.0.0 128.0.0.0 192.168.1.254" +push "route 128.0.0.0 128.0.0.0 192.168.1.254" + + /etc/bridge-clients/tipper.shorewall.net + (used to assign a fixed IP address to clients -- there are other + similar files in this directory): + + ifconfig-push 192.168.1.8 255.255.255.0 +
+
\ No newline at end of file