Update Xen My Way Doc

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-03-14 17:00:19 +00:00
parent a89b603e41
commit 664394ef07


@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2006-03-13</pubdate>
<pubdate>2006-03-14</pubdate>
<copyright>
<year>2006</year>
@ -128,7 +128,7 @@
<para>There are three Xen domains. Dom0 (ursa) is used as a file server.
One DomU (which is usually Domain 1) is used as a firewall and the other
(lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
Because Xen only supports three virtual interfaces per DomU, I also use
Because Xen 3 only supports three virtual interfaces per DomU, I also use
ursa as a gateway for our wireless network rather than placing that
function in the firewall DomU (that domain already has three interfaces).
Shorewall runs in both Dom0 and in the firewall domain.</para>
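Review bot: the three-virtual-interface limit is now attributed to "Xen 3" specifically, which is the right fix since the limit is version-dependent; consider also saying where that limit is documented (or which Xen 3 release it applies to) so a reader on a later release knows the workaround of routing the wireless network through ursa may no longer be required.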
@ -260,12 +260,16 @@ done</programlisting>
</listitem>
<listitem>
<para>Allow traffic to flow unrestricted through the three
switches.</para>
<para>Allow traffic to flow unrestricted through the three bridges.
This is done by configuring the hosts connected to each bridge as a
separate zone and relying on the implicit intra-zone ACCEPT policy to
permit traffic through the bridge.</para>
</listitem>
<listitem>
<para>Ensure that there is no stray traffic between the zones.</para>
<para>Ensure that there is no stray traffic between the zones. This is
a "belt+suspenders" measure since there should be no routing between
the bridges (because they don't have IP addresses).</para>
</listitem>
</itemizedlist>
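Review bot: the "belt+suspenders" explanation rests on the bridges having no IP addresses, so it is worth stating that assumption as a requirement in the bridge configuration text, not only here; if an address were later added to a bridge in Dom0 the "no routing between the bridges" premise would silently stop holding and the explicit inter-zone rules in the second item would become the only barrier. The first item's reliance on the "implicit intra-zone ACCEPT policy" likewise only holds while no explicit policy for that zone pair is added to the policy file, which is worth a few words so readers do not tighten policies and unknowingly break traffic across a bridge.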
@ -536,10 +540,6 @@ DROP loc fw tcp
Ping/ACCEPT loc fw
REDIRECT loc 3128 tcp 80 - !206.124.146.177
###############################################################################################################################################################################
# Secure wireless to Firewall
#
REDIRECT vpn 3128 tcp 80
###############################################################################################################################################################################
# Road Warriors to Firewall
#
ACCEPT vpn fw tcp ssh,time,631,8080
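Review bot: dropping the "Secure wireless to Firewall" block removes the only REDIRECT of vpn port 80 traffic to 3128, so web traffic from the vpn zone no longer passes through the transparent proxy while loc traffic still does (`REDIRECT loc 3128 tcp 80 - !206.124.146.177` is unchanged); the prose describing the proxy setup should say whether this is intentional, otherwise a reader will expect the vpn zone to be proxied like loc.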
@ -555,7 +555,6 @@ Ping/ACCEPT vpn dmz
# Local network to DMZ
#
ACCEPT loc dmz udp domain
LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz
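Review bot: removing `LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp` is fine if it was a temporary diagnostic, but the hunk leaves `ACCEPT loc dmz tcp smtp` as a separate line directly under the combined service list; unless there is a reason to keep smtp distinct (for example a planned rule between them), folding `smtp` into `ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https` would make the rule set easier to read.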
@ -586,7 +585,7 @@ Trcrt/ACCEPT net dmz
DNAT net loc:192.168.1.4 tcp 1729
DNAT net loc:192.168.1.4 gre
#
# Roadwarrior access to Ursa
# Roadwarrior access to Wookie
#
ACCEPT net:$OMAK loc tcp 22
Limit:$LOG:SSHA,3,60\
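Review bot: the comment now names a single host ("Wookie") but the rule beneath it, `ACCEPT net:$OMAK loc tcp 22`, admits SSH from $OMAK to the whole loc zone; either the comment should describe the rule as loc-wide access, or the rule should be narrowed to that host's address (`loc:<address>` in the DEST column, as the DNAT rules above already do for 192.168.1.4) so the rule grants no more than the comment claims.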
@ -605,6 +604,7 @@ ACCEPT net loc:192.168.1.3 udp
# Real Audio
#
ACCEPT net loc:192.168.1.3 udp 6970:7170
#
# Skype
#
ACCEPT net loc:192.168.1.6 tcp 1194
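Review bot: the new "Skype" header sits over `ACCEPT net loc:192.168.1.6 tcp 1194`; TCP 1194 is the IANA-registered OpenVPN port, so it is worth confirming that this rule really is for Skype (which normally uses a configurable or high port) rather than an OpenVPN endpoint on 192.168.1.6, since a mislabelled inbound allow is the kind of rule that survives later clean-ups unnoticed.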