Update Xen My Way Doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent a89b603e41
commit 664394ef07
@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2006-03-13</pubdate>
<pubdate>2006-03-14</pubdate>
<copyright>
<year>2006</year>
@ -128,7 +128,7 @@
<para>There are three Xen domains. Dom0 (ursa) is used as a file server.
One DomU (which is usually Domain 1) is used as a firewall and the other
(lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
Because Xen only supports three virtual interfaces per DomU, I also use
Because Xen 3 only supports three virtual interfaces per DomU, I also use
ursa as a gateway for our wireless network rather than placing that
function in the firewall DomU (that domain already has three interfaces).
Shorewall runs in both Dom0 and in the firewall domain.</para>
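Review bot: Adding the version qualifier in "Because Xen 3 only supports three virtual interfaces per DomU" is the right fix, because the design decision that follows (ursa in Dom0 gatewaying the wireless network instead of the firewall DomU, which "already has three interfaces") rests on that limit; consider also saying in the same paragraph that the limit should be re-checked on a later Xen release before the layout is copied, since the three-interface ceiling is what keeps the wireless segment out of the firewall domain.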
@ -260,12 +260,16 @@ done</programlisting>
</listitem>
<listitem>
<para>Allow traffic to flow unrestricted through the three
switches.</para>
<para>Allow traffic to flow unrestricted through the three bridges.
This is done by configuring the hosts connected to each bridge as a
separate zone and relying on the implicit intra-zone ACCEPT policy to
permit traffic through the bridge.</para>
</listitem>
<listitem>
<para>Ensure that there is no stray traffic between the zones.</para>
<para>Ensure that there is no stray traffic between the zones. This is
a "belt+suspenders" measure since there should be no routing between
the bridges (because they don't have IP addresses).</para>
</listitem>
</itemizedlist>
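Review bot: The rewritten first item now states that unrestricted bridge traffic comes from "relying on the implicit intra-zone ACCEPT policy", which makes zone membership the control: any host placed in a bridge's zone passes freely, so the text should say where each bridge's hosts are declared and that assigning a host to the wrong zone widens that bridge's reach. The second item's "belt+suspenders" reasoning (no routing because the bridges "don't have IP addresses") is sound, but naming the explicit policy or rule that enforces the no-stray-traffic guarantee would let a reader verify it rather than infer it.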
@ -536,10 +540,6 @@ DROP loc fw tcp
Ping/ACCEPT loc fw
REDIRECT loc 3128 tcp 80 - !206.124.146.177
###############################################################################################################################################################################
# Secure wireless to Firewall
#
REDIRECT vpn 3128 tcp 80
###############################################################################################################################################################################
# Road Warriors to Firewall
#
ACCEPT vpn fw tcp ssh,time,631,8080
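Review bot: Dropping the "Secure wireless to Firewall" section, and with it `REDIRECT vpn 3128 tcp 80`, is consistent with the earlier change saying ursa (Dom0) now gateways the wireless network rather than the firewall DomU, but nothing in this hunk records that the transparent proxy redirect for wireless web traffic moved with it; add a sentence to the prose or the commit message stating where that REDIRECT now lives, otherwise a reader comparing the two versions may conclude that wireless port 80 traffic now bypasses the 3128 proxy. The retained `ACCEPT vpn fw tcp ssh,time,631,8080` rule still names the vpn zone, so the zone itself survives and the comment above it should make that distinction clear.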
@ -555,7 +555,6 @@ Ping/ACCEPT vpn dmz
# Local network to DMZ
#
ACCEPT loc dmz udp domain
LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz
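Review bot: Removing `LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp` changes only visibility, not access: the following `ACCEPT loc dmz tcp smtp` still accepts SMTP from the whole loc zone to the DMZ, so SMTP from 64.126.128.0/18 is now accepted silently instead of being logged first. If the log line was dropped because it was noisy or because that address block is no longer in use, say so in the commit message, since losing a log rule for mail traffic is the kind of change an incident responder later needs to be able to date.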
@ -586,7 +585,7 @@ Trcrt/ACCEPT net dmz
DNAT net loc:192.168.1.4 tcp 1729
DNAT net loc:192.168.1.4 gre
#
# Roadwarrior access to Ursa
# Roadwarrior access to Wookie
#
ACCEPT net:$OMAK loc tcp 22
Limit:$LOG:SSHA,3,60\
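Review bot: Only the comment changes here ("Roadwarrior access to Ursa" becomes "Roadwarrior access to Wookie"); the rule `ACCEPT net:$OMAK loc tcp 22` and the `Limit:$LOG:SSHA,3,60\` continuation beneath it are untouched. Since the earlier hunk names ursa as Dom0, the new comment now points at a host, Wookie, that is not introduced anywhere in this diff; make sure the document identifies Wookie, and that the rule's unqualified loc destination really is that host, so the comment matches what the rule permits.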
@ -605,6 +604,7 @@ ACCEPT net loc:192.168.1.3 udp
# Real Audio
#
ACCEPT net loc:192.168.1.3 udp 6970:7170
#
# Skype
#
ACCEPT net loc:192.168.1.6 tcp 1194
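Review bot: The rule added under "# Skype", `ACCEPT net loc:192.168.1.6 tcp 1194`, accepts inbound TCP 1194 from the entire net zone with no source restriction and no rate limit, unlike the neighbouring road-warrior rule that is pinned to `net:$OMAK` and wrapped in `Limit:$LOG:SSHA,3,60`; that may well be intentional for a peer-to-peer application, but the comment should say which host 192.168.1.6 is and why 1194 was chosen, so the open port is not mistaken for a leftover when the rules are next audited.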