Mirror of https://gitlab.com/shorewall/code.git, synced 2024-12-23 06:38:53 +01:00
Update Xen My Way Doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent a89b603e41
commit 664394ef07
@ -15,7 +15,7 @@
|
|||||||
</author>
|
</author>
|
||||||
</authorgroup>
|
</authorgroup>
|
||||||
|
|
||||||
<pubdate>2006-03-13</pubdate>
|
<pubdate>2006-03-14</pubdate>
|
||||||
|
|
||||||
<copyright>
|
<copyright>
|
||||||
<year>2006</year>
|
<year>2006</year>
|
||||||
@ -128,7 +128,7 @@
|
|||||||
<para>There are three Xen domains. Dom0 (ursa) is used as a file server.
|
<para>There are three Xen domains. Dom0 (ursa) is used as a file server.
|
||||||
One DomU (which is usually Domain 1) is used as a firewall and the other
|
One DomU (which is usually Domain 1) is used as a firewall and the other
|
||||||
(lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
|
(lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
|
||||||
Because Xen only supports three virtual interfaces per DomU, I also use
|
Because Xen 3 only supports three virtual interfaces per DomU, I also use
|
||||||
ursa as a gateway for our wireless network rather than placing that
|
ursa as a gateway for our wireless network rather than placing that
|
||||||
function in the firewall DomU (that domain already has three interfaces).
|
function in the firewall DomU (that domain already has three interfaces).
|
||||||
Shorewall runs in both Dom0 and in the firewall domain.</para>
|
Shorewall runs in both Dom0 and in the firewall domain.</para>
|
||||||
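Review bot: the new "Xen 3" qualifier on the three-virtual-interfaces limit is the right fix, since this is a version-specific constraint rather than a property of Xen in general. Because the same sentence uses that limit to justify running the wireless gateway in Dom0 (ursa) next to the file server and a Shorewall instance, consider adding that this placement is a workaround to be revisited once the DomU interface limit no longer applies, so Dom0 is not left carrying a network-edge role by default.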
@ -260,12 +260,16 @@ done</programlisting>
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Allow traffic to flow unrestricted through the three
|
<para>Allow traffic to flow unrestricted through the three bridges.
|
||||||
switches.</para>
|
This is done by configuring the hosts connected to each bridge as a
|
||||||
|
separate zone and relying on the implicit intra-zone ACCEPT policy to
|
||||||
|
permit traffic through the bridge.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Ensure that there is no stray traffic between the zones.</para>
|
<para>Ensure that there is no stray traffic between the zones. This is
|
||||||
|
a "belt+suspenders" measure since there should be no routing between
|
||||||
|
the bridges (because they don't have IP addresses).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
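Review bot: the rewritten second item now explains the mechanism (one zone per bridge, implicit intra-zone ACCEPT), which the old "switches" wording lacked; in the third item the justification that nothing routes between the bridges "because they don't have IP addresses" depends on Dom0 keeping its bridge interfaces unnumbered, so the "belt+suspenders" rules are the control a reader should rely on, not that assumption. Two small suggestions: name the explicit inter-zone policy (DROP or REJECT) these bridge zones receive so the measure can be verified in the policy file, and write "belt and suspenders" in prose.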
@ -536,10 +540,6 @@ DROP loc fw tcp
|
|||||||
Ping/ACCEPT loc fw
|
Ping/ACCEPT loc fw
|
||||||
REDIRECT loc 3128 tcp 80 - !206.124.146.177
|
REDIRECT loc 3128 tcp 80 - !206.124.146.177
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Secure wireless to Firewall
|
|
||||||
#
|
|
||||||
REDIRECT vpn 3128 tcp 80
|
|
||||||
###############################################################################################################################################################################
|
|
||||||
# Road Warriors to Firewall
|
# Road Warriors to Firewall
|
||||||
#
|
#
|
||||||
ACCEPT vpn fw tcp ssh,time,631,8080
|
ACCEPT vpn fw tcp ssh,time,631,8080
|
||||||
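Review bot: this hunk drops the whole "Secure wireless to Firewall" block, including `REDIRECT vpn 3128 tcp 80`, so HTTP from the vpn zone is no longer transparently proxied to squid on 3128, while `REDIRECT loc 3128 tcp 80 - !206.124.146.177` still does this for loc. Since the earlier hunk moves the wireless gateway into Dom0, state that the redirect moved with it (or how wireless clients now reach the proxy), otherwise readers copying this rules file get a configuration that quietly bypasses the proxy for wireless clients.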
@ -555,7 +555,6 @@ Ping/ACCEPT vpn dmz
|
|||||||
# Local network to DMZ
|
# Local network to DMZ
|
||||||
#
|
#
|
||||||
ACCEPT loc dmz udp domain
|
ACCEPT loc dmz udp domain
|
||||||
LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp
|
|
||||||
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
||||||
ACCEPT loc dmz tcp smtp
|
ACCEPT loc dmz tcp smtp
|
||||||
Trcrt/ACCEPT loc dmz
|
Trcrt/ACCEPT loc dmz
|
||||||
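Review bot: removing `LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp` takes away the only record in this file of SMTP from that range to the DMZ, while the `ACCEPT loc dmz tcp smtp` two lines below still permits it unchanged. If the logging was temporary diagnostics, a one-line note saying so would help; if not, keep it, since a non-terminating LOG placed before the ACCEPT changes nothing about what is allowed and costs only log volume.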
@ -586,7 +585,7 @@ Trcrt/ACCEPT net dmz
|
|||||||
DNAT net loc:192.168.1.4 tcp 1729
|
DNAT net loc:192.168.1.4 tcp 1729
|
||||||
DNAT net loc:192.168.1.4 gre
|
DNAT net loc:192.168.1.4 gre
|
||||||
#
|
#
|
||||||
# Roadwarrior access to Ursa
|
# Roadwarrior access to Wookie
|
||||||
#
|
#
|
||||||
ACCEPT net:$OMAK loc tcp 22
|
ACCEPT net:$OMAK loc tcp 22
|
||||||
Limit:$LOG:SSHA,3,60\
|
Limit:$LOG:SSHA,3,60\
|
||||||
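Review bot: only the comment changed here (Ursa to Wookie); the rule beneath it, `ACCEPT net:$OMAK loc tcp 22`, still admits SSH from $OMAK to every host in loc rather than to one machine. If the intent is access to a single host, as the comment now states, narrow the DEST to that host (`loc:<wookie address>`, address to be filled in), the same way the surrounding DNAT rules use `loc:192.168.1.4`, so the comment and the enforced rule agree and the Limit action below applies to the host it was meant for.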
@ -605,6 +604,7 @@ ACCEPT net loc:192.168.1.3 udp
|
|||||||
# Real Audio
|
# Real Audio
|
||||||
#
|
#
|
||||||
ACCEPT net loc:192.168.1.3 udp 6970:7170
|
ACCEPT net loc:192.168.1.3 udp 6970:7170
|
||||||
|
#
|
||||||
# Skype
|
# Skype
|
||||||
#
|
#
|
||||||
ACCEPT net loc:192.168.1.6 tcp 1194
|
ACCEPT net loc:192.168.1.6 tcp 1194
|
||||||
|
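Review bot: the added `#` separator before the Skype block is cosmetic and fine. While here, the `# Skype` label over `ACCEPT net loc:192.168.1.6 tcp 1194` is likely to confuse readers, because TCP 1194 is the IANA-registered OpenVPN port; if Skype on 192.168.1.6 is deliberately configured to listen there, say so in the comment, otherwise a reviewer will read this rule as an unintended VPN exposure of that host.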