Update Xen My Way Doc

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-03-14 17:00:19 +00:00
parent a89b603e41
commit 664394ef07


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2006-03-13</pubdate> <pubdate>2006-03-14</pubdate>
<copyright> <copyright>
<year>2006</year> <year>2006</year>
@ -128,7 +128,7 @@
<para>There are three Xen domains. Dom0 (ursa) is used as a file server. <para>There are three Xen domains. Dom0 (ursa) is used as a file server.
One DomU (which is usually Domain 1) is used as a firewall and the other One DomU (which is usually Domain 1) is used as a firewall and the other
(lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server. (lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
Because Xen only supports three virtual interfaces per DomU, I also use Because Xen 3 only supports three virtual interfaces per DomU, I also use
ursa as a gateway for our wireless network rather than placing that ursa as a gateway for our wireless network rather than placing that
function in the firewall DomU (that domain already has three interfaces). function in the firewall DomU (that domain already has three interfaces).
Shorewall runs in both Dom0 and in the firewall domain.</para> Shorewall runs in both Dom0 and in the firewall domain.</para>
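Review bot: the rewritten sentence now states "Xen 3 only supports three virtual interfaces per DomU" as the reason the wireless gateway lives in ursa rather than in the firewall DomU; since the whole topology decision rests on that limit, say explicitly that it is the limit of the Xen 3 release used here, so readers on a later release know to re-check it before copying the layout. Otherwise the added version qualifier is an improvement over the bare "Xen only supports".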
@ -260,12 +260,16 @@ done</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>Allow traffic to flow unrestricted through the three <para>Allow traffic to flow unrestricted through the three bridges.
switches.</para> This is done by configuring the hosts connected to each bridge as a
separate zone and relying on the implicit intra-zone ACCEPT policy to
permit traffic through the bridge.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>Ensure that there is no stray traffic between the zones.</para> <para>Ensure that there is no stray traffic between the zones. This is
a "belt+suspenders" measure since there should be no routing between
the bridges (because they don't have IP addresses).</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
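Review bot: the new text in the second list item says the hosts on each bridge are "configured as a separate zone" and relies on the intra-zone ACCEPT policy, but the hunk does not say where that mapping is defined; point the reader to the zone and host definitions the document shows elsewhere so they can see which bridge ports belong to which zone. In the third item, "belt+suspenders" should be "belt-and-suspenders", and the parenthetical "(because they don't have IP addresses)" would be clearer as a full clause: Dom0 cannot route between the bridges because none of them has an IP address, so the inter-zone rules are a second line of defence rather than the primary one.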
@ -536,10 +540,6 @@ DROP loc fw tcp
Ping/ACCEPT loc fw Ping/ACCEPT loc fw
REDIRECT loc 3128 tcp 80 - !206.124.146.177 REDIRECT loc 3128 tcp 80 - !206.124.146.177
############################################################################################################################################################################### ###############################################################################################################################################################################
# Secure wireless to Firewall
#
REDIRECT vpn 3128 tcp 80
###############################################################################################################################################################################
# Road Warriors to Firewall # Road Warriors to Firewall
# #
ACCEPT vpn fw tcp ssh,time,631,8080 ACCEPT vpn fw tcp ssh,time,631,8080
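Review bot: deleting the "Secure wireless to Firewall" block, including `REDIRECT vpn 3128 tcp 80`, changes behaviour for the vpn zone (port 80 from vpn is no longer redirected to the proxy on 3128), but neither the hunk nor the commit message explains why. If the reason is that the secure-wireless gateway function moved to ursa, as the earlier paragraph describes, say so next to the surviving `REDIRECT loc 3128 tcp 80 - !206.124.146.177` rule, and confirm that vpn web traffic is handled elsewhere, since the remaining `ACCEPT vpn fw tcp ssh,time,631,8080` entry does not include port 80.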
@ -555,7 +555,6 @@ Ping/ACCEPT vpn dmz
# Local network to DMZ # Local network to DMZ
# #
ACCEPT loc dmz udp domain ACCEPT loc dmz udp domain
LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https - ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
ACCEPT loc dmz tcp smtp ACCEPT loc dmz tcp smtp
Trcrt/ACCEPT loc dmz Trcrt/ACCEPT loc dmz
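Review bot: removing `LOG:$LOG loc:64.126.128.0/18 dmz tcp smtp` means SMTP from that block to the DMZ is now matched silently by `ACCEPT loc dmz tcp smtp`; if the LOG rule was a temporary diagnostic, a short sentence saying so would help readers who copy this rules file as a template, and if 64.126.128.0/18 is not actually part of the loc zone's networks the rule never matched and the removal is a good cleanup either way.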
@ -586,7 +585,7 @@ Trcrt/ACCEPT net dmz
DNAT net loc:192.168.1.4 tcp 1729 DNAT net loc:192.168.1.4 tcp 1729
DNAT net loc:192.168.1.4 gre DNAT net loc:192.168.1.4 gre
# #
# Roadwarrior access to Ursa # Roadwarrior access to Wookie
# #
ACCEPT net:$OMAK loc tcp 22 ACCEPT net:$OMAK loc tcp 22
Limit:$LOG:SSHA,3,60\ Limit:$LOG:SSHA,3,60\
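Review bot: the comment now reads "Roadwarrior access to Wookie", but the rule beneath it, `ACCEPT net:$OMAK loc tcp 22`, still permits SSH from $OMAK to every host in the loc zone, not just Wookie; either restrict the destination to that host (loc:<its address>, as the DNAT rules above do with loc:192.168.1.4) or keep the comment general so the documentation does not promise a narrower rule than the one shown.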
@ -605,6 +604,7 @@ ACCEPT net loc:192.168.1.3 udp
# Real Audio # Real Audio
# #
ACCEPT net loc:192.168.1.3 udp 6970:7170 ACCEPT net loc:192.168.1.3 udp 6970:7170
#
# Skype # Skype
# #
ACCEPT net loc:192.168.1.6 tcp 1194 ACCEPT net loc:192.168.1.6 tcp 1194