Update Xen articles for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-19 10:46:36 -08:00
parent e36bf75f9f
commit 749fdfa5af
2 changed files with 53 additions and 99 deletions

@ -105,7 +105,7 @@
<para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png" />
<graphic align="center" fileref="images/Xen5.png"/>
<para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para>
@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
<para>With the three Xen domains up and running, the system looks as
shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4a.png" />
<graphic align="center" fileref="images/Xen4a.png"/>
<para>The zones correspond to the Shorewall zones in the Dom0
configuration.</para>
@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
a bridged OpenVPN server for the wireless network in our home. Here is
the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4a.png" />
<graphic align="center" fileref="images/network4a.png"/>
<para>The three laptops can be directly attached to the LAN as shown
above or they can be attached wirelessly -- their IP addresses are the
@ -520,8 +520,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall #The firewall itself.
net ipv4 #Internet
loc ipv4 #Local wired Zone
@ -533,8 +532,7 @@ wifi ipv4 #Local Wireless Zone
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW $FW ACCEPT
$FW net ACCEPT
loc net ACCEPT
@ -591,12 +589,11 @@ loc $TEST_IF detect optional
loc $TEST1_IF detect optional
wifi $WIFI_IF detect dhcp,maclist,mss=1400
vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
COMMENT One-to-one NAT
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
@ -609,7 +606,7 @@ COMMENT One-to-one NAT
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC
COMMENT Handle DSL 'Modem'
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
@ -637,19 +634,11 @@ $EXT_IF 192.168.1.0/24 206.124.146.179
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/blacklist</filename>:</para>
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
- udp 1024:1033,1434
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
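Review bot: the /etc/shorewall/blacklist listing (the `<para>` and its `<programlisting>` carrying the `- udp 1024:1033,1434` and `- tcp 57,1433,1434,...` entries) is removed outright, but nothing in this hunk replaces it or touches prose that may still refer to it; if the 5.0 version of the article still mentions those blocked ports anywhere, it should say where they are now expressed, and if the blacklist is intentionally gone, the text that introduced it should go with it rather than dangle.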
@ -667,8 +656,7 @@ ACCEPT $MIRRORS
<programlisting>SECTION NEW
###############################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
###############################################################################################################################################################################
REJECT:$LOG loc net tcp 25
REJECT:$LOG loc net udp 1025:1031
@ -893,28 +881,24 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes
#
DROP net:82.96.96.3 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para>
<para><filename>etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.</programlisting></para>
</blockquote>
<para>The <filename class="devicefile">tap0</filename> device used by
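Review bot: the replacement line `<para><filename>etc/shorewall/tcdevices</filename></para>` drops the leading slash from `/etc/shorewall/tcdevices`; every other filename in this hunk keeps it, so restore `/etc/shorewall/tcdevices`. While the tcdevices header is being rewritten, the misspelling is carried over (`IN-BANDWITH` becomes `IN_BANDWITH` next to a correctly spelled `OUT_BANDWIDTH`); it should read `IN_BANDWIDTH`. The tcrules-to-mangle conversion itself looks right: `tcp - 873` keeps the old PORT(S)/CLIENT PORT(S) ordering under the new `DPORT SPORT` header, so the rsync throttle still matches on source port 873.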

@ -72,7 +72,7 @@
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
as shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen1.png" />
<graphic align="center" fileref="images/Xen1.png"/>
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
the bridge and virtual interfaces from Dom0 itself. That distinction is
@ -169,7 +169,7 @@
<para>Here is a high-level diagram of our network.</para>
<graphic align="center" fileref="images/Xen5.png" />
<graphic align="center" fileref="images/Xen5.png"/>
<para>As shown in this diagram, the Xen system has three physical network
interfaces. These are:</para>
@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
<para>With all three Xen domains up and running, the system looks as
shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen4.png" />
<graphic align="center" fileref="images/Xen4.png"/>
<para>The zones correspond to the Shorewall zones in the firewall DomU
configuration.</para>
@ -430,39 +430,24 @@ done</programlisting>
<blockquote>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
dmz ipv4</programlisting>
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use
of an ACCEPT all-&gt;all policy):</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
dmz all REJECT info
all dmz REJECT info
all all ACCEPT
#LAST LINE -- DO NOT REMOVE</programlisting>
all all ACCEPT</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc xenbr0 192.168.1.255 dhcp,routeback
dmz xenbr1 - routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
dmz xenbr1 - routeback</programlisting>
</blockquote>
</section>
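Review bot: this hunk deletes the whole `/etc/shorewall/rules` listing (the `<para>` plus the `SECTION NEW` skeleton) instead of just updating its header. That is defensible given the `all all ACCEPT` policy shown above, which makes an empty rules file redundant, but any sentence in this section that still points the reader at the rules file should be adjusted in the same commit so the article does not reference a listing that no longer exists.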
@ -478,7 +463,7 @@ SECTION NEW
for our two laptops and a bridged OpenVPN server for the wireless
network in our home. Here is the firewall's view of the network:</para>
<graphic align="center" fileref="images/network4.png" />
<graphic align="center" fileref="images/network4.png"/>
<para>The two laptops can be directly attached to the LAN as shown above
or they can be attached wirelessly -- their IP addresses are the same in
@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
fw firewall
net ipv4 #Internet
loc ipv4 #Local wired Zone
dmz ipv4 #DMZ
vpn ipv4 #Open VPN clients
wifi ipv4 #Local Wireless Zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
</programlisting>
wifi ipv4 #Local Wireless Zone</programlisting>
<para><filename>/etc/shorewall/policy</filename>:</para>
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
$FW $FW ACCEPT
$FW net ACCEPT
loc net ACCEPT
@ -573,8 +554,7 @@ net $FW DROP $LOG 1/sec:2
net loc DROP $LOG 2/sec:4
net dmz DROP $LOG 8/sec:30
net vpn DROP $LOG
all all REJECT $LOG
#LAST LINE -- DO NOT REMOVE</programlisting>
all all REJECT $LOG</programlisting>
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
@ -607,15 +587,14 @@ dmz $DMZ_IF 192.168.0.255 logmartians
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
vpn tun+ -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/nat</filename>:</para>
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
# INTERFACES
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
the <filename>following proxyarp</filename> file that allows me to
@ -624,38 +603,33 @@ vpn tun+ -
rule before the SNAT rules generated by entries in
<filename>/etc/shorewall/nat</filename> above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
$EXT_IF 192.168.0.0/22 206.124.146.179
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
$EXT_IF 192.168.0.0/22 206.124.146.179</programlisting>
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
192.168.1.1 $EXT_IF $INT_IF yes
206.124.146.177 $DMZ_IF $EXT_IF yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
206.124.146.177 $DMZ_IF $EXT_IF yes</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/actions</filename>:</para>
<programlisting>#ACTION
Mirrors # Accept traffic from Shorewall Mirrors
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
<programlisting>#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE
ACCEPT $MIRRORS</programlisting>
<para><filename>/etc/shorewall/rules</filename>:</para>
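Review bot: the new action.Mirrors header uses `PORT` (`#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE`) where every other header in this commit uses `DPORT` for that column (the rules header in the first file and the masq headers in both files); make it `DPORT` for consistency. Separately, this file's masq header keeps `SUBNET` as the second column while the first file's masq header uses `SOURCE`; the two articles should agree on one column name.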
@ -815,28 +789,24 @@ Ping(ACCEPT) fw dmz
# Avoid logging Freenode.net probes
#
DROP net:82.96.96.3 all
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</programlisting>
<para><filename>/etc/shorewall/tcdevices</filename></para>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
$EXT_IF 1300kbit 384kbit
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</programlisting>
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
$EXT_IF 1300kbit 384kbit</programlisting>
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
$EXT_IF 20 3*full/10 9*full/10 2 default
$EXT_IF 30 2*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
# PORT(S)
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
#over the server
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
#Shorewall Mirrors.
</programlisting></para>
</blockquote>
<para>The tap0 device used by the bridged OpenVPN server is bridged to
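Review bot: the tcdevices header is rewritten but the misspelling survives, `IN-BANDWITH` becoming `IN_BANDWITH` beside a correctly spelled `OUT_BANDWIDTH`; it should read `IN_BANDWIDTH`. The rest of the hunk (tcrules replaced by a mangle listing with `CLASSIFY(1:110)` and `CLASSIFY(1:130)`, same `tcp - 873` ordering under `DPORT SPORT`) matches the equivalent change in the first file, except that the mangle listing here closes `</programlisting>` on its own line rather than directly after `#Shorewall Mirrors.`; harmless, but worth matching the other file.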