Update Xen articles for 5.0
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
e36bf75f9f
commit
749fdfa5af
@ -105,7 +105,7 @@
|
|||||||
|
|
||||||
<para>Here is a high-level diagram of our network.</para>
|
<para>Here is a high-level diagram of our network.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen5.png" />
|
<graphic align="center" fileref="images/Xen5.png"/>
|
||||||
|
|
||||||
<para>As shown in this diagram, the Xen system has three physical network
|
<para>As shown in this diagram, the Xen system has three physical network
|
||||||
interfaces. These are:</para>
|
interfaces. These are:</para>
|
||||||
@ -365,7 +365,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
|||||||
<para>With the three Xen domains up and running, the system looks as
|
<para>With the three Xen domains up and running, the system looks as
|
||||||
shown in the following diagram.</para>
|
shown in the following diagram.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen4a.png" />
|
<graphic align="center" fileref="images/Xen4a.png"/>
|
||||||
|
|
||||||
<para>The zones correspond to the Shorewall zones in the Dom0
|
<para>The zones correspond to the Shorewall zones in the Dom0
|
||||||
configuration.</para>
|
configuration.</para>
|
||||||
@ -440,7 +440,7 @@ bootentry = 'hda2:/boot/vmlinuz-xen,/boot/initrd-xen'
|
|||||||
a bridged OpenVPN server for the wireless network in our home. Here is
|
a bridged OpenVPN server for the wireless network in our home. Here is
|
||||||
the firewall's view of the network:</para>
|
the firewall's view of the network:</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network4a.png" />
|
<graphic align="center" fileref="images/network4a.png"/>
|
||||||
|
|
||||||
<para>The three laptops can be directly attached to the LAN as shown
|
<para>The three laptops can be directly attached to the LAN as shown
|
||||||
above or they can be attached wirelessly -- their IP addresses are the
|
above or they can be attached wirelessly -- their IP addresses are the
|
||||||
@ -520,8 +520,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall #The firewall itself.
|
fw firewall #The firewall itself.
|
||||||
net ipv4 #Internet
|
net ipv4 #Internet
|
||||||
loc ipv4 #Local wired Zone
|
loc ipv4 #Local wired Zone
|
||||||
@ -533,8 +532,7 @@ wifi ipv4 #Local Wireless Zone
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
# LEVEL
|
|
||||||
$FW $FW ACCEPT
|
$FW $FW ACCEPT
|
||||||
$FW net ACCEPT
|
$FW net ACCEPT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
@ -591,12 +589,11 @@ loc $TEST_IF detect optional
|
|||||||
loc $TEST1_IF detect optional
|
loc $TEST1_IF detect optional
|
||||||
wifi $WIFI_IF detect dhcp,maclist,mss=1400
|
wifi $WIFI_IF detect dhcp,maclist,mss=1400
|
||||||
vpn tun+ -
|
vpn tun+ -
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||||
# INTERFACES
|
|
||||||
COMMENT One-to-one NAT
|
COMMENT One-to-one NAT
|
||||||
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
|
206.124.146.178 $EXT_IF:0 192.168.1.3 No No
|
||||||
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
|
206.124.146.180 $EXT_IF:2 192.168.1.6 No No
|
||||||
@ -609,7 +606,7 @@ COMMENT One-to-one NAT
|
|||||||
rule before the SNAT rules generated by entries in
|
rule before the SNAT rules generated by entries in
|
||||||
<filename>/etc/shorewall/nat</filename> above.</para>
|
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
|
<programlisting>#INTERFACE SOURCE ADDRESS PROTO DPORT IPSEC
|
||||||
COMMENT Handle DSL 'Modem'
|
COMMENT Handle DSL 'Modem'
|
||||||
|
|
||||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||||
@ -637,19 +634,11 @@ $EXT_IF 192.168.1.0/24 206.124.146.179
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
# ZONE
|
|
||||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/blacklist</filename>:</para>
|
|
||||||
|
|
||||||
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
|
||||||
- udp 1024:1033,1434
|
|
||||||
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
|
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION
|
<programlisting>#ACTION
|
||||||
@ -667,8 +656,7 @@ ACCEPT $MIRRORS
|
|||||||
|
|
||||||
<programlisting>SECTION NEW
|
<programlisting>SECTION NEW
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE USER
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
REJECT:$LOG loc net tcp 25
|
REJECT:$LOG loc net tcp 25
|
||||||
REJECT:$LOG loc net udp 1025:1031
|
REJECT:$LOG loc net udp 1025:1031
|
||||||
@ -893,28 +881,24 @@ Ping(ACCEPT) fw dmz
|
|||||||
# Avoid logging Freenode.net probes
|
# Avoid logging Freenode.net probes
|
||||||
#
|
#
|
||||||
DROP net:82.96.96.3 all
|
DROP net:82.96.96.3 all
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tcdevices</filename></para>
|
<para><filename>etc/shorewall/tcdevices</filename></para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||||
$EXT_IF 1300kbit 384kbit
|
$EXT_IF 1300kbit 384kbit
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||||
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
||||||
$EXT_IF 20 3*full/10 9*full/10 2 default
|
$EXT_IF 20 3*full/10 9*full/10 2 default
|
||||||
$EXT_IF 30 2*full/10 6*full/10 3
|
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||||
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
#over the server
|
||||||
#over the server
|
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
#Shorewall Mirrors.</programlisting></para>
|
||||||
#Shorewall Mirrors.
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>The <filename class="devicefile">tap0</filename> device used by
|
<para>The <filename class="devicefile">tap0</filename> device used by
|
||||||
|
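Review bot: The `/etc/shorewall/blacklist` listing (udp 1024:1033,1434 and the tcp port list) is deleted from the Dom0 article with no replacement listing and no sentence telling the reader what happened to those blocks; presumably the file is gone in 5.0, but a reader migrating this configuration will silently lose the net-side port drops unless the article says so, e.g. add after the tunnels listing `<para>The blacklist file used in the 4.x version of this article is no longer shown; equivalent entries, if still wanted, belong in /etc/shorewall/blrules.</para>`. The updated tcdevices caption also lost its leading slash, `<para><filename>etc/shorewall/tcdevices</filename></para>` should read `<para><filename>/etc/shorewall/tcdevices</filename></para>`, and its new column header keeps the old misspelling, `IN_BANDWITH` should be `IN_BANDWIDTH` to match `OUT_BANDWIDTH` on the same line.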
@ -72,7 +72,7 @@
|
|||||||
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
|
class="devicefile">xenbr0</filename>) and a number of virtual interfaces
|
||||||
as shown in the following diagram.</para>
|
as shown in the following diagram.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen1.png" />
|
<graphic align="center" fileref="images/Xen1.png"/>
|
||||||
|
|
||||||
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
|
<para>I use the term <firstterm>Extended Dom0</firstterm> to distinguish
|
||||||
the bridge and virtual interfaces from Dom0 itself. That distinction is
|
the bridge and virtual interfaces from Dom0 itself. That distinction is
|
||||||
@ -169,7 +169,7 @@
|
|||||||
|
|
||||||
<para>Here is a high-level diagram of our network.</para>
|
<para>Here is a high-level diagram of our network.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen5.png" />
|
<graphic align="center" fileref="images/Xen5.png"/>
|
||||||
|
|
||||||
<para>As shown in this diagram, the Xen system has three physical network
|
<para>As shown in this diagram, the Xen system has three physical network
|
||||||
interfaces. These are:</para>
|
interfaces. These are:</para>
|
||||||
@ -330,7 +330,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
|||||||
<para>With all three Xen domains up and running, the system looks as
|
<para>With all three Xen domains up and running, the system looks as
|
||||||
shown in the following diagram.</para>
|
shown in the following diagram.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen4.png" />
|
<graphic align="center" fileref="images/Xen4.png"/>
|
||||||
|
|
||||||
<para>The zones correspond to the Shorewall zones in the firewall DomU
|
<para>The zones correspond to the Shorewall zones in the firewall DomU
|
||||||
configuration.</para>
|
configuration.</para>
|
||||||
@ -430,39 +430,24 @@ done</programlisting>
|
|||||||
<blockquote>
|
<blockquote>
|
||||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
loc ipv4
|
loc ipv4
|
||||||
dmz ipv4
|
dmz ipv4</programlisting>
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
||||||
</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use
|
<para><filename>/etc/shorewall/policy</filename> (Note the unusual use
|
||||||
of an ACCEPT all->all policy):</para>
|
of an ACCEPT all->all policy):</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
# LEVEL
|
|
||||||
dmz all REJECT info
|
dmz all REJECT info
|
||||||
all dmz REJECT info
|
all dmz REJECT info
|
||||||
all all ACCEPT
|
all all ACCEPT</programlisting>
|
||||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
<para><filename>/etc/shorewall/interfaces</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||||
loc xenbr0 192.168.1.255 dhcp,routeback
|
loc xenbr0 192.168.1.255 dhcp,routeback
|
||||||
dmz xenbr1 - routeback
|
dmz xenbr1 - routeback</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
|
||||||
# PORT PORT(S) DEST LIMIT GROUP
|
|
||||||
#SECTION ESTABLISHED
|
|
||||||
#SECTION RELATED
|
|
||||||
SECTION NEW
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
@ -478,7 +463,7 @@ SECTION NEW
|
|||||||
for our two laptops and a bridged OpenVPN server for the wireless
|
for our two laptops and a bridged OpenVPN server for the wireless
|
||||||
network in our home. Here is the firewall's view of the network:</para>
|
network in our home. Here is the firewall's view of the network:</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/network4.png" />
|
<graphic align="center" fileref="images/network4.png"/>
|
||||||
|
|
||||||
<para>The two laptops can be directly attached to the LAN as shown above
|
<para>The two laptops can be directly attached to the LAN as shown above
|
||||||
or they can be attached wirelessly -- their IP addresses are the same in
|
or they can be attached wirelessly -- their IP addresses are the same in
|
||||||
@ -544,21 +529,17 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
|||||||
|
|
||||||
<para><filename>/etc/shorewall/zones</filename>:</para>
|
<para><filename>/etc/shorewall/zones</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
<programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
|
||||||
# OPTIONS OPTIONS
|
|
||||||
fw firewall
|
fw firewall
|
||||||
net ipv4 #Internet
|
net ipv4 #Internet
|
||||||
loc ipv4 #Local wired Zone
|
loc ipv4 #Local wired Zone
|
||||||
dmz ipv4 #DMZ
|
dmz ipv4 #DMZ
|
||||||
vpn ipv4 #Open VPN clients
|
vpn ipv4 #Open VPN clients
|
||||||
wifi ipv4 #Local Wireless Zone
|
wifi ipv4 #Local Wireless Zone</programlisting>
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
|
|
||||||
</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/policy</filename>:</para>
|
<para><filename>/etc/shorewall/policy</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#SOURCE DEST POLICY LOG LIMIT:BURST
|
<programlisting>#SOURCE DEST POLICY LOGLEVEL LIMIT
|
||||||
# LEVEL
|
|
||||||
$FW $FW ACCEPT
|
$FW $FW ACCEPT
|
||||||
$FW net ACCEPT
|
$FW net ACCEPT
|
||||||
loc net ACCEPT
|
loc net ACCEPT
|
||||||
@ -573,8 +554,7 @@ net $FW DROP $LOG 1/sec:2
|
|||||||
net loc DROP $LOG 2/sec:4
|
net loc DROP $LOG 2/sec:4
|
||||||
net dmz DROP $LOG 8/sec:30
|
net dmz DROP $LOG 8/sec:30
|
||||||
net vpn DROP $LOG
|
net vpn DROP $LOG
|
||||||
all all REJECT $LOG
|
all all REJECT $LOG</programlisting>
|
||||||
#LAST LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
|
<para><filename>/etc/shorewall/params (edited)</filename>:</para>
|
||||||
|
|
||||||
@ -607,15 +587,14 @@ dmz $DMZ_IF 192.168.0.255 logmartians
|
|||||||
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
|
loc $INT_IF 192.168.1.255 dhcp,routeback,logmartians
|
||||||
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
|
wifi $WIFI_IF 192.168.3.255 dhcp,maclist
|
||||||
vpn tun+ -
|
vpn tun+ -
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/nat</filename>:</para>
|
<para><filename>/etc/shorewall/nat</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
<programlisting>#EXTERNAL INTERFACE INTERNAL ALLINTS LOCAL
|
||||||
# INTERFACES
|
|
||||||
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
|
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
|
||||||
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
|
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||||
the <filename>following proxyarp</filename> file that allows me to
|
the <filename>following proxyarp</filename> file that allows me to
|
||||||
@ -624,38 +603,33 @@ vpn tun+ -
|
|||||||
rule before the SNAT rules generated by entries in
|
rule before the SNAT rules generated by entries in
|
||||||
<filename>/etc/shorewall/nat</filename> above.</para>
|
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
<programlisting>#INTERFACE SUBNET ADDRESS PROTO DPORT IPSEC
|
||||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||||
$EXT_IF 192.168.0.0/22 206.124.146.179
|
$EXT_IF 192.168.0.0/22 206.124.146.179</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
<para><filename>/etc/shorewall/proxyarp</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
<programlisting>#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT
|
||||||
192.168.1.1 $EXT_IF $INT_IF yes
|
192.168.1.1 $EXT_IF $INT_IF yes
|
||||||
206.124.146.177 $DMZ_IF $EXT_IF yes
|
206.124.146.177 $DMZ_IF $EXT_IF yes</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
<para><filename>/etc/shorewall/tunnels</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
<programlisting>#TYPE ZONE GATEWAY GATEWAY_ZONE
|
||||||
# ZONE
|
|
||||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#ACTION
|
<programlisting>#ACTION
|
||||||
Mirrors # Accept traffic from Shorewall Mirrors
|
Mirrors # Accept traffic from Shorewall Mirrors
|
||||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
<para><filename>/etc/shorewall/action.Mirrors</filename>:</para>
|
||||||
|
|
||||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
<programlisting>#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE
|
||||||
# PORT PORT(S) DEST LIMIT
|
ACCEPT $MIRRORS</programlisting>
|
||||||
ACCEPT $MIRRORS
|
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/rules</filename>:</para>
|
<para><filename>/etc/shorewall/rules</filename>:</para>
|
||||||
|
|
||||||
@ -815,28 +789,24 @@ Ping(ACCEPT) fw dmz
|
|||||||
# Avoid logging Freenode.net probes
|
# Avoid logging Freenode.net probes
|
||||||
#
|
#
|
||||||
DROP net:82.96.96.3 all
|
DROP net:82.96.96.3 all
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tcdevices</filename></para>
|
<para><filename>/etc/shorewall/tcdevices</filename></para>
|
||||||
|
|
||||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
<programlisting>#INTERFACE IN_BANDWITH OUT_BANDWIDTH
|
||||||
$EXT_IF 1300kbit 384kbit
|
$EXT_IF 1300kbit 384kbit</programlisting>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
|
||||||
</programlisting>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
<para><filename>/etc/shorewall/tcclasses</filename><programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||||
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
$EXT_IF 10 5*full/10 full 1 tcp-ack,tos-minimize-delay
|
||||||
$EXT_IF 20 3*full/10 9*full/10 2 default
|
$EXT_IF 20 3*full/10 9*full/10 2 default
|
||||||
$EXT_IF 30 2*full/10 6*full/10 3
|
$EXT_IF 30 2*full/10 6*full/10 3</programlisting></para>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
|
||||||
|
|
||||||
<para><filename>/etc/shorewall/tcrules</filename><programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
<para><filename>/etc/shorewall/mangle</filename><programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST
|
||||||
# PORT(S)
|
CLASSIFY(1:110) 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
||||||
1:110 192.168.0.0/22 $EXT_IF #Our internal nets get priority
|
#over the server
|
||||||
#over the server
|
CLASSIFY(1:130) 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
||||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Throttle rsync traffic to the
|
#Shorewall Mirrors.
|
||||||
#Shorewall Mirrors.
|
</programlisting></para>
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting></para>
|
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>The tap0 device used by the bridged OpenVPN server is bridged to
|
<para>The tap0 device used by the bridged OpenVPN server is bridged to
|
||||||
|
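Review bot: The rewritten `action.Mirrors` header names its fifth column `PORT` while every other listing updated in this commit uses the 5.0 name `DPORT` (the masq and mangle headers in this same file use `DPORT`), so `#TARGET SOURCE DEST PROTO PORT SPORT ORIGDEST RATE` should become `#TARGET SOURCE DEST PROTO DPORT SPORT ORIGDEST RATE`. The tcdevices header carries over the old typo as well, `IN_BANDWITH` should be `IN_BANDWIDTH`. Dropping the empty `/etc/shorewall/rules` listing from the firewall-DomU section is fine, but since that section also shows an `all all ACCEPT` policy it would help to keep one sentence stating that no rules file is needed there because the all->all ACCEPT policy and the dmz REJECT policies carry the whole intent, so readers do not assume the listing was lost.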