diff --git a/docs/Documentation_Index.xml b/docs/Documentation_Index.xml
index 197618792..6835964b6 100644
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -238,8 +238,8 @@
Port Knocking and Other Uses
of the 'Recent Match'
- Xen - Shorewall in Bridged Xen
- Dom0
+ Xen - Shorewall in Routed
+ Xen Dom0
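Review bot: only the entry title changes here; since the link target on this index element is not part of the visible lines, confirm the href was updated to point at docs/XenMyWay-Routed.xml rather than at docs/Xen.xml, which this same patch deletes. Leaving the old target behind a new title would produce a dangling link in the index.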
@@ -247,8 +247,7 @@
PPTP
- Xen - Shorewall in Routed
- Xen Dom0
+
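Review bot: the removal of the duplicate "Xen - Shorewall in Routed Xen Dom0" entry leaves a lone `+` line, i.e. an empty line in its place; drop it entirely rather than replacing two lines with whitespace, so the index does not accumulate blank entries. Together with the previous hunk the net effect is that the Bridged Dom0 entry disappears from the index, which matches the deletion of docs/Xen.xml below.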
diff --git a/docs/Xen.xml b/docs/Xen.xml
deleted file mode 100644
index ee2d12b4a..000000000
--- a/docs/Xen.xml
+++ /dev/null
@@ -1,283 +0,0 @@
-
-
-
-
-
-
- Xen and Shorewall
-
-
-
- Tom
-
- Eastep
-
-
-
-
-
-
- 2006
-
- 2007
-
- Thomas M. Eastep
-
-
-
- Permission is granted to copy, distribute and/or modify this
- document under the terms of the GNU Free Documentation License, Version
- 1.2 or any later version published by the Free Software Foundation; with
- no Invariant Sections, with no Front-Cover, and with no Back-Cover
- Texts. A copy of the license is included in the section entitled
- GNU Free Documentation
- License.
-
-
-
-
- This article applies to Shorewall
- 3.0.6 and later. If you are running a version of Shorewall
- earlier than Shorewall 3.0.6, you will need to upgrade to that
- version.
-
-
-
- The technique described in this article will not work if you are
- running kernel 2.6.20 or later.
-
-
-
- Xen Network Environment
-
- Xen is a
- paravirtualization tool that allows you to run
- multiple virtual machines on one physical machine. It is available on a
- wide number of platforms and is included in recent
- SUSE distributions.
-
- Xen refers to the virtual machines as
- Domains. Domains are numbered with the first domain
- being domain 0, the second domain 1, and so on. Domain 0
- (Dom0) is special because that is the domain
- created when to machine is booted. Additional domains (called
- DomU's) are created using the xm
- create command from within Domain 0. Additional domains can also
- be created automatically at boot time by using the
- xendomains service.
-
- Xen virtualizes a network interface named eth0
- This assumes the default Xen configuration created by
- xend and assumes that the host system has a single
- ethernet interface named eth0.
- in each domain. In Dom0, Xen also creates a bridge (xenbr0) and a number of virtual interfaces
- as shown in the following diagram.
-
-
-
- I use the term Extended Dom0 to distinguish
- the bridge and virtual interfaces from Dom0 itself. That distinction is
- important when we try to apply Shorewall in this environment.
-
- The bridge has a number of ports:
-
-
-
- peth0 — This is the port that connects to the physical network
- interface in your system.
-
-
-
- vif0.0 — This is the bridge port that is used by traffic to/from
- Domain 0.
-
-
-
- vifX.0 — This is the bridge port that is used by traffic to/from
- Domain X.
-
-
-
-
-
- Configuring Shorewall in Dom0
-
- As I state in the answer to Shorewall FAQ
- 2, I object to running servers in a local zone because if the
- server becomes compromised then there is no protection between that
- compromised server and the other local systems. Xen allows you to safely
- run Internet-accessible servers in your local zone by creating a firewall
- in (the Extended) Dom0 to isolate the server(s) from the other local
- systems (including Dom0).
-
-
- The Shorewall configuration shown in this article does not work
- with kernel 2.6.20 and later. For new Xen installations, I strongly
- recommend against a bridged Xen Domain 0 unless you run Shorewall in a DomU.
-
-
-
- I find a bridged Xen Domain 0 to be an arcane environment in which
- to try to use Netfilter (and hence Shorewall). As the number of
- interfaces and bridges increase, complexity increases geometrically. I
- recommend following this guide only if you really need to place a public
- server in your local network. Otherwise, running Shorewall in a DomU is much more
- straight-forward as is running
- Shorewall in a routed Dom0.
-
-
-
- I know of no case where a user has successfully used NAT
- (including Masquerade) in a bridged Xen Dom0. So if you want to create a
- masquerading firewall/gateway using Xen, you need to do so in a DomU
- (see how I did it) or you must
- configure Xen to use routing
- or NAT rather than the default bridging.
-
-
- Here is an example. In this example, we will assume that the system
- is behind a second firewall that restricts incoming traffic so that we
- only have to worry about protecting the local LAN from the systems running
- in the DomU's.
-
-
- /etc/shorewall/shorewall.conf
-
- Because Xen uses normal Linux bridging, you must enable bridge
- support in shorewall.conf
-
-
- BRIDGING=Yes
-
-
-
-
- /etc/shorewall/zones
-
- One thing strange about configuring Shorewall in this environment
- is that Dom0 is defined as two different zones. It is defined as the
- firewall zone and it is also defined as "all systems connected to
- xenbr0:vif0.0. In this case, I
- call this second zone ursa (which was
- the name given to the virtual system running in Dom0 when I ran this
- configuration); that zone corresponds to Dom0 as seen from the outside
- in the diagram above (see more below).
-
-
- # OPTIONS OPTIONS
-fw firewall #Domain 0
-ursa ipv4 #Domain 0 on the bridge
-dmz ipv4 #Server(s) running in Domains other than 0
-net ipv4 #The local LAN and beyond
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
-
-
-
-
- /etc/shorewall/interfaces
-
- We must deal with two network interfaces. We must deal with the
- (virtualized) eth0 and we must also deal with the bridge (xenbr0)
- created by Xen.
-
-
- #ZONE INTERFACE BROADCAST OPTIONS
-- xenbr0 - dhcp
-net eth0 detect dhcp
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-
-
-
- /etc/shorewall/hosts
-
- Here we define the zones ursa and
- dmz and we extend the definition of the
- zone net.
- #ZONE HOST(S) OPTIONS
-ursa xenbr0:vif0.0
-dmz xenbr0:vif+ routeback
-net xenbr0:peth0
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
-
-
- Note that the net zone has two
- different interfaces. From the point of view of Dom0 (which is where
- Shorewall runs), the net zone comprises
- everything except Dom0. From the point of view of the Extended Domain 0,
- the net zone is everything connected
- (directly or indirectly) to the peth0 port on the bridge.
-
-
-
- /etc/shorewall/policy
-
- The policies shown here effectively isolate Domains 1...N.
-
-
- #SOURCE DEST POLICY LOG LIMIT:BURST
-# LEVEL
-all fw ACCEPT
-fw all ACCEPT
-ursa all ACCEPT
-net ursa ACCEPT
-net net NONE
-all all REJECT info
-#LAST LINE -- DO NOT REMOVE
-
-
-
-
-
- /etc/shorewall/rules
-
- These rules determine the traffic allowed into and out of the
- dmz zone.
-
-
- #
-# "Net' to DMZ
-#
-ACCEPT net dmz udp domain
-ACCEPT net dmz tcp www,smtp,smtps,domain,ssh,imap,rsync,https,imaps,ftp,10023,pop3,3128
-Trcrt/ACCEPT net dmz
-#
-# DMZ to 'Net'
-#
-ACCEPT dmz net:!192.168.0.0/22 udp domain,ntp
-ACCEPT dmz net:!192.168.0.0/22 tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,rsync,cvspserver,2702,2703,8080
-ACCEPT dmz net:$POPSERVERS tcp pop3
-Ping/ACCEPT dmz net
-
-Ping/ACCEPT dmz ursa
-
-
- Here, 192.168.0.0/22 comprises the local network.
-
- From the point of view of Shorewall, the zone diagram
- is as shown in the following diagram.
-
-
-
- Note that the ursa zone subsumes
- the fw zone because the ursa zone is defined to be all systems that
- interface to xenbr0's vif0.0 port — it is the rules governing traffic
- to/from the ursa zone that protect the
- firewall in this configuration.
-
- More elaborate configurations are possible as described in my
- Xen and the Art of Consolidation
- article.
-
-
-
\ No newline at end of file
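Review bot: deleting docs/Xen.xml outright loses content that is not carried anywhere else in this patch: the worked zones/interfaces/hosts/policy/rules configuration for a bridged Dom0, and in particular the two cautions that the bridged technique stops working on kernel 2.6.20 and later and that NAT or masquerading has never been known to work in a bridged Xen Dom0. The "Xen Network Environment" section is moved into docs/XenMyWay.xml, but the statement "I know of no case where a user has successfully used NAT (including Masquerade) in a bridged Xen Dom0" is not. If the intent is to retire the bridged-Dom0 recipe, consider leaving a short stub in its place that states the kernel 2.6.20 limitation and points readers to the routed article, so existing external links to Xen.xml do not break and the warning survives.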
diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml
index 3c6f0f99d..71c1137bd 100644
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@@ -43,9 +43,8 @@
Before Xen
- Prior to adopting Xen, I had a home
- office crowded with 5 systems, three monitors a scanner and a printer. The
- systems were:
+ Prior to adopting Xen, I had a home office crowded with 5 systems,
+ three monitors a scanner and a printer. The systems were:
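Review bot: this is a whitespace-only reflow, but since the sentence is being touched anyway the missing comma in "three monitors a scanner and a printer" could be fixed in the same change ("three monitors, a scanner and a printer"); the identical sentence is reflowed in docs/XenMyWay.xml below and should get the same fix.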
@@ -161,15 +160,14 @@
As the developer of Shorewall, I have enough experience to be very
comfortable with Linux networking and Shorewall/iptables. I arrived at
this configuration after a fair amount of trial and error
- experimentation (see Xen and Shorewall and
- Xen and the art of Consolidation). If
- you are a Linux networking novice, I recommend that you do not attempt a
- configuration like this one for your first Shorewall installation. You
- are very likely to frustrate both yourself and the Shorewall support
- team. Rather I suggest that you start with something simple like a
- standalone installation in a DomU;
- once you are comfortable with that then you will be ready to try
- something more substantial.
+ experimentation (see Xen and the art of
+ Consolidation). If you are a Linux networking novice, I
+ recommend that you do not attempt a configuration like this one for your
+ first Shorewall installation. You are very likely to frustrate both
+ yourself and the Shorewall support team. Rather I suggest that you start
+ with something simple like a standalone
+ installation in a DomU; once you are comfortable with that then
+ you will be ready to try something more substantial.
As Paul Gear says: Shorewall might make iptables easy,
but it doesn't make understanding fundamental networking principles,
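Review bot: removing the "Xen and Shorewall" reference is consistent with deleting docs/Xen.xml, but the surviving reference reads "Xen and the art of Consolidation" while the deleted file called the same article "Xen and the Art of Consolidation"; pick one capitalisation for the title. Also confirm the link markup surrounding the removed reference was dropped cleanly, since only the text lines are visible here.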
diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml
index 8937b72cc..1ed3763f2 100644
--- a/docs/XenMyWay.xml
+++ b/docs/XenMyWay.xml
@@ -47,12 +47,67 @@
running kernel 2.6.20 or later.
+
+ Xen Network Environment
+
+ Xen is a
+ paravirtualization tool that allows you to run
+ multiple virtual machines on one physical machine. It is available on a
+ wide number of platforms and is included in recent
+ SUSE distributions.
+
+ Xen refers to the virtual machines as
+ Domains. Domains are numbered with the first domain
+ being domain 0, the second domain 1, and so on. Domain 0
+ (Dom0) is special because that is the domain
+ created when to machine is booted. Additional domains (called
+ DomU's) are created using the xm
+ create command from within Domain 0. Additional domains can also
+ be created automatically at boot time by using the
+ xendomains service.
+
+ Xen virtualizes a network interface named eth0
+ This assumes the default Xen configuration created by
+ xend and assumes that the host system has a single
+ ethernet interface named eth0.
+ in each domain. In Dom0, Xen also creates a bridge (xenbr0) and a number of virtual interfaces
+ as shown in the following diagram.
+
+
+
+ I use the term Extended Dom0 to distinguish
+ the bridge and virtual interfaces from Dom0 itself. That distinction is
+ important when we try to apply Shorewall in this environment.
+
+ The bridge has a number of ports:
+
+
+
+ peth0 — This is the port that connects to the physical network
+ interface in your system.
+
+
+
+ vif0.0 — This is the bridge port that is used by traffic to/from
+ Domain 0.
+
+
+
+ vifX.0 — This is the bridge port that is used by traffic to/from
+ Domain X.
+
+
+
+
Before Xen
- Prior to adopting Xen, I had a home
- office crowded with 5 systems, three monitors a scanner and a printer. The
- systems were:
+ Prior to adopting Xen, I had a home office crowded with 5 systems,
+ three monitors a scanner and a printer. The systems were:
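Review bot: the added "Xen Network Environment" section is a verbatim copy of the section removed from docs/Xen.xml, including its typo "the domain created when to machine is booted" (should be "when the machine is booted"); fix it while moving the text. Two further things to confirm, because only text lines appear in the hunk: the paragraph ends with "as shown in the following diagram", so the image reference that followed it in Xen.xml must have been copied as well and its path must resolve from the new file; and the footnote beginning "This assumes the default Xen configuration created by xend" needs its footnote markup to have come across intact, otherwise it will render inline in the middle of the sentence about eth0.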
@@ -110,10 +165,6 @@
personal Linux desktop system and our Linux Laptop run
Ubuntu "Dapper Drake".
- If you are unfamiliar with Xen networking, I recommend that you read
- the first section of the companion Xen and
- Shorewall article.
-
The configuration described below uses a
bridged Xen Networking configuration; if you want to see how to accomplish
a similar configuration using a Routed Xen configuration then please see
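Review bot: with the pointer to the companion "Xen and Shorewall" article removed, nothing here tells a reader unfamiliar with Xen networking where to look, even though the first hunk of this file adds exactly that material as a "Xen Network Environment" section above. Replace the deleted paragraph with a one-line reference to that new section rather than dropping the guidance altogether.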
@@ -176,12 +227,11 @@
As the developer of Shorewall, I have enough experience to be very
comfortable with Linux networking and Shorewall/iptables. I arrived at
this configuration after a fair amount of trial and error
- experimentation (see Xen and Shorewall).
- If you are a Linux networking novice, I recommend that you do not
- attempt a configuration like this one for your first Shorewall
- installation. You are very likely to frustrate both yourself and the
- Shorewall support team. Rather I suggest that you start with something
- simple like a standalone
+ experimentation. If you are a Linux networking novice, I recommend that
+ you do not attempt a configuration like this one for your first
+ Shorewall installation. You are very likely to frustrate both yourself
+ and the Shorewall support team. Rather I suggest that you start with
+ something simple like a standalone
installation in a domU; once you are comfortable with that then
you will be ready to try something more substantial.
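Review bot: this hunk leaves "installation in a domU" in lowercase while the parallel sentence in docs/XenMyWay-Routed.xml reads "installation in a DomU", and the section added earlier in this file uses "DomU's"; since the paragraph is being rewritten, normalise to one spelling. The removal of "(see Xen and Shorewall)" itself is correct given the file deletion.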