Add some info about mis-using Vserver zones

2024-11-08 08:44:05 +01:00 · 2011-01-23 09:43:35 -08:00 · 2011-01-23 09:43:35 -08:00 · a7dd95d394
commit a7dd95d394
parent 82913abeca
2 changed files with 15 additions and 0 deletions
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@ -338,5 +338,15 @@ loc2         eth1:192.168.20.0/24</programlisting>
        Interface</emphasis></ulink>.</para>
      </example>
    </section>
+
+    <section>
+      <title>Defining a Zone-per-Address</title>
+
+      <para><ulink url="Vserver.html">Shorewall's support for Linux
+      Vservers</ulink> can (miss-)used to create a separate zone per alias.
+      Note that this results in a <emphasis>partitioning of the firewall
+      zone</emphasis>. Be sure that you define an ACCEPT policy between your
+      vserver zones and $FW.</para>
+    </section>
  </section>
 </article>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@ -65,6 +65,11 @@
      </listitem>
    </itemizedlist>

+    <para>Note that you don't need to run Vservers to use vserver zones; they
+    may also be used to create a firewall sub-zone for each <ulink
+    url="Shorewall_and_Aliased_Interfaces.html">aliased
+    interface</ulink>.</para>
+
    <para>If you use these zones, keep in mind that Linux-vserver implements a
    very weak form of network virtualization:</para>