Bring SVN documentation tree up to date

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3561 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/XenMyWay.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2006-02-19</pubdate>
+    <pubdate>2006-02-20</pubdate>
 
     <copyright>
       <year>2006</year>
@@ -87,8 +87,8 @@
       </listitem>
 
       <listitem>
-        <para>My Linux desktop (which is actually the old public
+        <para>My Linux desktop (wookie, which is actually the old public
-        server)</para>
+        server box)</para>
       </listitem>
     </orderedlist>
 
@@ -123,20 +123,23 @@
 
     <para>There are three Xen domains. Dom0 (ursa) is used as a file server.
     One DomU (which is usually Domain 1) is used as a firewall and the other
-    (normally Domain 2) is used as a public Web/FTP/Mail/DNS server. Because
+    (lists, normally Domain 2) is used as a public Web/FTP/Mail/DNS server.
-    Xen only supports three virtual interfaces per DomU, I also use ursa as a
+    Because Xen only supports three virtual interfaces per DomU, I also use
-    gateway for our wireless network. Shorewall runs in both Dom0 and in the
+    ursa as a gateway for our wireless network rather than placing that
-    firewall domain.</para>
+    function in the firewall DomU (that domain already has three interfaces).
+    Shorewall runs in both Dom0 and in the firewall domain.</para>
 
-    <para>I have 1.5GB of RAM so I allocate 512MB to each server and 448MB to
+    <para>The system has 1.5GB of RAM so I allocate 512MB to each server and
-    the firewall (the remaining 64MB is used by Xen).</para>
+    448MB to the firewall (the remaining 64MB is used by Xen).</para>
 
-    <para>Here are the relevant configuration files for the three
+    <para>Below are the relevant configuration files for the three domains.
-    domains:</para>
+    The "loopback.nloopbacks=..." entries are used to restrict the number of
+    "veth<emphasis>n</emphasis>" devices that the Xen kernel creates. I use
+    partitions on my hard drives for DomU storage devices.</para>
 
     <blockquote>
       <para><filename>/boot/grub/menu.lst</filename> — here is the entry that
-      boots Xen in Dom0</para>
+      boots Xen in Dom0.</para>
 
       <programlisting>title XEN
     root (hd0,1)
@@ -210,7 +213,7 @@ disk     = [ 'phy:hda3,hda3,w' ]</programlisting>
     configuration.</para>
 
     <para>SuSE 10.0 includes Xen 3.0 which does not support PCI delegation; I
-    therefore used a bridged configuration with three briges (one for each
+    therefore use a bridged configuration with three briges (one for each
     network interface). When Shorewall starts during boot, it creates the
     three bridges and the tap device <filename
     class="devicefile">tap0</filename> and adds tap0 to <filename
@@ -220,50 +223,29 @@ disk     = [ 'phy:hda3,hda3,w' ]</programlisting>
     <para>Here is <filename>/etc/shorewall/init in Dom0</filename>:</para>
 
     <blockquote>
-      <programlisting>cat &gt;&amp;3 &lt;&lt; __EOF__
+      <programlisting>for bridge in xenbr0 xenbr1 xenbr2; do
-${INDENT}for bridge in xenbr0 xenbr1 xenbr2; do
+    if [ -z "$(/sbin/brctl show 2&gt; /dev/null | fgrep $bridge)" ]; then
-${INDENT}    if [ -z "\$(/sbin/brctl show 2&gt; /dev/null | fgrep \$bridge)" ]; then
+        /sbin/brctl addbr $bridge
-${INDENT}        /sbin/brctl addbr \$bridge
+        /sbin/ip link set dev $bridge up
-${INDENT}        /sbin/ip link set dev \$bridge up
+        case $bridge in
-${INDENT}        case \$bridge in
+            xenbr2)
-${INDENT}            xenbr2)
+                mac=`ip link show eth1 | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
-${INDENT}                mac=`ip link show eth1 | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
+                [ "$mac" = "fe:ff:ff:ff:ff:ff" ] || /sbin/ip link set dev eth1 addr fe:ff:ff:ff:ff:ff
-${INDENT}                [ "$mac" = "fe:ff:ff:ff:ff:ff" ] || /sbin/ip link set dev eth1 addr fe:ff:ff:ff:ff:ff
+                /sbin/ip link set dev eth1 up
-${INDENT}                /sbin/ip link set dev eth1 up
+                /sbin/brctl addif xenbr2 eth1
-${INDENT}                /sbin/brctl addif xenbr2 eth1
+                ;;
-${INDENT}                ;;
+            xenbr0)
-${INDENT}            xenbr0)
+                if ! qt /sbin/ip link ls dev tap0; then
-${INDENT}                if ! qt /sbin/ip link ls dev tap0; then
+                    /usr/sbin/openvpn --mktun --dev tap0
-${INDENT}                    /usr/sbin/openvpn --mktun --dev tap0
+                    /sbin/ip link set dev tap0 up
-${INDENT}                    /sbin/ip link set dev tap0 up
+                    /sbin/brctl addif xenbr0 tap0
-${INDENT}                    /sbin/brctl addif xenbr0 tap0
+                fi
-${INDENT}                fi
+                ;;
-${INDENT}                ;;
+       esac
-${INDENT}       esac
+    fi
-${INDENT}    fi
+done</programlisting>
-${INDENT}done
-__EOF__</programlisting>
     </blockquote>
 
-    <para>I run Shorewall 3.1 so this script runs at compile-time rather than
-    at run time. The "\$"'s above cause evaluation of the variables or
-    expressions to be deferred until run time. To use this script on earlier
-    releases:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>Remove the first and last lines.</para>
-      </listitem>
-
-      <listitem>
-        <para>Remove the leading "${INDENT}" from the remaining lines.</para>
-      </listitem>
-
-      <listitem>
-        <para>Replace "\$/ with "$".</para>
-      </listitem>
-    </itemizedlist>
-
     <para>The goals for the Shorewall configuration in Dom0 are as
     follows:</para>
 
@@ -461,6 +443,14 @@ OMAK=&lt;IP address at our second home&gt;
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
 </programlisting>
 
+      <para><filename>/etc/shorewall/init</filename>:</para>
+
+      <programlisting>echo 1 &gt; /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
+
+</programlisting>
+
+      <para><filename>/</filename></para>
+
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
 
       <programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
@@ -490,6 +480,13 @@ $EXT_IF                 192.168.0.0/22  206.124.146.179
       <programlisting>#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
 192.168.1.1     $EXT_IF         $INT_IF         yes
 206.124.146.177 $DMZ_IF         $EXT_IF         yes
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
+
+      <para><filename>/etc/shorewall/tunnels</filename>:</para>
+
+      <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
+#                                               ZONE
+openvpnserver:udp       net     0.0.0.0/0
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
       <para><filename>/etc/shorewall/actions</filename>:</para>
@@ -503,8 +500,7 @@ Mirrors             # Accept traffic from Shorewall Mirrors
       <programlisting>#TARGET SOURCE          DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE
 #                                               PORT    PORT(S)    DEST         LIMIT
 ACCEPT  $MIRRORS
-#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
-</programlisting>
 
       <para><filename>/etc/shorewall/rules</filename>:</para>
 
@@ -534,7 +530,7 @@ ACCEPT          loc                             fw                      udp
 ACCEPT          loc:192.168.1.5                 fw                      udp     111
 DROP            loc                             fw                      tcp     3185          #SuSE Meta pppd
 Ping/ACCEPT     loc                             fw
-REDIRECT        loc                             3128                    tcp     80                                      0               !192.168.0.7,206.124.146.177
+REDIRECT        loc                             3128                    tcp     80                                      -               !206.124.146.177
 ###############################################################################################################################################################################
 # Secure wireless to Firewall
 #