diff --git a/docs/Xen.xml b/docs/Xen.xml index 0bf5043df..b22f6a483 100644 --- a/docs/Xen.xml +++ b/docs/Xen.xml @@ -103,10 +103,10 @@ As I state in the answer to Shorewall FAQ 2, I object to running servers in a local zone because if the server becomes compromised then there is no protection between that - compromised server and the other local systems. Xen allows me to safely - run Internet-accessible servers in my local zone by creating a firewall in - (the Extended) Dom0 to isolate the server(s) from the other local systems - (including Dom0). + compromised server and the other local systems. Xen allows you to safely + run Internet-accessible servers in your local zone by creating a firewall + in (the Extended) Dom0 to isolate the server(s) from the other local + systems (including Dom0). I find Xen Domain 0 to be an arcane environment in which to try to @@ -121,7 +121,9 @@ I know of no case where a user has successfully used NAT (including Masquerade) in a bridged Xen Dom0. So if you want to create a masquerading firewall/gateway using Xen, you need to do so in a DomU - (see how I do it). + (see how I do it) or you must + configure Xen to use routing and NAT rather than the default + bridging. Here is an example. In this example, we will assume that the system @@ -147,10 +149,11 @@ is that Dom0 is defined as two different zones. It is defined as the firewall zone and it is also defined as "all systems connected to xenbr0:vif0.0. In this case, I - call this second zone ursa (which is - the name given to the virtual system running in Dom0); that zone - corresponds to Dom0 as seen from the outside in the diagram above (see - more below). + call this second zone ursa (which was + the name given to the virtual system running in Dom0 when I ran this + configuration); that zone corresponds to Dom0 as seen from the outside + in the diagram above (see more below).
# OPTIONS OPTIONS @@ -242,7 +245,7 @@ Ping/ACCEPT dmz net Ping/ACCEPT dmz ursa
- Here, 192.168.0.0/22 comprises my local network. + Here, 192.168.0.0/22 comprises the local network. From the point of view of Shorewall, the zone diagram is as shown in the following diagram. diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 07f4920c0..539c54896 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml @@ -116,11 +116,11 @@ - eth0 -- conntected to - the switch in my office. That switch is cabled to a second switch in - my wife's office where my wife has her desktop and networked printer - (I sure wish that there had been wireless back when I strung that - CAT-5 cable halfway across the house). + eth0 -- connected to the + switch in my office. That switch is cabled to a second switch in my + wife's office where my wife has her desktop and networked printer (I + sure wish that there had been wireless back when I strung that CAT-5 + cable halfway across the house). @@ -161,15 +161,15 @@ As the developer of Shorewall, I have enough experience to be very comfortable with Linux networking and Shorewall/iptables. I arrived at - this configuration after a lot of trial and error experimentation (see - Xen and Shorewall). If you are a Linux - networking novice, I recommend that you do not attempt a configuration - like this one for your first Shorewall installation. You are very likely - to frustrate both yourself and the Shorewall support team. Rather I - suggest that you start with something simple like a standalone installation in a domU; once you - are comfortable with that then you will be ready to try something more - substantial. + this configuration after a fair amount of trial and error + experimentation (see Xen and Shorewall). + If you are a Linux networking novice, I recommend that you do not + attempt a configuration like this one for your first Shorewall + installation. You are very likely to frustrate both yourself and the + Shorewall support team. Rather I suggest that you start with something + simple like a standalone + installation in a domU; once you are comfortable with that then + you will be ready to try something more substantial. As Paul Gear says: Shorewall might make iptables easy, but it doesn't make understanding fundamental networking principles, @@ -300,7 +300,7 @@ disk = [ 'phy:hda3,hda3,w' ] Under SuSE 10.1, I placed the following in /etc/sysconfig/network/if-up.d/resettx (that file - is executable): + is executable): #!/bin/sh @@ -310,9 +310,9 @@ if [ $2 = eth0 ]; then fi Under other distributions, the technique will vary. For example, - under Debian or Ubuntu, you can just add a - 'post-up' entry to /etc/network/interfaces as - shown here: + under Debian or Ubuntu, + you can just add a 'post-up' entry to + /etc/network/interfaces as shown here: iface eth0 inet static address 206.124.146.177 @@ -409,15 +409,15 @@ SECTION NEW Guide with the exception that I've added a fourth interface for our wireless network. The firewall runs a routed OpenVPN server to provide roadwarrior access - for our two laptops and a bridged OpenVPN server for our wireless - network. Here is the firewall's view of the network: + for our two laptops and a bridged OpenVPN server for the wireless + network in our home. Here is the firewall's view of the network: The two laptops can be directly attached to the LAN as shown above or they can be attached wirelessly -- their IP addresses are the same in either case; when they are directly attached, the IP address is assigned - by the DHCP server running on the firewall and when they are attached + by the DHCP server running in Dom0 and when they are attached wirelessly, the IP address is assigned by OpenVPN. The Shorewall configuration files are shown below. All routing and @@ -549,14 +549,16 @@ vpn tun+ - #EXTERNAL INTERFACE INTERNAL ALL LOCAL # INTERFACES -206.124.146.178 $EXT_IF 192.168.1.3 No No -206.124.146.180 $EXT_IF 192.168.1.6 No No +206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie +206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE /etc/shorewall/masq (Note the cute trick here and in - the proxyarp file that follows that allows me to + the following proxyarp file that allows me to access the DSL "Modem" using it's default IP address - (192.168.1.1)): + (192.168.1.1)). The leading "+" is required to place the + rule before the SNAT rules generated by entries in + /etc/shorewall/nat above. #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC +$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254 @@ -574,8 +576,8 @@ $EXT_IF 192.168.0.0/22 206.124.146.179 #TYPE ZONE GATEWAY GATEWAY # ZONE -openvpnserver:udp net 0.0.0.0/0 -openvpnserver:udp wifi 192.168.3.0/24 +openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access +openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE /etc/shorewall/actions: @@ -649,7 +651,6 @@ dropNotSyn net dmz tcp # Internet to DMZ # ACCEPT net dmz udp domain -LOG:$LOG net:64.126.128.0/18 dmz tcp smtp ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https - ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178 ACCEPT net dmz udp 33434:33454 @@ -682,10 +683,6 @@ ACCEPT net loc:192.168.1.3 tcp ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969 ACCEPT net loc:192.168.1.3 udp 6881:6889,6969 # -# Real Audio -# -ACCEPT net loc:192.168.1.3 udp 6970:7170 -# # Skype # ACCEPT net loc:192.168.1.6 tcp 1194