Mention routed-nat configuration as an alternative to fw in a DomU

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

docs/Xen.xml

@@ -103,10 +103,10 @@
     <para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
     2</ulink>, I object to running servers in a local zone because if the
     server becomes compromised then there is no protection between that
-    compromised server and the other local systems. Xen allows me to safely
-    run Internet-accessible servers in my local zone by creating a firewall in
-    (the Extended) Dom0 to isolate the server(s) from the other local systems
-    (including Dom0).</para>
+    compromised server and the other local systems. Xen allows you to safely
+    run Internet-accessible servers in your local zone by creating a firewall
+    in (the Extended) Dom0 to isolate the server(s) from the other local
+    systems (including Dom0).</para>
 
     <caution>
       <para>I find Xen Domain 0 to be an arcane environment in which to try to
@@ -121,7 +121,9 @@
       <para>I know of no case where a user has successfully used NAT
       (including Masquerade) in a bridged Xen Dom0. So if you want to create a
       masquerading firewall/gateway using Xen, you need to do so in a DomU
-      (see <ulink url="XenMyWay.html">how I do it</ulink>).</para>
+      (see <ulink url="XenMyWay.html">how I do it</ulink>) or you must
+      configure Xen to use routing and NAT rather than the default
+      bridging.</para>
     </warning>
 
     <para>Here is an example. In this example, we will assume that the system
@@ -147,10 +149,11 @@
       is that Dom0 is defined as two different zones. It is defined as the
       firewall zone and it is also defined as "all systems connected to
       <filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
-      call this second zone <emphasis role="bold">ursa</emphasis> (which is
-      the name given to the virtual system running in Dom0); that zone
-      corresponds to Dom0 as seen from the outside in the diagram above (see
-      more <link linkend="zones">below</link>).</para>
+      call this second zone <emphasis role="bold">ursa</emphasis> (which was
+      the name given to the virtual system running in Dom0 when I ran this
+      configuration); that zone corresponds to Dom0 as seen from the outside
+      in the diagram above (see more <link
+      linkend="zones">below</link>).</para>
 
       <blockquote>
         <programlisting>#                                       OPTIONS                 OPTIONS
@@ -242,7 +245,7 @@ Ping/ACCEPT     dmz                net
 Ping/ACCEPT     dmz                ursa</programlisting>
       </blockquote>
 
-      <para>Here, 192.168.0.0/22 comprises my local network.</para>
+      <para>Here, 192.168.0.0/22 comprises the local network.</para>
 
       <para id="zones">From the point of view of Shorewall, the zone diagram
       is as shown in the following diagram.</para>

docs/XenMyWay.xml

@@ -116,11 +116,11 @@
 
     <itemizedlist>
       <listitem>
-        <para><filename class="devicefile">eth0</filename> -- conntected to
-        the switch in my office. That switch is cabled to a second switch in
-        my wife's office where my wife has her desktop and networked printer
-        (I sure wish that there had been wireless back when I strung that
-        CAT-5 cable halfway across the house).</para>
+        <para><filename class="devicefile">eth0</filename> -- connected to the
+        switch in my office. That switch is cabled to a second switch in my
+        wife's office where my wife has her desktop and networked printer (I
+        sure wish that there had been wireless back when I strung that CAT-5
+        cable halfway across the house).</para>
       </listitem>
 
       <listitem>
@@ -161,15 +161,15 @@
     <caution>
       <para>As the developer of Shorewall, I have enough experience to be very
       comfortable with Linux networking and Shorewall/iptables. I arrived at
-      this configuration after a lot of trial and error experimentation (see
-      <ulink url="Xen.html">Xen and Shorewall</ulink>). If you are a Linux
-      networking novice, I recommend that you do not attempt a configuration
-      like this one for your first Shorewall installation. You are very likely
-      to frustrate both yourself and the Shorewall support team. Rather I
-      suggest that you start with something simple like a <ulink
-      url="standalone.htm">standalone installation</ulink> in a domU; once you
-      are comfortable with that then you will be ready to try something more
-      substantial.</para>
+      this configuration after a fair amount of trial and error
+      experimentation (see <ulink url="Xen.html">Xen and Shorewall</ulink>).
+      If you are a Linux networking novice, I recommend that you do not
+      attempt a configuration like this one for your first Shorewall
+      installation. You are very likely to frustrate both yourself and the
+      Shorewall support team. Rather I suggest that you start with something
+      simple like a <ulink url="standalone.htm">standalone
+      installation</ulink> in a domU; once you are comfortable with that then
+      you will be ready to try something more substantial.</para>
 
       <para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
       but it doesn't make understanding fundamental networking principles,
@@ -310,9 +310,9 @@ if [ $2 = eth0 ]; then
 fi</programlisting>
 
         <para>Under other distributions, the technique will vary. For example,
-        under <trademark>Debian</trademark> or Ubuntu, you can just add a
-        'post-up' entry to <filename>/etc/network/interfaces</filename> as
-        shown here:</para>
+        under <trademark>Debian</trademark> or <trademark>Ubuntu</trademark>,
+        you can just add a 'post-up' entry to
+        <filename>/etc/network/interfaces</filename> as shown here:</para>
 
         <programlisting> iface eth0 inet static
          address 206.124.146.177
@@ -409,15 +409,15 @@ SECTION NEW
       Guide</ulink> with the exception that I've added a fourth interface for
       our wireless network. The firewall runs a routed <ulink
       url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
-      for our two laptops and a bridged OpenVPN server for our wireless
-      network. Here is the firewall's view of the network:</para>
+      for our two laptops and a bridged OpenVPN server for the wireless
+      network in our home. Here is the firewall's view of the network:</para>
 
       <graphic align="center" fileref="images/network4.png" />
 
       <para>The two laptops can be directly attached to the LAN as shown above
       or they can be attached wirelessly -- their IP addresses are the same in
       either case; when they are directly attached, the IP address is assigned
-      by the DHCP server running on the firewall and when they are attached
+      by the DHCP server running in Dom0 and when they are attached
       wirelessly, the IP address is assigned by OpenVPN.</para>
 
       <para>The Shorewall configuration files are shown below. All routing and
@@ -549,14 +549,16 @@ vpn     tun+            -
 
         <programlisting>#EXTERNAL               INTERFACE       INTERNAL        ALL             LOCAL
 #                                                       INTERFACES
-206.124.146.178         $EXT_IF         192.168.1.3     No              No
-206.124.146.180         $EXT_IF         192.168.1.6     No              No
+206.124.146.178         $EXT_IF         192.168.1.3     No              No     #Wookie
+206.124.146.180         $EXT_IF         192.168.1.6     No              No     #Work LapTop
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/masq (Note the cute trick here and in
-        the <filename>proxyarp</filename> file that follows that allows me to
+        the <filename>following proxyarp</filename> file that allows me to
         access the DSL "Modem" using it's default IP address
-        (192.168.1.1))</filename>:</para>
+        (192.168.1.1))</filename>. The leading "+" is required to place the
+        rule before the SNAT rules generated by entries in
+        <filename>/etc/shorewall/nat</filename> above.</para>
 
         <programlisting>#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
 +$EXT_IF:192.168.1.1    0.0.0.0/0       192.168.1.254
@@ -574,8 +576,8 @@ $EXT_IF                 192.168.0.0/22  206.124.146.179
 
         <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
 #                                               ZONE
-openvpnserver:udp       net     0.0.0.0/0
-openvpnserver:udp       wifi    192.168.3.0/24
+openvpnserver:udp       net     0.0.0.0/0                 #Routed server for RoadWarrior access
+openvpnserver:udp       wifi    192.168.3.0/24            #Home wireless network server
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
         <para><filename>/etc/shorewall/actions</filename>:</para>
@@ -649,7 +651,6 @@ dropNotSyn      net             dmz             tcp
 # Internet to DMZ
 #
 ACCEPT          net                             dmz                     udp     domain
-LOG:$LOG        net:64.126.128.0/18             dmz                     tcp     smtp
 ACCEPT          net                             dmz                     tcp     smtps,www,ftp,imaps,domain,https        -
 ACCEPT          net                             dmz                     tcp     smtp                                    -               206.124.146.177,206.124.146.178
 ACCEPT          net                             dmz                     udp     33434:33454
@@ -682,10 +683,6 @@ ACCEPT          net                             loc:192.168.1.3         tcp
 ACCEPT          net                             loc:192.168.1.3         tcp     6881:6889,6969
 ACCEPT          net                             loc:192.168.1.3         udp     6881:6889,6969
 #
-# Real Audio
-#
-ACCEPT          net                             loc:192.168.1.3         udp     6970:7170
-#
 # Skype
 #
 ACCEPT          net                             loc:192.168.1.6         tcp     1194