extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-23 08:03:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Correct Bizarre formatting problem with Multi-ISP doc

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3216 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-03 15:56:46 +00:00
parent 8232d950b8
commit e749a66c83
3 changed files with 37 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-docs2/MultiISP.xml
View File

@ -49,7 +49,7 @@
ethernet interfaces to two different ISPs as in the following
diagram.</para>
<graphic align="left" fileref="images/TwoISPs.png" />
<graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
<itemizedlist>
<listitem>

37
Shorewall-docs2/Xen.xml
View File

@ -53,9 +53,14 @@
boot time by using the <command>xendomains</command> service.</para>
<para>Xen virtualizes a network interface named <filename
class="devicefile">eth0</filename> in each domain. In domain 0, Xen also
creates a bridge (<filename class="devicefile">xenbr0</filename>) and a
number of virtual interfaces as shown in the following diagram.</para>
class="devicefile">eth0</filename><footnote>
<para>This assumes the default Xen configuration created by
<command>xend </command>and assumes that the host system has a single
ethernet interface named <filename
class="devicefile">eth0</filename>.</para>
</footnote> in each domain. In domain 0, Xen also creates a bridge
(<filename class="devicefile">xenbr0</filename>) and a number of virtual
interfaces as shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen1.png" />
@ -90,9 +95,9 @@
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
2</ulink>, I object to running servers in a local zone because if the
server becomes compromised then there is no protection between that
compromised server and the other local systems. Xen allows you to safely
run Internet-accessible servers in your local zone by creating a firewall
in (the Extended) Domain 0 to isolate the server(s) from the other local
compromised server and the other local systems. Xen allows me to safely
run Internet-accessible servers in my local zone by creating a firewall in
(the Extended) Domain 0 to isolate the server(s) from the other local
systems (including Domain 0).</para>
<para>Here is an example. In this example, we will assume that the system
@ -100,15 +105,22 @@
only have to worry about protecting the local lan from the systems running
in domains other than domain 0.</para>
<note>
<para>This is the real <ulink url="myfiles.htm">configuration which I
run at shorewall.net</ulink>.</para>
</note>
<section>
<title>/etc/shorewall/zones</title>
<para>One thing strange about configuring Shorewall in this environment
is that Domain 0 is defined as two different zones. It is defined as the
firewall zone and it is also defined as "all systems connected to
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, we
call this second zone <emphasis role="bold">ursa</emphasis>; that zone
corresponds roughly to what is shown as Extended Domain 0 above.</para>
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
call this second zone <emphasis role="bold">ursa</emphasis> (which is
the name given to the virtual system running in Domain 0); that zone
corresponds roughly to what is shown as the Extended Domain 0
above.</para>
<blockquote>
<programlisting># OPTIONS OPTIONS
@ -143,7 +155,9 @@ net eth0 detect dhcp
zone <emphasis role="bold">net</emphasis>.<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
ursa xenbr0:vif0.0
dmz xenbr0:vif+
dmz xenbr0:vif+<footnote>
<para>There is a bug in Shorewall versions prior to 3.0.4 that treats all bridge ports as if they had routeback specified. I recommend that you run a Shorewall verison &gt; 3.0.3 if you run Xen.</para>
</footnote>
net xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote></para>
@ -200,8 +214,7 @@ Ping/ACCEPT dmz net
Ping/ACCEPT dmz ursa</programlisting>
</blockquote>
<para>In this example, 192.168.0.0/22 comprises the local
network.</para>
<para>Here, 192.168.0.0/22 comprises my local network.</para>
<para>From the point of view of Shorewall, the zone diagram is as shown
in the following diagram.</para>

22
Shorewall-docs2/myfiles.xml
View File

@ -446,7 +446,7 @@ Limit #Limit connection rate from each individual Host
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
ACCEPT $MIRRORS
ACCEPT $MIRRORS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -518,7 +518,7 @@ ACCEPT vpn dmz udp
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
Ping/ACCEPT vpn dmz
###############################################################################################################################################################################
# Local network to DMZ
# Local network to DMZ
#
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
@ -880,28 +880,28 @@ ACCEPT net $FW tcp 4000:4100
<programlisting>dev tun
remote gateway.shorewall.net
up /etc/openvpn/home.up
tls-client
pull
ca /etc/certs/cacert.pem
cert /etc/certs/tipper.pem
key /etc/certs/tipper_key.pem
port 1194
user nobody
group nogroup
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3</programlisting>
</blockquote>
</section>
@ -911,7 +911,7 @@ verb 3</programlisting>
<blockquote>
<programlisting>#!/bin/bash
ip route add 192.168.1.0/24 via $5 #Access to Home Network
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
#Internal Bind 9 view because the source IP will