mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 22:58:52 +01:00
Correct Bizarre formatting problem with Multi-ISP doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3216 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
8232d950b8
commit
e749a66c83
@ -49,7 +49,7 @@
|
||||
ethernet interfaces to two different ISPs as in the following
|
||||
diagram.</para>
|
||||
|
||||
<graphic align="left" fileref="images/TwoISPs.png" />
|
||||
<graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
@ -53,9 +53,14 @@
|
||||
boot time by using the <command>xendomains</command> service.</para>
|
||||
|
||||
<para>Xen virtualizes a network interface named <filename
|
||||
class="devicefile">eth0</filename> in each domain. In domain 0, Xen also
|
||||
creates a bridge (<filename class="devicefile">xenbr0</filename>) and a
|
||||
number of virtual interfaces as shown in the following diagram.</para>
|
||||
class="devicefile">eth0</filename><footnote>
|
||||
<para>This assumes the default Xen configuration created by
|
||||
<command>xend </command>and assumes that the host system has a single
|
||||
ethernet interface named <filename
|
||||
class="devicefile">eth0</filename>.</para>
|
||||
</footnote> in each domain. In domain 0, Xen also creates a bridge
|
||||
(<filename class="devicefile">xenbr0</filename>) and a number of virtual
|
||||
interfaces as shown in the following diagram.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen1.png" />
|
||||
|
||||
@ -90,9 +95,9 @@
|
||||
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
||||
2</ulink>, I object to running servers in a local zone because if the
|
||||
server becomes compromised then there is no protection between that
|
||||
compromised server and the other local systems. Xen allows you to safely
|
||||
run Internet-accessible servers in your local zone by creating a firewall
|
||||
in (the Extended) Domain 0 to isolate the server(s) from the other local
|
||||
compromised server and the other local systems. Xen allows me to safely
|
||||
run Internet-accessible servers in my local zone by creating a firewall in
|
||||
(the Extended) Domain 0 to isolate the server(s) from the other local
|
||||
systems (including Domain 0).</para>
|
||||
|
||||
<para>Here is an example. In this example, we will assume that the system
|
||||
@ -100,15 +105,22 @@
|
||||
only have to worry about protecting the local lan from the systems running
|
||||
in domains other than domain 0.</para>
|
||||
|
||||
<note>
|
||||
<para>This is the real <ulink url="myfiles.htm">configuration which I
|
||||
run at shorewall.net</ulink>.</para>
|
||||
</note>
|
||||
|
||||
<section>
|
||||
<title>/etc/shorewall/zones</title>
|
||||
|
||||
<para>One thing strange about configuring Shorewall in this environment
|
||||
is that Domain 0 is defined as two different zones. It is defined as the
|
||||
firewall zone and it is also defined as "all systems connected to
|
||||
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, we
|
||||
call this second zone <emphasis role="bold">ursa</emphasis>; that zone
|
||||
corresponds roughly to what is shown as Extended Domain 0 above.</para>
|
||||
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
|
||||
call this second zone <emphasis role="bold">ursa</emphasis> (which is
|
||||
the name given to the virtual system running in Domain 0); that zone
|
||||
corresponds roughly to what is shown as the Extended Domain 0
|
||||
above.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting># OPTIONS OPTIONS
|
||||
@ -143,7 +155,9 @@ net eth0 detect dhcp
|
||||
zone <emphasis role="bold">net</emphasis>.<blockquote>
|
||||
<programlisting>#ZONE HOST(S) OPTIONS
|
||||
ursa xenbr0:vif0.0
|
||||
dmz xenbr0:vif+
|
||||
dmz xenbr0:vif+<footnote>
|
||||
<para>There is a bug in Shorewall versions prior to 3.0.4 that treats all bridge ports as if they had routeback specified. I recommend that you run a Shorewall verison > 3.0.3 if you run Xen.</para>
|
||||
</footnote>
|
||||
net xenbr0:peth0
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote></para>
|
||||
@ -200,8 +214,7 @@ Ping/ACCEPT dmz net
|
||||
Ping/ACCEPT dmz ursa</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>In this example, 192.168.0.0/22 comprises the local
|
||||
network.</para>
|
||||
<para>Here, 192.168.0.0/22 comprises my local network.</para>
|
||||
|
||||
<para>From the point of view of Shorewall, the zone diagram is as shown
|
||||
in the following diagram.</para>
|
||||
|
@ -446,7 +446,7 @@ Limit #Limit connection rate from each individual Host
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT $MIRRORS
|
||||
ACCEPT $MIRRORS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
@ -518,7 +518,7 @@ ACCEPT vpn dmz udp
|
||||
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
|
||||
Ping/ACCEPT vpn dmz
|
||||
###############################################################################################################################################################################
|
||||
# Local network to DMZ
|
||||
# Local network to DMZ
|
||||
#
|
||||
ACCEPT loc dmz udp domain
|
||||
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
||||
@ -880,28 +880,28 @@ ACCEPT net $FW tcp 4000:4100
|
||||
<programlisting>dev tun
|
||||
remote gateway.shorewall.net
|
||||
up /etc/openvpn/home.up
|
||||
|
||||
|
||||
tls-client
|
||||
pull
|
||||
|
||||
|
||||
ca /etc/certs/cacert.pem
|
||||
|
||||
|
||||
cert /etc/certs/tipper.pem
|
||||
key /etc/certs/tipper_key.pem
|
||||
|
||||
|
||||
port 1194
|
||||
|
||||
|
||||
user nobody
|
||||
group nogroup
|
||||
|
||||
|
||||
comp-lzo
|
||||
|
||||
|
||||
ping 15
|
||||
ping-restart 45
|
||||
ping-timer-rem
|
||||
persist-tun
|
||||
persist-key
|
||||
|
||||
|
||||
verb 3</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
@ -911,7 +911,7 @@ verb 3</programlisting>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#!/bin/bash
|
||||
|
||||
|
||||
ip route add 192.168.1.0/24 via $5 #Access to Home Network
|
||||
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
|
||||
#Internal Bind 9 view because the source IP will
|
||||
|
Loading…
Reference in New Issue
Block a user