diff --git a/Shorewall-docs2/MultiISP.xml b/Shorewall-docs2/MultiISP.xml index 61e185a90..7f5c5dc9b 100644 --- a/Shorewall-docs2/MultiISP.xml +++ b/Shorewall-docs2/MultiISP.xml @@ -49,7 +49,7 @@ ethernet interfaces to two different ISPs as in the following diagram. - + diff --git a/Shorewall-docs2/Xen.xml b/Shorewall-docs2/Xen.xml index a7e99d69a..a28efc9fa 100644 --- a/Shorewall-docs2/Xen.xml +++ b/Shorewall-docs2/Xen.xml @@ -53,9 +53,14 @@ boot time by using the xendomains service. Xen virtualizes a network interface named eth0 in each domain. In domain 0, Xen also - creates a bridge (xenbr0) and a - number of virtual interfaces as shown in the following diagram. + class="devicefile">eth0 + This assumes the default Xen configuration created by + xend and assumes that the host system has a single + ethernet interface named eth0. + in each domain. In domain 0, Xen also creates a bridge + (xenbr0) and a number of virtual + interfaces as shown in the following diagram. @@ -90,9 +95,9 @@ As I state in the answer to Shorewall FAQ 2, I object to running servers in a local zone because if the server becomes compromised then there is no protection between that - compromised server and the other local systems. Xen allows you to safely - run Internet-accessible servers in your local zone by creating a firewall - in (the Extended) Domain 0 to isolate the server(s) from the other local + compromised server and the other local systems. Xen allows me to safely + run Internet-accessible servers in my local zone by creating a firewall in + (the Extended) Domain 0 to isolate the server(s) from the other local systems (including Domain 0). Here is an example. In this example, we will assume that the system @@ -100,15 +105,22 @@ only have to worry about protecting the local lan from the systems running in domains other than domain 0. + + This is the real configuration which I + run at shorewall.net. + +
/etc/shorewall/zones One thing strange about configuring Shorewall in this environment is that Domain 0 is defined as two different zones. It is defined as the firewall zone and it is also defined as "all systems connected to - xenbr0:vif0.0. In this case, we - call this second zone ursa; that zone - corresponds roughly to what is shown as Extended Domain 0 above. + xenbr0:vif0.0. In this case, I + call this second zone ursa (which is + the name given to the virtual system running in Domain 0); that zone + corresponds roughly to what is shown as the Extended Domain 0 + above.
# OPTIONS OPTIONS @@ -143,7 +155,9 @@ net eth0 detect dhcp zone net.
#ZONE HOST(S) OPTIONS ursa xenbr0:vif0.0 -dmz xenbr0:vif+ +dmz xenbr0:vif+ + There is a bug in Shorewall versions prior to 3.0.4 that treats all bridge ports as if they had routeback specified. I recommend that you run a Shorewall verison > 3.0.3 if you run Xen. + net xenbr0:peth0 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
@@ -200,8 +214,7 @@ Ping/ACCEPT dmz net Ping/ACCEPT dmz ursa
- In this example, 192.168.0.0/22 comprises the local - network. + Here, 192.168.0.0/22 comprises my local network. From the point of view of Shorewall, the zone diagram is as shown in the following diagram. diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml index d7a65f309..93fda89ea 100644 --- a/Shorewall-docs2/myfiles.xml +++ b/Shorewall-docs2/myfiles.xml @@ -446,7 +446,7 @@ Limit #Limit connection rate from each individual Host #TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE # PORT PORT(S) DEST LIMIT -ACCEPT $MIRRORS +ACCEPT $MIRRORS #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
@@ -518,7 +518,7 @@ ACCEPT vpn dmz udp ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 - Ping/ACCEPT vpn dmz ############################################################################################################################################################################### -# Local network to DMZ +# Local network to DMZ # ACCEPT loc dmz udp domain ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https - @@ -880,28 +880,28 @@ ACCEPT net $FW tcp 4000:4100 dev tun remote gateway.shorewall.net up /etc/openvpn/home.up - + tls-client pull - + ca /etc/certs/cacert.pem - + cert /etc/certs/tipper.pem key /etc/certs/tipper_key.pem - + port 1194 - + user nobody group nogroup - + comp-lzo - + ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key - + verb 3 @@ -911,7 +911,7 @@ verb 3
#!/bin/bash - + ip route add 192.168.1.0/24 via $5 #Access to Home Network ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my #Internal Bind 9 view because the source IP will
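Review bot: the footnote inserted after eth0 in the Xen.xml hunk at -53 repeats "assumes" ("This assumes the default Xen configuration created by xend and assumes that the host system has a single ethernet interface named eth0"); tighten it to "This assumes the default Xen configuration created by xend and a host system with a single ethernet interface named eth0." Since the hosts entries later in the same file key the zones on xenbr0:vif0.0, xenbr0:vif+ and xenbr0:peth0, the footnote is also the right place to say that those interface and bridge names follow from that default configuration, so a reader whose bridge or physical interface is named differently knows which entries to adapt.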
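Review bot: rewriting "Xen allows you to safely run Internet-accessible servers in your local zone" as "allows me ... in my local zone" in the Xen.xml hunk at -90 changes the voice of the paragraph mid-stream, because the surrounding sentences ("I object to running servers in a local zone ...", "Here is an example. In this example, we will assume ...") already mix first person for the opinion with reader-directed wording for the procedure. The statement about what Xen makes possible is general, not personal, so the original second-person wording reads better; the fact that this particular configuration is the author's own is already conveyed by the note added in the next hunk.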
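Review bot: the note "This is the real configuration which I run at shorewall.net" added in the Xen.xml hunk at -100 ties the zones, hosts and rules that follow, including the bridge port assignments (xenbr0:vif0.0, xenbr0:vif+, xenbr0:peth0) and the 192.168.0.0/22 internal range, to a named production host, which hands anyone targeting that host its zone layout for free; either keep the example generic or state that the published copy has been sanitized where it differs from the live system. In the same hunk, the sentence defining the second zone opens a quotation at "all systems connected to xenbr0:vif0.0" that is never closed; add the closing quotation mark after vif0.0 so the rewritten sentence ("In this case, I call this second zone ursa ...") starts cleanly.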
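Review bot: the version caveat added in the hosts hunk at -143 sits between the "+dmz xenbr0:vif+" and "net xenbr0:peth0" entries, so it splits the file listing the reader is meant to copy; move it before or after the listing. Its content also needs sharpening: "treats all bridge ports as if they had routeback specified" is only meaningful to readers who already know the routeback option, and in a configuration whose whole point is isolating the vif+ (dmz) ports from vif0.0 (ursa) the reader should be told which traffic the affected versions forward that the rules shown would otherwise govern. Finally, fix "verison" to "version" and state the requirement once, as "Shorewall 3.0.4 or later", rather than both "prior to 3.0.4" and "> 3.0.3".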
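Review bot: the myfiles.xml hunks at -446, -518, -880 and -911, like the MultiISP.xml hunk at -49, show no visible difference between the removed and added lines (the ACCEPT $MIRRORS rule, the "# Local network to DMZ" comment, and the blank lines in the OpenVPN client configuration and the home.up script are identical before and after), so they are evidently trailing-whitespace cleanups; commit those separately from the Xen.xml documentation changes so that the substantive edits can be reviewed and bisected on their own.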