diff --git a/docs/Xen.xml b/docs/Xen.xml
index b22f6a483..656a6725d 100644
--- a/docs/Xen.xml
+++ b/docs/Xen.xml
@@ -109,21 +109,23 @@
systems (including Dom0).
- I find Xen Domain 0 to be an arcane environment in which to try to
- use Netfilter (and hence Shorewall). As the number of interfaces and
- bridges increase, complexity increases geometrically. I recommend
- following this guide only if you really need to place a public server in
- your local network. Otherwise, the way that I
- use Xen is much more straight-forward.
+ I find a bridged Xen Domain 0 to be an arcane environment in which
+ to try to use Netfilter (and hence Shorewall). As the number of
+ interfaces and bridges increase, complexity increases geometrically. I
+ recommend following this guide only if you really need to place a public
+ server in your local network. Otherwise, running Shorewall in a DomU is much more
+ straight-forward as is running
+ Shorewall in a routed Dom0.
I know of no case where a user has successfully used NAT
(including Masquerade) in a bridged Xen Dom0. So if you want to create a
masquerading firewall/gateway using Xen, you need to do so in a DomU
- (see how I do it) or you must
- configure Xen to use routing and NAT rather than the default
- bridging.
+ (see how I did it) or you must
+ configure Xen to use routing
+ or NAT rather than the default bridging.
Here is an example. In this example, we will assume that the system
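Review bot: "As the number of interfaces and bridges increase" should read "increases" (the subject is "number"), and the re-wrapped line "server in your local network. Otherwise, running Shorewall in a DomU is much more" runs well past the wrap width of the surrounding paragraph; re-flow it to match. Also confirm that "configure Xen to use routing or NAT rather than the default bridging" is the intended reading: the removed line said "routing and NAT", so "or" is a change of meaning rather than a rewording, and the commit should be deliberate about it.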
diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml
index 3a0265758..97cf0ab21 100644
--- a/docs/XenMyWay-Routed.xml
+++ b/docs/XenMyWay-Routed.xml
@@ -103,10 +103,6 @@
personal Linux desktop system and our Linux Laptop run
Ubuntu "Dapper Drake".
- If you are unfamiliar with Xen networking, I recommend that you read
- the first section of the companion Xen and
- Shorewall article.
-
Here is a high-level diagram of our network.
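Review bot: dropping the pointer to the companion "Xen and Shorewall" article leaves readers who are unfamiliar with Xen networking with no introduction, and the hunk adds nothing in its place. If the cross-reference is going because that article now covers only bridged Dom0 setups, replace it with a pointer to whatever text does introduce routed Xen networking rather than deleting it outright.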
@@ -139,14 +135,15 @@
- Dom0 (DNS name gateway.shorewall.net) is used as our main
+ Dom0 (DNS name gateway.shorewall.net) is used as our main
firewall and wireless gateway as well as a local file server.
- The DomU (Dom name lists, DNS
- name lists.shorewall.net) is used as a public Web/FTP/Mail/DNS
- server.
+ The DomU (Domain name lists,
+ DNS name lists.shorewall.net) is used
+ as a public Web/FTP/Mail/DNS server.
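Review bot: the first -/+ pair ("Dom0 (DNS name gateway.shorewall.net) is used as our main") is identical in the text shown here, so the change must be in markup or whitespace only; if it is whitespace, leave it out so the diff shows only real edits. The "Dom name" to "Domain name" rewording in the rest of the hunk is fine.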
@@ -162,7 +159,7 @@
configuration like this one for your first Shorewall installation. You
are very likely to frustrate both yourself and the Shorewall support
team. Rather I suggest that you start with something simple like a
- standalone installation in a domU;
+ standalone installation in a DomU;
once you are comfortable with that then you will be ready to try
something more substantial.
@@ -176,8 +173,8 @@
Domain Configuration
- Below are the relevant configuration files for the three domains.
- I use partitions on my hard drives for DomU storage devices.
+ Below are the relevant configuration files for the two domains. I
+ use a partition on my hard drives for the DomU storage device.
There is not much documentation about how to configure Xen for
routed operation. I've tried to mark the relevant parts with
title XEN
root (hd0,1)
- kernel /boot/xen.gz dom0_mem=458752 sched=bvt
+ kernel /boot/xen.gz Dom0_mem=458752 sched=bvt
module /boot/vmlinuz-xen root=/dev/hda2 vga=0x31a selinux=0 resume=/dev/hda1 splash=silent showopts
module /boot/initrd-xen
- /etc/modprobe.conf.local
+ /etc/modprobe.conf.local (This may need to
+ go in /etc/modprobe.conf or
+ /etc/modprobe.d/options on your system)
+
+
options netloop nloopbacks=0 #Stop netloop from creating 8 useless vifs
- /etc/xen/auto/02-lists — configuration file
- for the lists domain.
+ /etc/xen/auto/01-lists — configuration file
+ for the lists domain. Placed in /etc/xen/auto/ so it is started
+ automatically by Xen's xendomains service.
# -*- mode: python; -*-
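Review bot: the GRUB line "kernel /boot/xen.gz Dom0_mem=458752 sched=bvt" is wrong: the option the hypervisor parses is dom0_mem, in lower case, and the capitalised spelling looks like a side effect of the global dom0 to Dom0 rename applied to a literal command-line parameter; keep "dom0_mem=458752" here so readers do not copy a boot line the hypervisor will not recognise. Separately, the configuration file is renamed from /etc/xen/auto/02-lists to /etc/xen/auto/01-lists; check that every other mention of that file name in the document is updated to match.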
@@ -228,7 +231,7 @@ vif = [ 'mac=aa:cc:00:00:00:01, ip=206.124.146.177, v
disk = [ 'phy:hda3,hda3,w' ]
Note that the vifname is set to 'eth3' for the virtual
- interface to this domU. This will cause the dom0 interface to the
+ interface to this DomU. This will cause the Dom0 interface to the
server to have a fixed name (eth3) which makes it a lot easier to
deal with in Shorewall and elsewhere.
@@ -242,6 +245,12 @@ disk = [ 'phy:hda3,hda3,w' ]
206.124.146.177 scope link src 206.124.146.176
gateway:~ #
+
+ Note that the source for the route is 206.124.146.176. That is
+ the primary IP address of Dom0's eth0. Xen configures eth3 to have that same IP address.
+
Excerpt from
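Review bot: the added note states that "Xen configures eth3 to have that same IP address" but not how; since this document says there is little documentation on routed operation, name the mechanism (the routed vif script assigns Dom0's primary address to the vif when the domain starts) and tell the reader how to confirm it, for example by checking the address on eth3 in Dom0. The two blank "+" lines around the note also suggest empty elements; check the rendered output does not gain an empty paragraph.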
@@ -281,11 +290,11 @@ gateway:~ #
Under some circumstances, UDP and/or TCP communication from a
- domU won't work for no obvious reason. That happened with the
+ DomU won't work for no obvious reason. That happened with the
lists domain in my setup. Looking at
- the IP traffic with tcpdump -nvvi eth1 in dom0
+ the IP traffic with tcpdump -nvvi eth1 in Dom0
showed that UDP packets from the lists domU had incorrect checksums. That
+ role="bold">lists DomU had incorrect checksums. That
problem was corrected by arranging for the following command to be
executed in the lists domain when its
eth0 device was brought
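Review bot: the unchanged context line "showed that UDP packets from the lists domU had incorrect checksums. That" is immediately followed by the added line "role="bold">lists DomU had incorrect checksums. That" with no matching "-" line, so as shown the result keeps the old "lists domU" sentence and adds the new fragment alongside it. The hunk header claims 11 lines on both sides, which does not match what is shown; regenerate the hunk and make sure the old line is removed rather than duplicated.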
@@ -293,9 +302,9 @@ gateway:~ #
ethtool -K eth0 tx off
- Under SuSE 10.1, I placed the following in
- /etc/sysconfig/network/if-up.d/resettx (that file
- is executable):
+ Under SuSE 10.1, I placed the following
+ in /etc/sysconfig/network/if-up.d/resettx (that
+ file is executable):
#!/bin/sh
@@ -337,7 +346,7 @@ fi
wirelessly, the IP address is assigned by OpenVPN.
The Shorewall configuration files are shown below. All routing and
- secondary IP addresses are handled in the SUSE network
+ secondary IP addresses are handled in the SuSE network
configuration.
@@ -768,8 +777,10 @@ $EXT_IF 30 6*full/10 6*full/10 3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- The tap0 device used by the bridged OpenVPN server is created and
- bridged to eth1 using a SuSE-specific SysV init script:
+ The tap0 device used by
+ the bridged OpenVPN server is created and bridged to eth1 using a SuSE-specific SysV init
+ script:
#!/bin/sh
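Review bot: this hunk is a pure re-wrap with no wording change, and the new middle line "the bridged OpenVPN server is created and bridged to eth1 using a SuSE-specific SysV init" is longer than the wrap width used everywhere else in the file, so the reflow makes the source less uniform rather than more; either drop the hunk or re-wrap to the same width as the surrounding paragraphs.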