forked from extern/shorewall_code
Mention routed-nat configuration as an alternative to fw in a DomU
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
6aecd73c4b
commit
d917972673
23
docs/Xen.xml
23
docs/Xen.xml
@ -103,10 +103,10 @@
|
||||
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
||||
2</ulink>, I object to running servers in a local zone because if the
|
||||
server becomes compromised then there is no protection between that
|
||||
compromised server and the other local systems. Xen allows me to safely
|
||||
run Internet-accessible servers in my local zone by creating a firewall in
|
||||
(the Extended) Dom0 to isolate the server(s) from the other local systems
|
||||
(including Dom0).</para>
|
||||
compromised server and the other local systems. Xen allows you to safely
|
||||
run Internet-accessible servers in your local zone by creating a firewall
|
||||
in (the Extended) Dom0 to isolate the server(s) from the other local
|
||||
systems (including Dom0).</para>
|
||||
|
||||
<caution>
|
||||
<para>I find Xen Domain 0 to be an arcane environment in which to try to
|
||||
@ -121,7 +121,9 @@
|
||||
<para>I know of no case where a user has successfully used NAT
|
||||
(including Masquerade) in a bridged Xen Dom0. So if you want to create a
|
||||
masquerading firewall/gateway using Xen, you need to do so in a DomU
|
||||
(see <ulink url="XenMyWay.html">how I do it</ulink>).</para>
|
||||
(see <ulink url="XenMyWay.html">how I do it</ulink>) or you must
|
||||
configure Xen to use routing and NAT rather than the default
|
||||
bridging.</para>
|
||||
</warning>
|
||||
|
||||
<para>Here is an example. In this example, we will assume that the system
|
||||
@ -147,10 +149,11 @@
|
||||
is that Dom0 is defined as two different zones. It is defined as the
|
||||
firewall zone and it is also defined as "all systems connected to
|
||||
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
|
||||
call this second zone <emphasis role="bold">ursa</emphasis> (which is
|
||||
the name given to the virtual system running in Dom0); that zone
|
||||
corresponds to Dom0 as seen from the outside in the diagram above (see
|
||||
more <link linkend="zones">below</link>).</para>
|
||||
call this second zone <emphasis role="bold">ursa</emphasis> (which was
|
||||
the name given to the virtual system running in Dom0 when I ran this
|
||||
configuration); that zone corresponds to Dom0 as seen from the outside
|
||||
in the diagram above (see more <link
|
||||
linkend="zones">below</link>).</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting># OPTIONS OPTIONS
|
||||
@ -242,7 +245,7 @@ Ping/ACCEPT dmz net
|
||||
Ping/ACCEPT dmz ursa</programlisting>
|
||||
</blockquote>
|
||||
|
||||
<para>Here, 192.168.0.0/22 comprises my local network.</para>
|
||||
<para>Here, 192.168.0.0/22 comprises the local network.</para>
|
||||
|
||||
<para id="zones">From the point of view of Shorewall, the zone diagram
|
||||
is as shown in the following diagram.</para>
|
||||
|
@ -116,11 +116,11 @@
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><filename class="devicefile">eth0</filename> -- conntected to
|
||||
the switch in my office. That switch is cabled to a second switch in
|
||||
my wife's office where my wife has her desktop and networked printer
|
||||
(I sure wish that there had been wireless back when I strung that
|
||||
CAT-5 cable halfway across the house).</para>
|
||||
<para><filename class="devicefile">eth0</filename> -- connected to the
|
||||
switch in my office. That switch is cabled to a second switch in my
|
||||
wife's office where my wife has her desktop and networked printer (I
|
||||
sure wish that there had been wireless back when I strung that CAT-5
|
||||
cable halfway across the house).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -161,15 +161,15 @@
|
||||
<caution>
|
||||
<para>As the developer of Shorewall, I have enough experience to be very
|
||||
comfortable with Linux networking and Shorewall/iptables. I arrived at
|
||||
this configuration after a lot of trial and error experimentation (see
|
||||
<ulink url="Xen.html">Xen and Shorewall</ulink>). If you are a Linux
|
||||
networking novice, I recommend that you do not attempt a configuration
|
||||
like this one for your first Shorewall installation. You are very likely
|
||||
to frustrate both yourself and the Shorewall support team. Rather I
|
||||
suggest that you start with something simple like a <ulink
|
||||
url="standalone.htm">standalone installation</ulink> in a domU; once you
|
||||
are comfortable with that then you will be ready to try something more
|
||||
substantial.</para>
|
||||
this configuration after a fair amount of trial and error
|
||||
experimentation (see <ulink url="Xen.html">Xen and Shorewall</ulink>).
|
||||
If you are a Linux networking novice, I recommend that you do not
|
||||
attempt a configuration like this one for your first Shorewall
|
||||
installation. You are very likely to frustrate both yourself and the
|
||||
Shorewall support team. Rather I suggest that you start with something
|
||||
simple like a <ulink url="standalone.htm">standalone
|
||||
installation</ulink> in a domU; once you are comfortable with that then
|
||||
you will be ready to try something more substantial.</para>
|
||||
|
||||
<para>As Paul Gear says: <emphasis>Shorewall might make iptables easy,
|
||||
but it doesn't make understanding fundamental networking principles,
|
||||
@ -300,7 +300,7 @@ disk = [ 'phy:hda3,hda3,w' ]</programlisting>
|
||||
|
||||
<para>Under SuSE 10.1, I placed the following in
|
||||
<filename>/etc/sysconfig/network/if-up.d/resettx</filename> (that file
|
||||
is executable): </para>
|
||||
is executable):</para>
|
||||
|
||||
<programlisting>#!/bin/sh
|
||||
|
||||
@ -310,9 +310,9 @@ if [ $2 = eth0 ]; then
|
||||
fi</programlisting>
|
||||
|
||||
<para>Under other distributions, the technique will vary. For example,
|
||||
under <trademark>Debian</trademark> or Ubuntu, you can just add a
|
||||
'post-up' entry to <filename>/etc/network/interfaces</filename> as
|
||||
shown here:</para>
|
||||
under <trademark>Debian</trademark> or <trademark>Ubuntu</trademark>,
|
||||
you can just add a 'post-up' entry to
|
||||
<filename>/etc/network/interfaces</filename> as shown here:</para>
|
||||
|
||||
<programlisting> iface eth0 inet static
|
||||
address 206.124.146.177
|
||||
@ -409,15 +409,15 @@ SECTION NEW
|
||||
Guide</ulink> with the exception that I've added a fourth interface for
|
||||
our wireless network. The firewall runs a routed <ulink
|
||||
url="OPENVPN.html">OpenVPN server</ulink> to provide roadwarrior access
|
||||
for our two laptops and a bridged OpenVPN server for our wireless
|
||||
network. Here is the firewall's view of the network:</para>
|
||||
for our two laptops and a bridged OpenVPN server for the wireless
|
||||
network in our home. Here is the firewall's view of the network:</para>
|
||||
|
||||
<graphic align="center" fileref="images/network4.png" />
|
||||
|
||||
<para>The two laptops can be directly attached to the LAN as shown above
|
||||
or they can be attached wirelessly -- their IP addresses are the same in
|
||||
either case; when they are directly attached, the IP address is assigned
|
||||
by the DHCP server running on the firewall and when they are attached
|
||||
by the DHCP server running in Dom0 and when they are attached
|
||||
wirelessly, the IP address is assigned by OpenVPN.</para>
|
||||
|
||||
<para>The Shorewall configuration files are shown below. All routing and
|
||||
@ -549,14 +549,16 @@ vpn tun+ -
|
||||
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
206.124.146.178 $EXT_IF 192.168.1.3 No No
|
||||
206.124.146.180 $EXT_IF 192.168.1.6 No No
|
||||
206.124.146.178 $EXT_IF 192.168.1.3 No No #Wookie
|
||||
206.124.146.180 $EXT_IF 192.168.1.6 No No #Work LapTop
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/masq (Note the cute trick here and in
|
||||
the <filename>proxyarp</filename> file that follows that allows me to
|
||||
the <filename>following proxyarp</filename> file that allows me to
|
||||
access the DSL "Modem" using it's default IP address
|
||||
(192.168.1.1))</filename>:</para>
|
||||
(192.168.1.1))</filename>. The leading "+" is required to place the
|
||||
rule before the SNAT rules generated by entries in
|
||||
<filename>/etc/shorewall/nat</filename> above.</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
@ -574,8 +576,8 @@ $EXT_IF 192.168.0.0/22 206.124.146.179
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||
# ZONE
|
||||
openvpnserver:udp net 0.0.0.0/0
|
||||
openvpnserver:udp wifi 192.168.3.0/24
|
||||
openvpnserver:udp net 0.0.0.0/0 #Routed server for RoadWarrior access
|
||||
openvpnserver:udp wifi 192.168.3.0/24 #Home wireless network server
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para><filename>/etc/shorewall/actions</filename>:</para>
|
||||
@ -649,7 +651,6 @@ dropNotSyn net dmz tcp
|
||||
# Internet to DMZ
|
||||
#
|
||||
ACCEPT net dmz udp domain
|
||||
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
|
||||
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
|
||||
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
|
||||
ACCEPT net dmz udp 33434:33454
|
||||
@ -682,10 +683,6 @@ ACCEPT net loc:192.168.1.3 tcp
|
||||
ACCEPT net loc:192.168.1.3 tcp 6881:6889,6969
|
||||
ACCEPT net loc:192.168.1.3 udp 6881:6889,6969
|
||||
#
|
||||
# Real Audio
|
||||
#
|
||||
ACCEPT net loc:192.168.1.3 udp 6970:7170
|
||||
#
|
||||
# Skype
|
||||
#
|
||||
ACCEPT net loc:192.168.1.6 tcp 1194
|
||||
|
Loading…
Reference in New Issue
Block a user