Correct Bizarre formatting problem with Multi-ISP doc

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3216 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-01-03 15:56:46 +00:00
parent 8232d950b8
commit e749a66c83
3 changed files with 37 additions and 24 deletions

View File

@ -49,7 +49,7 @@
ethernet interfaces to two different ISPs as in the following ethernet interfaces to two different ISPs as in the following
diagram.</para> diagram.</para>
<graphic align="left" fileref="images/TwoISPs.png" /> <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
<itemizedlist> <itemizedlist>
<listitem> <listitem>
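Review bot: the new valign="middle" attribute on the TwoISPs.png graphic is not applied to the other graphic touched in this commit (images/Xen1.png keeps align="center" with no valign). If valign="middle" is what cures the bizarre rendering named in the commit message, apply it to both; if the fix was only the switch from align="left" to align="center", drop valign="middle" here so the two documents stay consistent.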

View File

@ -53,9 +53,14 @@
boot time by using the <command>xendomains</command> service.</para> boot time by using the <command>xendomains</command> service.</para>
<para>Xen virtualizes a network interface named <filename <para>Xen virtualizes a network interface named <filename
class="devicefile">eth0</filename> in each domain. In domain 0, Xen also class="devicefile">eth0</filename><footnote>
creates a bridge (<filename class="devicefile">xenbr0</filename>) and a <para>This assumes the default Xen configuration created by
number of virtual interfaces as shown in the following diagram.</para> <command>xend </command>and assumes that the host system has a single
ethernet interface named <filename
class="devicefile">eth0</filename>.</para>
</footnote> in each domain. In domain 0, Xen also creates a bridge
(<filename class="devicefile">xenbr0</filename>) and a number of virtual
interfaces as shown in the following diagram.</para>
<graphic align="center" fileref="images/Xen1.png" /> <graphic align="center" fileref="images/Xen1.png" />
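Review bot: in the added footnote, `<command>xend </command>and` puts the separating space inside the <command> element and none after the closing tag, so the rendered text is either "xend and" run together or a stray trailing space in monospace. Write it as `<command>xend</command> and`. The footnote's content itself (default xend configuration, single host interface named eth0) is a useful assumption to state up front.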
@ -90,9 +95,9 @@
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ <para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
2</ulink>, I object to running servers in a local zone because if the 2</ulink>, I object to running servers in a local zone because if the
server becomes compromised then there is no protection between that server becomes compromised then there is no protection between that
compromised server and the other local systems. Xen allows you to safely compromised server and the other local systems. Xen allows me to safely
run Internet-accessible servers in your local zone by creating a firewall run Internet-accessible servers in my local zone by creating a firewall in
in (the Extended) Domain 0 to isolate the server(s) from the other local (the Extended) Domain 0 to isolate the server(s) from the other local
systems (including Domain 0).</para> systems (including Domain 0).</para>
<para>Here is an example. In this example, we will assume that the system <para>Here is an example. In this example, we will assume that the system
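Review bot: this hunk moves the paragraph from second person (you/your) to first person (me/my), but the following paragraph, visible in the trailing context, still opens with "In this example, we will assume that the system". Pick one voice for the section so the reader is not bounced between the author's own setup and a generic one; given the note added later in this commit saying it is the real shorewall.net configuration, first person throughout is the natural choice.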
@ -100,15 +105,22 @@
only have to worry about protecting the local lan from the systems running only have to worry about protecting the local lan from the systems running
in domains other than domain 0.</para> in domains other than domain 0.</para>
<note>
<para>This is the real <ulink url="myfiles.htm">configuration which I
run at shorewall.net</ulink>.</para>
</note>
<section> <section>
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
<para>One thing strange about configuring Shorewall in this environment <para>One thing strange about configuring Shorewall in this environment
is that Domain 0 is defined as two different zones. It is defined as the is that Domain 0 is defined as two different zones. It is defined as the
firewall zone and it is also defined as "all systems connected to firewall zone and it is also defined as "all systems connected to
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, we <filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
call this second zone <emphasis role="bold">ursa</emphasis>; that zone call this second zone <emphasis role="bold">ursa</emphasis> (which is
corresponds roughly to what is shown as Extended Domain 0 above.</para> the name given to the virtual system running in Domain 0); that zone
corresponds roughly to what is shown as the Extended Domain 0
above.</para>
<blockquote> <blockquote>
<programlisting># OPTIONS OPTIONS <programlisting># OPTIONS OPTIONS
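Review bot: the sentence `it is also defined as "all systems connected to <filename class="devicefile">xenbr0:vif0.0</filename>.` opens a double quote that is never closed; add the closing quote after the </filename> element. The new parenthetical explaining that ursa is the name of the virtual system running in Domain 0 is a good addition, and the <note> pointing at myfiles.htm makes clear this is a live configuration rather than a hypothetical one.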
@ -143,7 +155,9 @@ net eth0 detect dhcp
zone <emphasis role="bold">net</emphasis>.<blockquote> zone <emphasis role="bold">net</emphasis>.<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS <programlisting>#ZONE HOST(S) OPTIONS
ursa xenbr0:vif0.0 ursa xenbr0:vif0.0
dmz xenbr0:vif+ dmz xenbr0:vif+<footnote>
<para>There is a bug in Shorewall versions prior to 3.0.4 that treats all bridge ports as if they had routeback specified. I recommend that you run a Shorewall verison &gt; 3.0.3 if you run Xen.</para>
</footnote>
net xenbr0:peth0 net xenbr0:peth0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
</blockquote></para> </blockquote></para>
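Review bot: typo in the added footnote, "verison" should be "version". The two sentences also state the version boundary in different forms ("prior to 3.0.4" and "&gt; 3.0.3"); saying "3.0.4 or later" in the recommendation matches the first sentence and avoids the reader having to work out that &gt; 3.0.3 means 3.0.4. It is also worth saying in the footnote what the practical effect of the bug is for this configuration (bridge ports treated as routeback would allow traffic between the dmz domains), since that is the reason the reader should care about upgrading.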
@ -200,8 +214,7 @@ Ping/ACCEPT dmz net
Ping/ACCEPT dmz ursa</programlisting> Ping/ACCEPT dmz ursa</programlisting>
</blockquote> </blockquote>
<para>In this example, 192.168.0.0/22 comprises the local <para>Here, 192.168.0.0/22 comprises my local network.</para>
network.</para>
<para>From the point of view of Shorewall, the zone diagram is as shown <para>From the point of view of Shorewall, the zone diagram is as shown
in the following diagram.</para> in the following diagram.</para>