forked from extern/shorewall_code
Correct Bizarre formatting problem with Multi-ISP doc
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3216 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
8232d950b8
commit
e749a66c83
@ -49,7 +49,7 @@
|
|||||||
ethernet interfaces to two different ISPs as in the following
|
ethernet interfaces to two different ISPs as in the following
|
||||||
diagram.</para>
|
diagram.</para>
|
||||||
|
|
||||||
<graphic align="left" fileref="images/TwoISPs.png" />
|
<graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
|
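Review bot: this graphic realignment in the Multi-ISP document is the only hunk that matches the commit message, while every hunk below edits the Xen document (xendomains, Xen1.png, xenbr0); the message should say so, for example "Correct bizarre formatting problem with Multi-ISP doc; Xen doc: add footnotes, switch to first person".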
@ -53,9 +53,14 @@
|
|||||||
boot time by using the <command>xendomains</command> service.</para>
|
boot time by using the <command>xendomains</command> service.</para>
|
||||||
|
|
||||||
<para>Xen virtualizes a network interface named <filename
|
<para>Xen virtualizes a network interface named <filename
|
||||||
class="devicefile">eth0</filename> in each domain. In domain 0, Xen also
|
class="devicefile">eth0</filename><footnote>
|
||||||
creates a bridge (<filename class="devicefile">xenbr0</filename>) and a
|
<para>This assumes the default Xen configuration created by
|
||||||
number of virtual interfaces as shown in the following diagram.</para>
|
<command>xend </command>and assumes that the host system has a single
|
||||||
|
ethernet interface named <filename
|
||||||
|
class="devicefile">eth0</filename>.</para>
|
||||||
|
</footnote> in each domain. In domain 0, Xen also creates a bridge
|
||||||
|
(<filename class="devicefile">xenbr0</filename>) and a number of virtual
|
||||||
|
interfaces as shown in the following diagram.</para>
|
||||||
|
|
||||||
<graphic align="center" fileref="images/Xen1.png" />
|
<graphic align="center" fileref="images/Xen1.png" />
|
||||||
|
|
||||||
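Review bot: in the added footnote, `<command>xend </command>and` puts the separating space inside the command element and none after it, so it renders as "xend and" with the space in monospace; change it to `<command>xend</command> and`, matching how `<command>xendomains</command> service` is marked up a few lines earlier in the same hunk.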
@ -90,9 +95,9 @@
|
|||||||
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
|
||||||
2</ulink>, I object to running servers in a local zone because if the
|
2</ulink>, I object to running servers in a local zone because if the
|
||||||
server becomes compromised then there is no protection between that
|
server becomes compromised then there is no protection between that
|
||||||
compromised server and the other local systems. Xen allows you to safely
|
compromised server and the other local systems. Xen allows me to safely
|
||||||
run Internet-accessible servers in your local zone by creating a firewall
|
run Internet-accessible servers in my local zone by creating a firewall in
|
||||||
in (the Extended) Domain 0 to isolate the server(s) from the other local
|
(the Extended) Domain 0 to isolate the server(s) from the other local
|
||||||
systems (including Domain 0).</para>
|
systems (including Domain 0).</para>
|
||||||
|
|
||||||
<para>Here is an example. In this example, we will assume that the system
|
<para>Here is an example. In this example, we will assume that the system
|
||||||
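Review bot: the switch from "you"/"your" to "me"/"my" leaves this paragraph in the first person while the following paragraph, visible as trailing context here, still opens "In this example, we will assume"; since the later hunks also move "we" to "I", change that sentence in the same commit so the whole section reads in one voice.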
@ -100,15 +105,22 @@
|
|||||||
only have to worry about protecting the local lan from the systems running
|
only have to worry about protecting the local lan from the systems running
|
||||||
in domains other than domain 0.</para>
|
in domains other than domain 0.</para>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>This is the real <ulink url="myfiles.htm">configuration which I
|
||||||
|
run at shorewall.net</ulink>.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
<title>/etc/shorewall/zones</title>
|
<title>/etc/shorewall/zones</title>
|
||||||
|
|
||||||
<para>One thing strange about configuring Shorewall in this environment
|
<para>One thing strange about configuring Shorewall in this environment
|
||||||
is that Domain 0 is defined as two different zones. It is defined as the
|
is that Domain 0 is defined as two different zones. It is defined as the
|
||||||
firewall zone and it is also defined as "all systems connected to
|
firewall zone and it is also defined as "all systems connected to
|
||||||
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, we
|
<filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
|
||||||
call this second zone <emphasis role="bold">ursa</emphasis>; that zone
|
call this second zone <emphasis role="bold">ursa</emphasis> (which is
|
||||||
corresponds roughly to what is shown as Extended Domain 0 above.</para>
|
the name given to the virtual system running in Domain 0); that zone
|
||||||
|
corresponds roughly to what is shown as the Extended Domain 0
|
||||||
|
above.</para>
|
||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting># OPTIONS OPTIONS
|
<programlisting># OPTIONS OPTIONS
|
||||||
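Review bot: the rewritten sentence still has an unbalanced quotation mark: the quote opened before "all systems connected to" is never closed after `<filename class="devicefile">xenbr0:vif0.0</filename>`. Since that line is already being changed to "In this case, I", add the closing quote there (`...</filename>". In this case, I`).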
@ -143,7 +155,9 @@ net eth0 detect dhcp
|
|||||||
zone <emphasis role="bold">net</emphasis>.<blockquote>
|
zone <emphasis role="bold">net</emphasis>.<blockquote>
|
||||||
<programlisting>#ZONE HOST(S) OPTIONS
|
<programlisting>#ZONE HOST(S) OPTIONS
|
||||||
ursa xenbr0:vif0.0
|
ursa xenbr0:vif0.0
|
||||||
dmz xenbr0:vif+
|
dmz xenbr0:vif+<footnote>
|
||||||
|
<para>There is a bug in Shorewall versions prior to 3.0.4 that treats all bridge ports as if they had routeback specified. I recommend that you run a Shorewall verison > 3.0.3 if you run Xen.</para>
|
||||||
|
</footnote>
|
||||||
net xenbr0:peth0
|
net xenbr0:peth0
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote></para>
|
</blockquote></para>
|
||||||
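Review bot: the new footnote text has a typo, "verison" for "version", and it is a single very long line in a file that otherwise wraps at roughly 75 columns; fix the spelling and wrap the `<para>` to match. Also consider that a footnote marker inside a `<programlisting>` is rendered as a superscript within the column-aligned hosts table; stating the version requirement in the paragraph that introduces the listing keeps the verbatim block clean.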
@ -200,8 +214,7 @@ Ping/ACCEPT dmz net
|
|||||||
Ping/ACCEPT dmz ursa</programlisting>
|
Ping/ACCEPT dmz ursa</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
|
|
||||||
<para>In this example, 192.168.0.0/22 comprises the local
|
<para>Here, 192.168.0.0/22 comprises my local network.</para>
|
||||||
network.</para>
|
|
||||||
|
|
||||||
<para>From the point of view of Shorewall, the zone diagram is as shown
|
<para>From the point of view of Shorewall, the zone diagram is as shown
|
||||||
in the following diagram.</para>
|
in the following diagram.</para>
|
||||||
|
@ -446,7 +446,7 @@ Limit #Limit connection rate from each individual Host
|
|||||||
|
|
||||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||||
# PORT PORT(S) DEST LIMIT
|
# PORT PORT(S) DEST LIMIT
|
||||||
ACCEPT $MIRRORS
|
ACCEPT $MIRRORS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
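Review bot: no textual change is visible in this hunk, so the edit is whitespace only; because `<programlisting>` is rendered verbatim, the columns under `#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE` should be checked to still line up after the change, and a whitespace-only realignment of a listing deserves a mention in the commit message.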
@ -518,7 +518,7 @@ ACCEPT vpn dmz udp
|
|||||||
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
|
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
|
||||||
Ping/ACCEPT vpn dmz
|
Ping/ACCEPT vpn dmz
|
||||||
###############################################################################################################################################################################
|
###############################################################################################################################################################################
|
||||||
# Local network to DMZ
|
# Local network to DMZ
|
||||||
#
|
#
|
||||||
ACCEPT loc dmz udp domain
|
ACCEPT loc dmz udp domain
|
||||||
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
||||||
@ -880,28 +880,28 @@ ACCEPT net $FW tcp 4000:4100
|
|||||||
<programlisting>dev tun
|
<programlisting>dev tun
|
||||||
remote gateway.shorewall.net
|
remote gateway.shorewall.net
|
||||||
up /etc/openvpn/home.up
|
up /etc/openvpn/home.up
|
||||||
|
|
||||||
tls-client
|
tls-client
|
||||||
pull
|
pull
|
||||||
|
|
||||||
ca /etc/certs/cacert.pem
|
ca /etc/certs/cacert.pem
|
||||||
|
|
||||||
cert /etc/certs/tipper.pem
|
cert /etc/certs/tipper.pem
|
||||||
key /etc/certs/tipper_key.pem
|
key /etc/certs/tipper_key.pem
|
||||||
|
|
||||||
port 1194
|
port 1194
|
||||||
|
|
||||||
user nobody
|
user nobody
|
||||||
group nogroup
|
group nogroup
|
||||||
|
|
||||||
comp-lzo
|
comp-lzo
|
||||||
|
|
||||||
ping 15
|
ping 15
|
||||||
ping-restart 45
|
ping-restart 45
|
||||||
ping-timer-rem
|
ping-timer-rem
|
||||||
persist-tun
|
persist-tun
|
||||||
persist-key
|
persist-key
|
||||||
|
|
||||||
verb 3</programlisting>
|
verb 3</programlisting>
|
||||||
</blockquote>
|
</blockquote>
|
||||||
</section>
|
</section>
|
||||||
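Review bot: this OpenVPN client configuration changes only in whitespace, but since it is being touched: with `tls-client` and `ca /etc/certs/cacert.pem` alone, the client accepts any certificate signed by that CA as the server, including another client's certificate, because nothing in the listing restricts the peer to a server certificate (OpenVPN 2.0 provides `ns-cert-type server` for this); a sentence in the surrounding text pointing this out would help readers who copy the example.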
@ -911,7 +911,7 @@ verb 3</programlisting>
|
|||||||
|
|
||||||
<blockquote>
|
<blockquote>
|
||||||
<programlisting>#!/bin/bash
|
<programlisting>#!/bin/bash
|
||||||
|
|
||||||
ip route add 192.168.1.0/24 via $5 #Access to Home Network
|
ip route add 192.168.1.0/24 via $5 #Access to Home Network
|
||||||
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
|
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
|
||||||
#Internal Bind 9 view because the source IP will
|
#Internal Bind 9 view because the source IP will
|
||||||
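Review bot: `$5` is the next hop in both `ip route add` commands but nothing in the script says what it is; add a comment noting that OpenVPN passes the remote ifconfig address as the fifth argument to an `up` script, so readers do not mistake it for a value they must supply themselves.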