From ec7fa4adcb4cf3986fbf6a2c487e2c5de3134dd7 Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Sun, 12 Feb 2006 16:11:41 +0000
Subject: [PATCH] Update Xen Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3479 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs2/MultiISP.xml |  4 ++--
 Shorewall-docs2/Xen.xml      | 28 +++++++++++++++++++++++-----
 2 files changed, 25 insertions(+), 7 deletions(-)

diff --git a/Shorewall-docs2/MultiISP.xml b/Shorewall-docs2/MultiISP.xml
index 7f5c5dc9b..ef337e45d 100644
--- a/Shorewall-docs2/MultiISP.xml
+++ b/Shorewall-docs2/MultiISP.xml
@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2006-01-02</pubdate>
+    <pubdate>2006-02-06</pubdate>
 
     <copyright>
       <year>2005</year>
@@ -212,7 +212,7 @@
                   be tracked so that responses may be routed back out this
                   same interface.</para>
 
-                  <para>You want specify 'track' if internet hosts will be
+                  <para>You want to specify 'track' if internet hosts will be
                   connecting to local servers through this provider. Any time
                   that you specify 'track', you will also want to specify
                   'balance' (see below).</para>
diff --git a/Shorewall-docs2/Xen.xml b/Shorewall-docs2/Xen.xml
index a28efc9fa..efc752a6e 100644
--- a/Shorewall-docs2/Xen.xml
+++ b/Shorewall-docs2/Xen.xml
@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2006-01-01</pubdate>
+    <pubdate>2006-02-02</pubdate>
 
     <copyright>
       <year>2006</year>
@@ -110,6 +110,17 @@
       run at shorewall.net</ulink>.</para>
     </note>
 
+    <section>
+      <title>/etc/shorewall/shorewall.conf</title>
+
+      <para>Because Xen uses normal Linux bridging, you must enable bridge
+      support in shorewall.conf</para>
+
+      <blockquote>
+        <programlisting>BRIDGING=Yes</programlisting>
+      </blockquote>
+    </section>
+
     <section>
       <title>/etc/shorewall/zones</title>
 
@@ -119,8 +130,8 @@
       <filename class="devicefile">xenbr0:vif0.0</filename>. In this case, I
       call this second zone <emphasis role="bold">ursa</emphasis> (which is
       the name given to the virtual system running in Domain 0); that zone
-      corresponds roughly to what is shown as the Extended Domain 0
-      above.</para>
+      corresponds to Domain 0 as seen from the outside in the diagram above
+      (see more <link linkend="zones">below</link>).</para>
 
       <blockquote>
         <programlisting>#                                       OPTIONS                 OPTIONS
@@ -216,10 +227,17 @@ Ping/ACCEPT     dmz                ursa</programlisting>
 
       <para>Here, 192.168.0.0/22 comprises my local network.</para>
 
-      <para>From the point of view of Shorewall, the zone diagram is as shown
-      in the following diagram.</para>
+      <para id="zones">From the point of view of Shorewall, the zone diagram
+      is as shown in the following diagram.</para>
 
       <graphic align="center" fileref="images/Xen2.png" />
+
+      <para>Note that the <emphasis role="bold">ursa</emphasis> zone subsumes
+      the <emphasis role="bold">fw</emphasis> zone because the <emphasis
+      role="bold">ursa</emphasis> zone is defined to be all systems that
+      interface to xenbr0's vif0.0 port — it is the rules governing traffic
+      to/from the <emphasis role="bold">ursa</emphasis> zone that protect the
+      firewall in this configuration.</para>
     </section>
   </section>
 </article>
\ No newline at end of file