Update the OpenVZ article for 5.0

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-02-18 15:50:48 -08:00
parent 44813f75fd
commit ed29505f67


@ -141,17 +141,16 @@ server:~ # </programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>############################################################################### <programlisting>###############################################################################
#ZONE TYPE OPTIONS IN OUT #ZONE TYPE OPTIONS IN_OPTION OUT_OPTIONS
# OPTIONS OPTIONS
net ipv4 net ipv4
vz ipv4</programlisting> vz ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para> <para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>############################################################################### <programlisting>###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE OPTIONS
net eth0 - proxyarp=1 net eth0 proxyarp=1
vz venet0 - <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting> vz venet0 <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
</section> </section>
<section> <section>
@ -159,8 +158,8 @@ vz venet0 - <emphasis role="bold">routeback,arp_f
<para>If you run Shorewall Multi-ISP support on the host, you should <para>If you run Shorewall Multi-ISP support on the host, you should
arrange for traffic to your containers to use the main routing table. In arrange for traffic to your containers to use the main routing table. In
the configuration shown here, this entry in /etc/shorewall/rtrules the configuration shown here, this entry in /etc/shorewall/rtrules is
is appropriate:</para> appropriate:</para>
<programlisting>#SOURCE DEST PROVIDER PRIORITY <programlisting>#SOURCE DEST PROVIDER PRIORITY
- 206.124.146.178 main 1000</programlisting> - 206.124.146.178 main 1000</programlisting>
@ -290,7 +289,7 @@ done.
<para>The network diagram is shown below.</para> <para>The network diagram is shown below.</para>
<graphic fileref="images/Network2009c.png" /> <graphic fileref="images/Network2009c.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual <para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para> Environments (containers).</para>
@ -457,8 +456,7 @@ NAME="server"</emphasis></programlisting>
<para><filename>/etc/shorewall/zones</filename>:</para> <para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
@ -472,11 +470,11 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=venet0</emphasis> <emphasis role="bold">VPS_IF=venet0</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
role="bold">proxyarp=1</emphasis> role="bold">proxyarp=1</emphasis>
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
<emphasis role="bold">dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis> <emphasis role="bold">dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
...</programlisting>This is a multi-ISP configuration so entries are required ...</programlisting>This is a multi-ISP configuration so entries are required
in <filename>/etc/shorewall/rtrules</filename>:</para> in <filename>/etc/shorewall/rtrules</filename>:</para>
@ -501,8 +499,7 @@ loc $INT_IF detect dhcp,logmartians=1,routefilter=1
<para>/etc/shorewall/zones:</para> <para>/etc/shorewall/zones:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4</programlisting> net ipv4</programlisting>
@ -526,7 +523,7 @@ net <emphasis role="bold">venet0 </emphasis> detect dhcp,tc
<para>The network diagram is shown below.</para> <para>The network diagram is shown below.</para>
<graphic fileref="images/Network2010.png" /> <graphic fileref="images/Network2010.png"/>
<para>The two systems shown in the green box are OpenVZ Virtual <para>The two systems shown in the green box are OpenVZ Virtual
Environments (containers).</para> Environments (containers).</para>
@ -768,8 +765,7 @@ NAME="server"
<para><filename><filename>/etc/shorewall/zones</filename>:</filename></para> <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4 #Internet net ipv4 #Internet
loc ipv4 #Local wired Zone loc ipv4 #Local wired Zone
@ -783,10 +779,10 @@ INT_IF=eth1
<emphasis role="bold">VPS_IF=vzbr0</emphasis> <emphasis role="bold">VPS_IF=vzbr0</emphasis>
...</programlisting> ...</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE INTERFACE OPTIONS
net $NET_IF detect dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0 net $NET_IF dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
loc $INT_IF detect dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags loc $INT_IF dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
dmz $VPS_IF detect logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback dmz $VPS_IF logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
...</programlisting></para> ...</programlisting></para>
<para><filename>/etc/shorewall/proxyarp:</filename></para> <para><filename>/etc/shorewall/proxyarp:</filename></para>
@ -813,15 +809,14 @@ dmz $VPS_IF detect logmartians=0,routefilter=0,nets
<para><filename>/etc/shorewall/zones:</filename></para> <para><filename>/etc/shorewall/zones:</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT <programlisting>#ZONE TYPE OPTIONS IN_OPTIONS OUT_OPTIONS
# OPTIONS OPTIONS
fw firewall fw firewall
net ipv4</programlisting> net ipv4</programlisting>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE OPTIONS
net <emphasis role="bold">eth0 </emphasis> detect dhcp,tcpflags,logmartians,nosmurfs</programlisting> net <emphasis role="bold">eth0 </emphasis> dhcp,tcpflags,logmartians,nosmurfs</programlisting>
</section> </section>
</section> </section>
</article> </article>