Hello all. I'd like to start by saying that I love this code. It works really, really well. I use it at home and will be putting it into place at work in the coming months. Now, on to my question:
From what I gather from the previous posts/mails, the only (or at least best, working) way to communicate with the bridge is to put an IP on 'br0'. I don't really want to do that. I do, however, want the boxes to log to a central server. Is there any way that this can be accomplished without putting an IP where the outside world can get at it?
I realize that using a 'private-space' subnet would limit visibility, but I'm not sure that this adds any security. With the right iptables rules, you could be pretty certain that only inside hosts can talk to the bridge. However, it would not be too terribly difficult to use a compromised box to 'reflect' packets back at the bridge from the inside. I'm probably moving off into paranoia-land here, but I'd sleep better at night if those boxes weren't accessible to the network at large.
Any ideas?
Maybe I could script the IP address off and on as needed? Maybe I don't actually need an IP, but I'd bet that I do. This area is where my *nix gets pretty weak.
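One way to try the "IP on and off as needed" idea, as an added example that is not part of the original post or of the bridge software itself: the script keeps br0 addressless except during a log push. It first installs iptables INPUT rules so that the only thing allowed to reach the temporary address is the management host, and then only if the packet physically arrived on the inside bridge port (the physdev match), plus replies to connections the box opened itself; it then assigns the address, pushes the log file with scp, and tears both down in the reverse order. Everything named here is an assumption: br0 with eth1 as the inside port, 10.0.0.5 as the management/log host, 10.0.0.250/24 as the transient address, and a local log file that is copied rather than streamed. Set DRY_RUN=1 to see the commands instead of executing them.

```shell
#!/bin/bash
# Added example (not the original poster's or the bridge project's code).
# All interface names, addresses and paths below are placeholder assumptions.
BR=${BR:-br0}                    # the bridge that normally carries no IP
INSIDE_PORT=${INSIDE_PORT:-eth1} # bridge port facing the inside network
MGMT_HOST=${MGMT_HOST:-10.0.0.5} # central log / management host
BR_ADDR=${BR_ADDR:-10.0.0.250/24} # address assigned only while shipping logs
BR_IP=${BR_ADDR%/*}
LOG_FILE=${LOG_FILE:-/var/log/bridge/messages}
MGMT_USER=${MGMT_USER:-logpush}
LOG_DEST=${LOG_DEST:-/var/log/remote/}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1 so the sequence can be reviewed.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Firewall rules that exist only while the address is up.
# $1 is -I (insert) or -D (delete). Because -I prepends, the rule inserted
# last ends up first, so the final order is: ssh-from-mgmt, established, drop.
# Bridged (forwarded) traffic is untouched: these are INPUT rules for our IP.
fw_rules() {
  action=$1
  # Default: nothing on the wire may talk to the bridge's own address.
  run iptables "$action" INPUT -i "$BR" -d "$BR_IP" -j DROP
  # Replies to connections this box opened (the scp to the log host).
  run iptables "$action" INPUT -i "$BR" -d "$BR_IP" \
      -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Management ssh, but only when the frame entered on the inside port.
  # A packet spoofing MGMT_HOST that arrives on the outside port is dropped.
  run iptables "$action" INPUT -i "$BR" -d "$BR_IP" -s "$MGMT_HOST" \
      -m physdev --physdev-in "$INSIDE_PORT" -p tcp --dport 22 -j ACCEPT
  # Our own traffic from the temporary address may only go to the log host.
  run iptables "$action" OUTPUT -o "$BR" -s "$BR_IP" ! -d "$MGMT_HOST" -j DROP
}

# Rules go in before the address exists, so there is no unprotected window.
bridge_ip_up() {
  fw_rules -I
  run ip addr add "$BR_ADDR" dev "$BR"
}

# Address comes off before the rules are removed, for the same reason.
bridge_ip_down() {
  run ip addr del "$BR_ADDR" dev "$BR"
  fw_rules -D
}

# Bring the address up, push the log file, and take it down again even if
# the copy failed; the copy's exit status is returned to the caller.
ship_logs() {
  bridge_ip_up
  status=0
  run scp -q "$LOG_FILE" "$MGMT_USER@$MGMT_HOST:$LOG_DEST" || status=$?
  bridge_ip_down
  return "$status"
}

case "${1:-}" in
  up)   bridge_ip_up ;;
  down) bridge_ip_down ;;
  ship) ship_logs ;;
esac
```

Two caveats. The physdev match only works when bridge netfilter is active (the br_netfilter module on current kernels, built into the bridge code on older ones), so check that `iptables -m physdev -h` does not complain before relying on it. And the inside-port restriction only answers the "reflect from outside" case; a compromised host on the inside segment can still reach the address during the push window, which is exactly the residual risk the post raises, so keep the window short and run the push from cron rather than leaving the address up.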
