Vieri Di Paola wrote:
> Too bad for me that they introduced a major handicap.
> In my case, I need the bridge but I also need an IPsec
> tunnel which only works on 2.6.20 when bridged.

It turns out that fixing IPSec required that physdev match be modified in the way that it was.

I'm beginning to think about how to make use of the reduced-function physdev match in Shorewall. Whatever I do will only be supported by Shorewall Perl.

I will probably introduce a new type of zone to represent bridge ports. Current functionality will be available *from* this new type of zone to any other zone, but traffic from other zone types will not be allowed to the new zone type. Rather, the new zone type must be nested in a normal ipv4 zone that is defined only by the bridge itself (and possibly by address groups, a la the current 'NewBridge' technique), and rules/policies whose destination is the bridge will be governed by the parent zone.

Something along the following lines:

/etc/shorewall/zones:

fw      firewall
net     ipv4
lan     ipv4
a:lan   port
b:lan   port

/etc/shorewall/interfaces:

net     eth0    -       ...
lan     br0     -       ...

/etc/shorewall/hosts:

a       br0:eth1        ...
b       br0:eth1        ...

fw->lan and net->lan rules/policies would be allowed but fw->a/b and net->a/b would not be allowed.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
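The zone-nesting and destination constraint Tom sketches above, modelled as an added Python example (not Shorewall code; the zones fragment is constructed and the rule that only a port zone may send to another port zone is an assumption about the proposal):

```python
# Added example: a model of the proposed bridge-port ("port") zone constraint
# from Tom's message. Written for illustration; not Shorewall's own code, and
# the semantics below are assumptions. Input is a constructed zones fragment.

ZONES_TEXT = """\
# ZONE     TYPE
fw         firewall
net        ipv4
lan        ipv4
a:lan      port
b:lan      port
"""

def parse_zones(text):
    """Return {zone: (type, parent)} and enforce that every port zone is
    nested in an ipv4 zone, as the proposal requires."""
    zones = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, ztype = line.split()[:2]
        parent = None
        if ":" in name:
            name, parent = name.split(":", 1)
        zones[name] = (ztype, parent)
    for name, (ztype, parent) in zones.items():
        if ztype == "port":
            if parent is None or zones.get(parent, (None,))[0] != "ipv4":
                raise ValueError(f"port zone {name} must be nested in an ipv4 zone")
    return zones

def check_rule(zones, source, dest):
    """Return None if SOURCE->DEST is allowed under the proposal, else the reason.
    Assumption: only a port zone may target another port zone; any other
    source must address the parent (bridge) zone instead."""
    for z in (source, dest):
        if z not in zones:
            return f"unknown zone {z}"
    stype = zones[source][0]
    dtype, dparent = zones[dest]
    if dtype == "port" and stype != "port":
        return f"{source}->{dest}: port zone {dest} may not be a destination; use {dparent}"
    return None

def check_rules(zones, pairs):
    """Map each (source, dest) pair to its verdict (None means allowed)."""
    return {f"{s}->{d}": check_rule(zones, s, d) for s, d in pairs}
```

Running `check_rules(parse_zones(ZONES_TEXT), [("fw","lan"),("fw","a"),("a","net")])` reports fw->lan and a->net as allowed and fw->a as rejected with a pointer to the parent zone lan.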
