Tom Eastep wrote:
> Vieri Di Paola wrote:
>
>> Too bad for me that they introduced a major handicap.
>> In my case, I need the bridge but I also need an IPsec
>> tunnel which only works on 2.6.20 when bridged.
>
> It turns out that fixing IPSec required that physdev match be modified in
> the way that it was.
>
> I'm beginning to think about how to make use of the reduced-function physdev
> match in Shorewall. Whatever I do will only be supported by Shorewall Perl.
>
> I will probably introduce a new type of zone to represent bridge ports.
> Current functionality will be available *from* this new type of zone to any
> other zone but traffic from other zone types will not be allowed to the new
> zone type. Rather the new zone type must be nested in a normal ipv4 zone
> that is defined only by the bridge itself (and possibly by address
> groups, a la the current 'NewBridge' technique) and rules/policies whose
> destination is the bridge will be governed by the parent zone.
>
> Something along the following lines:
>
> /etc/shorewall/zones:
>
> fw firewall
> net ipv4
> lan ipv4
> a:lan port
> b:lan port
>
> /etc/shorewall/interfaces:
>
> net eth0 - ...
> lan br0 - ...
>
> /etc/shorewall/hosts:
>
> a br0:eth1 ...
> b br0:eth1 ...
>
That should have been:
b eth0:eth2
----
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
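As an added illustration of the constraints in the quoted proposal (not Shorewall code, and the 'port' zone type is only a sketch in that message), the following checks a zones/interfaces/hosts triple against the stated rules: a port zone must be nested in an ipv4 zone, that parent must be defined by the bridge itself, and the port zone's hosts entry must name that bridge and one of its ports. The sample files and the 'br*' naming heuristic for bridges are assumptions.

```python
# Constructed sample files mirroring the proposed layout: 'a' and 'b' are
# port zones nested in the bridge zone 'lan'; 'c' is nested in 'net', which
# is defined by a plain interface, so it should be rejected.
ZONES = """fw firewall
net ipv4
lan ipv4
a:lan port
b:lan port
c:net port
"""
INTERFACES = """net eth0 -
lan br0 -
"""
HOSTS = """a br0:eth1
b br0:eth2
c eth0:eth3
"""

def parse(text):
    """Split a Shorewall-style file into fields, skipping blanks and comments."""
    return [l.split() for l in text.splitlines() if l.strip() and not l.startswith('#')]

def check_port_zones(zones_txt, interfaces_txt, hosts_txt):
    """Return violations of the proposal's constraints on 'port' zones:
    nested in an ipv4 zone, parent defined by a bridge, hosts entry bridge:port."""
    ztype, parent, errors = {}, {}, []
    for fields in parse(zones_txt):
        zone, _, par = fields[0].partition(':')  # 'a:lan' -> zone a, parent lan
        ztype[zone] = fields[1]
        if par:
            parent[zone] = par
    iface = {f[0]: f[1] for f in parse(interfaces_txt)}  # zone -> interface
    hosts = {f[0]: f[1] for f in parse(hosts_txt)}       # zone -> host spec
    for zone, typ in ztype.items():
        if typ != 'port':
            continue
        par = parent.get(zone)
        if par is None or ztype.get(par) != 'ipv4':
            errors.append(f"{zone}: port zone must be nested in an ipv4 zone")
            continue
        bridge = iface.get(par)
        # Assumption: a 'br*' device name stands in for a real bridge check.
        if not bridge or not bridge.startswith('br'):
            errors.append(f"{zone}: parent zone {par} is not defined by a bridge")
            continue
        dev, _, port = hosts.get(zone, '').partition(':')
        if dev != bridge or not port:
            errors.append(f"{zone}: hosts entry must be {bridge}:<port>")
    return errors
```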
