Andrei Verovski (aka MacGuru) wrote:

> The questions are (based on the http://www.shorewall.net/bridge.html):

That URL no longer exists. The information previously contained there is available at http://www.shorewall.net/3.0/bridge.html. In that article is the following large warning:

    Warning

    SUPPORT FOR BRIDGING AS DESCRIBED IN THIS ARTICLE IS DISCONTINUED IN LINUX KERNEL 2.6.20.

    The underlying Netfilter features that Shorewall Bridge/Firewall support relies on were removed from Netfilter and it is no longer possible to define Shorewall zones in terms of physical bridge ports.

So surely you don't want to base your new infrastructure on a facility that isn't supported by current and future kernels. I'll try to answer your questions with respect to http://www.shorewall.net/bridge-Shorewall-perl.html which describes the preferred method of supporting bridge/firewalls.

> 1) What should be included in /etc/shorewall/interfaces
> and /etc/shorewall/hosts - "br0" or "qtap0", "qtap1", etc?

br0, br0:qtap0, br0:qtap1 -- that's assuming that you want to define Shorewall policies and rules that control connections through the bridge. If you don't have that requirement then use a simple bridge (http://www1.shorewall.net/SimpleBridge.html) and just define br0 in /etc/shorewall/interfaces.

> 2) Why the author of this script used "$USERID" in "tunctl -b -u $USERID -t
> qtap$i"?

You'll have to ask the author of that script.

> If the user is non-root, may it somehow affect Shorewall bridging setup?

Not unless your Shorewall configuration limits access to particular users using the USER/GROUP column in the rules file. Note that such limits only apply to traffic originating on the firewall.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
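The "br0, br0:qtap0, br0:qtap1" answer above maps onto three Shorewall configuration files. The fragment below is an added illustration written for this archive page, not Tom's or the Shorewall project's own configuration, and it assumes the Shorewall-perl bridge/firewall method the reply points to (bridge interface declared with the bridge option, zones of type bport defined by bridge port in the hosts file). The zone names net and loc, the choice of which qtap port belongs to which zone, and the policies are assumptions for the example; only br0, qtap0 and qtap1 come from the thread.

```text
# /etc/shorewall/zones  (zone names net/loc are assumptions for this example)
#ZONE   TYPE      OPTIONS
fw      firewall
net     bport
loc     bport

# /etc/shorewall/interfaces  (the bridge itself; "-" because the zones are
# assigned per port in the hosts file, not to br0 as a whole)
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      bridge

# /etc/shorewall/hosts  (bridge port -> zone; this is the br0:qtapN form)
#ZONE   HOST(S)      OPTIONS
net     br0:qtap0
loc     br0:qtap1

# /etc/shorewall/policy  (assumed defaults: deny between ports unless a rule
# in /etc/shorewall/rules allows it; log what is dropped so misconfigured
# port assignments show up in the firewall log)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       loc    DROP     info
net       all    DROP     info
all       all    REJECT   info
```

With this layout the firewall host sees each tap device as a port of br0, so a rule or policy between net and loc is enforced on traffic forwarded through the bridge. As the reply notes, a USER/GROUP entry in the rules file would not restrict that forwarded traffic; it only matches connections the firewall host itself originates, so the user that tunctl assigned to the tap devices has no bearing on these net/loc policies.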
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
