Tom Eastep wrote:
> There actually *is* a way.
>
> Change your interfaces file to look like this:
>
> world   br0         detect   bridge,routeback
> -       br0:eth0    detect
> loc     br0:vnet0   detect
>
> And add a hosts file as follows:
>
> net     eth0:0.0.0.0/0   blacklist
>
Oh, delighted to know that there is one! :-)
I will try it and give you feedback, but first I'd like to give you feedback on your other mail ...
(I accidentally posted this with another account, so it didn't get through to the list; you may discard it if it isn't being done automatically.)

Tom Eastep wrote:
> Michael Kress wrote:
>
>> So how could I block individuals with my setup as posted before?
>
> In Shorewall 4.2.7, you will be able to specify the 'blacklist' option
> (among others) on a bridge port. Would you like to try an early release?

Hi Tom,

I'm sorry, but I won't have the time to test this as this server is going into production soon.
I succeeded now with the setup below. (I hope this is secure enough.)
The trick was to use a two-interface setup with proxyarp. I have explicitly omitted eth0 from the bridge.
Blacklisting works like a charm now, which was my original question.
Thanks for pointing me to the solution for my prob.

Regards
Michael

$ brctl show
bridge name     bridge id               STP enabled     interfaces
dmz0            8000.00ff01953a0e       yes             vnet0
virbr0          8000.000000000000       yes

=================================
interfaces:
net     eth0    detect  tcpflags,routefilter,nosmurfs,logmartians,blacklist
kvm     dmz0    detect  blacklist,routeback,nosmurfs

=================================
policy:
kvm     net     ACCEPT
net     all     DROP    info
$FW     net     ACCEPT
all     all     REJECT  info

=================================
proxyarp:
192.168.2.149   dmz0    eth0    no      yes

=================================
rules:
SSH/ACCEPT      net     $FW
SSH/ACCEPT      net     kvm
HTTP/ACCEPT     net     kvm
HTTPS/ACCEPT    net     kvm
...
and so on

=================================
zones:
fw      firewall
net     ipv4
kvm     ipv4

-- 
Michael Kress, [email protected]
http://www.michael-kress.de / http://kress.net
P E N G U I N S   A R E   C O O L
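
Added example, not part of the original messages: a small Python check that reads the interfaces and hosts entries quoted in this thread and reports which interfaces or bridge ports carry the 'blacklist' option. The column layouts are assumed to be those of Shorewall 4.2, and the function names are made up for this illustration.

```python
# Added example, not from the thread. Assumed column layouts (Shorewall 4.2):
#   interfaces: ZONE INTERFACE BROADCAST OPTIONS
#   hosts:      ZONE HOST(S)   OPTIONS

def rows(text):
    """Yield the columns of each entry, skipping blank lines and # comments."""
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 2:
            yield cols

def opts(cols, index):
    """Return the option set in column `index` ('-' or a missing column = none)."""
    if len(cols) <= index or cols[index] == "-":
        return set()
    return set(cols[index].split(","))

def blacklist_coverage(interfaces_text, hosts_text=""):
    """Map each interface or bridge port to True if 'blacklist' is set for it."""
    coverage = {}
    for cols in rows(interfaces_text):
        # "br0:eth0" declares port eth0 of bridge br0; key it by the port name.
        coverage[cols[1].split(":")[-1]] = "blacklist" in opts(cols, 3)
    for cols in rows(hosts_text):
        # "eth0:0.0.0.0/0" is interface eth0 plus an address range.
        iface = cols[1].split(":", 1)[0]
        if "blacklist" in opts(cols, 2):
            coverage[iface] = True
    return coverage

def uncovered(interfaces_text, hosts_text=""):
    """Return the sorted names that carry no 'blacklist' option."""
    cov = blacklist_coverage(interfaces_text, hosts_text)
    return sorted(name for name, ok in cov.items() if not ok)

# Both configurations below are copied from the messages in this thread.
BRIDGE_INTERFACES = """\
world br0       detect bridge,routeback
-     br0:eth0  detect
loc   br0:vnet0 detect
"""
BRIDGE_HOSTS = "net eth0:0.0.0.0/0 blacklist\n"
PROXYARP_INTERFACES = """\
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians,blacklist
kvm dmz0 detect blacklist,routeback,nosmurfs
"""

if __name__ == "__main__":
    print("bridge-port setup, no blacklist on:", uncovered(BRIDGE_INTERFACES, BRIDGE_HOSTS))
    print("proxyarp setup, no blacklist on:  ", uncovered(PROXYARP_INTERFACES))
```

The check only reports where the option is set; whether an internal port such as vnet0 needs it depends on the zone it faces.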
