Tom Eastep wrote:
> There actually *is* a way.
>
> Change your interfaces file to look like this:
>
> world br0 detect bridge,routeback
> - br0:eth0 detect
> loc br0:vnet0 detect
>
> And add a hosts file as follows:
>
> net eth0:0.0.0.0/0 blacklist
>
Cool, thanks for your tip. I can confirm it to be working.
So which of the two ways is the preferred way, the two-interface way
with proxyarp or the bridge way?
I guess as regards security there's no difference.
What about future versions of shorewall, which way will be "more
compatible"?
If you'd like to include my bridge example in the docs, see below.
Regards
Michael
PS: Here's my setup:
====================================
blacklist
210.107.0.0/17 #"boranet"
....... (long blacklist)
====================================
hosts
net eth0:0.0.0.0/0 blacklist
====================================
interfaces
world br0 detect bridge,routeback
- br0:eth0 detect
kvm br0:vnet0 detect
====================================
policy
kvm net ACCEPT
net all DROP info
all kvm DROP info
all $FW DROP info
$FW all ACCEPT
all all REJECT info
====================================
routestopped
eth0 -
====================================
rules
SSH/ACCEPT net $FW
Ping/ACCEPT net $FW
SSH/ACCEPT net kvm
... lots of other rules
====================================
shorewall.conf
STARTUP_ENABLED=Yes
VERBOSITY=1
SHOREWALL_COMPILER=perl
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=keep
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
RSH_COMMAND='ssh ${ro...@${system} ${command}'
RCP_COMMAND='scp ${files} ${ro...@${system}:${destination}'
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=1
EXPORTPARAMS=No
EXPAND_POLICIES=No
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
====================================
zones
fw firewall
world ipv4
net:world bport
kvm:world bport
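A small consistency check for the bridge/bport layout in the setup above, added here as an illustration (it is not Shorewall's own code nor anything from the thread). The config strings are copied from the post; the rules it enforces, that each bport zone hangs under an ipv4 parent carried by an interface with the 'bridge' option and that the policy file only names defined zones, are this script's own assumptions about a sane layout:

```python
ZONES = """fw firewall
world ipv4
net:world bport
kvm:world bport"""
INTERFACES = """world br0 detect bridge,routeback
- br0:eth0 detect
kvm br0:vnet0 detect"""
HOSTS = "net eth0:0.0.0.0/0 blacklist"
POLICY = """kvm net ACCEPT
net all DROP info
all kvm DROP info
all $FW DROP info
$FW all ACCEPT
all all REJECT info"""

def fields(text):
    # Whitespace-separated columns of a Shorewall table, comment lines skipped.
    return [ln.split() for ln in text.splitlines() if ln.split() and not ln.lstrip().startswith("#")]

def check_bridge_config(zones, interfaces, hosts, policy):
    """Return a list of problems; an empty list means the bport layout is consistent."""
    problems, ztype, parent = [], {}, {}
    for f in fields(zones):              # "net:world bport": net is a bport child of world
        name, _, par = f[0].partition(":")
        ztype[name], parent[name] = f[1], par or None
    bridge_zone, port_bridge, zone_ports = {}, {}, {}
    for f in fields(interfaces):
        opts = f[3].split(",") if len(f) > 3 else []
        if "bridge" in opts:             # "world br0 detect bridge,...": br0 carries zone world
            bridge_zone[f[1]] = f[0]
        elif ":" in f[1]:                # "kvm br0:vnet0": vnet0 is a port of br0 in zone kvm
            br, port = f[1].split(":", 1)
            port_bridge[port] = br
            if f[0] != "-":              # "-" means the zone is assigned in the hosts file
                zone_ports.setdefault(f[0], set()).add(port)
    for f in fields(hosts):              # "net eth0:0.0.0.0/0": zone net lives on port eth0
        zone_ports.setdefault(f[0], set()).add(f[1].split(":", 1)[0])
    for z in [z for z, t in ztype.items() if t == "bport"]:
        p = parent.get(z)
        if ztype.get(p) != "ipv4":
            problems.append(f"{z}: bport zone needs an ipv4 parent zone, got {p!r}")
        for port in zone_ports.get(z, ()):
            br = port_bridge.get(port)
            if br not in bridge_zone:
                problems.append(f"{z}: port {port} is not on an interface with the 'bridge' option")
            elif bridge_zone[br] != p:
                problems.append(f"{z}: port {port} is on {br} (zone {bridge_zone[br]}), not under {p}")
    # Every SOURCE/DEST zone named in policy must be defined (all and $FW are built in).
    problems += [f"policy: unknown zone {z}" for f in fields(policy) for z in f[:2] if z not in ("all", "$FW", *ztype)]
    return problems
```

Dropping the 'bridge' option from the br0 line, the mistake the "- br0:eth0" trick depends on avoiding, makes the check flag both bport zones.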
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users