On Tue, 2011-11-01 at 20:27 -0700, Tom Eastep wrote:
>
> If you create a rational IP configuration, Shorewall can handle it.
>
> In short -- this isn't a Shorewall question.
That having been said, there are a couple of things to keep in mind when
considering using bridges with Shorewall.
- You can define zones by bridge port.
- You can filter traffic originating from those 'bridge-port' zones.
- You cannot filter traffic from non-bridge-port zones to individual
'bridge-port' zones. This restriction is imposed by Netfilter, not
Shorewall.
Example 1 (routed firewall):

                          _________
                         |         |--vzone1
net<--eth0->firewall<--->| bridge  |--vzone2
                         |_________|--vzone3
You can write rules for vzoneN->net
You can write rules for vzoneN->vzoneM
You can write rules for vzoneN->firewall
You can write rules for firewall->vzone* only
You can write rules for net->vzone* only
Example 2 (bridged firewall):

              _________
             |         |--vzone1
net<--eth0-->| bridge  |--vzone2
             |_________|--vzone3
You can write rules for all zone pairs except for fw->vzoneN; you can
only write rules for fw->vzone*.
Hope this helps,
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
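As an added illustration of Example 2 (not part of Tom's message and not taken from the Shorewall project's own documentation), here is how the bridge-port zones could be declared in the Shorewall 4.4-era configuration files. It assumes a bridge named br0 whose ports are eth0 (towards net) and three guest interfaces vnet1, vnet2 and vnet3; all of those names are assumptions. The rules file shows which zone pairs the message says are expressible and which one is not:

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
vzone1  ipv4
vzone2  ipv4
vzone3  ipv4

# /etc/shorewall/interfaces
# The bridge itself gets no zone; the "bridge" option tells Shorewall that
# zones will be assigned per bridge port (it also implies routeback).
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect      bridge

# /etc/shorewall/hosts
# Zones defined by bridge port, using the bridge:port syntax.
# Interface names eth0 and vnet1..3 are assumed for this example.
#ZONE   HOST(S)     OPTIONS
net     br0:eth0
vzone1  br0:vnet1
vzone2  br0:vnet2
vzone3  br0:vnet3

# /etc/shorewall/policy
# fw->vzone* is expressed here as fw->all, because the individual
# destination bridge port cannot be matched for locally generated traffic.
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# vzoneN -> net: source is a bridge-port zone, fine in both examples
ACCEPT  vzone1  net     tcp     80,443
# vzoneN -> vzoneM: both ends are bridge-port zones, fine
ACCEPT  vzone1  vzone2  tcp     22
# vzoneN -> firewall: fine
ACCEPT  vzone2  fw      udp     53
# net -> vzoneN: allowed only because this is a *bridged* firewall;
# in the routed layout of Example 1 you could only write net -> vzone*
ACCEPT  net     vzone3  tcp     443
# fw -> vzone3 is NOT expressible in either example; the closest you can
# get is the fw -> all policy above (fw -> vzone*).
```

The distinction behind the restriction is that Netfilter can only identify the incoming bridge port for any packet, and the outgoing bridge port only for packets that are themselves being bridged, not for packets the firewall itself originates. For the bridged layout to be filtered at all, bridge netfilter must be active (the br_netfilter module with net.bridge.bridge-nf-call-iptables=1 on current kernels), otherwise bridged frames never reach the iptables rules Shorewall generates.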
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users