Hi,

> That having been said, there are a couple of things to keep in mind
> when considering using bridges with Shorewall.
>
> - You can define zones by bridge port.
> - You can filter traffic originating from those 'bridge-port' zones.
> - You cannot filter traffic from non-bridge-port zones to individual
> 'bridge-port' zones. This restriction is imposed by Netfilter, not
> Shorewall.
Alright, this is interesting to me as well. But what is an individual bridge port? I assume that it's one Ethernet device that has been added to the bridge. So then, does this mean that filtering between, say, eth1 and vzone1 cannot be done?

> Example 1 (routed firewall):
(..snip..)
> Example 2 (bridged firewall)
(..snip..)

Am I right when I assume that the bridge in example 1 has no IP? I have wondered whether Linux could be configured to have a bridge with no IP and a dummy device that functions as a port for connections from the firewall to the bridge. Is the bridge in example 2 the firewall/fw zone?

Last question: Xen currently suggests disabling ARP on the bridge port (so if I have a bridge br0 and eth0 is a member of it, one would do 'ip link set dev eth0 arp off') and giving the ports a MAC of fe:ff:ff:ff:ff:ff. Any thoughts on this?

Clearly I'm almost getting it. :)

Mark.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
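The Xen recommendation quoted in the last question (ARP disabled on the bridge port, port MAC set to fe:ff:ff:ff:ff:ff) is something an administrator usually wants to verify after the fact rather than just apply. The following POSIX shell script is an added example, not code from the thread, from Shorewall or from Xen: it prints the two `ip link` commands that put a port into that state, and audits a port by parsing single-line `ip -o link show` output, where `arp off` shows up as the `NOARP` flag. The device names and the sample `ip -o link show` output are constructed for the example; on a real host you would pass `"$(ip -o link show)"` instead of the sample.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): check whether a bridge
# port is in the state Xen suggests -- NOARP flag set and the placeholder
# MAC fe:ff:ff:ff:ff:ff -- by parsing `ip -o link show` output.

XEN_PORT_MAC="fe:ff:ff:ff:ff:ff"

# Constructed sample of `ip -o link show` output (one interface per line):
# eth0 has been configured as suggested, eth1 has not. Both are ports of br0.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff'

# configure_port DEV: the two commands Xen suggests for a bridge port.
# They are printed unless APPLY=1 is set, since running them needs root and
# a real interface (some drivers also want the link down before a MAC change).
configure_port() {
    for cmd in "ip link set dev $1 arp off" \
               "ip link set dev $1 address $XEN_PORT_MAC"; do
        if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
    done
}

# link_line OUTPUT DEV: print the `ip -o link` line describing DEV, if any.
link_line() {
    printf '%s\n' "$1" | awk -v dev="$2" -F': ' '$2 == dev { print; exit }'
}

# port_has_noarp DEV OUTPUT: succeed when DEV carries the NOARP flag,
# which is what `ip link set dev DEV arp off` sets.
port_has_noarp() {
    link_line "$2" "$1" | grep -Eq '<([^>]*,)?NOARP(,[^>]*)?>'
}

# port_mac DEV OUTPUT: print the link-layer address shown for DEV.
port_mac() {
    link_line "$2" "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "link/ether") { print $(i + 1); exit } }'
}

# audit_port DEV OUTPUT: report "ok" when DEV matches the expected state,
# otherwise say what differs. Returns 0 only when everything matches,
# 2 when DEV is not present in OUTPUT at all.
audit_port() {
    dev=$1; out=$2; status=0
    if [ -z "$(link_line "$out" "$dev")" ]; then
        echo "$dev: not found"; return 2
    fi
    if ! port_has_noarp "$dev" "$out"; then
        echo "$dev: ARP still enabled (expected NOARP flag)"; status=1
    fi
    mac=$(port_mac "$dev" "$out")
    if [ "$mac" != "$XEN_PORT_MAC" ]; then
        echo "$dev: MAC is $mac, expected $XEN_PORT_MAC"; status=1
    fi
    [ "$status" -eq 0 ] && echo "$dev: ok"
    return "$status"
}

# Demo on the constructed sample: eth0 passes, eth1 is reported twice.
for dev in eth0 eth1; do
    audit_port "$dev" "$SAMPLE_IP_LINK" || true
done
```

On a live system, `audit_port eth0 "$(ip -o link show)"` performs the same check against the kernel's view of the port, and `APPLY=1 configure_port eth0` applies the two commands instead of printing them. The parsing deliberately keys on the `NOARP` flag and the `link/ether` token rather than on column positions, because the number of attributes `ip` prints varies between kernel versions.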
