On Mon, 2011-11-14 at 00:31 +0000, Mark van Dijk wrote:
> > I should add that it would be challenging to configure Shorewall to
> > accommodate this configuration. I'll see what I can do about that for
> > 4.4.26.
I've looked at this a bit more and adding the back-to-back veth
interfaces doesn't help all that much.
                                            ---- z1
                                           /
net <-> firewall vethI <-> vethJ -- bridge ---- z2
                                           \
                                            ---- z3
While we can filter traffic entering the bridge via vethJ to the
individual zones zN, we can't tell whether that traffic came from the
net or from the firewall itself.
In the case where the zN are virtual machines, each VM typically has a
fixed IP address. In that case, it is already easy to limit traffic from
the net and firewall to the individual VMs using their IP address,
without the need for bport zones at all:
                      ---- vm1
                     /
net <-> firewall br0 ---- vm2
                     \
                      ---- vm3
zones:
    #ZONE   TYPE
    fw      firewall
    net     ipv4
    vms     ipv4

policy:
    #SOURCE DEST    POLICY
    fw      vms     REJECT
    net     vms     DROP
    ...

interfaces:
    net     ethN    ...
    vms     br0     ...

params:
    VMIP1=w.z.y.z1
    VMIP2=w.z.y.z2
    ...
    VM1=vms:$VMIP1
    VM2=vms:$VMIP2
    ...

rules:
    #ACTION SOURCE  DEST    PROTO   DPORT
    ACCEPT  net     $VM1    tcp     80
    ACCEPT  fw,net  $VM2    tcp     25
    ...
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
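The point of the zones/policy/rules fragment in the message is that a host-qualified destination such as vms:$VMIP1 narrows an ACCEPT rule to one address on the bridge, so everything else from net to the VM zone falls through to the DROP policy and everything from the firewall itself falls through to REJECT. The following is an added example, not code from the list post or from Shorewall: a small first-match evaluator that models that fragment over a few constructed connections. It assumes two addresses from the 192.0.2.0/24 documentation range in place of the w.z.y.z1/w.z.y.z2 placeholders, and treats zone pairs the message elides with "..." as DROP.

```python
"""Toy first-match evaluator modelling the Shorewall zones/policy/rules
fragment from the list post (added example, not Shorewall's own code).

Assumptions not on the page: constructed VM addresses from 192.0.2.0/24
stand in for the w.z.y.z1/w.z.y.z2 placeholders, and a zone pair with no
listed policy line is treated as DROP.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the params section (VMIP1=w.z.y.z1, VMIP2=w.z.y.z2).
VMIP1 = "192.0.2.11"
VMIP2 = "192.0.2.12"


@dataclass(frozen=True)
class Rule:
    """One line of the rules file: ACTION SOURCE DEST PROTO DPORT."""
    action: str
    src_zones: frozenset          # "fw,net" becomes {"fw", "net"}
    dst_zone: str
    dst_host: Optional[str]       # "vms:$VMIP1" -> "192.0.2.11"; None = whole zone
    proto: str
    dport: int


@dataclass(frozen=True)
class Flow:
    """A new connection after Shorewall has classified its zones."""
    src_zone: str
    dst_zone: str
    dst_ip: str
    proto: str
    dport: int


# rules: with the $VM1/$VM2 host-zone parameters expanded
RULES = [
    Rule("ACCEPT", frozenset({"net"}), "vms", VMIP1, "tcp", 80),        # ACCEPT net    $VM1 tcp 80
    Rule("ACCEPT", frozenset({"fw", "net"}), "vms", VMIP2, "tcp", 25),  # ACCEPT fw,net $VM2 tcp 25
]

# policy: fallback per zone pair when no rule matches
POLICY = {
    ("fw", "vms"): "REJECT",
    ("net", "vms"): "DROP",
}
DEFAULT_POLICY = "DROP"   # assumption for the pairs the message elides with "..."


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every column must match; the host part of a zone:host destination
    restricts the rule to that single address rather than the whole zone."""
    return (
        flow.src_zone in rule.src_zones
        and flow.dst_zone == rule.dst_zone
        and (rule.dst_host is None or flow.dst_ip == rule.dst_host)
        and flow.proto == rule.proto
        and flow.dport == rule.dport
    )


def evaluate(flow: Flow) -> str:
    """First matching rule wins; otherwise the zone-pair policy applies."""
    for rule in RULES:
        if rule_matches(rule, flow):
            return rule.action
    return POLICY.get((flow.src_zone, flow.dst_zone), DEFAULT_POLICY)


def vms_flow(src_zone: str, dst_ip: str, dport: int, proto: str = "tcp") -> Flow:
    """Convenience constructor for traffic headed into the br0 / vms zone."""
    return Flow(src_zone, "vms", dst_ip, proto, dport)


if __name__ == "__main__":
    # Constructed sample connections exercising each branch of the fragment.
    samples = [
        vms_flow("net", VMIP1, 80),   # web on VM1: ACCEPT
        vms_flow("net", VMIP1, 25),   # no rule, net->vms policy: DROP
        vms_flow("net", VMIP2, 25),   # mail on VM2: ACCEPT
        vms_flow("net", VMIP2, 80),   # VM2 is not the web host: DROP
        vms_flow("fw", VMIP2, 25),    # firewall may deliver mail to VM2: ACCEPT
        vms_flow("fw", VMIP1, 80),    # rule lists only net as source: REJECT
    ]
    for f in samples:
        print(f"{f.src_zone:>3} -> {f.dst_ip}:{f.dport}/{f.proto}  {evaluate(f)}")
```

Running the block prints one verdict per sample connection; the fw -> VM1:80 case shows why the source column matters as much as the host-qualified destination, since the web rule names only net and the firewall's own traffic therefore falls to the fw->vms REJECT policy.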
