Chris Davies <chris-use...@roaima.co.uk> writes:

> lee <l...@yun.yagibdah.de> wrote:
>
> No, not really. A bridge on your host is more like this:
>
>                                              |--- con1+shorewall --- host
> Internet --- eth1+shorewall --- [switch] ---|--- con2+shorewall --- guest A
>                                              |--- con3+shorewall --- guest B
>                                              |--- conN+shorewall --- guest N-1
>
> Notice that shorewall applies to the interfaces, rather than only to
> the host itself.
Yes, and when I replace the interface I have now (eth1) with a bridge
device (br1), then how do I tell shorewall that the guest is in the dmz
(for example)?

Now I have in shorewall's rules file:

,----
| #ZONE   INTERFACE   BROADCAST   OPTIONS
| net     eth1        detect      tcpflags,logmartians=1,nosmurfs
`----

The replacement would be something like:

,----
| #ZONE   INTERFACE   BROADCAST   OPTIONS
| net     br1         detect      tcpflags,logmartians=1,nosmurfs
| dmz     br1         detect      tcpflags,logmartians=1,nosmurfs
`----

... which doesn't make sense. You cannot put a firewall/router between
computers that are all plugged into the same switch because they are
connected to each other by the switch (unless you separate the
connectors the switch has from each other and the firewall/router is in
the switch itself). With a bridge device, the computers are even
connected transparently as if there was no switch.

You say shorewall applies to interfaces and not to hosts, and you say I
should have only one interface for several hosts. I could conclude that
shorewall doesn't apply to any of the hosts then because it applies to
interfaces. Therefore, I cannot have a firewall between the hosts
because they do not have distinct interfaces shorewall would apply to,
can I?

And I must be missing something, unless you really need a physical
interface for each guest (or at least for every zone) to turn into a
bridge device, and one interface for the host itself, so that shorewall
can apply to all of them through their interfaces. Or is it what you're
saying, that I do need physical interfaces for what I'm trying to do?

>> Ideally, I would bundle "Internet A" and "Internet B" to increase the
>> available bandwidth.
>
> That's a different issue. But there's no reason in principle why you
> couldn't, for example, have the host using eth0 and the guests aggregated
> via eth1. You can connect the NICs corresponding to eth0 and eth1
> wherever you like.
In my case, I would really want to bundle the two lines into one line
that has more bandwidth. It's a different issue I looked into a while
ago and didn't exactly find worthwhile after getting an idea about how
complicated that would be.

-- 
Debian testing amd64

Archive: http://lists.debian.org/87pq5kzbr0....@yun.yagibdah.de
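As an added illustration that is not part of the original thread (neither poster wrote this), the kind of layout Shorewall offers for exactly the situation lee describes: one bridge device shared by the host and all guests, with each bridge port assigned to its own zone so that rules are enforced per port rather than per bridge. This follows the bridge-port zone mechanism documented for Shorewall 4.x (zone type bport, the bridge option on the interface, port-to-zone assignment in the hosts file); the port names vnet0 and vnet1 and the zone names are assumptions for the example, and the exact option set depends on the installed Shorewall version, so check the bridge documentation for the version in use.

```text
# /etc/shorewall/zones  (assumed example, not from the thread)
#ZONE        TYPE        OPTIONS
fw           firewall
world        ipv4
net:world    bport
dmz:world    bport

# /etc/shorewall/interfaces
# The bridge itself is not placed in a zone ("-"); the bridge option
# tells Shorewall that zones will be attached to its ports.
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br1         -           bridge,tcpflags,nosmurfs

# /etc/shorewall/hosts
# Ports of br1: the physical uplink is the net zone, the guest
# tap devices (assumed names vnet0/vnet1) are the dmz zone.
#ZONE   HOST(S)     OPTIONS
net     br1:eth1
dmz     br1:vnet0
dmz     br1:vnet1

# /etc/shorewall/policy
# Deny by default between bridge ports; only what rules permit passes.
#SOURCE   DEST   POLICY   LOG LEVEL
net       all    DROP     info
dmz       all    DROP     info
fw        all    ACCEPT
all       all    REJECT   info
```

The security-relevant point is that a bridge port zone lets the host's netfilter see which port a frame arrived on (via the physdev match), so guests on the same bridge can be kept in separate zones and filtered from each other without a physical NIC per guest; the cost is that this only holds for traffic that actually traverses the host's bridge, and the kernel must be built with bridge netfilter support for the rules to take effect at all.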