Chris Davies <chris-use...@roaima.co.uk> writes:

> lee <l...@yun.yagibdah.de> wrote:
>> Yes and when I replace the interface I have now (eth1) with a bridge
>> device (br1), then how do I tell shorewall that the guest is in the dmz
>> (for example)?
>
> You need "bridge" and "routeback" set in your shorewall interfaces file.

Ok, all the examples in the shorewall documentation I'm seeing say that I
need the "routeback" option with bridge devices. I'm fine with that. This
option doesn't tell me how to treat the bridge device as two different
interfaces, which seems to be needed for shorewall to work. All the
examples in the shorewall documentation I'm seeing assume that I would have
several interfaces rather than only one.

> Take a look at http://www.shorewall.net/SimpleBridge.html and

This example uses two interfaces while I would have only one.

> http://www.shorewall.net/KVM.html.

This example isn't really explained. It refers you to [1], which also
requires two interfaces. There is other information linked to it which
brings tunneling/tapping stuff into the setup and doesn't explain anything
about that. The example script it refers to is probably deprecated: it's 4
years old, and there are already start-scripts for qemu/kvm in effect in
Debian.

Do I need tunneling/tapping?

[1]: http://www.shorewall.net/two-interface.htm

> I think that the second reference will be particularly useful for you
> - ignore the references to wlan0, and replace "eth0" and "br0" with
> "eth1" and "br1" respectively.

Well, [2] even says clearly:

1.) "IP addresses are properties of systems, not of interfaces."

2.) "All IP addresses configured on firewall interfaces are in the $FW
(fw) zone."

Number 2.) is definitely *not* what I want.

Would I need to create a tunneling/tapping interface for the host and one
for each guest to circumvent 2.)? Would that be safe to do? Would that be
better than using the currently unused physical interface eth0 instead of
the currently used eth1 to make a(n independent) bridge device?

--- I'm probably not going to have more than two guests running at the
same time.

[2]: http://www.shorewall.net/two-interface.htm

-- 
Debian testing amd64
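What the "bridge" plus "routeback" setup suggested above looks like in Shorewall's own configuration files, as an added example that is not part of this thread: the single bridge br1 is declared once in the interfaces file, and each bridge port (the physical eth1 and the guests' tap devices) is placed in its own zone via the hosts file, so the guests land in dmz while the bridge's own address stays in $FW as the quoted documentation says. The tap names vnet0/vnet1, the choice of loc for the eth1 port and the policies are assumptions; the bridge option needs physdev match support in the kernel.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
# One bridge interface; "-" as ZONE means the zone is decided per port in hosts.
#ZONE   INTERFACE       BROADCAST       OPTIONS
-       br1             detect          bridge,routeback

# /etc/shorewall/hosts
# Assign each bridge port to a zone (port names are assumptions).
#ZONE   HOST(S)                 OPTIONS
loc     br1:eth1
dmz     br1:vnet0
dmz     br1:vnet1

# /etc/shorewall/policy
# First match wins: the host may reach anything, loc may reach the host,
# guests in dmz are isolated by default and everything else is logged.
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
loc     fw      ACCEPT
dmz     all     DROP    info
loc     dmz     REJECT  info
all     all     REJECT  info
```

Run `shorewall check` before `shorewall restart` to have the configuration compiled and validated without touching the live ruleset; per-guest exceptions then go into the rules file as dmz->loc or loc->dmz entries rather than by loosening the policies.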