Simon Walter <si...@gikaku.com> wrote:
>> You don't need the tap port for that, the bridge will happily work
>> without any ports statically assigned to it.
>
> And will I be able to set up iptables with just the bridge? I was thinking of
> using shorewall. I've never used it before, but it seems like its
> configuration is easy to maintain. Therein lies my concern. There are zones
> with interfaces for each zone. For some reason I thought a bridge needs to at
> least have one interface that it is bridging for it to be up. Can I bring a
> bridge up and do iptables stuff with it having no interfaces that it bridges?
In Shorewall you would declare the bridge as the interface for a zone. Note
that Shorewall will filter packets in/out of that interface - not between
interfaces in the bridge.

>> want to filter packets between physical NIC (WAN, eth0) and a virtual
>> internal network (LAN, br0/tap0???). I am basically creating an isolated
>> virtual network with virtual machines all inside one machine. Each container
>> will have just enough software to carry out its place in the network.
>> Thereby isolating everything as much as possible, allowing for independent
>> updates, modifications, hotswaps, etc.

How you want to do this affects the answer!

If you want to route traffic between two (or more) bridges, then you just
declare each bridge as an interface for Shorewall and define the
policies/rules for traffic between them. This can be done either in the host,
or (as I have it) as a small VM running as a 2 port router.

If you want to do inter-port security within the switch then that's a bit
harder and not something I've done. I think you can probably only do that
with ebtables - and of course you have the dynamic nature of the interfaces
to consider.

For Shorewall specific questions you'd be better asking over at Shorewall
Users shorewall-us...@lists.sourceforge.net

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
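The set-up described in the reply, written out as an added example (this is not code from the thread or from the Shorewall project): an empty bridge is created and brought up with no ports, and Shorewall is told to treat that bridge as the interface of a "lan" zone and the physical NIC as the "net" zone, filtering traffic between the two. The interface names eth0 and br0, the 10.10.0.0/24 LAN range, the services allowed from the VMs to the host, and the Shorewall 5 `snat` file format are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example: empty bridge as the LAN zone interface, Shorewall filtering
# between it and the WAN NIC. Names, addresses and allowed services are
# assumptions, not values from the mailing-list thread.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_BR=${LAN_BR:-br0}
LAN_NET=${LAN_NET:-10.10.0.0/24}
LAN_GW=${LAN_GW:-10.10.0.1/24}

# Create the bridge with no ports at all and bring it up (needs root).
# VM/container tap devices are attached later with: ip link set tapN master br0
bridge_up() {
    ip link add name "$LAN_BR" type bridge 2>/dev/null || true   # idempotent
    ip addr replace "$LAN_GW" dev "$LAN_BR"
    ip link set "$LAN_BR" up
}

# Write the Shorewall files: the bridge is the interface of zone "lan", the
# physical NIC the interface of zone "net". Shorewall filters what enters or
# leaves br0 as a whole, not traffic between the ports inside the bridge.
write_shorewall_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/zones" <<EOF
#ZONE   TYPE
fw      firewall
net     ipv4
lan     ipv4
EOF
    # "dhcp" lets a DHCP server on the host serve the VMs on br0;
    # "routeback" is needed if br_netfilter makes bridged frames hit iptables.
    cat > "$dir/interfaces" <<EOF
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     $WAN_IF     tcpflags,nosmurfs,routefilter
lan     $LAN_BR     tcpflags,nosmurfs,dhcp,routeback
EOF
    # Default policies: VMs may reach the internet, nothing unsolicited comes
    # in from the net, everything else (including VMs -> host) is rejected.
    cat > "$dir/policy" <<EOF
#SOURCE DEST    POLICY  LOGLEVEL
lan     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF
    # Explicit exceptions to the lan -> fw REJECT policy.
    cat > "$dir/rules" <<EOF
#ACTION         SOURCE  DEST    PROTO   DPORT
SSH(ACCEPT)     lan     fw
DNS(ACCEPT)     lan     fw
EOF
    # Shorewall 5 syntax; on Shorewall 4.x this line goes into "masq" instead
    # as "$WAN_IF $LAN_NET".
    cat > "$dir/snat" <<EOF
#ACTION         SOURCE      DEST
MASQUERADE      $LAN_NET    $WAN_IF
EOF
}

# Quick check: which zone a given interface is declared in (empty if none).
zone_for_interface() {
    awk -v ifc="$2" '!/^[#?]/ && $2 == ifc { print $1 }' "$1/interfaces"
}

# Run as root with "sh this.sh apply", then "shorewall check && shorewall restart".
if [ "${1:-}" = apply ]; then
    bridge_up
    write_shorewall_config /etc/shorewall
fi
```

One caveat worth knowing before relying on this: whether VM-to-VM frames inside br0 ever reach iptables at all depends on the br_netfilter module and the `net.bridge.bridge-nf-call-iptables` sysctl. With it off, traffic between two taps on the same bridge is switched and never seen by Shorewall, which is the "not between interfaces in the bridge" behaviour the reply describes; with it on, those frames traverse the FORWARD chain with br0 as both in and out interface, which is why `routeback` is set on the bridge.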