Simon Walter <si...@gikaku.com> wrote:

> After some testing, I have a question about an option in 
> /etc/default/shorewall:
> wait_interface
> If I add the bridge interface to that line, shorewall will not start unless a 
> container is brought up. I suppose that is why I was thinking of bridging the 
> bridge interface with a tap interface so that it's always available.
> 
> It seems that bridges do not start with ifup (-a) unless one of their bridged 
> interfaces is up.

I don't think I've used "isolated" bridges so it's never come up for me. Do you 
need to specify wait_interface for it?

> Or I could do as Mr. Hobson does and run shorewall in a container. Would that 
> actually be a more insulated "secure" approach?

"Security" is a relative thing, and depends on your priorities. Putting the 
firewall in its own VM would improve isolation (the netfilter rules will be 
processed in the VM) - but the traffic still goes through the host Dom0. You 
can, AIUI, reduce this latter bit by running a separate driver domain to own 
the virtual interfaces and further insulate the traffic from Dom0.
You could also use PCI passthrough to make a NIC owned by a VM - so Dom0 
doesn't handle the packets.

But this all depends on your priorities (or level of paranoia!). I don't think 
handling the network traffic in Dom0 is "insecure" - just not as secure as if 
it doesn't handle it.

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
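The bridge-startup problem raised above (a bridge that only comes up once one of its member ports is up, so wait_interface on it blocks shorewall) can be checked from the kernel's sysfs before the firewall is started. This is an added example, not code from the thread or from shorewall; the function names, the SYSFS override variable and the fake sysfs tree it builds for offline testing are all constructed here.

```shell
#!/bin/sh
# Report whether a Linux bridge has at least one member port whose link is up,
# using the kernel's sysfs layout:
#   $SYSFS/class/net/<bridge>/brif/<port>   (one entry per bridge port)
#   $SYSFS/class/net/<port>/operstate       ("up", "down", "unknown", ...)
# SYSFS defaults to /sys so the function works on a live host; the constructed
# tree from make_fake_sysfs lets the script be exercised unprivileged.

: "${SYSFS:=/sys}"

# bridge_has_up_member BRIDGE
#   exit 0 if some port reports operstate "up", 1 if none does,
#   2 if BRIDGE is not a bridge (no brif/ directory) or does not exist
bridge_has_up_member() {
    br="$1"
    brif="$SYSFS/class/net/$br/brif"
    [ -d "$brif" ] || return 2
    for port in "$brif"/*; do
        [ -e "$port" ] || break            # empty brif/: bridge has no ports
        state=$(cat "$SYSFS/class/net/$(basename "$port")/operstate" 2>/dev/null)
        [ "$state" = "up" ] && return 0
    done
    return 1
}

# make_fake_sysfs ROOT
#   Build a constructed tree: br0 with ports eth1 (down) and tap0 (up),
#   br1 with no ports at all (the "isolated bridge" case from the thread).
make_fake_sysfs() {
    root="$1"
    mkdir -p "$root/class/net/eth1" "$root/class/net/tap0"
    echo down > "$root/class/net/eth1/operstate"
    echo up   > "$root/class/net/tap0/operstate"
    mkdir -p "$root/class/net/br0/brif/eth1" "$root/class/net/br0/brif/tap0"
    mkdir -p "$root/class/net/br1/brif"
}

# On a real host, e.g. as a pre-check before "shorewall start" when
# wait_interface names the bridge:
#   bridge_has_up_member br0 || echo "br0 has no link-up member yet" >&2
```

With SYSFS left at its default the same function inspects the live system; only the make_fake_sysfs tree is fabricated.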