[Shorewall-users] Shorewall 2

Tom Eastep teastep at shorewall.net
Mon Mar 1 07:38:32 PST 2004


On Monday 01 March 2004 07:22 am, Tom Eastep wrote:
> On Sunday 29 February 2004 11:08 am, Mike Lander wrote:
> > Tom,
> >     Forgive me if I misunderstood, after spending some time reading.
> > It appears that you need someone already running all the stuff for
> > bridging. I would be happy to help still if needed. In fact read my last
> > post with the club.
> > At a quick glance I noticed bridging uses mac address or connects networks
> > as if they were on the
> > same switch??
>
> Effectively, the linux box acts as a switch.
>
> > I am building two shorewall boxes for this club to connect
> > them with open VPN.
> > And I noticed Open vpn supports bridging. What I am not clear about is
> > the advantages
> >  of bridging is it security or what? I noticed that it put interfaces in
> > promiscuous mode.
>
> It gives you the ability to have a firewall inside of a switch. The
> bridge/firewall can be used to partition an existing network without having
> to subnet.

Let's say you have a bridge with two ethernet interfaces and you create the 
bridge 'br0' to bridge the two. In Shorewall, you can then do the following:

/etc/shorewall/zones

z1	Zone1
z2	Zone2

/etc/shorewall/interfaces

-	br0	detect

/etc/shorewall/hosts

z1	br0:eth0
z2	br0:eth1

Note that the ethernet interfaces (eth0 and eth1) are not defined in the 
interfaces file!

The bridge itself can be configured with an IP address so that the bridge may 
communicate with other hosts.

With the above setup, you can now use normal Shorewall policies and rules to 
control traffic through the bridge and between the two zones and the firewall 
itself.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
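The setup Tom sketches above, carried through to a complete file set as an added example (not from this mail and not Shorewall's own code): a script that writes the zones/interfaces/hosts entries together with an assumed policy and rules file for the two partitions, and a check that no bridge port slipped into the interfaces file. The policy choices and the ports in rules are assumptions; creating br0 itself is left to the host's bridge tools.

```shell
#!/bin/sh
# Added example: generate Shorewall 2 files for a two-port bridge firewall.
# Columns are whitespace separated, as in the fragments from the mail.
set -e

# Write zones, interfaces, hosts, policy and rules into directory $1
# (on a real box that would be /etc/shorewall).
write_bridge_config() {
    dir="$1"
    mkdir -p "$dir"
    # zones: two zones sharing one bridge; the firewall zone 'fw' is implicit
    cat > "$dir/zones" <<'EOF'
z1	Zone1
z2	Zone2
EOF
    # interfaces: only the bridge, with no zone of its own.
    # eth0 and eth1 are deliberately NOT listed here.
    cat > "$dir/interfaces" <<'EOF'
-	br0	detect
EOF
    # hosts: map each bridge port to its zone
    cat > "$dir/hosts" <<'EOF'
z1	br0:eth0
z2	br0:eth1
EOF
    # policy (assumed): drop and log traffic between the partitions by
    # default, let the firewall itself reach both sides
    cat > "$dir/policy" <<'EOF'
fw	all	ACCEPT
z1	z2	DROP	info
z2	z1	DROP	info
all	all	REJECT	info
EOF
    # rules (assumed example holes): web from z1 to z2, ssh from z2 to fw
    cat > "$dir/rules" <<'EOF'
ACCEPT	z1	z2	tcp	80,443
ACCEPT	z2	fw	tcp	22
EOF
}

# Returns 0 when no ethN is defined in interfaces and both bridge ports
# are mapped to their zones in hosts; 1 otherwise.
check_bridge_config() {
    dir="$1"
    if grep -q 'eth[0-9]' "$dir/interfaces"; then return 1; fi
    grep -q '^z1[[:space:]]*br0:eth0' "$dir/hosts" || return 1
    grep -q '^z2[[:space:]]*br0:eth1' "$dir/hosts" || return 1
    return 0
}
```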