Author: Simon Hobson Date: To: dng@lists.dyne.org Subject: Re: [DNG] ifconfig vs ip
Simon Walter <simon@???> wrote:
>> You don't need the tap port for that, the bridge will happily work
>> without any ports statically assigned to it.
>
> And will I be able to set up iptables with just the bridge? I was thinking of using shorewall. I've never used it before, but it seems like its configuration is easy to maintain. Therein lies my concern. There are zones with interfaces for each zone. For some reason I thought a bridge needs to at least have one interface that it is bridging for it to be up. Can I bring a bridge up and do iptables stuff with it having no interfaces that it bridges?
In Shorewall you would declare the bridge as the interface for a zone. Note that Shorewall will filter packets in/out of that interface - not between interfaces in the bridge.
>> want to filter packets between physical NIC (WAN, eth0) and a virtual internal network (LAN, br0/tap0???). I am basically creating an isolated virtual network with virtual machines all inside one machine. Each container will have just enough software to carry out its place in the network. Thereby isolating everything as much as possible, allowing for independent updates, modifications, hotswaps, etc.
How you want to do this affects the answer!
If you want to route traffic between two (or more) bridges, then you just declare each bridge as an interface for Shorewall and define the policies/rules for traffic between them. This can be done either in the host, or (as I have it) as a small VM running as a 2 port router.
If you want to do inter-port security within the switch then that's a bit harder and not something I've done. I think you can probably only do that with ebtables - and of course you have the dynamic nature of the interfaces to consider.
For Shorewall specific questions you'd be better asking over at Shorewall Users shorewall-users@???
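As an added illustration (not from the thread, and not Shorewall's own documentation) of the layout Simon describes, here is a minimal Shorewall configuration that declares eth0 as the WAN zone and the bridge br0 as the LAN zone; the zone names, policies and port rules are assumptions chosen for the example.

```text
# /etc/shorewall/zones  (constructed example)
#ZONE   TYPE
fw      firewall
wan     ipv4
lan     ipv4

# /etc/shorewall/interfaces
# The bridge itself is the zone interface; it needs no ports attached to be "up".
# The "bridge" option tells Shorewall br0 is a bridge (it implies routeback).
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
wan     eth0        dhcp,tcpflags,nosmurfs
lan     br0         bridge,tcpflags

# /etc/shorewall/policy
# Filtering happens on traffic entering/leaving br0 as a whole:
# two tap ports attached to br0 talk to each other without crossing these rules.
#SOURCE   DEST   POLICY   LOGLEVEL
lan       wan    ACCEPT
fw        all    ACCEPT
wan       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Let the containers on br0 reach the host's SSH and DNS; nothing from WAN is opened.
#ACTION       SOURCE   DEST
SSH(ACCEPT)   lan      $FW
DNS(ACCEPT)   lan      $FW
```

To police traffic between containers on the same segment you would split them across separate bridges, each declared as its own zone with its own policy lines, or fall back to ebtables as the reply notes.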