Alex Whiteside wrote:
>
> On Sat, Sep 27, 2008 at 12:44 AM, Tom Eastep <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> > Why? The most natural thing to do is to create the bridge and make the
> > bridge the third interface. The bridge serves to connect the Virtual
> > Machine to the Firewall.
>
> Okay, so what you are saying is
>
> eth0 has an auto IP, and br0 is set to manual or auto? When br0 is on
> auto it gets the same IP as eth0.
>
> Sorry, I'm just a bit confused on how to approach this, maybe you can give
> some pointers?
I'm saying, DON'T BRIDGE eth0!

> > > Now let's go back to two interfaces and change eth1 to br0. Let's say
> > > don't allow loc access to (net), what happens? The whole server cannot
> > > see the internet, because it is bridged through br0.
> >
> > I don't understand that paragraph.
>
> Basically, for some reason, when I create a bridge br0 based on eth0, my
> whole internet connection wants to route through br0 instead of eth0, so
> therefore I cannot control this.

DON'T BRIDGE eth0. Given the reduced support for bridges in kernels 2.6.20
and later, I would not use a bridge between the internet and your KVM
server. If you bridge eth0, you won't be able to control loc->DMZ traffic
separately from loc->net traffic; I don't think you want that restriction.

I would rather make the bridge a standalone bridge with an RFC 1918 address,
just as I do in the Shorewall KVM article. You can then use port forwarding
from eth0 to the server.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
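The layout Tom recommends (eth0 stays a plain routed interface, br0 is a standalone bridge with an RFC 1918 address that only carries the VM tap devices, and the VM is reached from eth0 by port forwarding), written out as an added example. This is not Tom's configuration nor the configuration from the Shorewall KVM article; it assumes a Debian-style /etc/network/interfaces, Shorewall's 4.x-era file layout, eth1 as the loc interface, 10.10.10.0/24 as the bridge subnet with the VM at 10.10.10.2, and a web service on TCP port 80 as the forwarded port. All addresses are placeholders.

```text
# /etc/network/interfaces  (assumed host networking; example, not the list's own)
# eth0 keeps its own address from the ISP and is NOT a bridge member.
auto eth0
iface eth0 inet dhcp

# br0 has no physical ports; KVM's ifup script adds each VM's tapN to it
# (brctl addif br0 tapN). The host owns 10.10.10.1 on the bridge.
auto br0
iface br0 inet static
    address 10.10.10.1
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off

# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter
loc     eth1        detect      tcpflags
# routeback lets VMs on the same bridge talk to each other through the host
dmz     br0         detect      routeback

# /etc/shorewall/masq
# VMs reach the internet through eth0's address, same as loc hosts.
#INTERFACE  SOURCE
eth0        10.10.10.0/24

# /etc/shorewall/policy
# loc->dmz and loc->net are now separate policies, which is exactly what
# bridging eth0 would have taken away.
#SOURCE DEST    POLICY      LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP        info
all     all     REJECT      info

# /etc/shorewall/rules
#ACTION SOURCE  DEST                PROTO   DEST    SOURCE  ORIGINAL
#                                           PORT(S) PORT(S) DEST
# Port-forward TCP/80 arriving on eth0 to the VM on the bridge.
DNAT    net     dmz:10.10.10.2      tcp     80
# Let loc hosts use the public address too (ORIGINAL DEST = eth0's address,
# placeholder below).
DNAT    loc     dmz:10.10.10.2      tcp     80      -       <eth0 address>
```

With this layout nothing the VM sends can leave the host without passing through the dmz policies and rules, since br0's only members are tap devices; the public interface never becomes a bridge port, so eth0's address and routing stay as they were. After editing the files, `shorewall check` validates the configuration and `shorewall restart` applies it.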
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
