On 2/16/19 8:54 AM, Vieri Di Paola wrote:
> The Shorewall firewall is the default gateway for every host in both
> the lan zone (enp10s0) and the dmz zone (enp5s0).
>
> An example host in the lan zone has these settings:
>
> inet 10.215.144.2/16 brd 10.215.255.255 scope global eth0
>
> default via 10.215.144.91 dev eth0
>
> An example host in the dmz zone (eg. dmz11) has these settings:
>
> inet 192.168.210.2 brd 192.168.210.255 scope global eth0
>
> default via 192.168.210.1 dev eth0
>
> The only big difference between Configuration 1 and Configuration 2 is
> that while in the first (working) setup the Shorewall box's lan
> interface (enp10s0) is not in bridge mode and has no vlans defined, in
> the second (failing) setup the lan interface is a bridge with vlans.
>
> Configuration 1:
> enp10s0 has IP addresses 10.215.144.91/32 10.215.144.6/32
> 10.215.246.91/32 192.168.144.91/24 10.215.145.241/32 10.215.145.242/32
> 10.215.145.81/32
> and the following route entries:
> 10.215.144.0/22 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
> 10.215.246.0/23 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
> 10.215.248.0/24 dev enp10s0 proto kernel scope link src 10.215.144.91 metric 1
>
> Configuration 2:
> Bridge "lanbr" bridges the interfaces "enp10s0 enp5s0.12 enp10s0.1
> enp10s0.12 enp10s0.13 enp10s0.14 enp10s0.15" (where enp5s0.12 is one
> of the dmz interface's vlans).
> lanbr has the same IP addresses and route entries as in Configuration 1
>
> This is basically it.
>
> I am putting in a dmz vlan interface within lanbr in Configuration 2,
> but I don't believe that may have any unwanted side-effects. This dmz
> vlan interface is only in lanbr.
>
> Once the interfaces and zones are defined in Shorewall the rest of the
> rules and policies are basically the same.
>
But the routing is very different! The Shorewall box won't route (l343)
between ports on a bridge, so unless you change the routing on all of the
VLAN hosts, communication between hosts in lan0 and the other lan* zones
will be impossible.

Not to mention that the MAC address of lanbr changes when you activate
configuration 2.

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
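An added check (not from either poster) that makes Tom's point testable on a box like the one in the thread: given the port list of lanbr from Configuration 2, it reports whether traffic between two interfaces would be switched inside the bridge (the routing table, and anything that only applies to routed traffic, is never consulted) or routed, and flags ports that hang off a different physical trunk than the rest (here the dmz VLAN enp5s0.12). The `bridge link show` text is a constructed sample in the real command's shape, not captured output.

```sh
#!/bin/sh
# Constructed sample of `bridge link show` output for Configuration 2.
# Port names are the ones given in the thread; the numbers, flags and
# costs are made up for the example.
BRIDGE_LINKS='2: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
5: enp5s0.12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
6: enp10s0.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
7: enp10s0.12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4
8: enp10s0.13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master lanbr state forwarding priority 32 cost 4'

# master_of IFACE -> name of the bridge IFACE is enslaved to, or nothing.
master_of() {
    printf '%s\n' "$BRIDGE_LINKS" | awk -v ifc="$1" '
        { sub(/:$/, "", $2) }
        $2 == ifc { for (i = 1; i <= NF; i++) if ($i == "master") print $(i + 1) }'
}

# path_type A B -> "bridged" when both interfaces are ports of the same
# bridge (frames are forwarded at layer 2; the box does not route them),
# "routed" when they are separate layer-3 links.
path_type() {
    ma=$(master_of "$1")
    mb=$(master_of "$2")
    if [ -n "$ma" ] && [ "$ma" = "$mb" ]; then
        echo bridged
    else
        echo routed
    fi
}

# foreign_ports BRIDGE PHYS -> ports of BRIDGE that are not PHYS itself or
# one of its VLAN sub-interfaces, i.e. another trunk merged into the bridge.
foreign_ports() {
    printf '%s\n' "$BRIDGE_LINKS" | awk -v br="$1" -v phys="$2" '
        { sub(/:$/, "", $2); m = ""
          for (i = 1; i <= NF; i++) if ($i == "master") m = $(i + 1) }
        m == br { split($2, p, "."); if (p[1] != phys) print $2 }'
}

# Stand-alone run: the two lan VLANs are bridged, lan and the untagged dmz
# trunk are routed, and enp5s0.12 is the odd port on lanbr.
path_type enp10s0.12 enp10s0.13
path_type enp10s0 enp5s0
foreign_ports lanbr enp10s0
```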
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users