Thomas <74cmo...@gmail.com> wrote:

> With regards to the transparent / bridge firewall I think to skip this
> because I cannot determine if my ISP is offering WAN-routing that is a
> pre-requisite for a transparent / bridge firewall.

I think you may have this the other way around. A transparent bridge looks just like a network switch to the rest of the network - i.e. traffic passes through it without modification. Hence anywhere you can use an Ethernet connection you can insert a bridge.

The biggest problem is where you have it between your ISP router and your internal router. In that case, it only sees traffic after it’s been through any NAT (or other packet mangling) in your router - hence you can’t (for example) permit/block traffic to/from specific devices unless you do it by protocol alone. It’s typically easier to do the filtering in the same device that’s doing the mangling.

If the ISP offers friendly routing options (e.g. they offer a /30 to use for link addresses between their router and yours, and route traffic to a different subnet via your router IP), then it’s much easier to use a device in routed mode. I’ve never seen this on “home” services, and on “business” services I’ve seen different suppliers offer some “interesting” options regarding this.

Simon

Note: Although it’s not related to your query, I stopped using Debian after Squeeze - i.e. several releases ago - as I’m not prepared to allow SystemD onto anything I’m responsible for maintaining. While I’m only doing this for home use now (used to do it professionally until about 4 years ago) I only use Devuan for new installs. Without looking at any details, I suspect that running a “small” installation for the sort of hardware under discussion is somewhat harder now with the hard dependency on SystemD baked into Debian.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users