From 5652cae6f3e44d9ec6a899b16cb673ead7d0cdba Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 28 Dec 2006 17:52:20 +0000
Subject: [PATCH] Clarify new bridge configuration

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5169 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 docs/NewBridge.xml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/docs/NewBridge.xml b/docs/NewBridge.xml
index 843d1cde5..c52f6ea92 100644
--- a/docs/NewBridge.xml
+++ b/docs/NewBridge.xml
@@ -504,8 +504,8 @@ net ipv4 loc:net ipv4 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE - Note that the loc zone is defined to be a sub-zone of the net - zone. + Note that the loc zone is defined + to be a sub-zone of the net zone. A conventional two-zone policy file is appropriate here — /etc/shorewall/policy:
@@ -524,7 +524,7 @@ all all REJECT info net br0 192.168.1.255 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE - The loc zone is defined using the + The loc zone is defined using the /etc/shorewall/hosts file. Assuming that the router is connected to eth0 and the switch to eth1:
@@ -533,6 +533,13 @@ net br0 192.168.1.255 loc br0:192.168.1.0/24!192.168.1.10/31,192.168.1.254 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE + + 192.168.1.10/31 consists of the two local systems outside the firewall; namely, 192.168.1.10 and 192.168.1.11. Those systems must be excluded from the loc zone as must the router (192.168.1.254). + + When Shorewall is stopped, you want to allow only local traffic through the bridge — /etc/shorewall/routestopped: