Summarize how to move from physdev->ip addresses for kernel 2.6.20

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5633 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-22 22:05:46 +00:00
parent 2f40bcd8e1
commit 627a5afe57
2 changed files with 33 additions and 10 deletions

View File

@ -44,10 +44,6 @@
later. If you are running a version of Shorewall earlier than Shorewall
3.3.3 then please see the documentation for that
release.</emphasis></para>
<para><emphasis role="bold">This configuration is not as secure as the one
described in <ulink url="bridge.html">another article</ulink> but it has
the advantage that it works with all kernel versions.</emphasis></para>
</caution>
<section>
@ -85,6 +81,33 @@
</note>
</listitem>
</orderedlist>
<para>The technique described in this article differs from that in <ulink
url="bridge.html">Shorewall and Bridged Firewalls</ulink> in that it
defines zones in terms of ip addresses (networks, hosts, and/or ranges)
accessed through the bridge device rather than in terms of ports on the
bridge. While using ports is more convenient, it requires a
fully-functional <emphasis>physdev match </emphasis> capability in your
kernel and iptables. Beginning with Linux kernel version 2.6.20, the
physdev match capability was reduced in function to the point where in can
no longer be used for Shorewall zone definition. To work around this
functional step backward, the technique described below can be
used.</para>
<para>To summarize the changes required required to move from a
<emphasis>Shorewall and Bridged Firewalls</emphasis> configuration to this
new type:</para>
<orderedlist>
<listitem>
<para>Set BRIDGING=No in shorewall.conf</para>
</listitem>
<listitem>
<para>Modify your <filename>/etc/shorewall/hosts</filename> file to
use IP addresses rather than bridge ports to define your zones.</para>
</listitem>
</orderedlist>
</section>
<section>

View File

@ -87,14 +87,14 @@
<warning>
<para><emphasis role="bold">SUPPORT FOR BRIDGING AS DESCRIBED IN THIS
ARTICLE MIGHT BE DISCONTINUED IN THE FUTURE.</emphasis> The underlying
Netfilter features that Shorewall Bridge/Firewall support relies on are
being removed and it is not certain whether Shorewall will be able to
continue to support bridge/firewalls in the way described here.</para>
ARTICLE IS DISCONTINUED IN LINUX KERNEL 2.6.20.</emphasis> The
underlying Netfilter features that Shorewall Bridge/Firewall support
relies on were removed from Netfilter and it is no longer possible to
define Shorewall zones in terms of physical bridge ports.</para>
<para>In <ulink url="NewBridge.html">another article</ulink>, I describe
how to configure a bridge/firewall which will work with future kernel
versions.</para>
how to configure a bridge/firewall which will work with kernel 2.6.20
and later versions.</para>
</warning>
<para>Note that if you need a bridge but do not need to restrict the