extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-24 19:51:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Summarize how to move from physdev->ip addresses for kernel 2.6.20

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5633 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-22 22:05:46 +00:00
parent 2f40bcd8e1
commit 627a5afe57
2 changed files with 33 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
docs/NewBridge.xml
View File

@ -44,10 +44,6 @@
later. If you are running a version of Shorewall earlier than Shorewall later. If you are running a version of Shorewall earlier than Shorewall
3.3.3 then please see the documentation for that 3.3.3 then please see the documentation for that
release.</emphasis></para> release.</emphasis></para>
<para><emphasis role="bold">This configuration is not as secure as the one
described in <ulink url="bridge.html">another article</ulink> but it has
the advantage that it works with all kernel versions.</emphasis></para>
</caution> </caution>
<section> <section>
@ -85,6 +81,33 @@
</note> </note>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>The technique described in this article differs from that in <ulink
url="bridge.html">Shorewall and Bridged Firewalls</ulink> in that it
defines zones in terms of ip addresses (networks, hosts, and/or ranges)
accessed through the bridge device rather than in terms of ports on the
bridge. While using ports is more convenient, it requires a
fully-functional <emphasis>physdev match </emphasis> capability in your
kernel and iptables. Beginning with Linux kernel version 2.6.20, the
physdev match capability was reduced in function to the point where in can
no longer be used for Shorewall zone definition. To work around this
functional step backward, the technique described below can be
used.</para>
<para>To summarize the changes required required to move from a
<emphasis>Shorewall and Bridged Firewalls</emphasis> configuration to this
new type:</para>
<orderedlist>
<listitem>
<para>Set BRIDGING=No in shorewall.conf</para>
</listitem>
<listitem>
<para>Modify your <filename>/etc/shorewall/hosts</filename> file to
use IP addresses rather than bridge ports to define your zones.</para>
</listitem>
</orderedlist>
</section> </section>
<section> <section>

12
docs/bridge.xml
View File

@ -87,14 +87,14 @@
<warning> <warning>
<para><emphasis role="bold">SUPPORT FOR BRIDGING AS DESCRIBED IN THIS <para><emphasis role="bold">SUPPORT FOR BRIDGING AS DESCRIBED IN THIS
ARTICLE MIGHT BE DISCONTINUED IN THE FUTURE.</emphasis> The underlying ARTICLE IS DISCONTINUED IN LINUX KERNEL 2.6.20.</emphasis> The
Netfilter features that Shorewall Bridge/Firewall support relies on are underlying Netfilter features that Shorewall Bridge/Firewall support
being removed and it is not certain whether Shorewall will be able to relies on were removed from Netfilter and it is no longer possible to
continue to support bridge/firewalls in the way described here.</para> define Shorewall zones in terms of physical bridge ports.</para>
<para>In <ulink url="NewBridge.html">another article</ulink>, I describe <para>In <ulink url="NewBridge.html">another article</ulink>, I describe
how to configure a bridge/firewall which will work with future kernel how to configure a bridge/firewall which will work with kernel 2.6.20
versions.</para> and later versions.</para>
</warning> </warning>
<para>Note that if you need a bridge but do not need to restrict the <para>Note that if you need a bridge but do not need to restrict the