forked from extern/shorewall_code
Summarize how to move from physdev->ip addresses for kernel 2.6.20
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5633 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
2f40bcd8e1
commit
627a5afe57
@ -44,10 +44,6 @@
|
||||
later. If you are running a version of Shorewall earlier than Shorewall
|
||||
3.3.3 then please see the documentation for that
|
||||
release.</emphasis></para>
|
||||
|
||||
<para><emphasis role="bold">This configuration is not as secure as the one
|
||||
described in <ulink url="bridge.html">another article</ulink> but it has
|
||||
the advantage that it works with all kernel versions.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
@ -85,6 +81,33 @@
|
||||
</note>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>The technique described in this article differs from that in <ulink
|
||||
url="bridge.html">Shorewall and Bridged Firewalls</ulink> in that it
|
||||
defines zones in terms of ip addresses (networks, hosts, and/or ranges)
|
||||
accessed through the bridge device rather than in terms of ports on the
|
||||
bridge. While using ports is more convenient, it requires a
|
||||
fully-functional <emphasis>physdev match </emphasis> capability in your
|
||||
kernel and iptables. Beginning with Linux kernel version 2.6.20, the
|
||||
physdev match capability was reduced in function to the point where in can
|
||||
no longer be used for Shorewall zone definition. To work around this
|
||||
functional step backward, the technique described below can be
|
||||
used.</para>
|
||||
|
||||
<para>To summarize the changes required required to move from a
|
||||
<emphasis>Shorewall and Bridged Firewalls</emphasis> configuration to this
|
||||
new type:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Set BRIDGING=No in shorewall.conf</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Modify your <filename>/etc/shorewall/hosts</filename> file to
|
||||
use IP addresses rather than bridge ports to define your zones.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -87,14 +87,14 @@
|
||||
|
||||
<warning>
|
||||
<para><emphasis role="bold">SUPPORT FOR BRIDGING AS DESCRIBED IN THIS
|
||||
ARTICLE MIGHT BE DISCONTINUED IN THE FUTURE.</emphasis> The underlying
|
||||
Netfilter features that Shorewall Bridge/Firewall support relies on are
|
||||
being removed and it is not certain whether Shorewall will be able to
|
||||
continue to support bridge/firewalls in the way described here.</para>
|
||||
ARTICLE IS DISCONTINUED IN LINUX KERNEL 2.6.20.</emphasis> The
|
||||
underlying Netfilter features that Shorewall Bridge/Firewall support
|
||||
relies on were removed from Netfilter and it is no longer possible to
|
||||
define Shorewall zones in terms of physical bridge ports.</para>
|
||||
|
||||
<para>In <ulink url="NewBridge.html">another article</ulink>, I describe
|
||||
how to configure a bridge/firewall which will work with future kernel
|
||||
versions.</para>
|
||||
how to configure a bridge/firewall which will work with kernel 2.6.20
|
||||
and later versions.</para>
|
||||
</warning>
|
||||
|
||||
<para>Note that if you need a bridge but do not need to restrict the
|
||||
|
Loading…
Reference in New Issue
Block a user