On Wednesday, September 19, 2012 08:42:57 PM lee wrote:
> Neal Murphy <neal.p.mur...@alum.wpi.edu> writes:
> > On Tuesday, September 18, 2012 05:59:47 PM lee wrote:
> >> Neal Murphy <neal.p.mur...@alum.wpi.edu> writes:
> >> > So yes, if you want 'real' networking, you'll need bridges and taps.
> >>
> >> Thank you, I'll have to look into taps then.
> >>
> >> Do you think it's a good idea to just create a bridge device with the
> >> unused eth0 for this? I could leave eth1 as is and would basically only
> >> have to add a zone and appropriate policy and rules in the shorewall
> >> configuration.
> >
> > If that is the only firewall method you have then yes, enable forwarding,
> > add the bridge to a second shorewall zone, and add iptables rules that
> > drop, reject, allow and deny traffic as you desire. All of your VMs can
> > easily be tapped into the bridge.
>
> The router has a firewall and I'm running shorewall on the host behind
> that. It should be safe enough, and it gives me some things like
> traffic shaping which the router doesn't do. I'm not doing firewall
> testing and like to keep things simple.
>
> So now I know which way to go and what to read about, thanks :)
o Remember to put the bridge and VMs in a LAN different from your NIC. And be
sure there's a route to the bridge LAN on your router/FW so it knows where to
send reply packets; if you wanted to be fancy, you could NAT the bridge from
ethX, but that's a lot more work (port forwarding, SNAT, DNAT, et alia.)

o The bridge's IP addr (on the host) is the default gateway for all VMs on
that bridge.

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201209192159.27665.neal.p.mur...@alum.wpi.edu
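A worked plan for the setup Neal describes (bridge and VMs in their own LAN, a static route on the upstream router, the bridge's address as the VMs' default gateway), as an added Python example that is not from the thread. The interface names eth0/eth1/br0/tapN, the 10.10.0.0/24 bridge LAN, the host's 192.168.1.10 address on its uplink NIC, and the Shorewall zone name "vms" are all assumptions. The script checks the addressing rule first (the mistake Neal warns about, a bridge LAN overlapping the NIC's LAN, is caught before any command is emitted), then prints the host-side ip/sysctl commands, the router's route, per-VM addresses, and Shorewall zone/interface/policy lines. It only prints; run the commands as root after reviewing them.

```python
"""Plan a routed VM bridge on a Debian host running shorewall.

Added example, not from the debian-user thread.  Interface names, subnets,
the host's uplink address and the zone name are assumptions for illustration.
"""
import ipaddress
from typing import Dict, List


def check_addressing(host_lan: str, bridge_lan: str, bridge_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the plan is sound.

    Encodes the two rules from the thread: the bridge LAN must be a different
    network from the one the host NIC lives on, and the bridge's own address
    (the VMs' default gateway) must be a usable host address inside that LAN.
    """
    problems = []
    host_net = ipaddress.ip_network(host_lan, strict=True)
    br_net = ipaddress.ip_network(bridge_lan, strict=True)
    br_addr = ipaddress.ip_address(bridge_ip)
    if host_net.overlaps(br_net):
        problems.append(f"bridge LAN {br_net} overlaps host LAN {host_net}")
    if br_addr not in br_net:
        problems.append(f"bridge address {br_addr} is not inside {br_net}")
    elif br_addr in (br_net.network_address, br_net.broadcast_address):
        problems.append(f"bridge address {br_addr} is the network/broadcast address")
    return problems


def host_commands(bridge: str, spare_nic: str, bridge_lan: str,
                  bridge_ip: str, taps: List[str]) -> List[str]:
    """Commands to run as root on the host: bridge, enslaved spare NIC, taps,
    and IPv4 forwarding.  Enslaving the spare NIC follows lee's plan; with
    nothing plugged into it the taps alone would be enough."""
    prefix = ipaddress.ip_network(bridge_lan).prefixlen
    cmds = [
        f"ip link add name {bridge} type bridge",
        f"ip link set {spare_nic} master {bridge}",
        f"ip link set {spare_nic} up",
        f"ip addr add {bridge_ip}/{prefix} dev {bridge}",
        f"ip link set {bridge} up",
        "sysctl -w net.ipv4.ip_forward=1",
    ]
    for tap in taps:  # one tap per VM, each attached to the bridge
        cmds += [
            f"ip tuntap add dev {tap} mode tap",
            f"ip link set {tap} master {bridge}",
            f"ip link set {tap} up",
        ]
    return cmds


def router_route(bridge_lan: str, host_uplink_ip: str) -> str:
    """Static route the upstream router/firewall needs so replies to VM traffic
    are sent back to the host rather than to the router's default route."""
    return f"ip route add {ipaddress.ip_network(bridge_lan)} via {host_uplink_ip}"


def vm_address(bridge_lan: str, bridge_ip: str, index: int) -> Dict[str, str]:
    """Address for the index-th VM; the default gateway is the bridge's IP."""
    net = ipaddress.ip_network(bridge_lan)
    gw = ipaddress.ip_address(bridge_ip)
    usable = [h for h in net.hosts() if h != gw]
    return {"address": f"{usable[index]}/{net.prefixlen}", "gateway": str(gw)}


def shorewall_fragments(bridge: str, zone: str = "vms") -> Dict[str, List[str]]:
    """Lines to append to /etc/shorewall/zones, interfaces and policy.

    Assumes an existing 'net' zone on the uplink NIC and the three-column
    interfaces layout (ZONE INTERFACE OPTIONS); older releases have an extra
    BROADCAST column, so check interfaces(5) for the installed version.
    The VMs may reach the net but not the host itself (least privilege)."""
    return {
        "zones": [f"{zone}\tipv4"],
        "interfaces": [f"{zone}\t{bridge}\tbridge,routeback"],
        "policy": [
            f"{zone}\tnet\tACCEPT",
            f"{zone}\t$FW\tREJECT\tinfo",
            f"$FW\t{zone}\tACCEPT",
            f"net\t{zone}\tDROP\tinfo",
        ],
    }


if __name__ == "__main__":
    HOST_LAN, HOST_UPLINK_IP = "192.168.1.0/24", "192.168.1.10"  # eth1 (assumed)
    BRIDGE_LAN, BRIDGE_IP = "10.10.0.0/24", "10.10.0.1"  # br0 (assumed)
    problems = check_addressing(HOST_LAN, BRIDGE_LAN, BRIDGE_IP)
    if problems:
        raise SystemExit("\n".join(problems))
    print("# on the host, as root")
    print("\n".join(host_commands("br0", "eth0", BRIDGE_LAN, BRIDGE_IP, ["tap0", "tap1"])))
    print("# on the router/FW")
    print(router_route(BRIDGE_LAN, HOST_UPLINK_IP))
    for i in range(2):
        print(f"# VM {i}: {vm_address(BRIDGE_LAN, BRIDGE_IP, i)}")
    for name, lines in shorewall_fragments("br0").items():
        print(f"# /etc/shorewall/{name}")
        print("\n".join(lines))
```

The overlap check is the part worth keeping even if the rest is typed by hand: a bridge LAN that overlaps the NIC's LAN makes the host and router disagree about which interface owns an address, and the symptom (VMs can send but get no replies) looks exactly like the missing-route problem Neal mentions.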