Hey folks; (and Tom)

I just brought up a new two interface bridge and decided NOT to add an IP to it (for some strange reason that I am not quite sure of yet ;-)). While I was testing it I was able to use a different subnet bound to that interface without a problem but when I made the change to use an IP from the same subnet that is configured for the bridge (eth0, eth1) I saw that shorewall had an error. (Can't remember exactly what but I thrashed around with some combinations of exclusions in the hosts and interface files without success).

My question is merely 'Can a single IP bound to an interface be used on a separate interface if it's ALSO part of the subnet in use between the bridge (int eth0, eth1) and if so, what change is needed to accomplish this'.

When I configured a bridge (a while ago) I believe I followed the docs on the shorewall site for configuring it and just recently copied my configs from that 'test' box and as I stated earlier it DOES work provided that the eth2 interface ISN'T part of the subnet used on the bridge but I am sure things have changed since then (due to Tom's perpetual diligence). I am using shorewall 2.1 series and was going to attempt the newest RC version but I would rather wait until a 'true' release version is out (although I can certainly load it up if it contains the changes needed).

As I think about it the config DOES sound weird and I can see how it _might_ pose a problem to routing but I also have seen weird tricks like this asked and answered by the use of shorewall in the past. (the bash script is a work of art...thanks Tom)

Anyone (other than Tom) know offhand?

(failing that how about you Tom?)

Thanks in advance.

Jeff
Me again;

After re-reading my post I don't think I made it clear but I am trying to add another (separate) management interface (eth2) to an existing bridge using eth0 and eth1 but ALSO using an IP in the subnet that is in use on that bridge...

----- Original Message -----
From: "Jeff" <jsoehner@the-techy.com>
To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, January 13, 2005 5:05 PM
Subject: [Shorewall-users] Adding another interface to manage the bridge

> Hey folks; (and Tom)
>
> I just brought up a new two interface bridge and decided NOT to add an IP
> to it (for some strange reason that I am not quite sure of yet ;-)). While I
> was testing it I was able to use a different subnet bound to that interface
> without a problem but when I made the change to use an IP from the same
> subnet that is configured for the bridge (eth0, eth1) I saw that shorewall
> had an error. (Can't remember exactly what but I thrashed around with some
> combinations of exclusions in the hosts and interface files without
> success).
>
> My question is merely 'Can a single IP bound to an interface be used on a
> separate interface if it's ALSO part of the subnet in use between the bridge
> (int eth0, eth1) and if so, what change is needed to accomplish this'.
>
> When I configured a bridge (a while ago) I believe I followed the docs on
> the shorewall site for configuring it and just recently copied my configs
> from that 'test' box and as I stated earlier it DOES work provided that the
> eth2 interface ISN'T part of the subnet used on the bridge but I am sure
> things have changed since then (due to Tom's perpetual diligence). I am using
> shorewall 2.1 series and was going to attempt the newest RC version but I
> would rather wait until a 'true' release version is out (although I can
> certainly load it up if it contains the changes needed).
>
> As I think about it
> the config DOES sound weird and I can see how it _might_ pose a problem to
> routing but I also have seen weird tricks like this asked and answered by
> the use of shorewall in the past. (the bash script is a work of art...thanks
> Tom)
>
> Anyone (other than Tom) know offhand?
>
> (failing that how about you Tom?)
>
> Thanks in advance.
>
> Jeff
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Jeff wrote:
> Me again;
>
> After re-reading my post I don't think I made it clear but I am trying to
> add another (separate) management interface (eth2) to an existing bridge
> using eth0 and eth1 but ALSO using an IP in the subnet that is in use on
> that bridge...
>

Can't do that. Make eth2 part of the bridge and assign the IP address to the bridge.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
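
The change advised in the reply above (make eth2 a bridge port and put the address on the bridge), as an added example that is not part of the thread or of Shorewall. The bridge name `br0` and the address `192.0.2.10/24` are assumed placeholders; `eth2` is the NIC named in the thread, and `join_bridge` and `run` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Assumptions: the bridge device already exists (br0 here),
# and 192.0.2.10/24 stands in for the management address.

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# join_bridge BRIDGE PORT CIDR
# Moves PORT into BRIDGE and leaves the only layer-3 address on BRIDGE.
join_bridge() {
    local bridge="$1" port="$2" cidr="$3"

    if [ -z "$bridge" ] || [ -z "$port" ] || [ "$bridge" = "$port" ]; then
        echo "usage: join_bridge BRIDGE PORT ADDRESS/PREFIX" >&2
        return 2
    fi
    case "$cidr" in
        */*) ;;
        *) echo "address must include a prefix length: $cidr" >&2
           return 2 ;;
    esac

    # A bridge port carries no address of its own, so clear the port first.
    run ip addr flush dev "$port" || return 1
    run ip link set dev "$port" up || return 1
    run brctl addif "$bridge" "$port" || return 1

    # The address in the bridged subnet lives on the bridge device itself.
    run ip addr add "$cidr" dev "$bridge" || return 1
    run ip link set dev "$bridge" up || return 1
}

# Preview the commands without touching the system:
#   DRY_RUN=1 join_bridge br0 eth2 192.0.2.10/24
```

Flushing the port drops any session that arrived over it, so apply the change from the console or through another interface.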
Thanks for the input Tom, I think I will end up removing the third NIC.

My idea _started_ by my thinking I would be able to have separate rules/zones and be able to use tcpdump, etc on a separate interface but after trying your suggestion I find that I will end up needing a hub between the T1 router and the 'net' interface of this bridge and this is not currently desirable.

On second thought I would 'rarely' need to connect remotely and troubleshoot this thing (thanks again Tom for shorewall!). I think I will keep it at two interfaces and bind the bridge with an IP so I won't need another hub/switch but I will consider your suggestion for the future.

cheers.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, January 13, 2005 5:52 PM
Subject: Re: [Shorewall-users] Adding another interface to manage the bridge

> Jeff wrote:
> > Me again;
> >
> > After re-reading my post I don't think I made it clear but I am trying to
> > add another (separate) management interface (eth2) to an existing bridge
> > using eth0 and eth1 but ALSO using an IP in the subnet that is in use on
> > that bridge...
> >
>
> Can't do that. Make eth2 part of the bridge and assign the IP address to
> the bridge.
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key