Mark D. Montgomery II
2010-Jun-20 13:45 UTC
Proper setup for a router with 2 interfaces and a bridge on one?
I'm working on setting up a new router/server/etc. box.
I'm using Proxmox as the base system (Debian Lenny basically).
I'm trying to figure out the right way to configure Shorewall on it.
I've looked at some of the bridging info but they seem to all be
talking about single-interface setups.
Could someone look over my setup and give me some input into the
proper way to set this up so that I can do all the normal Shorewall
things properly like blocking like normal, port forwards, etc. ?
I think my current setup mostly works, but I'm seeing messages like:
Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0
PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00
PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840
RES=0x00 SYN URGP=0
(some of these are from external machines to a virtual machine and
mention eth1 as the physical - this one is both virtual machines)
I'm assuming something isn't setup quite right. :)
My setup is:
eth0 - external (internet)
eth1 - internal (not configured - the physical interface to the lan)
vmbr0 - the ProxMox bridge interface on eth1
/etc/network/interfaces:
# network interface settings
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
iface eth1 inet manual
auto vmbr0
iface vmbr0 inet static
address 10.10.42.1
netmask 255.255.255.0
broadcast 10.10.42.255
bridge_ports eth1
bridge_stp off
bridge_fd 0
##################################
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc vmbr0 detect tcpflags,dhcp,nosmurfs
#####################################################
/etc/shorewall/policy (wide open for now, but obviously should be
locked later)
################
#Testing Section
# Policies for traffic originating from the local LAN (loc)
#
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the loc to net policy to REJECT info.
loc net ACCEPT
loc $FW ACCEPT
loc all ACCEPT
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW net ACCEPT
$FW loc ACCEPT
$FW all ACCEPT
#
# Policies for traffic originating from the Internet zone (net)
#
net $FW ACCEPT
net loc ACCEPT
net all ACCEPT
##################################################
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#########################################################
Thanks!
Mark II
--
Mark D. Montgomery II
http://www.techiem2.net
------------------------------------------------------------------------------
ThinkGeek and WIRED''s GeekDad team up for the Ultimate
GeekDad Father''s Day Giveaway. ONE MASSIVE PRIZE to the
lucky parental unit. See the prize list and enter to win:
http://p.sf.net/sfu/thinkgeek-promo
Tom Eastep
2010-Jun-20 23:21 UTC
Re: Proper setup for a router with 2 interfaces and a bridge on one?
On 6/20/10 6:45 AM, Mark D. Montgomery II wrote:
> I'm working on setting up a new router/server/etc. box.
> I'm using Proxmox as the base system (Debian Lenny basically).
> I'm trying to figure out the right way to configure Shorewall on it.
> I've looked at some of the bridging info but they seem to all be talking
> about single-interface setups.
> Could someone look over my setup and give me some input into the proper
> way to set this up so that I can do all the normal Shorewall things
> properly like blocking like normal, port forwards, etc. ?
>
> I think my current setup mostly works, but I'm seeing messages like:
>
> Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0
> PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00
> PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840
> RES=0x00 SYN URGP=0

Shorewall FAQs 17 and 35.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mark D. Montgomery II
2010-Jun-21 12:29 UTC
Re: Proper setup for a router with 2 interfaces and a bridge on one?
Quoting Tom Eastep <teastep@shorewall.net>:
>
> Shorewall FAQs 17 and 35.

Thanks. I found the routeback option a bit later after digging around some more, so it seems to be behaving properly now (it's not good to block your iscsi target and initiator from talking to each other... :P ). Now I just have to start locking it down and testing forwards and such.

>
> -Tom

Mark II
--
Mark D. Montgomery II
http://www.techiem2.net
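The log message in the first post has IN and OUT set to the same bridge (vmbr0) with different PHYSIN/PHYSOUT ports, which is exactly the traffic the routeback option on the bridged zone allows. The following is an added example, not code from the thread or from Shorewall: a small parser for Shorewall log lines that flags FORWARD rejects of intra-bridge traffic, so the missing-routeback symptom can be spotted in a log before guessing at the cause. The sample log is constructed; line 1 is the message from the thread, lines 2 and 3 are made-up variants (an eth1-to-VM case like the one Mark mentions, and an unrelated drop on eth0).

```python
import re

# Constructed sample log: line 1 is the message quoted in the thread; lines 2
# and 3 are made-up variants (not from the thread) for contrast.
SAMPLE_LOG = """\
Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=vmtab101i0 PHYSOUT=vmtab102i0 SRC=10.10.42.3 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61722 DF PROTO=TCP SPT=47118 DPT=3260 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:FORWARD:REJECT:IN=vmbr0 OUT=vmbr0 PHYSIN=eth1 PHYSOUT=vmtab101i0 SRC=10.10.42.50 DST=10.10.42.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Shorewall's default LOGFORMAT prefixes each message with chain:disposition:
PREFIX = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")

def parse_shorewall_log(line):
    """Split one Shorewall log message into chain, disposition and netfilter
    key=value fields; bare flags such as DF and SYN go into 'flags'."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # MAC= values contain ':' but no '='
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec

def is_intra_bridge_block(rec):
    """True when a packet entered and left the same bridge (IN == OUT) on
    different bridge ports and was rejected or dropped: the signature of a
    bridged zone whose interfaces entry lacks the 'routeback' option."""
    if rec is None or rec["disp"] not in ("REJECT", "DROP"):
        return False
    if not rec.get("IN") or rec.get("IN") != rec.get("OUT"):
        return False
    return rec.get("PHYSIN") != rec.get("PHYSOUT")

def find_routeback_candidates(text):
    """Return (bridge, physin, physout, src, dst, dport) for each hit."""
    hits = []
    for line in text.splitlines():
        rec = parse_shorewall_log(line)
        if is_intra_bridge_block(rec):
            hits.append((rec["IN"], rec.get("PHYSIN"), rec.get("PHYSOUT"),
                         rec.get("SRC"), rec.get("DST"), rec.get("DPT")))
    return hits
```

Running `find_routeback_candidates` over `SAMPLE_LOG` reports the two vmbr0 rejects (VM-to-VM on port 3260 and eth1-to-VM on port 22) and ignores the eth0 drop.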