-Inbound rules with source IP does not work, because shorewall
-does not allow rules like:
-
- SSH(ACCEPT) all:IP_ADDRESS $ZVMBR0VM100:tap100i0
-
-As workaroud, we create one rule for each BP zone on the same
-bridge:
-
- SSH(ACCEPT) $ZVMBR0:IP_ADDRESS $ZVMBR0VM100:tap100i0
- SSH(ACCEPT) $ZVMBR0VM777:IP_ADDRESS $ZVMBR0VM100:tap100i0
- SSH(ACCEPT) $ZVMBR0EXT:IP_ADDRESS $ZVMBR0VM100:tap100i0
-
-
-
-
-
-
-
+There are a number of restrictions when using iptables to filter
+bridged traffic. The physdev match feature does not work correctly
+when traffic is routed from host to bridge:
+
+ * when a packet being sent through a bridge entered the firewall on another interface
+ and was being forwarded to the bridge.
+
+ * when a packet originating on the firewall itself is being sent through a bridge.
+
+So we disable the firewall if we detect such case (bridge with assigned IP address).
+You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
+
+The correct workaround is to remove the IP address from the bridge device, and
+use a veth device which is plugged into the bridge:
+
+---/etc/network/interfaces----
+
+...
+
+auto vmbr0
+iface vmbr0 inet manual
+ bridge_ports bond0
+ bridge_stp off
+ bridge_fd 0
+
+# this create the veth device and plug it into vmbr0
+auto pm0
+iface pm0 inet static
+ address 192.168.10.10
+ netmask 255.255.255.0
+ gateway 192.168.10.1
+ VETH_BRIDGETO vmbr0
+
+auto vmbr1
+iface vmbr1 inet manual
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
+
+# setup masqueraded bridge port vmbr1/pm1
+auto pm1
+iface pm1 inet static
+ address 10.10.10.1
+ netmask 255.255.255.0
+ VETH_BRIDGETO vmbr1
+ post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1
+ post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1
+ post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
+ post-down iptables -t nat -F POSTROUTING
+ post-down iptables -t raw -F PREROUTING
+
+...
+
+--------------------------------