I have one Debian server with one network interface. I've configured a bridge for KVM, and Shorewall with two zones on the same interface, so I have the "net" zone and the "kvm" zone for the KVM guests. Here are the relevant files in /etc/shorewall:
interfaces
#ZONE INTERFACE OPTIONS
net br0 tcpflags,logmartians,nosmurfs,sourceroute=0,dhcp
zones
#ZONE   TYPE      OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
net     ipv4
kvm:net ipv4                 # kvm is a sub-zone of net: same interface, members picked out by address in hosts
hosts
#ZONE   HOSTS               OPTIONS
kvm     br0:192.168.1.0/24  -      # any packet arriving on br0 with a 192.168.1.x source is classified as kvm
The kvm zone is a sub-zone of the net zone. Now I want to provide network access to the KVM guests:
snat
#ACTION SOURCE DEST
MASQUERADE 192.168.1.0/24 br0
and finally this is the policy file:
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW all ACCEPT
kvm net ACCEPT
kvm $FW DROP info
net all DROP #info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT #info
I've also configured a DHCP server to hand out IPs to the guests, and enabled ip_forward in shorewall.conf.
Everything is working, but I'm seeing a lot of neighbouring servers making requests to the DHCP server and getting IPs from it.
If I am understanding this correctly, every neighbour that uses my kvm IP range is part of my kvm zone and is getting Internet access through my firewall.
I thought about filtering kvm zone members by MAC address, but I don't think it is a good solution since MAC addresses can be set easily. How can I solve this?
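The configuration below is an added example, not part of the original question or the asker's own files. It shows the usual way out of this situation: the problem is that br0 carries the physical NIC, so the hosts-based kvm sub-zone is defined purely by source address, and the DHCP server answers broadcasts from the whole LAN segment. Anyone on that segment can hold (or be handed) a 192.168.1.x address and thereby place themselves in kvm. Putting the guests on a second bridge that has no physical port makes kvm an interface-defined zone: only the guests' tap devices are attached to it, so membership is no longer self-asserted, and binding the DHCP server to that bridge stops it answering the neighbours. The bridge name br-kvm, the 192.168.100.0/24 range, the use of isc-dhcp-server, and the ifupdown bridge stanza are all assumptions for the example; adapt them to the real setup.

```conf
# --- /etc/network/interfaces (addition) ---
# Hypothetical guest-only bridge: no physical port is enslaved (bridge_ports none),
# so the only members are the tap devices libvirt attaches when guests start.
auto br-kvm
iface br-kvm inet static
    address 192.168.100.1/24
    bridge_ports none
    bridge_stp off
    bridge_fd 0

# --- /etc/shorewall/interfaces ---
#ZONE   INTERFACE   OPTIONS
# br0 stays the LAN-facing interface; keep 'dhcp' here only if the host itself
# obtains br0's address via DHCP from the LAN.
net     br0         tcpflags,logmartians,nosmurfs,sourceroute=0,dhcp
# 'dhcp' lets guests reach the DHCP server on this bridge before policies apply;
# 'routeback' allows guest-to-guest traffic to be bridged when bridge-nf-call-iptables is on.
kvm     br-kvm      tcpflags,nosmurfs,routeback,dhcp

# --- /etc/shorewall/zones ---
#ZONE   TYPE
fw      firewall
net     ipv4
kvm     ipv4        # a plain zone now, not kvm:net; the hosts entry for kvm is removed

# --- /etc/shorewall/hosts ---
# (no entry for kvm: the zone is defined by the interface, not by an address range on br0)

# --- /etc/shorewall/snat ---
#ACTION       SOURCE             DEST
MASQUERADE    192.168.100.0/24   br0    # only the guest range, only when leaving via br0

# --- /etc/shorewall/policy ---
#SOURCE   DEST    POLICY   LOG LEVEL
$FW       all     ACCEPT
kvm       net     ACCEPT
kvm       $FW     DROP     info
net       all     DROP
# THE FOLLOWING POLICY MUST BE LAST
all       all     REJECT

# --- /etc/default/isc-dhcp-server (assumed DHCP server) ---
# Listen on the guest bridge only; DHCPDISCOVER broadcasts on br0 are never seen.
INTERFACESv4="br-kvm"

# --- /etc/dhcp/dhcpd.conf ---
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.50 192.168.100.200;
    option routers 192.168.100.1;
    option domain-name-servers 192.168.100.1;
}

# --- libvirt guest definition (virsh edit <domain>), the guest NIC attaches to the new bridge ---
#   <interface type='bridge'>
#     <source bridge='br-kvm'/>
#     <model type='virtio'/>
#   </interface>
```

With this layout a neighbour on the LAN arrives on br0 and is classified as net regardless of the source address it chooses, so the `kvm net ACCEPT` policy and the MASQUERADE rule cannot be reached by spoofing an address in the guest range; the `net all DROP` policy applies instead. The DHCP server never hears the neighbours' broadcasts because it is bound to br-kvm alone. Nothing here relies on MAC addresses, which is why it holds up where a MAC filter would not.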