On 03/21/2016 10:18 PM, Devin Reade wrote:
However, in this case the host won't have addresses on (based on my above correction) either br2 or br3. It does sound, though, like having enp1s0, enp1s0.2, and enp1s0.3 in the 'DMZ' zone means that filtering rules on the host will affect inbound traffic to the VMs on br2 and br3.
No, because:
/usr/lib/sysctl.d/00-system.conf:# Disable netfilter on bridges.
/usr/lib/sysctl.d/00-system.conf:net.bridge.bridge-nf-call-ip6tables = 0
/usr/lib/sysctl.d/00-system.conf:net.bridge.bridge-nf-call-iptables = 0
/usr/lib/sysctl.d/00-system.conf:net.bridge.bridge-nf-call-arptables = 0
(Unless you change the defaults)
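Because the answer hinges on "unless you change the defaults", it is worth checking the value that is actually in force before assuming host iptables rules do or do not see the VMs' bridged traffic. The script below is an added example (not part of the thread) that reports the effective bridge-nf-call-* state: it reads /proc/sys/net/bridge/ when the br_netfilter hooks are loaded, and otherwise computes what the sysctl.d drop-ins would set, using the same last-file-wins precedence as sysctl --system. The function names, the BRIDGE_PROC_DIR variable and the constructed drop-in files in the demo are assumptions made for the example; the stock 00-system.conf lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Reports whether frames crossing a Linux bridge are passed through the host's
# iptables/ip6tables/arptables rules (bridge-nf-call-* = 1) or not (= 0).

# Directory holding the live bridge netfilter sysctls; only present once the
# br_netfilter hooks are loaded. Overridable so the parsing path can be tested.
BRIDGE_PROC_DIR=${BRIDGE_PROC_DIR:-/proc/sys/net/bridge}

# parse_bridge_nf_setting KEY FILE...
# Emulates sysctl --system precedence for one key: files are read in the order
# given and the last assignment wins. Comment and blank lines are ignored.
# Prints the value, or an empty line if the key is never set.
# KEY is taken in dotted form (net.bridge.bridge-nf-call-iptables); '|' is
# used as the sed delimiter so a slash-separated key would not break it.
parse_bridge_nf_setting() {
    key=$1; shift
    value=
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(sed -n "s|^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*|\1|p" "$f" | tail -n 1)
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# bridge_nf_state KEY FILE...
# KEY is the short sysctl name (bridge-nf-call-iptables, ...).
# Prints the live value from $BRIDGE_PROC_DIR when the hooks are loaded;
# otherwise the value the given sysctl files would apply, or "unset" if none
# of them mention the key (the kernel default is then whatever the running
# kernel ships, so "unset" is a prompt to check, not a verdict).
bridge_nf_state() {
    key=$1; shift
    if [ -r "$BRIDGE_PROC_DIR/$key" ]; then
        cat "$BRIDGE_PROC_DIR/$key"
        return 0
    fi
    v=$(parse_bridge_nf_setting "net.bridge.$key" "$@")
    printf '%s\n' "${v:-unset}"
}

# Stand-alone demonstration on constructed files (assumed content, written to
# a temp dir): the stock default that disables the hooks, plus a local override
# that re-enables iptables filtering for bridged IPv4 traffic. The glob expands
# in lexical order, which is the order sysctl --system uses.
demo_dir=$(mktemp -d)
printf '# Disable netfilter on bridges.\nnet.bridge.bridge-nf-call-ip6tables = 0\nnet.bridge.bridge-nf-call-iptables = 0\nnet.bridge.bridge-nf-call-arptables = 0\n' > "$demo_dir/00-system.conf"
printf 'net.bridge.bridge-nf-call-iptables = 1\n' > "$demo_dir/99-local.conf"
for k in bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables; do
    printf '%s: %s\n' "$k" "$(bridge_nf_state "$k" "$demo_dir"/*.conf)"
done
rm -rf "$demo_dir"
```

On a host where br_netfilter is loaded the live /proc value is what counts, and the demo prints it regardless of the constructed files; on a host where it is not loaded, the bridged VM traffic never reaches the host's FORWARD chain at all, and the drop-in files only tell you what will happen once the module is loaded.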