I use Debian extensively and Shorewall as my preferred firewall.
I have more than a couple of dozen of these boxes in production, in a health care environment, with thousands of rule sets.
Recently, while working with a noob on setting up a new FW, I became aware that the 2.6.20+ kernels do not have bridging as a default. Ouch.
Using a bridge firewall methodology without bridging becomes a lot more difficult to set up and secure.
I really try to keep things as simple as possible, and now I am faced with a few not-so-desirable choices.
FYI I am a working manager, terribly understaffed, and in process of training unfamiliar, entry level staff on the hows and whys of Linux firewalls.
The workarounds provided by Tom Eastep look complete; however, I have given them a go on a couple of "fit pc" boxes but haven't produced a working firewall yet. This looks fairly complex. I am not happy!
Choices I see:
Build future firewalls with older versions of Debian, pre 2.6.20 kernels, and keep doing things the same way.
Follow the instructions provided by T. Eastep regarding "workarounds" for Shorewall (complex, easy to get wrong, hard to know if it's wrong).
Put together a custom kernel *ugh*
Switch firewall software altogether (lost training investment)
Am I missing something obvious? Is there an appeal process to the Debian Gods?
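Before picking one of those options it helps to know exactly how a given kernel was built, since a bridge firewall needs both the bridge code and the bridge/netfilter hooks that let iptables see bridged frames. The script below is an added example, not code from the original post, from Shorewall, or from Debian: it reads a kernel config file and reports whether CONFIG_BRIDGE and CONFIG_BRIDGE_NETFILTER are built in, modular or absent, then does the same for the running kernel. The /boot/config-<release> path and the /proc/sys/net/bridge sysctl are assumptions about a standard Debian layout, and the three sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post, Shorewall or Debian): report
# whether a kernel config can support a bridge firewall.
#   CONFIG_BRIDGE            - the bridge device itself
#   CONFIG_BRIDGE_NETFILTER  - lets iptables see frames crossing the bridge
# Each is reported as y (built in), m (module) or n (absent).
# Assumptions: Debian keeps the config at /boot/config-$(uname -r) and the
# bridge netfilter sysctl lives under /proc/sys/net/bridge.

# config_value FILE OPTION: print y, m or n for OPTION in a kernel config.
config_value() {
    val=$(grep -E "^$2=[ym]\$" "$1" 2>/dev/null | cut -d= -f2)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'n\n'
    fi
}

# bridge_verdict FILE: one word summarising the config:
#   ok            both options present (y or m)
#   no-netfilter  bridge present, but iptables will not see bridged frames
#   no-bridge     no bridge support at all
bridge_verdict() {
    b=$(config_value "$1" CONFIG_BRIDGE)
    nf=$(config_value "$1" CONFIG_BRIDGE_NETFILTER)
    if [ "$b" = n ]; then
        echo no-bridge
    elif [ "$nf" = n ]; then
        echo no-netfilter
    else
        echo ok
    fi
}

# running_kernel_verdict: apply bridge_verdict to the running kernel's config
# (assumed path), then show the live bridge-nf sysctl if it exists.
running_kernel_verdict() {
    cfg="/boot/config-$(uname -r)"
    if [ ! -r "$cfg" ]; then
        echo "no readable $cfg; cannot tell how this kernel was built"
        return 1
    fi
    echo "$cfg: $(bridge_verdict "$cfg")"
    s=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$s" ]; then
        echo "bridge-nf-call-iptables=$(cat "$s") (1 = bridged frames traverse iptables)"
    else
        echo "$s absent: bridge module not loaded, or bridge netfilter not built"
    fi
}

# Constructed sample configs standing in for real /boot/config-* files.
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_BRIDGE=m
CONFIG_BRIDGE_NETFILTER=y
EOF

SAMPLE_NO_NF=$(mktemp)
cat >"$SAMPLE_NO_NF" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_BRIDGE=y
# CONFIG_BRIDGE_NETFILTER is not set
EOF

SAMPLE_NO_BRIDGE=$(mktemp)
cat >"$SAMPLE_NO_BRIDGE" <<'EOF'
CONFIG_NETFILTER=y
# CONFIG_BRIDGE is not set
EOF

echo "sample ok:        $(bridge_verdict "$SAMPLE_OK")"
echo "sample no-nf:     $(bridge_verdict "$SAMPLE_NO_NF")"
echo "sample no-bridge: $(bridge_verdict "$SAMPLE_NO_BRIDGE")"

# The live check is informational only; a missing config file is not an error
# for the script as a whole.
running_kernel_verdict || :
```

Run it on each box as root (or any user able to read /boot); a "no-netfilter" or "no-bridge" verdict on the stock kernel tells you which of the options above you are actually choosing between, and checking the `bridge-nf-call-iptables` value after loading the bridge module confirms whether bridged traffic will reach the Shorewall rules at all.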