With the new vzctl bridge patch sent yesterday it is easy to build up
hosts with complex 'virtual' networks. In Proxmox VE we have 9 bridges -
each CT can connect to one or more bridges.
I guess in theory it is possible to run a fully functional firewall
inside a CT. Does anybody have experience with that?
Also, when you assign IP addresses to the bridges, the host routes
between those bridges. If you want to restrict traffic you need to set up
a firewall on the host. I just tried shorewall, and it seems to work
perfectly. Is anybody else using shorewall with an OpenVZ host? Does
it work reliably? Are there other 'simple' solutions besides shorewall?
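As an added example for this thread (not from the original post, and not configuration shipped by Proxmox VE, OpenVZ or Shorewall), here is the kind of host-side ruleset the last paragraph is about. Once the bridges carry IP addresses the host forwards freely between them, so the shorewall policy below makes inter-bridge forwarding default-deny and opens only what the rules file lists. The bridge names vmbr0, vmbr1, vmbr2, the zone layout and the port numbers are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example for this thread, not configuration from Proxmox VE,
# OpenVZ or Shorewall. Writes a minimal Shorewall ruleset for an OpenVZ
# host whose bridges carry IP addresses, so the host only forwards the
# inter-bridge traffic that the policy allows.
#
# Assumptions (hypothetical, adjust to your host):
#   vmbr0 = public uplink, zone "net"
#   vmbr1 = DMZ containers, zone "dmz"
#   vmbr2 = internal containers, zone "lan"
set -e

write_shorewall_config() {
    dir="${1:-/etc/shorewall}"
    mkdir -p "$dir"

    # Zones: "fw" is the host itself, the others are one bridge each.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
dmz     ipv4
lan     ipv4
EOF

    # Map each bridge to a zone. "routeback" is needed on a bridge because
    # traffic between two CTs on the same bridge enters and leaves the
    # host on the same interface.
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     vmbr0       detect      routeback
dmz     vmbr1       detect      routeback
lan     vmbr2       detect      routeback
EOF

    # Default policies. Without a firewall the host routes everything
    # between the bridges; the last line turns that into an explicit
    # REJECT, so only what "rules" permits is forwarded.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG_LEVEL
fw      all     ACCEPT
lan     net     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # Explicit holes in the policy above (assumed services).
    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST_PORT(S)
ACCEPT  net     dmz     tcp     80,443
ACCEPT  lan     dmz     tcp     22
ACCEPT  lan     fw      tcp     22
ACCEPT  all     fw      icmp    8
EOF
}

# Returns 0 when the generated policy ends in the catch-all REJECT line,
# i.e. inter-bridge forwarding is denied unless a rule opens it.
policy_is_default_deny() {
    grep -q '^all[[:space:]]*all[[:space:]]*REJECT' "$1/policy"
}

# Generate into the directory given on the command line (default
# /etc/shorewall, which needs root), then run "shorewall check" and
# "shorewall restart" on the host.
if [ "$#" -gt 0 ]; then
    write_shorewall_config "$1"
fi
```

Two things to check on a real host: shorewall.conf must have IP_FORWARDING=On (the containers depend on the host forwarding), and CTs that use venet instead of veth are not on any bridge but on the host's venet0 interface, so that interface needs its own line in the interfaces file or their traffic bypasses the zones above.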