shorewall

bridge on debian with shorewall

man bridge-utils-interfaces

bridge config
/etc/network/interfaces

iface br0 inet static
    bridge_ports eth1 tap0
    address 10.10.10.10
    netmask 255.0.0.0

routeback option for br0
/etc/shorewall/interfaces

#ZONE   INTERFACE       BROADCAST       OPTIONS
loc     br0            detect          routeback