If you connect br-ex to eth0 you should be able to assign your 'management' public ip to br-ex directly. You will then probably need to remove the default route for eth0 as well.

The bottom line however is: if you don't need to keep eth0 on the internet why are you insisting on giving it a publicly routable ip address?