From: <ast...@el...> - 2007-03-05 00:22:59
>
> I have been using MASQPORTS=30000-60000 and it has been working
> quite well. I am thinking that this should be the default in
> AstLinux. The only problem is that #2 (from above) is there for a
> reason. Some applications need to use the same port number. I have
> yet to run into such an application, but you never know...
>
> Should MASQPORTS=30000-60000 be default on new AstLinux systems?

As long as you can tweak it in rc.conf, I'm not going to complain. There are places that ask for 10k-30k, so people need to be able to adjust it pretty easily. This will actually be a sticking point for some people, potentially, when they aren't quite sure what their range should be and have to experiment/tweak (such as when their provider doesn't officially support other hardware and doesn't feel like telling you the range).

Actually, this brings up an ugly point I ran across while fooling around with my WRAP, though maybe I was being dumb. I had it attached to two different networks: one for primary service, and a second network to be a branch office PBX below some other SIP server. The problem is, both the primary and office networks required DHCP, and the office network SIP server was on another subnet. I did an ugly hack where I set eth0 to be EXTIF, and I did not set eth2 as an INTIF. Instead I tweaked the iptables setup so I had a third option for the DMZ setup, which I called intme: it created an internal-use connection that linked exclusively to the WRAP and couldn't go downstream into the eth1 internal network, or back upstream and out through eth0. In rc.conf I defined a static IP and associated information. Unfortunately, this didn't solve all my problems, as I periodically had to undo the setup and set eth2 as EXTIF just to tickle the office DHCP server (it doesn't behave and check an IP before assigning, so I had my IP address stolen before).

That, and I had to manually add a route to the office SIP server through the office network gateway; otherwise the WRAP would use the default route and never connect.

Is there a cleaner way of setting up a second network link that isn't a failover link, being a DHCP client? I was connecting to a trusted network on the office link, so things were okay, but in the future I would want to apply the astfw firewall rules to that second link. It would also be nice to be able to define the additional route information in rc.conf for the office link.

I suppose this is unique to devices with three or more interfaces, but it seems like you have the situation of above/below/sideways, and the link situation of "talk to only me"/"talk to me and stuff below"/"talk to only stuff below"/"talk to only above"/"talk to me and above"/"talk to everybody"/"talk to everybody but me".
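As an added example, not code from the post above and not AstLinux's own astfw or rc.conf logic, here is what the "intme" zone plus the manual host route look like in plain iptables/iproute2 on a three-NIC box, together with the MASQPORTS-style MASQUERADE rule. The interface names eth0/eth1/eth2 follow the post; the office subnet, gateway and SIP server addresses are placeholders from the RFC 5737 documentation ranges, and the RTP range is Asterisk's default, all of which are assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not AstLinux's astfw or rc.conf code.
# It builds the "intme" zone the post describes for a third interface on a
# WRAP (hosts on eth2 may talk only to this box and are never forwarded to
# eth1 or out through eth0), pins a host route to an off-subnet SIP server via
# the office gateway, and masquerades EXTIF traffic into a MASQPORTS range.
# Assumptions: EXTIF=eth0, INTIF=eth1 (isolated by the FORWARD rules), the
# office link is eth2, and every address below is a documentation placeholder.
set -eu

EXTIF=eth0
INTME=eth2
OFFICE_GW=192.0.2.1           # assumed office gateway on eth2's own subnet
OFFICE_SIP=198.51.100.10      # assumed office SIP server on a different subnet
MASQPORTS=30000-60000
RTP_PORTS=10000:20000         # Asterisk's default rtp.conf range, assumed here

# IPT/IPR default to the real tools; set IPT="echo iptables" IPR="echo ip"
# to print the commands instead of running them (dry run, no root needed).
ipt() { ${IPT:-iptables} "$@"; }
ipr() { ${IPR:-ip} "$@"; }

# "Talk to only me": what eth2 is allowed to send to this box.  The final
# DROP makes the zone safe regardless of the INPUT chain's default policy.
intme_input_rules() {
    ipt -A INPUT -i "$INTME" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP renewals go through a normal UDP socket and must get past the
    # filter (the initial discover/offer uses a raw socket and bypasses it).
    ipt -A INPUT -i "$INTME" -p udp --sport 67 --dport 68 -j ACCEPT
    # SIP signalling only from the office server; RTP media endpoints are not
    # known in advance, so the media range is open to the whole link.
    ipt -A INPUT -i "$INTME" -s "$OFFICE_SIP" -p udp --dport 5060 -j ACCEPT
    ipt -A INPUT -i "$INTME" -p udp --dport "$RTP_PORTS" -j ACCEPT
    ipt -A INPUT -i "$INTME" -j DROP
}

# "Sideways" isolation: nothing is forwarded between eth2 and either other
# NIC, in either direction, so the office link can neither reach the eth1
# LAN nor use this box as a path out through eth0.
intme_forward_rules() {
    ipt -A FORWARD -i "$INTME" -j DROP
    ipt -A FORWARD -o "$INTME" -j DROP
}

# MASQPORTS: outbound connections on EXTIF whose source port already lies in
# the range keep it (if free); any other source port is rewritten into it.
masq_rules() {
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE --to-ports "$MASQPORTS"
}

# The office SIP server is off-subnet, so without a host route the default
# route on EXTIF wins and the registration never arrives.
office_route() {
    ipr route replace "$OFFICE_SIP/32" via "$OFFICE_GW" dev "$INTME"
}

apply_all() {
    intme_input_rules
    intme_forward_rules
    masq_rules
    office_route
}

# `sh intme.sh apply` as root applies the rules;
# `IPT="echo iptables" IPR="echo ip" sh intme.sh apply` only prints them.
case "${1:-}" in
    apply) apply_all ;;
esac
```

These rules are appended, so they only take effect ahead of whatever astfw already has in INPUT and FORWARD if they are loaded before it or placed in a chain astfw jumps to first; check with `iptables -L FORWARD -v -n` that the two eth2 DROPs sit above any blanket ACCEPT. The `--to-ports` behaviour is also the trade-off quoted at the top of the thread: Asterisk's own 5060 source port is outside 30000-60000 and will always be rewritten, which is exactly what an application that insists on keeping its port will notice.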