Re: [Astlinux-users] RFC: IMPORTANT astfw changes

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

>
>   I have been using MASQPORTS=30000-60000 and it has been working
> quite well.  I am thinking that this should be the default in
> AstLinux.  The only problem is that #2 (from above) is there for a
> reason.  Some applications need to use the same port number.  I have
> yet to run into such an application, but you never know...
>
>   Should MASQPORTS=30000-60000 be default on new AstLinux systems?

As long as it you can tweak it in rc.conf, I'm not going to complain.
There are places that ask for 10k-30k so people need to adjust pretty
easily. This will actually be a sticking point for some people
potentially, when they aren't quite sure what their range should be, and
have to experiment/tweak (such as when their provider doesn't officially
support other hardware and don't feel like telling you the range).

Actually, this brings up an ugly point I ran across while fooling around
with my WRAP, though maybe I was being dumb. I had it attached to two
different networks, one for primary service, and a second network to be a
branch office PBX below some other SIP server. The problem is, both
primary and office networks required DHCP, and the office network SIP
server was on another subnet. I did an ugly hack where I set eth0 to be
EXTIF, and I did not set eth2 as a INTIF. Instead I tweaked the iptables
setup so I had a third option for the DMZ setup I called intme, which
created an internal use connection that linked exclusively to the WRAP and
couldn't go downstream into the eth1 internal network, or back upstream
and out through eth0. In rc.conf I defined a static IP and associated
information. Unfortunately, this did solve all my problems, as I
periodically had to undo the setup and set eth2 as EXTIF just to tickle
the office DHCP server (it doesn't behave and check an IP before
assigning, so I had my IP address stolen before). That, and I had to
manually add a route to the office SIP server through the office network
gateway, otherwise the WRAP would use the default route and never connect.

Is there a cleaner way of setting up a second network link that isn't a
failover link, being a DHCP client? I was connecting to a trusted network
on the office link so things were okay, but in the future I would want to
apply the astfw firewall rules to that second link. It would also be nice
to be able to define the additional route information in rc.conf for the
office link.

I suppose this is unique to devices with three or more interfaces, but it
seems like you have the situation of above/below/sideways, and the link
situation of "talk to only me"/"talk to me and stuff below"/"talk to only
stuff below"/"talk to only above"/"talk to me and above"/"talk to
everybody"/"talk to everybody but me".