From: Paul G. <pa...@ge...> - 2005-01-25 11:46:10
Richard Neill wrote:
> ...
>
> It seems a bit odd - Shorewall's paradigm seemed to me to be about
> routing traffic from one zone to another, rather than from one interface
> to another. I wondered where exactly the packets would go, if they had
> two alternative destinations.

Shorewall doesn't control where your packets go - routing does. All shorewall is doing is saying, "For packets that are going from A to B, masquerade them." It doesn't control the fact that they go from A to B.

> ...
> Thanks. Sorry, I didn't have net access at the time I was setting it up,
> and was relying only on the comments in the /etc/shorewall/masq file.
> Perhaps this is an example worthy of inclusion?

Install the shorewall documentation - it includes the FAQ.

> ...
> Perhaps it might be worth adding a sentence like the following (but
> better written!) into /etc/shorewall/masq, to prevent against this sort
> of confusion:
>
> ---------
> # Example 6:
> #
> # You want all traffic from the local zone to be masqueraded
> # and sent out to the net zone. In this case, it is necessary
> # to specify interfaces rather than zones, but it is OK to
> # have more than one destination. Eg eth1 is the internal network;
> # eth0 and/or ppp0 are connected to the Internet. For example,
> # a DSL internet connection with a dialup system for backup.
> #
> # eth0 eth1
> # ppp0 eth1
> #

I think that would be a useful addition regardless, since it's a typical situation. Of course, that means it needs to be maintained like documentation, which brings its own problems, right Tom? :-)

--
Paul
<http://paulgear.webhop.net>
--
Tired of paying $600 for Microsoft Office? Running an illegal copy and want to make it legal? Try OpenOffice.org! It's free and does most of the things Microsoft Office does. <http://www.openoffice.org>