On 28/Jun/2010 01:18 Joaquim Homrighausen <joho@...> wrote ..
> Would it be possible for Webmin to WARN in BOLD RED letters that the
> ip_forward (and IPV6) KERNEL flag is set to ZERO (0) when I enter the
> Firewall/IPTABLES configuration screen? :-)
Technically, yes .. but it is quite possible that you would want to
configure a firewall even when forwarding is not enabled, such as to
protect local services.
Fair enough -- how about checking if the forward chain/ruleset is empty
or not before issuing the warning then? Checking the ip_forward flag
first might make sense.
I mean, the warning doesn't have to be annoyingly obvious, perhaps:

NOTE: A forward chain/ruleset is active, but the ip_forward kernel flag
is disabled (=0)

It's no big deal if you don't want to do it, I just thought it might
help others to catch a rather obvious but subtle "annoyance".
Well, it turns out there are :-)
We were troubleshooting a firewall/router Linux box and couldn't for the
life of us figure out why the forward chain wasn't receiving any packets
.. until I checked ip_forward, which for some unknown reason had been
reset by someone/something.
So it seems like IPTABLES at least doesn't care.
On 06/29/2010 12:43 AM, Jamie Cameron wrote:
> Is there any possible situation in which you could have FORWARD chain
> rules but not actually have IP forwarding enabled?
> If not, adding a warning seems reasonable..
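
The check proposed in this thread, sketched as an added example (not part of the original messages and not Webmin's code): it counts FORWARD rules in the filter table of `iptables-save` output and emits the suggested note only when rules exist and the IPv4 flag is 0. The function names and sample ruleset are constructed for illustration; IPv6 would need the same check against `ip6tables-save` and its own forwarding flag.

```shell
#!/bin/sh
# Added example: warn when the filter table's FORWARD chain has rules but
# the kernel's IPv4 forwarding flag is off.

# Count "-A FORWARD" rules in the *filter table of iptables-save output (stdin).
# Rules in other tables (nat, mangle) and the chain policy line are not counted.
count_forward_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }    # table header: "*filter", "*nat", ...
        table == "filter" && $1 == "-A" && $2 == "FORWARD" { n++ }
        END   { print n + 0 }
    '
}

# forward_note RULES_TEXT IP_FORWARD_VALUE
# Prints the note when rules exist but forwarding is disabled; otherwise nothing.
forward_note() {
    rules=$(printf '%s\n' "$1" | count_forward_rules)
    if [ "$rules" -gt 0 ] && [ "$2" = "0" ]; then
        echo "NOTE: A forward chain/ruleset is active ($rules rules), but the ip_forward kernel flag is disabled (=0)"
    fi
}

# Constructed sample in iptables-save format (not taken from the thread).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Live use (needs root):
#   forward_note "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
forward_note "$SAMPLE_RULES" 0
```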