On Sun, 2 Dec 2001 11:36:20 +1000, mdevin@ozemail.com.au wrote:
> I am trying to figure out which is the best way to do some
> masquerading of my internal LAN.
<snip>
> Which would be the best way in terms of efficiency and security?

SNAT would be. However, you better make sure that each time the IP address of your interface changes, your firewall script runs. You could do this in Debian by putting your firewall script in /etc/ppp/ip-up.d/.

But also please keep in mind that your firewall rules should be put in place *before* any external interfaces are brought on-line. Since you can't determine the IP address without the interface being on-line, your firewall should run in two parts; first, setting the strict don't-accept-any-of-these-connections rules (in my case, I set the policy of INPUT and FORWARD to DROP), a second script to set up the NAT.

--
 .--=====-=-=====-=========----------=====-----------=-=-----=.
/  David Barclay Harris            Aut agere, aut mori.        \
\       Clan Barclay               Either action, or death.    /
 `-------======-------------=-=-----=-===-=====-------=--=----'
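The two-part layout described in the reply above, sketched as an added example (not code from the original post or its author). Assumptions: the LAN is 192.168.1.0/24 on eth0, the function names and the `IPT`, `LAN_NET` and `LAN_IF` variables are hypothetical, and Debian's `/etc/ppp/ip-up` exports `PPP_IFACE` and `PPP_LOCAL` to scripts in `ip-up.d`. It only prints the rules unless `IPT=iptables` is set.

```shell
#!/bin/sh
# Added example: two-stage firewall for a dial-up SNAT gateway.
# Assumed values (not from the original post): LAN 192.168.1.0/24 on eth0.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
IPT="${IPT:-echo iptables}"   # dry run by default; set IPT=iptables to apply

valid_ipv4() {
    # Accept only a dotted quad whose four octets are each 0-255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

stage1_lockdown() {
    # Part one: run at boot, before any external interface is brought up.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    # Assumed extras so the gateway stays reachable from itself and the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

stage2_snat() {
    # Part two: run from /etc/ppp/ip-up.d/ every time the link comes up.
    ext_if="$1"; ext_ip="$2"
    valid_ipv4 "$ext_ip" || { echo "refusing SNAT: bad address '$ext_ip'" >&2; return 1; }
    # Flush first so a rule carrying the previous address never lingers.
    $IPT -t nat -F POSTROUTING
    $IPT -F FORWARD
    $IPT -A FORWARD -i "$LAN_IF" -o "$ext_if" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$ext_if" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$LAN_NET" -j SNAT --to-source "$ext_ip"
}

# Dispatch: pppd's ip-up environment selects part two; "lockdown" selects part one.
if [ -n "${PPP_LOCAL:-}" ]; then
    stage2_snat "${PPP_IFACE:-}" "$PPP_LOCAL"
elif [ "${1:-}" = "lockdown" ]; then
    stage1_lockdown
fi
```

If the address check fails, the FORWARD policy from part one is still DROP, so a failed second stage leaves the gateway closed rather than open.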