
Re: Firewall Startup Configuration files


On 2003-11-04 15:01 (local), Peter Robb wrote:
> There isn't anything going into the network behind the firewall coz there
> aren't any DNAT rules loaded to direct them there..
> Only place they can go is down the INPUT chain...
> And the same for outgoing connections, there isn't any masquerade to give
> them an internet number for replies..
> So it kind of makes sense to leave it in the /etc/sysctl.conf file, but
> delay loading the DNAT and SNAT rules until the end of the
> rule lists to make sure the filtering is active before anything can connect.

You seem to forget people who have enough IP addresses to put routable
ones on all their computers... And even without talking about them (who are
lucky not to have protocols locked by lack of NAT support), most people
would have servers with routable IP addresses on their DMZ, wouldn't they?

Regards, J.C.

P.S. : don't misread me: I love NAT! ;-)
J.C. ANDRÉ <jean-christophe.andre@auf.org> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Asia-Pacific Office (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
⎧ Personal note: please avoid sending me PowerPoint or Word files;          ⎫
⎩ see http://www.fsf.org/philosophy/no-word-attachments.fr.html             ⎭
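
The ordering the thread discusses, as an added example that is not part of either message: a start-up script that turns forwarding off first, loads the filter rules with a DROP policy on FORWARD, and only then enables net.ipv4.ip_forward and adds the NAT rules. The point of the reply above is that NAT rules are not what protects hosts with routable addresses; the FORWARD chain is, so it must be filtering before the kernel starts routing. Interface name, subnets and the single allowed service port are assumptions; with DRY_RUN=1 the script prints its command plan instead of executing it, and check_order verifies that the plan enables forwarding only after the FORWARD policy is DROP.

```shell
#!/bin/sh
# Added example, not code from the thread: firewall start-up ordering that
# closes the forwarding window before any rule-loading race can be exploited.
# Interface and address values below are assumptions (documentation ranges).

WAN_IF="${WAN_IF:-eth0}"               # assumed external interface
DMZ_NET="${DMZ_NET:-203.0.113.0/24}"   # assumed DMZ with routable addresses
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN that needs SNAT

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

disable_forwarding() {
    # Step 1: stop routing first, even if sysctl.conf already turned it on at boot.
    run sysctl -w net.ipv4.ip_forward=0
}

load_filter_rules() {
    # Step 2: flush, set DROP policies, then add explicit accept rules.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DMZ hosts are routable, so only the published service reaches them (port 80 assumed).
    run iptables -A FORWARD -i "$WAN_IF" -d "$DMZ_NET" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Private LAN may open outbound connections.
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -m state --state NEW -j ACCEPT
}

enable_forwarding() {
    # Step 3: the FORWARD chain now filters, so routing can be switched on.
    run sysctl -w net.ipv4.ip_forward=1
}

load_nat_rules() {
    # Step 4: NAT last; it only concerns the private LAN, not the routable DMZ.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

startup() {
    disable_forwarding
    load_filter_rules
    enable_forwarding
    load_nat_rules
}

# check_order: reads a command plan on stdin and returns 0 only if
# "ip_forward=1" appears after "-P FORWARD DROP".
check_order() {
    awk '
        /-P FORWARD DROP/ && !drop { drop = NR }
        /ip_forward=1/   && !fwd  { fwd = NR }
        END { exit !(drop && fwd && drop < fwd) }
    '
}

if [ "${1:-}" = "plan" ]; then
    DRY_RUN=1 startup
elif [ "${1:-}" = "apply" ]; then
    startup
fi
```

Usage: `sh firewall.sh plan | sh -c 'check_order'` style dry runs let you review the sequence before `sh firewall.sh apply` touches the live rule set; the same check_order filter can be pointed at any existing start-up script's echoed commands to confirm it does not enable forwarding ahead of its filter policy.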
