
Re: IP-Masquerade



Hi,

It sounds to me as if when you did the first set-up for some reason the packets were getting through the rule and hitting the default deny.  In the second instance you have a default allow so it should match any traffic.

The first example is better as it is more specific.  Hopefully the 192.168.0.0 network is your inside network, right?  The best thing to do is to use the -o flag on the end so you can see in the log WHY it is denying the packets.  Also the -n flag is useful as you can use it to see what would happen to a packet if it hit the masquerading box.  In general your rules should be as specific as possible so using -W to specify the interface is useful.

Your second example works fine for any traffic that hits any interface that is trying to get to an external address.  If you are on a cable modem class C this could be of significance otherwise probably not.  Using the -W flag would probably be useful as you can then specify that the inside interface should be the only one to masquerade.

There are some good tools for auto-generating rules which you may find useful: no urls at hand but you should be able to find something from the Linux Documentation Project links page.

Hope this helps,

Steve

On Tue, Aug 17, 1999 at 04:56:23PM -0300, Guilherme Soares Zahn wrote:
<snip>
> The HOWTO suggested I should try something like
> 
> ipfwadm -F -p deny (setting 'deny' as the default rule)
> ipfwadm -F -a masquerade -P tcp 192.168.0.0/255.255.0.0 -D 0.0.0.0/0
> (and the same for udp)
> 
> I removed both lines and tried:
> 
> ipfwadm -F -p accept -m (default policy: accept, masquerading)
> 
> Now everything works fine, but I'm somehow suspicious this may open a
> hole in our security... does it? Is there a safer way to do it?
> 
> []'s
> 
> Guilherme Zahn


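As an added illustration (not code from either message in this thread) of the two approaches being compared: the permissive default-accept-with-masquerade rule beside a default-deny forwarding ruleset that masquerades only the inside network arriving on the inside interface, with a logged catch-all deny so the log shows what was dropped. The interface name eth1 is an assumption; the 192.168.0.0/16 network is the one from the question.

```shell
#!/bin/sh
# Example ipfwadm masquerading rulesets (added illustration, not from the thread).
# Assumptions: LAN-facing interface is eth1; inside network is 192.168.0.0/16.
INSIDE_IF="${INSIDE_IF:-eth1}"             # assumed inside interface name
INSIDE_NET="${INSIDE_NET:-192.168.0.0/16}" # inside network from the question
IPFWADM="${IPFWADM:-ipfwadm}"              # set IPFWADM=echo to preview only

# The permissive form from the question: accept and masquerade everything the
# box forwards, from any interface and any source address.
loose_rules() {
    $IPFWADM -F -p accept -m
}

# The specific form: deny forwarding by default, masquerade only tcp/udp that
# arrives on the inside interface from the inside network, then log whatever
# still falls through to the deny (-o turns on kernel logging for a rule).
strict_rules() {
    $IPFWADM -F -f                       # flush existing forwarding rules
    $IPFWADM -F -p deny                  # default forwarding policy: deny
    for proto in tcp udp; do
        $IPFWADM -F -a masquerade -W "$INSIDE_IF" -P "$proto" \
            -S "$INSIDE_NET" -D 0.0.0.0/0 -o
    done
    # catch-all deny with logging, so denied packets show up in the kernel log
    $IPFWADM -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
}

# Show the forwarding rules numerically with extended (interface) columns.
list_rules() {
    $IPFWADM -F -l -n -e
}

# "apply" installs the strict ruleset; anything else only prints the commands.
if [ "${1:-}" = "apply" ]; then
    strict_rules
else
    ( IPFWADM=echo; strict_rules )
fi
```

Run it with no arguments to review the generated commands, then with `apply` as root to install them.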