Re: Timing Shorewall's startup

To: debian-user@lists.debian.org
Subject: Re: Timing Shorewall's startup
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Sat, 17 Aug 2013 12:26:33 +0200
Message-id: <[🔎] 520F4FD9.5080009@plouf.fr.eu.org>
In-reply-to: <[🔎] 520E3DD0.7090102@jorgensen.org.uk>
References: <[🔎] CAGZ55DREWmi0H7rOCsjQ1OyG1_PG7FQe3TU8Wgf6vs+rAF3x_w@mail.gmail.com> <[🔎] 520E139F.1040406@nice.com> <[🔎] 520E1718.6010909@plouf.fr.eu.org> <[🔎] 520E3DD0.7090102@jorgensen.org.uk>

Karl E. Jørgensen a écrit :
> 
> On 16/08/13 13:12, Pascal Hambourg wrote:
>>
>> Karl E. Jørgensen a écrit :
>>>
>>> Why do you need shorewall to wait for the interface?
>> Maybe because it needs to know its IP address ?
> 
> Yes - that's sort of what I was alluding to. If the box is a router,
> then (I thought) that people normally set it up to do masquerading,
> rather than SNAT with a specific IP, as masquerading picks the IP
> address on the outgoing interface...

Sometimes the IP address is required, e.g. for tightened filtering
rules, or when you set port forwarding and you want it to work
seamlessly from within the LAN, so instead of :

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport xx -j DNAT...

you need

iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport xx -j DNAT...

Reply to:

References:
- Timing Shorewall's startup
  - From: Johann Spies <johann.spies@gmail.com>
- Re: Timing Shorewall's startup
  - From: "Karl E. Jørgensen" <karl.jorgensen@nice.com>
- Re: Timing Shorewall's startup
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Timing Shorewall's startup
  - From: "Karl E. Jørgensen" <karl@jorgensen.org.uk>

Prev by Date: Re: wheezy on T43
Next by Date: Re: Quoting Style
Previous by thread: Re: Timing Shorewall's startup
Next by thread: Re: Timing Shorewall's startup
Index(es):
- Date
- Thread