J.A. Magallon wrote:
| On 09.05, Jan Ciger wrote:
|
|
| Yes, it has. The problem is that I just wanted to share my internet
| connection, but the tool used for that is shorewall. So you have to
| configure a full firewall just for sharing a network connection.
|
| Suppose you just have two separate subnets at your work, and just
| want to forward things from one to the other. Or the most famous
| case: you have your desktop box at home, with two network cards,
| one to the cable modem and one to plug your laptop into.
|
| Say, 'I just want my laptop to access the internet.
| God damn security. My OSX has its own firewall'. That is done with
| a simple /etc/sysconfig/iptables, and starting iptables:
You could do this just as well with one line in the /etc/shorewall/masq file:
eth0 192.168.129.0/24
eth0 is my outgoing interface and the local network is attached to usb0 in my case (Sharp Zaurus connected over a USB cable). Plus you have all the security of the firewall. It is infinitely easier to do it like this than with the hack of using iptables directly. If /etc/shorewall/policy is set up properly, you do not have to touch anything else and it works out of the box. The "overhead" of using a full firewall for this is actually zero, since Shorewall will just generate the same set of rules as you did by hand, but it keeps the configuration simple and reduces the chance of errors (like an omitted ACCEPT rule somewhere causing a lot of aggravation).
That hack of yours is also a recipe for problems if somebody enables that and shorewall at the same time.
The problem is just that Shorewall has to ship with a decent default config. Configuring it from scratch is not difficult for most common setups (I am talking about 10 min of hand-editing files in /etc/shorewall; it mostly consists of adding a line here or there), but it should be pre-configured with things like the zones, interfaces and policy files. And with a proper GUI it would rock. I do not use DrakFirewall; perhaps it does this job already, except for the default settings.
Jan
--
Jan Ciger VRlab EPFL Switzerland GPG public key : http://www.keyserver.net/
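The "line here or there" setup Jan describes, as an added example that is not from the thread or from the Shorewall project: the zones, interfaces, policy and masq files for the two-NIC home box (eth0 to the cable modem, usb0 to the laptop, the 192.168.129.0/24 subnet from the message). It assumes the Shorewall 4.x file formats, which postdate this thread, and writes into a directory passed as an argument so the result can be checked before anything touches /etc/shorewall.

```shell
#!/bin/sh
# Added example: write a minimal Shorewall configuration for Internet connection
# sharing into "$1" (assumed staging directory), then validate it with
# "shorewall check" if Shorewall is installed. Shorewall 4.x syntax assumed.
set -eu

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    # zones: the firewall itself, the untrusted net, and the trusted local side
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF

    # interfaces: which zone each NIC belongs to; the outside interface also
    # drops packets with bogus TCP flags and fails the reverse-path check
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,routefilter,nosmurfs
loc     usb0        tcpflags
EOF

    # policy: the laptop may reach the net, the box itself may talk anywhere,
    # unsolicited traffic from the net is dropped and logged. The "net all DROP"
    # line is what turns plain connection sharing into an actual firewall.
    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
all     all     REJECT  info
EOF

    # masq: the one line from the message; traffic from the laptop subnet leaving
    # via eth0 is source-NATed to the cable modem side address
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
eth0        192.168.129.0/24
EOF

    # Compile and check the rule set without installing it, when possible.
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$dir"
    fi
}
```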
