> > The first option is easier to set up, while the latter is likely to have fewer
> > potentially nasty side effects (since you're not trying to replace any of
> > the existing ruleset functionality, you're just adding a bit of extra
> > filtering).

> Can you explain the "nasty side effects"? If it's just that some applications
> won't work, that's fine with me - I'll resolve those. But obviously, if that
> means additional vulnerabilities, that's a whole different matter. I'll nmap
> the server (obviously from somewhere on the net) to be sure, but hey, even
> nmap can miss something...

You shouldn't have too much trouble, but you will need to keep in mind that
you've replaced the functionality of the existing masquerade rule for the
internal network without removing the old rule, and you've also changed where
in the rule chain the internal net gets masqueraded to the output interface.

I don't offhand know of anything that will break due to this, but it's
possible something will get confused, especially if you set up a DMZ network.
Realistically, I'd give you a 90% or so chance of not having any problems at
all, just remember you added some customizations if you *do* start having
problems...

Personally, I'd try the additional IP Chain option first...it's a lot more
flexible, especially if you plan on adding a DMZ.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
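The "additional IP chain" option recommended above, written out as an added example; this is not code from the thread or from the LRP ruleset itself. It assumes ipchains (the firewall tool LRP used at the time), an internal net of 192.168.1.0/24, eth0 as the external interface, a hypothetical chain name `intfilter`, and that the stock ruleset's `-j MASQ` rule for the internal net already sits in the `forward` chain. The script only filters: it never adds or moves a MASQ rule, which is exactly why it avoids the side effect Charles describes. It prints the commands by default and only executes them when run with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the original post or from LRP): extra egress
# filtering for the internal net via a user-defined ipchains chain, leaving
# the existing MASQ rule untouched and in place.
#
# Assumptions (hypothetical; adjust to your box):
#   INTERNAL_NET  the LAN being masqueraded
#   EXT_IF        the outside interface (in the forward chain, -i is the
#                 interface the packet will go OUT on)
#   CHAIN         name of the new filtering chain
# Default is a dry run: commands are printed, not executed. APPLY=1 runs them.

INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
EXT_IF="${EXT_IF:-eth0}"
CHAIN="${CHAIN:-intfilter}"

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# Build the extra chain and hook it into forward ahead of everything else.
# The chain only filters; it ends in RETURN so any packet it does not deny
# falls back into the stock forward chain, where the MASQ rule still lives.
build_internal_filter() {
    # 1. Fresh user-defined chain (creating it twice is an error, so ignore that
    #    and just flush whatever is there).
    run -N "$CHAIN" 2>/dev/null || true
    run -F "$CHAIN"

    # 2. Extra filtering. Examples of what you might not want leaving the LAN:
    #    direct SMTP (logged with -l so you can spot an internal relay/spam box)
    #    and NetBIOS chatter.
    run -A "$CHAIN" -p tcp -d 0.0.0.0/0 25 -j DENY -l
    run -A "$CHAIN" -p udp -d 0.0.0.0/0 137:139 -j DENY
    run -A "$CHAIN" -p tcp -d 0.0.0.0/0 137:139 -j DENY

    # 3. Everything else goes back to the caller (the forward chain).
    run -A "$CHAIN" -j RETURN

    # 4. Insert the jump at position 1 of forward so it runs BEFORE the
    #    MASQ rule. Only LAN traffic headed out the external interface is
    #    diverted, so a DMZ segment on another interface is not affected.
    run -I forward 1 -s "$INTERNAL_NET" -i "$EXT_IF" -j "$CHAIN"
}

# Post-install sanity check. Feed it the output of "ipchains -L forward -n"
# on stdin; exits 0 only if the jump to $CHAIN is listed above the first
# MASQ rule (first column of the listing is the target).
jump_before_masq() {
    awk -v chain="$CHAIN" '
        $1 == chain && !seen_masq { found = 1 }
        $1 == "MASQ"              { seen_masq = 1 }
        END { exit(found ? 0 : 1) }'
}

build_internal_filter
```

After applying for real, `ipchains -L forward -n | jump_before_masq && echo ok` confirms the ordering. Note that the nmap-from-outside test the poster plans will not exercise these rules at all: they act on traffic leaving the LAN through the forward chain, so test them from an internal host (for example, try to open port 25 on an outside mail server and watch the log line from `-l`).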
