On Wed, 11 Sep 2002 10:32:30 +0530 S Mohan wrote:
> Shorewall by default disables ping - is it not?

That statement is somewhat ambiguous. There are also two defaults to consider: Jacques' modified shorwall.lrp and Tom's original shorwall.lrp. Even if some ICMP traffic was restricted by default, it seems unlikely that such behavior would override an ACCEPT policy. (Obviously assuming that Kyle is using ACCEPT for loc -> net.)

> But you say you are able to
> ping from both internal and external networks! Maybe you should first try a
> masquerade without limiting services. If it works, then try other services.

Or just verify that masquerading is enabled via /etc/shorewall/masq. I should have mentioned that in my previous posting.

> I also think Shorewall disables forwarding by echoing 0 into rp_filter of
> each device. This is again a security measure. Is that creating problems?

Did you mean "ip_forward"? To summarize the kernel documentation[1], rp_filter determines if source validation is done and can be used to help prevent spoofing attacks. Shorewall does control ip_forward, but as long as you have shorewall configured properly, there shouldn't be any reason to adjust it manually.

--Brad

[1] /usr/src/kernel-source-2.4.18/Documentation/filesystems/proc.txt

> Check this out. The way I would go about this is to first stop shorewall,
> turn on masquerading in iptables by hand and see if what you want works. If
> it does, then I would start up shorewall and try the same in shorewall.
>
> HTH
>
> Mohan

-------------------------------------------------------
leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
