/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */

On Sun, 2001-11-11 at 15:41, David Ranch wrote:
> Totally agreed. I have a new IPMASQ howto ready to go with
> the awaited rc.firewall-2.4-stronger ruleset but it isn't
> as tested as I would like.
>
> Do I have any interested testers or auditors out there?
> The new ruleset seems to work well for everything I've tested
> but I want it as robust as possible.

Sure. I'll give it a look over and some testing.

> >echo -n "Forwarding $EXT_F to $INT_F:"
> >$IPTABLES -t filter -I FORWARD -p tcp -d $INT_IP \
> >  --dport $INT_PORT -j ACCEPT && \
>
> Why are you backgrounding every rule?

You'll note that they are &&'d, not &'d. This creates a logical AND
chain where the following parts will not be executed unless the
previous parts succeed. This allows for accurate success and failure
notifications. The rules are not backgrounded.

> >$IPTABLES -t filter -I FORWARD -p udp -d $INT_IP \
> >  --dport $INT_PORT -j ACCEPT && \
>
> Do not PORTFW both UDP and TCP traffic unless the
> protocol requires it.

I agree. I've been looking into an easy means of doing this in my
script format. For now, I see the forwarding of both to be the lesser
of two evils.

> >$IPTABLES -t mangle -I PREROUTING -p tcp -d $EXT_IP \
> >  --dport $EXT_PORT -j ACCEPT && \
> >$IPTABLES -t mangle -I PREROUTING -p udp -d $EXT_IP \
> >  --dport $EXT_PORT -j ACCEPT && \
>
> Why are you mangling the traffic? As I understand
> it, this PORTFWed traffic will never hit this
> rule.

My experience has shown this is not the case. The mangle chain is
actually one of the first hit by all traffic.

Jamin W. Collins

--
"Life is the art of drawing without an eraser." - John Gardner

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- THIS INCLUDES UNSUBSCRIBING! or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
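Added example (not part of the thread, and not Jamin's script or David's rc.firewall-2.4-stronger ruleset): a small POSIX sh script showing the two points discussed above, the &&-chained iptables calls that make the final status line accurate, and a portfw helper that takes a protocol list so a service gets only the protocol it actually needs. The function names portfw, fake_iptables, rules_logged and demo, the stub standing in for iptables, and the addresses 203.0.113.5 and 192.168.1.10 are constructed for this example; the rule lines themselves mirror the FORWARD and mangle PREROUTING rules quoted in the message.

```shell
#!/bin/sh
# Added illustration (not from the rc.firewall ruleset): "&&"-chained iptables
# calls so the final status message is accurate, and forwarding only the
# protocol(s) a service needs. The stub, function names and the addresses
# 203.0.113.5 / 192.168.1.10 are constructed for this example.

IPTABLES=${IPTABLES:-iptables}   # real binary by default; demo swaps in the stub

# portfw EXT_IP EXT_PORT INT_IP INT_PORT PROTOS
#   PROTOS is "tcp", "udp" or "tcp udp". Each iptables call runs only if the
#   one before it succeeded (&&); the first failure aborts and names the
#   protocol it failed on, so "done" is printed only when every rule went in.
portfw() {
    ext_ip=$1; ext_port=$2; int_ip=$3; int_port=$4; protos=$5
    printf 'Forwarding %s:%s to %s:%s (%s): ' "$ext_ip" "$ext_port" "$int_ip" "$int_port" "$protos"
    for proto in $protos; do
        $IPTABLES -t filter -I FORWARD -p "$proto" -d "$int_ip" --dport "$int_port" -j ACCEPT && \
        $IPTABLES -t mangle -I PREROUTING -p "$proto" -d "$ext_ip" --dport "$ext_port" -j ACCEPT || {
            echo "FAILED on $proto"
            return 1
        }
    done
    echo "done"
    return 0
}

# Stub standing in for iptables so the script runs without root or netfilter.
# It appends each accepted rule to RULE_LOG and fails if any argument equals
# FAIL_ON, which shows the chain stopping at the failing rule.
fake_iptables() {
    for arg in "$@"; do
        if [ -n "${FAIL_ON:-}" ] && [ "$arg" = "$FAIL_ON" ]; then
            echo "iptables (stub): refusing rule containing '$arg'" >&2
            return 1
        fi
    done
    echo "$*" >> "${RULE_LOG:-/dev/null}"
    return 0
}

# rules_logged: number of rules the stub accepted since RULE_LOG was last emptied.
rules_logged() {
    if [ -f "${RULE_LOG:-}" ]; then wc -l < "$RULE_LOG" | tr -d ' '; else echo 0; fi
}

# Dry-run demo: HTTP needs only TCP; DNS legitimately needs both, and in the
# second call the mangle rule is made to fail so the chain stops after the
# first FORWARD rule and reports the failure instead of "done".
demo() {
    IPTABLES=fake_iptables
    RULE_LOG=$(mktemp)
    portfw 203.0.113.5 80 192.168.1.10 80 tcp
    echo "rules installed by that call: $(rules_logged)"
    : > "$RULE_LOG"
    ( FAIL_ON=mangle; portfw 203.0.113.5 53 192.168.1.10 53 "tcp udp" )
    echo "rules installed by that call: $(rules_logged)"
    rm -f "$RULE_LOG"
}

demo
```

Run it as-is for the dry run against the stub; to use it on a live box, point IPTABLES at the real binary, drop the demo call, and call portfw once per service with only the protocol that service uses.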
