Jose M. Sanchez <[EMAIL PROTECTED]> wrote:
>
> In a situation wherein there exists a Linux box connected to a LAN,
> and that same Linux box's ethernet IP is assigned via DHCP (i.e. from
> a BI-DIRECTIONAL cable modem connection) how is Masq configured to
> allow other machines to use the Linux box as a masq gateway?

Probably in exactly the same way that a Linux box using a dial-up PPP
connection with a dynamically-assigned IP address is able to be a
masquerade gateway.

> I'm assuming ALL machines and the cable modem are plugged into a
> single hub, with only one ethernet interface on the Linux machine...

I suppose you could do it this way, or you could plug two NICs into the
Linux box and have it forward between the two nets.

> If the first thing ipfwadm does is a "deny all", doesn't this prevent
> the linux box itself from sending packets over the internet?

That "first thing" you're talking about is the "default policy" rule,
usually "ipfwadm -F -p reject". It means that, if there is no specific
rule to tell otherwise, the box will reject an attempt to forward a
packet.

Note that this applies to FORWARDING a packet. It only applies when the
Linux box receives a packet, and determines that the packet is not
destined for the Linux box, and needs to be forwarded somewhere else.
Thus, it does not prevent the box from sending packets to the internet.

At any rate, in all cases you've seen on this list, the default policy
rule is immediately followed by a rule which defines that packets SHOULD
be forwarded, if they meet certain criteria, such as being from a
192.168.* address, with the stipulation that they be masqueraded. This
prevents a machine on the Internet from reversing your Linux box, and
masquerading its way INTO your network.

> I'm assuming the eth0 interface becomes the default gateway for all of
> the masq'd machines... is this correct?

A default gateway is given as an IP address, generally. Not an
interface. In this case, the IP address would be the address of the
Linux box on the local LAN.

You (and another poster here) expressed some confusion about the
dynamically-assigned address. Well, how do your local LAN machines talk
to the Linux box when it is not connected to the Internet at all?
Surely your machine has TWO IP addresses: one on the local LAN, and
another on the Internet at large, assigned dynamically. Your local LAN
boxes will forward to the Linux box's local IP address, and it will in
turn forward that traffic out to the Internet via masquerade. Thus,
there should really be no confusion.

Thinking further on what you said above, I don't see how a Linux box
with a cable modem could work, if the cable modem were connected on the
same hub with the rest of the local LAN. If the modem is a "dumb"
device and does not have its own IP address, then there isn't any way
for the Linux box to send it any traffic... is there? It seems to me
that it would need to be on its own subnet, so that it could simply
forward all traffic that it sees, like a bridge device would.

But, I don't have one, so I can't say for sure.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
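The default-policy-then-masquerade rule pair described in the reply above, written out as an added example (not part of the original message), together with a small simulation of the forwarding decision those rules produce. The local LAN 192.168.1.0/24 is a constructed value; the ipfwadm flags are the classic `-F` (forwarding chain), `-p` (policy), `-a m` (append masquerade rule), `-S`/`-D` (source/destination).

```shell
#!/bin/sh
# Added example: ipfwadm forwarding rules for a masquerading gateway.
# Assumed/constructed: the local LAN behind the Linux box is 192.168.1.0/24.
LAN_NET=192.168.1.0/24

# Print the rule set instead of running it, so it can be reviewed first.
build_rules() {
    # Start from an empty forwarding chain.
    echo "ipfwadm -F -f"
    # Default policy: anything not matched by a later rule is NOT forwarded.
    echo "ipfwadm -F -p reject"
    # Only packets sourced from the local LAN are forwarded, and they are
    # masqueraded. A packet arriving from the Internet side never matches
    # this rule, so it falls to the default policy and cannot be
    # masqueraded "into" the LAN.
    echo "ipfwadm -F -a m -S $LAN_NET -D 0.0.0.0/0"
}

# Run the rules for real (needs root and a kernel with ipfwadm support).
apply_rules() {
    build_rules | while read -r cmd; do
        $cmd || return 1
    done
}

# Simulate the forwarding decision for a packet's source address under the
# rule set above: LAN sources are masqueraded, everything else falls
# through to the default policy and is rejected. The pattern is hard-coded
# to the /24 chosen in LAN_NET.
forward_decision() {
    case "$1" in
        192.168.1.*) echo masquerade ;;
        *)           echo reject ;;
    esac
}
```

Review the output of `build_rules` before calling `apply_rules`; the forwarding chain is flushed first, so run it from the console rather than over a masqueraded session.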