Andrew Suffield wrote:
> On Sat, Feb 10, 2007 at 11:54:45AM -0800, Tom Eastep wrote:
>> Brian J. Murrell wrote:
>>
>>> I think I already posted a tcpdump in this thread that showed the actual
>>> packets that were being considered martians and at tcpdump time, they
>>> were being addressed to the correct address.  In this message:
>>>
>>> http://article.gmane.org/gmane.comp.security.shorewall/15379
>> I see. So it would seem that martian filtering is occurring *after* the
>> destination address is getting rewritten. That seems bogus.
> 
> It runs as part of the routing decision, wherever that fits into the
> process.

That's consistent with what we're seeing.

The best way to work around this is to configure applications on the
firewall so that they use the local IP address that corresponds to the
interface that you want them to use. That approach is mentioned on the
Multi-ISP page in the section entitled "Applications running on the
Firewall".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
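
Added example, not part of the original message or of Shorewall: one way an application on the firewall can pin its source address to a chosen interface's IP by binding before it connects. It assumes Linux, where all of 127.0.0.0/8 is local, so the constructed address 127.0.0.2 stands in for the IP of the interface you want to use; the function names are hypothetical.

```python
import socket
import threading


def connect_from(source_ip, dest, timeout=5.0):
    """Open a TCP connection to dest with the source address pinned to source_ip."""
    # source_address makes create_connection() bind() before connect(), so the
    # kernel does not choose the source address from whichever route it picks.
    return socket.create_connection(dest, timeout=timeout,
                                    source_address=(source_ip, 0))


def observed_source(source_ip, listen_ip="127.0.0.1"):
    """Return (client's local IP, source IP the listener saw) for a bound client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_ip, 0))          # port 0: let the kernel pick a free port
    srv.listen(1)
    seen = {}

    def accept_once():
        conn, peer = srv.accept()
        seen["peer"] = peer[0]        # address the remote side replies to
        conn.close()

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    client = connect_from(source_ip, srv.getsockname())
    local_ip = client.getsockname()[0]
    client.close()
    worker.join(5)
    srv.close()
    return local_ip, seen.get("peer")


if __name__ == "__main__":
    # Constructed address: substitute the IP of the interface you want used.
    print(observed_source("127.0.0.2"))
```

Because the peer sees the bound address, its replies are addressed to that interface's IP rather than to whatever address the default route would have selected.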
