Tom,

Thanks for the fast answer. Now you have started a new day but my day is ending. So:

Tom Eastep wrote:
> Tom Eastep wrote:
>> Note that placing 'Yes' in the ALL INTERFACES column may have satisfied
>> your requirements without this change.
>
> For the 'nat' file, that is.
>
> -Tom

Yes. Those rules go to the chains nat_in and nat_out instead of <iface>_in and <iface>_out. But this will translate packets from the DMZ and other interfaces too. And if those interfaces are normally NOT translated (as in my situation), because they have addresses from a subnet of the external class "C", transmission between the LAN (translated) and the DMZ (not translated) will be NAT-ed, but it is not a must. Transmission between the untranslated DMZ and the translated LAN can be routed only, without NAT. Especially if it should be NAT-T. So this TOTAL translation isn't elegant and may not be convenient.

I think a better solution is grouping interfaces, or enumerating interfaces according to your suggestion. Yes, in the Shorewall conception a zone can be a subset or superset of interfaces. So you are right: it isn't a good solution to allow zones to be used as a general group of interfaces. But maybe another grouping tool is a good solution. Years ago I programmed iptools using the Monmotha script, and for my needs I modified it and looped through a list of external interfaces to duplicate rules. It was a sort of method of enumerating interfaces.

On the other hand, a "net" zone reachable through some number of BGP interfaces is equivalent to one security (or insecurity) zone, so in this situation maybe an interface group is not necessary and maybe a zone as a specific group of interfaces is sufficient... (if it is a superset of interfaces, not a subset). Anyway, for BGP on a number of interfaces we need the notion "group of interfaces" instead of one interface only. Of course, BGP on the client side is a rare solution and ISPs mainly use Cisco. But this needn't be so until the end of the World...

Regards
Andrzej Odyniec
Warsaw, Poland

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
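The "loop over a list of external interfaces to duplicate rules" approach described in the message above, as an added example that is not part of the thread and is not Shorewall's own mechanism: a POSIX shell function that emits one-to-one NAT rules (DNAT on PREROUTING, SNAT on POSTROUTING) only for an enumerated group of uplink interfaces. An interface outside the group, such as a DMZ interface, gets no rule, so LAN-to-DMZ traffic is routed untranslated. The interface names, addresses and mappings are assumptions constructed for the example; the script only prints the iptables commands and does not execute them.

```shell
#!/bin/sh
# Added example, not Shorewall code and not from the mailing-list thread.
# Emit iptables 1:1 NAT rules for an enumerated "group of interfaces"
# (the external/BGP uplinks) only; other interfaces (e.g. DMZ) are left alone.

# Constructed sample data (assumed names/addresses, not from the thread):
# two BGP uplinks, and 1:1 mappings "external:internal" (TEST-NET-3 / RFC 1918).
EXT_IFACES="eth0 eth1"
NAT_MAP="203.0.113.10:192.168.1.10 203.0.113.11:192.168.1.11"

# gen_nat_rules IFACES MAP
#   Prints one iptables command per line: for every uplink in IFACES and
#   every ext:int pair in MAP, a DNAT rule for inbound and an SNAT rule
#   for outbound traffic. Nothing is executed.
gen_nat_rules() {
    ifaces=$1
    map=$2
    for ifc in $ifaces; do
        for pair in $map; do
            ext=${pair%%:*}
            int=${pair#*:}
            # inbound on this uplink: public address -> internal host
            echo "iptables -t nat -A PREROUTING -i $ifc -d $ext -j DNAT --to-destination $int"
            # outbound via this uplink: internal host -> public address
            echo "iptables -t nat -A POSTROUTING -o $ifc -s $int -j SNAT --to-source $ext"
        done
    done
}

# count_rules IFACES MAP -> total number of generated rules
count_rules() {
    gen_nat_rules "$1" "$2" | wc -l | tr -d ' '
}

# rules_for_iface IFACES MAP IFACE -> number of generated rules bound to IFACE
# (grep -c prints 0 on no match but exits 1; "|| true" keeps set -e callers happy)
rules_for_iface() {
    gen_nat_rules "$1" "$2" | grep -c -e "-i $3 " -e "-o $3 " || true
}

# Usage: print the rule set for the two uplinks; a DMZ interface such as
# eth2 is not in EXT_IFACES and therefore never appears in the output.
gen_nat_rules "$EXT_IFACES" "$NAT_MAP"
```

Because the rules are keyed on `-i`/`-o` of the enumerated uplinks, a host in the translated LAN talking to the untranslated DMZ leaves through the DMZ interface and matches nothing in the nat table, which is the behaviour the message asks for. Adding a third uplink is a matter of appending it to the interface list rather than editing every rule.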
