On Sun, 2008-03-30 at 08:06 +0100, Andrew Suffield wrote:
> If ip_forward is never enabled until shorewall has started, then no
> packets will ever pass through the system.

Interestingly simple solution -- for forwarded packets.

> You're then left with just
> local stuff on the firewall itself, which shouldn't really be an issue
> (since you shouldn't be running anything at that point).

Anything running locally should not need (S)NAT anyway.  With the
exception of the "other interfaces source address" SNAT that is done for
MultiISP configurations, but even then, perhaps that situation is
minimal.

> This should be the default behaviour, so I'd be looking into why that
> didn't happen.

Indeed.  Just to be clear, Shorewall will set "net.ipv4.ip_forward=1"
during its setup, so /etc/sysctl should have it =0, yes?

b.
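The check a practitioner would want after this exchange: confirm that the persistent sysctl configuration really leaves net.ipv4.ip_forward at 0 (so nothing is forwarded until Shorewall turns it on), and compare that with the live kernel value before and after the firewall starts. The script below is an added example, not code from this thread or from the Shorewall project. It assumes sysctl.conf-style "key = value" files, where a later assignment overrides an earlier one, and it reads the live value from a /proc path that can be overridden so the functions can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not from the Shorewall thread or project).
# Assumptions: sysctl.conf-style files ("key = value", '#' or ';' comments,
# last assignment wins, "net/ipv4/ip_forward" is the same key as
# "net.ipv4.ip_forward"); the live value is read from a /proc path that a
# second argument can override for testing.

# Print the effective value of KEY across the given sysctl.conf-style files.
# Prints nothing if the key is never assigned (kernel default applies).
sysctl_conf_value() {
    key="$1"; shift
    awk -v key="$key" '
        /^[[:space:]]*([#;]|$)/ { next }          # comments and blank lines
        {
            line = $0
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            sub(/^-/, "", k)                       # sysctl "-key" (ignore-errors) prefix
            gsub(/\//, ".", k)                     # slash form of the key
            if (k == key) { value = v; seen = 1 }  # later assignment overrides
        }
        END { if (seen) print value }
    ' "$@"
}

# Succeed if the persistent config leaves forwarding off: either it sets
# net.ipv4.ip_forward = 0 or never sets it (the kernel default is 0).
forwarding_disabled_in_conf() {
    v=$(sysctl_conf_value net.ipv4.ip_forward "$@")
    [ -z "$v" ] || [ "$v" = "0" ]
}

# Succeed if the live value equals EXPECTED: 0 before Shorewall has started,
# 1 once it has. Returns 2 if the file cannot be read.
live_forwarding_is() {
    expected="$1"
    file="${2:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || return 2
    read -r v < "$file"
    [ "$v" = "$expected" ]
}

# Constructed demonstration: an early drop-in that enables forwarding (the
# mistake) followed by a later one that disables it again; the later one wins.
demo() {
    dir=$(mktemp -d)
    printf 'net.ipv4.ip_forward = 1\n' > "$dir/50-forward.conf"
    printf '# leave forwarding off; Shorewall enables it when it starts\n' > "$dir/99-local.conf"
    printf 'net.ipv4.ip_forward = 0\n' >> "$dir/99-local.conf"
    if forwarding_disabled_in_conf "$dir"/*.conf; then
        echo "persistent config leaves forwarding off until Shorewall starts"
        rc=0
    else
        echo "persistent config enables forwarding before Shorewall starts"
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

On a real host, run forwarding_disabled_in_conf against /etc/sysctl.conf and /etc/sysctl.d/*.conf, then live_forwarding_is 0 before "shorewall start" and live_forwarding_is 1 after it; a mismatch at either point is exactly the window the thread is worried about.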


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users