>> Using iptables for RFC1918 filtration really isn't the best approach in
>> many cases. It's generally better to null-route the RFC 1918 ranges:
>>
>> ip route add unreachable 10.0.0.0/8
>> ip route add unreachable 172.16.0.0/8
>> ip route add unreachable 192.168.0.0/16
>>
>> and enable route filtering on your external interface(s).
>>
>> This approach is not without its hazards though. Consider if you were a
>> customer of an ISP who uses RFC 1918 addresses for its DHCP servers.
>
> Thank you very much for the help, Tom.
> I did the following:
>
> 1. added the options 'routefilter' and 'logmartians' for the external
> interface in the 'interfaces' file
> 2. added your lines above to the 'init' file (I created it myself) in the
> Shorewall config directory (only changed 172.16.0.0/8 to 172.16.0.0/12)
Sorry Tom, but for this configuration I have one question. Where must I
insert the 'ip route del unreachable ...' commands? I tried the 'stop'
and 'stopped' files, but they work for 'shorewall stop' and not for
'shorewall restart'. When I run 'shorewall restart' I see these messages:
...
Processing /etc/shorewall/init ...
RTNETLINK answers: File exists
RTNETLINK answers: File exists
RTNETLINK answers: File exists
...
Therefore I conclude that 'stop'/'stopped' don't work in this case.
Thank you,
Alex
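The "RTNETLINK answers: File exists" lines above show that on 'shorewall restart' the 'init' script is run again while the routes from the previous start are still in the kernel table, so 'ip route add' fails. One way to make this robust is to have the 'init' script add each route only when it is absent and the 'stop' script delete only what is present. The helper below is an added example, not code from the Shorewall project or from this thread; it assumes the 'init'/'stop' extension scripts described above and uses an overridable IP_CMD variable (an assumption made for testing without root) in place of a hard-coded 'ip'. It uses 172.16.0.0/12, as in Alex's correction.

```shell
#!/bin/sh
# Hypothetical helper for a Shorewall 'init' / 'stop' extension script
# (added example; not from the Shorewall project or the mailing-list thread).
# 'unreachable' routes for the RFC 1918 ranges are installed idempotently:
# added only when absent, deleted only when present, so re-running on
# 'shorewall restart' no longer prints "RTNETLINK answers: File exists".

# 172.16.0.0/12 is the correct private range (Alex's fix of the /8 typo).
RFC1918_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Command used to manipulate the kernel routing table. Assumption: made
# overridable so the logic can be exercised against a fake 'ip' as non-root.
IP_CMD="${IP_CMD:-ip}"

# Exit 0 if an 'unreachable' route for prefix $1 is already installed.
# 'ip route show' lists such routes as "unreachable <prefix>".
has_unreachable_route() {
    "$IP_CMD" route show 2>/dev/null |
        awk -v net="$1" '$1 == "unreachable" && $2 == net { found = 1 }
                         END { exit found ? 0 : 1 }'
}

# Number of 'unreachable' routes currently installed (any prefix).
count_unreachable_routes() {
    "$IP_CMD" route show 2>/dev/null |
        awk '$1 == "unreachable" { n++ } END { print n + 0 }'
}

# For the 'init' extension script: add each null route at most once.
add_rfc1918_routes() {
    for net in $RFC1918_NETS; do
        if has_unreachable_route "$net"; then
            echo "unreachable route for $net already present, skipping"
        else
            "$IP_CMD" route add unreachable "$net"
        fi
    done
}

# For the 'stop' extension script: remove only routes that really exist.
del_rfc1918_routes() {
    for net in $RFC1918_NETS; do
        if has_unreachable_route "$net"; then
            "$IP_CMD" route del unreachable "$net"
        fi
    done
}

# Stand-alone usage: rfc1918-routes.sh start|stop
# (from Shorewall's 'init' call add_rfc1918_routes, from 'stop' del_rfc1918_routes)
case "${1:-}" in
    start) add_rfc1918_routes ;;
    stop)  del_rfc1918_routes ;;
esac
```

With this, where the 'del' commands live matters less: 'init' can be re-run any number of times, and 'stop' cleans up only what 'init' actually installed. Tom's caveat still applies: a host that must reach an upstream DHCP server on an RFC 1918 address will be cut off by these routes.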
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users