Tom Eastep wrote:
> Joseph L. Casale wrote:
>>> What exactly are you trying to accomplish? If you are trying to use
>>> the lack of masquerading as a filtering mechanism, I strongly
>>> recommend just using REJECT rules instead.
>>>
>>> -Tom
>>
>> I just want to make sure clients that use shorewall as their
>> gateway to masq outbound traffic can't get to a list of IPs.
> 
> Then forget your masq approach.

Another alternative is to only masq the addresses you specifically want
to allow.

You can put something like this in your masq file:
        eth1    $MY_IPS
and define MY_IPS in params as:
        MY_IPS=192.168.0.0/24

This will mean that only those addresses are allowed to masq out through
your firewall.  Everything else must be either routed with a routable
address, or handled by a specific rule (e.g. DNAT, REDIRECT).

When I managed a school network, I set up my firewall so that even if
the client machines got past the packet filtering rules, they would not
get any traffic out to the Internet because their addresses were not in
the NAT list.  Only servers & sysadmin workstations were allowed to do NAT.

Paul
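To make the "only masq the addresses you want" approach concrete, here is an added illustration (not code from the Shorewall project or from anyone in this thread). It parses a small, constructed params file and masq file in the two-column INTERFACE/SOURCE form shown above, expands $VARIABLES, prints the equivalent plain iptables POSTROUTING rules (an approximation: Shorewall's generated ruleset uses its own chains), and then answers the practical question from the thread: for a given client address leaving a given interface, will it be masqueraded at all? Only comma-separated address lists are supported in the SOURCE column; interface names, exclusions and the ADDRESS column are deliberately left out.

```python
import ipaddress
import re

# Constructed sample config files, modelled on the two lines quoted in the thread.
PARAMS_FILE = """
# params: shell-style variable definitions
MY_IPS=192.168.0.0/24
"""

MASQ_FILE = """
#INTERFACE   SOURCE
eth1         $MY_IPS
"""


def parse_params(text):
    """Return {NAME: value} from a params-style file (comments and blanks ignored)."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def expand(value, params):
    """Expand $NAME or ${NAME} references; unknown names are left untouched."""
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: params.get(m.group(1), m.group(0)), value)


def parse_masq(text, params):
    """Return [(interface, [ip_network, ...])] from a two-column masq file.

    Assumption: SOURCE is a comma-separated list of networks; a missing
    SOURCE column is treated as 'everything', which is the weak setting
    the thread warns against.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        iface = fields[0]
        source = expand(fields[1], params) if len(fields) > 1 else "0.0.0.0/0"
        nets = [ipaddress.ip_network(s, strict=False) for s in source.split(",")]
        rules.append((iface, nets))
    return rules


def to_iptables(rules):
    """Render each (interface, networks) pair as an equivalent iptables nat rule."""
    return [
        f"iptables -t nat -A POSTROUTING -s {net} -o {iface} -j MASQUERADE"
        for iface, nets in rules
        for net in nets
    ]


def will_masquerade(client_ip, out_iface, rules):
    """True if a packet from client_ip leaving out_iface matches some masq entry.

    A client that is not covered keeps its private source address, so even if
    it slips past the filter rules its packets are unroutable upstream.
    """
    ip = ipaddress.ip_address(client_ip)
    return any(iface == out_iface and any(ip in net for net in nets)
               for iface, nets in rules)


if __name__ == "__main__":
    rules = parse_masq(MASQ_FILE, parse_params(PARAMS_FILE))
    for cmd in to_iptables(rules):
        print(cmd)
    for client in ("192.168.0.10", "192.168.1.10"):
        print(client, "masqueraded" if will_masquerade(client, "eth1", rules) else "NOT masqueraded")
```

Running it shows the server subnet 192.168.0.0/24 mapped to a single MASQUERADE rule on eth1, while a host such as 192.168.1.10 on a neighbouring subnet gets no NAT and therefore no usable path out, which is exactly the belt-and-braces effect Paul describes. Pairing this with explicit REJECT rules, as Tom suggests, gives you a logged, intentional block rather than relying on silent upstream drops.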


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users