Def. Quota

Tom Eastep <[email protected]>:

> I see no reason why the entry in tcrules should not work just like your
> manually-added rule. They are exactly the same rule at the iptables
> level -- in the case of the tcrules entry, the rule is only traversed on
> the first output packet in a connection while your rule is traversed by
> every packet originating from the firewall.

Exactly, this is true. The two rules have the same behavior... With the
tcrules and only the second line (nat) it works ok.

> Given that there is no USER/GROUP column in the masq file, there is
> currently no way to replace the second iptables rule exactly using
> standard Shorewall file entries. Is the purpose of the rule to give
> proxy traffic a different SOURCE IP address?

Yes, this is really the question.

Just a proposal: you have no USER/GROUP column in the masq file, but it
can be a good solution to have the possibility to write the USER/GROUP
name in the SOURCE column. In this manner the functionality of the masq
file is the same, but if the SOURCE column is not an address or an
eth/tun* interface it would be a good solution to analyze the SOURCE like
so:

tcrules as seen before

normal masq:

    eth0    eth1                        89.44.55.21
    eth2    192.168.10.0/24

with user/group:

    eth0    USER:dansguardian,squid     89.44.55.22
    eth0    GROUP:www-data              89.44.55.23
    eth0    eth1                        89.44.55.21
    eth2    192.168.10.0/24

What do you think about this????

Thanks for the answer.

Alessio

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
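As an added illustration (not Shorewall's code and not the poster's), this Python sketch expands lines in the proposed masq layout into iptables commands. The rule shapes are assumptions chosen to mirror the tcrules + nat pairing discussed in the thread (mark the owner's first output packet in mangle OUTPUT, then SNAT by mark in nat POSTROUTING); ROUTES is a constructed stand-in for the routing table an interface SOURCE is resolved against.

```python
import ipaddress
import re
# Constructed sample in the proposed masq layout (INTERFACE  SOURCE  ADDRESS);
# the USER:/GROUP: SOURCE syntax is the proposal from the message, not Shorewall's.
PROPOSED_MASQ = """\
eth0  USER:dansguardian,squid  89.44.55.22
eth0  GROUP:www-data           89.44.55.23
eth0  eth1                     89.44.55.21
eth2  192.168.10.0/24
"""
# Constructed stand-in for the kernel routing table (interface -> networks).
ROUTES = {"eth1": ["192.168.1.0/24"]}

def parse_source(src):
    """Classify SOURCE: ('user'|'group', names), ('net', cidr) or ('iface', name)."""
    for kind, prefix in (("user", "USER:"), ("group", "GROUP:")):
        if src.startswith(prefix):
            return kind, src[len(prefix):].split(",")
    try:
        return "net", str(ipaddress.ip_network(src, strict=False))
    except ValueError:
        if re.fullmatch(r"[A-Za-z][\w.:+*-]*", src):
            return "iface", src
    raise ValueError(f"unrecognised SOURCE column: {src!r}")

def expand(line, mark=1):
    """iptables commands one masq line stands for (assumed shapes, see lead-in).
    The owner match only sees locally generated packets, so a USER/GROUP entry
    becomes a mangle OUTPUT MARK on each connection's first packet (what a
    tcrules entry does) plus a nat POSTROUTING SNAT keyed on that mark."""
    fields = line.split()
    iface, src = fields[0], fields[1]
    target = f"-j SNAT --to-source {fields[2]}" if len(fields) > 2 else "-j MASQUERADE"
    kind, value = parse_source(src)
    if kind in ("user", "group"):
        flag = "--uid-owner" if kind == "user" else "--gid-owner"
        rules = [f"iptables -t mangle -A OUTPUT -o {iface} -m conntrack --ctstate NEW"
                 f" -m owner {flag} {name} -j MARK --set-mark {mark}" for name in value]
        rules.append(f"iptables -t nat -A POSTROUTING -o {iface} -m mark --mark {mark} {target}")
        return rules
    nets = [value] if kind == "net" else ROUTES[value]
    return [f"iptables -t nat -A POSTROUTING -o {iface} -s {net} {target}" for net in nets]

def expand_file(text):
    """Expand every non-comment line, giving each line its own mark value."""
    rules = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            rules.extend(expand(line, mark=number))
    return rules
```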
