Bráulio Gergull wrote:
>> First of all, using MASQUERADING as a means for controlling access is not a good idea. You should use MASQUERADING to rewrite the SOURCE IP address and you should use filter rules to control access.
>
> That's a point of view. Generally I have all outgoing traffic blocked, most outgoing traffic will be handled by proxies, and for some exceptions I do masquerading as necessary on a specific basis. But OK, I'm still trying to understand Shorewall concepts more deeply.
It may be a point of view but it is not without reason. All outgoing connections pass through the nat table POSTROUTING chain. So having a large set of rules there that duplicate filter rules:

a) Needlessly passes connections such as those from your proxy to the net through a series of rules that they can't possibly match.

b) Needlessly duplicates filtering that you have already done in a more focused way in the filter table.

c) Unless the nat and filter rules are carefully synchronized, it is possible to send un-masqueraded packets with private source IP addresses onto the Internet, wasting bandwidth and annoying your internal users because their connections time out.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
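To make the separation Tom describes concrete, here is an added example of the three Shorewall configuration fragments involved; it is not from this thread or from the Shorewall project, and the interface name (eth0), the zone names (loc, net, fw), the internal subnet (10.0.0.0/8) and the host 10.1.1.20 are assumed values. The masq entry rewrites the source address of everything leaving eth0 from the internal range, so no private-source packet can reach the Internet un-masqueraded, while the default-deny policy and the per-host exceptions live in the filter table (policy and rules files), which is where access control belongs.

```text
# /etc/shorewall/masq  -- nat table POSTROUTING: source rewriting only
#INTERFACE   SOURCE          ADDRESS
eth0         10.0.0.0/8

# /etc/shorewall/policy -- filter table defaults: everything outbound from
# loc is dropped unless a rule below explicitly allows it
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    DROP     info
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules -- filter table exceptions, one per allowed case
#ACTION   SOURCE            DEST   PROTO   DEST PORT(S)
ACCEPT    loc:10.1.1.20     net    tcp     443
ACCEPT    loc               net    udp     123
```

With this layout, the proxy on the firewall itself (zone fw) is covered by a single policy line rather than by passing through masquerading rules it can never match, and tightening or loosening access means editing only the rules file; the masq entry never has to be kept in step with it.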
