On Wed, Aug 26, 2009 at 3:14 PM, Tom Eastep <[email protected]> wrote:
> Bráulio Gergull wrote:
>
> >
> > First of all, using MASQUERADING as a means for controlling access is
> > not a good idea. You should use MASQUERADING to rewrite the SOURCE IP
> > address and you should use filter rules to control access.
> >
> >
> > That's a point of view. Generally I have all outgoing traffic blocked,
> > most outgoing traffic will be handled by proxies, and for some
> > exceptions I do masquerading as necessary on a specific basis. But OK, I'm
> > still trying to understand Shorewall concepts more deeply.
>
> It may be a point of view but it is not without reason.
>
> All outgoing connections pass through the nat table POSTROUTING chain.
> So having a large set of rules there that duplicate filter rules:
>
> a) Needlessly passes connections such as those from your proxy to the
> net through a series of rules that they can't possibly match.
>
> b) Needlessly duplicates filtering that you have already done in a more
> focused way in the filter table.
>
> c) Unless the nat and filter rules are carefully synchronized, it is
> possible to send un-masqueraded packets with private source IP
> addresses onto the Internet wasting bandwidth and annoying your
> internal users because their connections time out.
>
>
OK, got it! Still learning the inner behavior of shorewall... :)
Thanks again,
Braulio Gergull
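Tom's point (c) is easy to see in a toy model of the traversal order he describes: a forwarded packet is judged by the filter table FORWARD chain first, and only then reaches the nat table POSTROUTING chain where MASQUERADE rewrites the source. The following Python is an added example, not part of this thread and not Shorewall or netfilter code. It assumes a constructed LAN 192.168.1.0/24 behind a firewall whose external address is 198.51.100.1, and it models only first-match rule lists, not real iptables semantics. Two rule sets are compared: one where the per-host access decisions live in the masquerade rules (and the filter and nat lists have drifted apart), and one where the filter table controls access and a single masquerade rule covers the whole LAN.

```python
"""Toy model of netfilter traversal for forwarded packets (added example, not Shorewall code).

Order modelled: filter FORWARD (policy DROP, first match wins) -> nat POSTROUTING (MASQUERADE).
A packet that clears the filter but matches no masquerade rule leaves with its private
source address intact, which is exactly the failure mode described in the thread.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Constructed addresses: the LAN behind the firewall and the firewall's external address.
LAN = ipaddress.ip_network("192.168.1.0/24")
EXT_IP = "198.51.100.1"
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    out_iface: str = "eth0"  # assumed external interface name


Match = Callable[[Packet], bool]


def is_private(addr: str) -> bool:
    """True if addr falls in an RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


# Small matcher helpers standing in for iptables -s / --dport matches.
def src_in(net: ipaddress.IPv4Network) -> Match:
    return lambda p: ipaddress.ip_address(p.src) in net


def src_is(host: str) -> Match:
    return lambda p: p.src == host


def dport_is(port: int) -> Match:
    return lambda p: p.dport == port


def all_of(*matches: Match) -> Match:
    return lambda p: all(m(p) for m in matches)


def forward(pkt: Packet,
            filter_rules: List[Tuple[Match, str]],
            masq_rules: List[Match]) -> Optional[Packet]:
    """Run one packet through filter FORWARD, then nat POSTROUTING.

    Returns the packet as it would appear on the wire, or None if dropped.
    """
    # filter table, FORWARD chain: first matching rule decides; no match -> policy DROP.
    for match, verdict in filter_rules:
        if match(pkt):
            if verdict != "ACCEPT":
                return None
            break
    else:
        return None
    # nat table, POSTROUTING chain: first matching MASQUERADE rule rewrites the source.
    for match in masq_rules:
        if match(pkt):
            return replace(pkt, src=EXT_IP)
    return pkt  # forwarded, but with the original (private) source address


def leaked(packets: List[Packet],
           filter_rules: List[Tuple[Match, str]],
           masq_rules: List[Match]) -> List[Packet]:
    """Packets that reach the net carrying a private source address."""
    on_wire = (forward(p, filter_rules, masq_rules) for p in packets)
    return [p for p in on_wire if p is not None and is_private(p.src)]


# Constructed sample traffic: two LAN hosts talking HTTPS, one trying SMTP.
TRAFFIC = [
    Packet("192.168.1.50", "203.0.113.10", 443),
    Packet("192.168.1.51", "203.0.113.10", 443),
    Packet("192.168.1.51", "203.0.113.10", 25),
]

# Drifted rule sets: the filter admits the whole LAN on 443, but the nat table was
# written as an access list and only masquerades one host.
FILTER_LOOSE = [(all_of(src_in(LAN), dport_is(443)), "ACCEPT")]
MASQ_PER_HOST = [all_of(src_is("192.168.1.50"), dport_is(443))]

# Recommended split: the filter table decides who may go out; one masquerade rule
# rewrites the source of everything from the LAN that makes it that far.
FILTER_STRICT = [(all_of(src_is("192.168.1.50"), dport_is(443)), "ACCEPT")]
MASQ_ALL_LAN = [src_in(LAN)]

if __name__ == "__main__":
    print("leaked with drifted rules:", leaked(TRAFFIC, FILTER_LOOSE, MASQ_PER_HOST))
    print("leaked with filter-controls-access:", leaked(TRAFFIC, FILTER_STRICT, MASQ_ALL_LAN))
```

With the drifted rule sets, 192.168.1.51's HTTPS connection clears the filter, misses every masquerade rule, and leaves with its 192.168.1.x source; the reply can never come back, so the user sees a timeout, which is the symptom Tom describes. With the recommended split the same packet is dropped in the filter table, and the permitted host is always rewritten, so nothing private ever reaches the wire.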
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users