Hello,

,- - [ On Thursday 12 January 2012 around 19:05 Tom Eastep wrote: ] - -
|
>> # nat
>> 1.1.1.2 eth0 10.1.1.2 no no
>> 1.1.1.2 eth1 10.1.1.2 no no
>> 1.1.1.3 eth0 10.1.1.3 no no
>> 1.1.1.3 eth1 10.1.1.3 no no
>
> There is no reason not to use your rules. But these rules do the same thing:
>
> 1.1.1.2 eth0 10.1.1.2 yes -
> 1.1.1.2 eth1 10.1.1.2 yes -
>
> and are documented in FAQ 2a.
|
`- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I suppose that you mean

1.1.1.2 eth0 10.1.1.2 yes -
1.1.1.3 eth0 10.1.1.3 yes -

?

According to FAQ 2a, with these settings I should also set a masq ( eth1 eth1 1.1.1.1 ) to allow servers to use the public IP to connect to each other, meaning that all loc->loc traffic appears to originate on the firewall, from the 1.1.1.1 IP, and not from the public IP of the real originating server... It's precisely what I would like to avoid and the reason why I've set two explicit NAT rules...

It's also confirmed by the http://www.shorewall.net/NAT.htm page:

Specifying “Yes” in this column will not by itself allow systems on the lower LAN to access each other using their public IP addresses.

--
Best regards...
 _
(_' A server problem? Fast, professional diagnosis for 25 euros!
,_)téphane Bouvard http://www.infogerance-serveurs.com
