On Fri, Oct 14, 2016 at 1:14 PM, Simon Hobson <li...@thehobsons.co.uk> wrote:

> Ex 1: simple :)
> >
> > rules:
> > NTP(ACCEPT) { source=lan dest=net:$NTP_HOST }
> >
> > masq:
> > $IF_NET { source=$LAN address=$GW_IP proto=udp port=ntp }
> >
> > Ok, no big deal really but would look nicer with a macro :)
> The first thing that comes to mind is - do you not have any default
> outbound masq rules that will cover most of this ? I normally have a masq
> rule mapping internal networks to the default outside address, and only
> have per-device masq rules if I need something different to that (which
> isn't that common).
> I see from looking at one of my routers that I have a param used in my masq
> file :
> ethext:!$MasqExcl   192.168.xx.0/24     nn.nn.nn.nn

That's not fair, you focused on the "simple" example :) Of course I have a
ready-to-use "masq" file covering most of my common needs for all the
firewalls I'm in charge of.

What worries me are the very specific situations like the EPT device I
mentioned and other even crappier devices that drive me nuts thanks to
their awful design. Samsung DVRs managing CCTVs are among the worst, with a
dozen TCP/UDP ports to open plus port ranges for RTSP access, etc.

The "rules" file is clean with a macro covering all this. The "masq" file
OTOH is way less readable at first sight.
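As an added illustration (not from the original thread, and not a Shorewall project example), here is how the per-device SNAT entries the post complains about can be kept readable by moving the port lists into params and leaving the masq file itself to the classic columns. The variable names, interface, addresses and the DVR port list are all assumptions for this example; the port numbers are constructed placeholders, not a vendor-documented set.

```shorewall
# params (assumed names and values)
IF_NET=eth0
LAN=192.168.1.0/24
GW_IP=203.0.113.10
DVR_IP=192.168.1.50
# placeholder port lists; Shorewall writes ranges as low:high
DVR_TCP=80,554,4520:4524
DVR_UDP=4520:4524

# masq
#INTERFACE:DEST  SOURCE    ADDRESS  PROTO  PORT(S)
# device-specific entries first: SNAT only the DVR's own ports to $GW_IP
$IF_NET          $DVR_IP   $GW_IP   tcp    $DVR_TCP
$IF_NET          $DVR_IP   $GW_IP   udp    $DVR_UDP
# blanket entry for everything else on the LAN; entries are matched in order
$IF_NET          $LAN      $GW_IP
```

Restricting the PROTO and PORT(S) columns keeps the source-NAT scoped to the traffic the device actually generates, so a later blanket entry still covers the rest of the LAN and the odd device's requirements stay in one named list rather than scattered across the file.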

Shorewall-users mailing list
