Hi,

On 2003-11-04 15:01 (local), Peter Robb wrote:
> There isn't anything going into the network behind the firewall because there
> aren't any DNAT rules loaded to direct them there..
> Only place they can go is down the INPUT chain...
> And the same for outgoing connections, there isn't any masquerade to give
> them an internet number for replies..
> 
> So it kind of makes sense to leave it in the /etc/sysctl.conf file, but
> delay loading the DNAT and SNAT rules until the end of the
> rule lists to make sure the filtering is active before anything can connect.

You seem to forget people who have enough IP addresses to put routable
ones on all their computers... And even without talking of them (who are
lucky enough not to have protocols locked by lack of NAT support), most people
would have servers with routable IP addresses on their DMZ, wouldn't they?

Regards, J.C.

P.S. : don't misread me: I love NAT! ;-)
-- 
J.C. ANDRÉ <[EMAIL PROTECTED]> http://www.vn.refer.org/
Regional technical coordinator / Technology associate, Reflets project (CODA)
Agence universitaire de la Francophonie (AuF) / Bureau Asie-Pacifique (BAP)
Postal address: AUF, 21 Lê Thánh Tông, T.T. Hoàn Kiếm, Hà Nội, Việt Nam
Tel.: +84 4 9331108   Fax: +84 4 8247383   Mobile: +84 91 3248747
Personal note: please avoid sending me PowerPoint or Word files; see http://www.fsf.org/philosophy/no-word-attachments.fr.html
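The load ordering the two posts argue about, as an added example (not code from either poster): a POSIX shell function that turns forwarding off, sets default-deny policies and loads the filter rules before any DNAT/SNAT rule, and only then re-enables forwarding, so routable DMZ hosts are never reachable through an unfiltered router. Interface names, DMZ_NET, the LAN host and the IPT/SYSCTL overrides are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): load an iptables ruleset in an order
# that keeps routed (non-NAT) traffic blocked until the filter rules exist.
# Assumed placeholders: WAN/DMZ interfaces, DMZ_NET (documentation prefix),
# LAN_HOST (constructed), and IPT/SYSCTL overrides (set both to "echo" for a dry run).
WAN=${WAN:-eth0}
DMZ=${DMZ:-eth1}
DMZ_NET=${DMZ_NET:-203.0.113.0/24}
LAN_HOST=${LAN_HOST:-192.168.1.10}
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

load_firewall() {
    # 1. Stop routing first: with ip_forward=1 and empty chains, packets
    #    addressed to routable DMZ hosts are forwarded with no filtering at all.
    "$SYSCTL" -w net.ipv4.ip_forward=0

    # 2. Default-deny on INPUT and FORWARD before any rule is added.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -t nat -F

    # 3. Filter rules for traffic routed to/from the DMZ.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport 80 -j ACCEPT
    "$IPT" -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT

    # 4. NAT rules last, as the quoted post suggests: DNAT for a LAN host,
    #    masquerading for outbound LAN traffic.
    "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport 443 -j DNAT --to-destination "$LAN_HOST":443
    "$IPT" -A FORWARD -i "$WAN" -d "$LAN_HOST" -p tcp --dport 443 -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # 5. Only now re-enable routing.
    "$SYSCTL" -w net.ipv4.ip_forward=1
}
```

With IPT=echo and SYSCTL=echo the function prints the commands in order instead of running them, which is a cheap way to review the sequence before touching a live router.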
