Karl E. Jørgensen wrote:
> 
> On 16/08/13 13:12, Pascal Hambourg wrote:
>>
>> Karl E. Jørgensen wrote:
>>>
>>> Why do you need shorewall to wait for the interface?
>> Maybe because it needs to know its IP address ?
> 
> Yes - that's sort of what I was alluding to. If the box is a router,
> then (I thought) that people normally set it up to do masquerading,
> rather than SNAT with a specific IP, as masquerading picks the IP
> address on the outgoing interface...

Sometimes the IP address is required, e.g. for tightened filtering
rules, or when you set port forwarding and you want it to work
seamlessly from within the LAN, so instead of:

iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport xx -j DNAT...

you need

iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport xx -j DNAT...
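
An added example, not part of the original message: the address-matched rule can only be built once the WAN interface actually has an address, which is why the firewall has to wait for it. This shell script parses `ip -4 -o addr show dev ppp0` style output, refuses to emit a rule when no address is present, and otherwise prints the `-d` form of the rule. The function names, the sample `ip` output, the port 8080 and the target 192.168.1.10:80 are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the address-matched DNAT rule only when the WAN
# interface has an IPv4 address. All concrete values are constructed samples.

# Constructed sample of `ip -4 -o addr show dev ppp0` with the link up.
SAMPLE_UP='5: ppp0    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp0'

# wan_ipv4: read one-line-per-address `ip -4 -o addr show` output on stdin and
# print the first IPv4 address without its prefix length. Exits non-zero when
# no well-formed address is found (interface down or not yet configured).
wan_ipv4() {
    awk '$3 == "inet" && $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
             split($4, a, "/"); print a[1]; found = 1; exit
         }
         END { exit !found }'
}

# dnat_rule WAN_IP PROTO DPORT TARGET: print a PREROUTING rule that matches on
# the destination address rather than the input interface, so it also applies
# to connections that arrive from the LAN side.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$2" "$3" "$4"
}

# build_forward: stdin is `ip` output; prints the rule, or fails with a
# message on stderr so the caller can defer firewall start-up.
build_forward() {
    addr=$(wan_ipv4) || {
        echo "no IPv4 address on WAN interface yet; not emitting rule" >&2
        return 1
    }
    dnat_rule "$addr" tcp 8080 192.168.1.10:80
}

# Link up: the rule is printed (not applied) for review.
printf '%s\n' "$SAMPLE_UP" | build_forward

# Link down: `ip` prints nothing, so no rule is produced.
printf '' | build_forward || echo "deferred until the interface is up"
```

On a live system the input would come from `ip -4 -o addr show dev ppp0`; the script only prints the rule so it can be inspected before being applied.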

