Thanks. I added the chains to the ipchains.forward file and everything works fine.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charles Steinkuehler
Sent: Saturday, November 10, 2001 6:16 PM
To: Barry Martin; 'LEAF'
Subject: [Leaf-user] Re: Dachstein and forward rules

> Charles, how are you setting up the forward rules in Dachstein for
> IPSEC? Is there still a walk-list or do I need to write my own ipchains
> in the ipchains.forward script?

I assume you're referring to the forwarding rules that allow packets to cross the VPN...ie the rules that accept packets from your local subnet to the remote subnet.

Your options are to either add these rules to ipchains.forward, in which case they will *ALWAYS* be in effect...not a problem if you're using private IP space and the output garbage filters are still in place, but this *CAN* allow data that should be encrypted out over the 'net if you're using public IPs or if you're using private IPs and don't have the output garbage filters enabled (in this case, the traffic won't get far, but someone nearby could still sniff it...especially if you're on a cable-modem or similar shared access line).

The other option is to let IPSec create the forwarding rules for you (left|rightfirewall=yes). This dynamically brings the forwarding rules up/down with the IPSec link, ensuring you won't send anything in the clear that should be encrypted, but you have to remember to restart IPSec if you need to reload your firewall rules, as the IPSec forward rules will be lost. There are more elegant ways around this (ie have IPSec add/remove its forwarding rules from a custom chain that the automated firewall scripts call, but don't clear), but I haven't bothered to set it up...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
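The "custom chain" arrangement mentioned at the end of the reply above, written out as an added example; this is not code from the thread, from Dachstein, or from FreeS/WAN. It assumes a chain name of ipsec-fwd, the FreeS/WAN _updown environment variables (PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT), and that the firewall reload script flushes the built-in forward chain but never touches the custom one. When ipchains is not available, or the script is run unprivileged, the commands are echoed instead of executed so the logic can be read and dry-run.

```shell
#!/bin/sh
# Added example (not from the LEAF thread or any LEAF/FreeS/WAN release).
# Goal: keep the IPSec forward rules in a dedicated chain that the firewall
# scripts jump to but never flush, so a firewall reload keeps the VPN rules
# and IPSec does not have to be restarted.
# Assumptions: chain name "ipsec-fwd"; FreeS/WAN _updown variables
# PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT are set by pluto.

IPSEC_CHAIN=ipsec-fwd

# Dry-run fallback: echo the commands unless we are root and ipchains exists.
if [ "$(id -u)" = 0 ] && command -v ipchains >/dev/null 2>&1; then
    IPCHAINS=ipchains
else
    IPCHAINS=echo
fi

# Rule body accepting traffic between the local and remote subnets, one line.
# $1 = ipchains action (-A add, -D delete), $2 = local subnet, $3 = remote subnet
ipsec_forward_rule() {
    printf '%s %s -s %s -d %s -j ACCEPT\n' "$1" "$IPSEC_CHAIN" "$2" "$3"
}

# Firewall-script side (e.g. called from ipchains.forward): create the chain
# if it is missing and make the built-in forward chain consult it. The custom
# chain is deliberately NOT flushed here; only the jump is (re)installed, so
# the rules IPSec added earlier survive a firewall reload.
firewall_setup_ipsec_chain() {
    $IPCHAINS -N "$IPSEC_CHAIN" 2>/dev/null
    $IPCHAINS -D forward -j "$IPSEC_CHAIN" 2>/dev/null   # avoid a duplicate jump
    $IPCHAINS -A forward -j "$IPSEC_CHAIN"
}

# IPSec-side helper: map the updown verb to an ipchains action.
# Prints -A for up-client, -D for down-client, nothing for other verbs.
updown_action() {
    case "$1" in
        up-client)   printf '%s\n' -A ;;
        down-client) printf '%s\n' -D ;;
        *)           ;;
    esac
}

# IPSec-side hook: called by pluto with PLUTO_* in the environment; adds or
# removes this tunnel's forward rule in the custom chain. Returns 1 for verbs
# we do not handle, so the rest of a real _updown script can continue.
ipsec_updown() {
    action=$(updown_action "$PLUTO_VERB")
    [ -n "$action" ] || return 1
    # shellcheck disable=SC2046  # word splitting of the rule is intended
    $IPCHAINS $(ipsec_forward_rule "$action" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT")
}

# Stand-alone dry run with constructed subnets (not real site data).
if [ "${1:-}" = demo ]; then
    firewall_setup_ipsec_chain
    PLUTO_VERB=up-client PLUTO_MY_CLIENT=192.168.1.0/24 PLUTO_PEER_CLIENT=10.0.0.0/24 ipsec_updown
    PLUTO_VERB=down-client PLUTO_MY_CLIENT=192.168.1.0/24 PLUTO_PEER_CLIENT=10.0.0.0/24 ipsec_updown
fi
```

Run it as `sh script.sh demo` on a machine without ipchains to see the exact rules it would install and remove. The important property is in firewall_setup_ipsec_chain: it re-creates the jump but never runs `-F` on the custom chain, which is what lets the firewall be reloaded underneath a live tunnel without losing the accept rules, while the rules still disappear when the tunnel goes down.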
