> So if NAT is turned off and I have straightforward routing happening, will the Shorewall rules mean only what it says will get through? Or will Shorewall just forward packets addressed to the firewall to another server, without interfering with packets addressed to the other public servers? (Sorry, I confess I don't know too much about Shorewall etc.!)
In the absence of any entries in /etc/shorewall/nat or /etc/shorewall/netmap and without any DNAT rules (the Shorewall manifestation of 'NAT is turned off'), any packets addressed to the firewall will be handled according to net->fw rules and the applicable policy; they will not be forwarded off to some random server.
> Also, when packets are forwarded to another server, does anything need to be done on the other server, so it can talk to the requester properly, and go back through the leaf box? Or does it just act as if it came direct to itself?
The route back to the client should go through the firewall if the original request came through the firewall (in other words, your routing should be symmetric). While that isn't a hard requirement (Shorewall can be configured to only listen to one side of the conversation), it's certainly the most common approach.
-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,      \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
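The two answers above describe a routed (no-NAT) Shorewall setup in prose. The configuration below is an added illustration, not part of the original thread and not taken from the Shorewall project's own documentation. It assumes a three-interface LEAF box with the public servers on a "dmz" zone that carries routable addresses, and the addresses 203.0.113.0/28 (dmz subnet), 203.0.113.1 (firewall's dmz address) and 203.0.113.10 (a public web server) are made up for the example. File formats follow the Shorewall 2.x convention of the period (column-oriented, `fw` as the firewall zone name).

```text
# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
dmz     DMZ       Public servers with routable (non-NAT) addresses
loc     Local     Private LAN

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
dmz     eth1        detect
loc     eth2        detect

# /etc/shorewall/policy
# Default for anything a rule does not explicitly match.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Packets addressed to the firewall itself are matched here (net->fw);
# anything not listed falls through to the net->all DROP policy above.
#ACTION   SOURCE   DEST               PROTO   DEST PORT(S)
ACCEPT    net      fw                 tcp     22
ACCEPT    net      fw                 icmp    8
# Packets addressed to the public servers are routed, not translated:
# an ACCEPT rule per exposed service is all that is needed. The firewall
# only forwards what these rules (or the dmz policy) allow.
ACCEPT    net      dmz:203.0.113.10   tcp     80,443
ACCEPT    loc      dmz                tcp     22,80,443
# A DNAT rule is what "NAT turned on" would look like; it is deliberately
# absent in a routed setup. Shown commented out for contrast only.
#DNAT     net      loc:192.168.1.10   tcp     80

# /etc/shorewall/nat and /etc/shorewall/netmap
# Left empty: no one-to-one NAT and no network mapping.

# On the public server (203.0.113.10), not on the firewall: the reply path
# must go back through the LEAF box so routing stays symmetric, as the
# answer above recommends.
#   ip route replace default via 203.0.113.1 dev eth0
```

Before restarting, run `shorewall check` on the firewall; it parses the configuration and reports column or zone errors without touching the live ruleset. After `shorewall restart`, a request from the Internet to 203.0.113.10:80 is forwarded because of the `net -> dmz` ACCEPT line, a request to the firewall's own port 22 is accepted by the `net -> fw` line, and anything else from `net` is dropped and logged by the policy; nothing addressed to the firewall is ever redirected elsewhere, since no DNAT, nat or netmap entry exists.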
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
