Thanks for the reply Mark.

On Mon, 21 Jun 1999, Mark Johnson wrote:

> > Jun 19 20:13:22 router kernel: IP fw-out deny ppp0 UDP W.X.Y.Z:61233 E.F.G.H:53 L=65 S=0x00 I=4864 F=0x0000 T=31
> 
> I believe this message indicates that a "-O" rule or policy is denying
> transit. Check your default policies.

Exactly - I don't want any 'private' traffic routed directly (i.e. 'fw-out')
unless it is masqueraded. This rule is 100% applicable, and you are right
that it is the one being caught by the '-O' policy - however it's because
I want to know if the kernel is stupidly forwarding instead of
masquerading, which is my problem here.

> > Here are my masquerading rules:
> >
> > ipfwadm -F -f
> > ipfwadm -F -p deny
> >
> > echo "masquerade-forwarding from $PRIVATE_NET"
> > ipfwadm -F -a accept -m -W $PUBLIC_INT -S $PRIVATE_NET
> 
> Is this properly constructed? I don't think that you need to use
> 'accept' with masquerading rules.

I am from the 'old' school where this was the specified way to get
masquerading working. Some newer HOWTOs claim a slight difference in the
syntax. However, they both work.

> 
> >
> > echo "masquerade-forwarding on $DIALD_INT from $PRIVATE_NET"
> > ipfwadm -F -a accept -m -W $DIALD_INT -S $PRIVATE_NET
> 
> I don't believe you need this masquerading rule. I'm using ipchains now;
> I use the diald ip-up and ip-down options to specify scripts that bring
> the firewall up or down when the link to the ISP comes up or down. When
> the link is down, I permit all forwarding.
> 

I have to allow masquerading on the diald interface, otherwise 1) the diald
interface will never get traffic and thus never bring the link up, and 2)
if I don't masquerade then when diald 'switches' the traffic over to the
ppp0 link it will not be masqueraded - anyway, this is what I thought
made sense. I will try out your method of just plain old forwarding on the
DIALD_INT and only masquerading on the PUBLIC_NET.

> You might want to try:
> ipfwadm -F -a accept -W $DIALD_INT -S $PRIVATE_NET
> 

Thanks - will give it a try...

> >
> > ipfwadm -F -a deny -o
> >

--

============ Geek Technology at its best: http://nuked.org ===============
``````````````````````````````````````````````````````````````````````````
Rod Moffitt  ICQ# 6696644    Linux: multi-platform, multi-tasking,
[EMAIL PROTECTED]                multi-user, fast & free! http://www.linux.org
PGP RSA KeyID 570A0731       Protect your privacy!     http://www.pgpi.com
http://rodmoffitt.org        Net, s/w & h/w consulting: http://vissitt.com
..........................................................................
========= Where loved ones are remembered: http://memoriam.org ===========

         Last yeer I kudn't spel Engineer.  Now I are won.



-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]
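The diagnostic question in the exchange above is whether the kernel is forwarding private-source packets out the ppp0 interface unmasqueraded (which is what an "IP fw-out deny ppp0 UDP <private>:<port> <dst>:53" line implies). The following is an added example, not code from either poster or from the diald project: a POSIX shell filter that reads ipfwadm "fw-out deny" kernel log lines and reports the ones whose source address is RFC 1918 private and whose interface is the public one. The log lines embedded in SAMPLE_LOG are constructed for the example (documentation and RFC 1918 addresses), as are the function names.

```shell
#!/bin/sh
# Added example: flag "fw-out deny" log lines whose source address is an
# RFC 1918 private address leaving the public interface. Such a line means
# the kernel forwarded the packet without masquerading it.
#
# Constructed sample lines in the ipfwadm-era kernel log format:
#   IP fw-out deny <iface> <proto> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=..
SAMPLE_LOG='Jun 19 20:13:22 router kernel: IP fw-out deny ppp0 UDP 192.168.1.10:61233 198.51.100.53:53 L=65 S=0x00 I=4864 F=0x0000 T=31
Jun 19 20:13:23 router kernel: IP fw-out deny ppp0 TCP 10.0.0.5:1025 203.0.113.7:80 L=60 S=0x00 I=4865 F=0x4000 T=63
Jun 19 20:13:24 router kernel: IP fw-out deny ppp0 UDP 203.0.113.9:61234 198.51.100.53:53 L=65 S=0x00 I=4866 F=0x0000 T=31
Jun 19 20:13:25 router kernel: IP fw-out deny eth0 UDP 192.168.1.10:61235 198.51.100.53:53 L=65 S=0x00 I=4867 F=0x0000 T=31
Jun 19 20:13:26 router kernel: IP fw-out deny ppp0 UDP 172.31.4.2:61236 198.51.100.53:53 L=65 S=0x00 I=4868 F=0x0000 T=31'

# is_rfc1918 ADDR: succeed (return 0) if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*)      return 0 ;;
        192.168.*) return 0 ;;
        172.*)
            # Second octet must be 16..31 for 172.16.0.0/12.
            second=${1#172.}
            second=${second%%.*}
            case "$second" in
                1[6-9]|2[0-9]|3[01]) return 0 ;;
            esac
            ;;
    esac
    return 1
}

# leaked_private PUBIF: read kernel log lines on stdin and print
# "<iface> <proto> <src> -> <dst>" for each "fw-out deny" on PUBIF whose
# source address is private, i.e. a packet that left unmasqueraded.
leaked_private() {
    pubif=$1
    while IFS= read -r line; do
        case "$line" in
            *"IP fw-out deny $pubif "*) ;;
            *) continue ;;
        esac
        # Everything after "deny <iface> " is: proto src:sport dst:dport ...
        rest=${line#*"IP fw-out deny $pubif "}
        # Intentional word splitting to pick the fields apart.
        set -- $rest
        proto=$1
        src=${2%:*}
        dst=${3%:*}
        if is_rfc1918 "$src"; then
            printf '%s %s %s -> %s\n' "$pubif" "$proto" "$src" "$dst"
        fi
    done
}

# count_leaks PUBIF: number of leaked lines in the constructed sample.
count_leaks() {
    printf '%s\n' "$SAMPLE_LOG" | leaked_private "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample (on a real router: grep 'fw-out deny' /var/log/messages | leaked_private ppp0).
printf '%s\n' "$SAMPLE_LOG" | leaked_private ppp0
```

With the sample above, three of the five lines are reported for ppp0 (the 192.168.1.10, 10.0.0.5 and 172.31.4.2 sources); the 203.0.113.9 line is a public source and the eth0 line is on the wrong interface. Any hit means the masquerade rule did not match that packet and the '-O' deny policy caught it, which is the case the thread is chasing.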
