Chuck Gadd wrote:
> > > ipfwadm -I -a deny aaa.bbb.ccc.ddd -S 192.168.1.0/24 -D 0.0.0.0/0
> > > ipfwadm -I -a deny aaa.bbb.ccc.ddd -s aaa.bbb.ccc.ddd -D 0.0.0.0/0
> >
> > This syntax is bogus. Did you mean to have a -V in there somewhere?
>
> Ummm, yup. I dropped it when I copied that line from a book! If I
> remember to include the -V in there before the aaa.bbb.ccc.ddd would
> it then deny packets with the 192.168.1.0/24 network address from
> coming in the aaa.bbb.ccc.ddd interface?
Yes.
> > Your original rules are OK, although I would add an interface
> > specification, i.e.
> >
> > ipfwadm -F -p deny
> > ipfwadm -F -a m -S 192.168.1.0/24 -W eth1
> >
> > (assuming that eth1 is the external interface).
>
> What does the -W eth1 do?
It causes the rule to only match packets which are to be sent from
eth1. It is equivalent to `-V x.x.x.x', where x.x.x.x is the IP
address of eth1.
> Does it tell it to only Masquerade from the eth1? So if eth1 was
> connected to the local network (192.168.1.0) then only packets
> coming in that interface would be masqueraded.
The interface specification (-V/-W) for a forwarding (-F) rule applies
to the outgoing interface, so the above rules would forward and
masquerade packets with a source address of 192.168.1.* which were to
be sent from eth1, and reject everything else (except replies to
masqueraded packets, which are demasqueraded and forwarded
automatically).
--
Glynn Clements <[EMAIL PROTECTED]>
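To make the outgoing-interface point concrete, here is a small Python model of how the forwarding (-F) chain above decides what to do with a packet; it is added here and is not code from the thread or from ipfwadm itself, the sample packets are constructed, and the automatic demasquerading of replies is left out of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of ipfwadm -F (forwarding chain) matching, written to show
# that -W/-V on a forwarding rule selects the OUTGOING interface, not the one
# the packet arrived on. This is an illustration, not ipfwadm's code.

@dataclass(frozen=True)
class Rule:
    action: str                        # "masquerade", "accept" or "deny"
    src: ipaddress.IPv4Network         # the -S network
    out_iface: Optional[str] = None    # the -W interface (None = any)

@dataclass(frozen=True)
class Packet:
    src: str        # source address as printed
    in_iface: str   # interface the packet arrived on (ignored by -F rules)
    out_iface: str  # interface the packet is about to leave on

def forward_decision(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Return the action for pkt: first matching rule wins, else the policy."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if src not in r.src:
            continue
        # Forwarding rules look at where the packet is going out,
        # so in_iface plays no part in the match.
        if r.out_iface is not None and r.out_iface != pkt.out_iface:
            continue
        return r.action
    return policy

# ipfwadm -F -p deny
POLICY = "deny"
# ipfwadm -F -a m -S 192.168.1.0/24 -W eth1
RULES = [Rule("masquerade", ipaddress.ip_network("192.168.1.0/24"), "eth1")]

SAMPLES = [
    Packet("192.168.1.10", "eth0", "eth1"),  # LAN host leaving via eth1: masqueraded
    Packet("192.168.1.10", "eth0", "eth2"),  # LAN host leaving via eth2: denied
    Packet("10.9.8.7", "eth0", "eth1"),      # non-LAN source leaving via eth1: denied
    Packet("192.168.1.10", "eth1", "eth0"),  # LAN source heading back inwards: denied
]

def demo() -> List[str]:
    return [forward_decision(RULES, POLICY, p) for p in SAMPLES]

if __name__ == "__main__":
    for p, d in zip(SAMPLES, demo()):
        print(f"{p.src:>14} in={p.in_iface} out={p.out_iface} -> {d}")
```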