> Tim wrote:
>
> > Ok, here's the relevant information:
>
> [snip]
>
> > rc.masq
> > =======
> > /sbin/ipfwadm -F -f
> > /sbin/ipfwadm -F -a accept -b -S 192.168.200.0/255.255.255.0 -D 192.168.100.0/255.255.255.0
> > /sbin/ipfwadm -F -a m -S 192.168.200.9/255.255.255.255 -D 0.0.0.0/0
>
> Note: this will still masquerade packets which are sent between
> different hosts on the same network. The first rule will only apply
> when one end is on the 100 network and the other is on the 200
> network, but not when both hosts are on the same network.
>
> Unless there is some compelling reason to the contrary, it would
> probably be better to treat the whole of 192.168.* as a single network
> for this purpose, i.e.
>
> /sbin/ipfwadm -F -a accept -S 192.168.0.0/16 -D 192.168.0.0/16
> /sbin/ipfwadm -F -m -a accept -S 192.168.0.0/16
The biggest reason for this is that I'm controlling who does and does not
get it on an as-needed basis, or rather upon request from the "powers that
be".
I'm doing all of the routing from another Linux Server and was hoping I
could basically do the same thing on another Linux box set up as a PPP
server, but I believe this is where the problems are stemming from. In
addition to the other post, the box in question is 192.168.100.11 and has
all of the ipfwadm rules set up for the internal net(s). All the
WorkStations point to 192.168.100.11 as their GW. I use all
192.168.100.xxx for devices (routers, server, etc.) and 192.168.200.xxx
for WorkStations.
Here's a quick snip of what the other Server is doing, as far as the
ipfwadm rules go anyhow:
/sbin/ipfwadm -F -f
/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a accept -b -S 192.168.200.0/255.255.255.0 -D 192.168.100.0/255.255.255.0
/sbin/ipfwadm -F -a m -S 192.168.200.8/255.255.255.255 -D 0.0.0.0/0    # snoopy2
With the above (first accept) this allows me to telnet to our AS/400
(192.168.100.2) w/out being masq'd from 192.168.200.4 for example.
Maybe I'm going about this all wrong... Not really sure, which is why I've
come to the experts. :)
Best Regards,
Tim
--
Linux HOWTO coordinator
[EMAIL PROTECTED], [EMAIL PROTECTED] (HOWTO's)
[EMAIL PROTECTED] (Home)
[EMAIL PROTECTED] (Work)
D I P C
The system that enables you to write distributed programs.......the
easy way!
http://wallybox.cei.net/dipc/
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
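The two rule sets in this thread behave quite differently for a packet that happens to reach the forwarding chain with both ends on the same 192.168.x network, and for a workstation that is not on the masquerade list. The following Python model is an added example for this discussion, not code from the thread or from ipfwadm itself. It assumes ipfwadm -F semantics of "first matching rule decides, otherwise the chain's -p default policy applies" (with -b matching the reversed source/destination as well), uses a default policy of deny for all three chains for comparability (the quoted rc.masq does not show its -p line), and the sample packets and the host 192.168.200.8 from the second rule set are constructed inputs. The third rule set, labelled COMBINED, is not from the thread: it is the obvious way to get both the reply's point (never masquerade 192.168.* to 192.168.*) and the poster's per-host control.

```python
"""Model of ipfwadm forwarding-chain (-F) rules.

Example code written for this discussion, not part of the original thread
and not ipfwadm's own implementation.  Assumed semantics: rules are checked
in order, the first match decides, -b also matches with S and D swapped,
and the chain's -p default policy applies when nothing matches.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def net(cidr: str) -> IPv4Network:
    return IPv4Network(cidr, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    policy: str                      # "accept", "deny" or "masq" (ipfwadm -a m / -m)
    src: IPv4Network
    dst: IPv4Network = ANY
    bidirectional: bool = False      # ipfwadm -b: also match with S and D swapped

    def matches(self, s: IPv4Address, d: IPv4Address) -> bool:
        if s in self.src and d in self.dst:
            return True
        return self.bidirectional and d in self.src and s in self.dst


def forward(rules: list[Rule], default: str, src: str, dst: str) -> str:
    """Policy the forwarding chain would apply to a src->dst packet."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        if r.matches(s, d):
            return r.policy
    return default


# Rule set as posted for the other server (default policy -p deny):
#   -F -a accept -b -S 192.168.200.0/24 -D 192.168.100.0/24
#   -F -a m -S 192.168.200.8/32 -D 0.0.0.0/0
ORIGINAL = [
    Rule("accept", net("192.168.200.0/24"), net("192.168.100.0/24"), bidirectional=True),
    Rule("masq", net("192.168.200.8/32")),
]

# Rule set suggested in the reply (treat all of 192.168.* as one network):
#   -F -a accept -S 192.168.0.0/16 -D 192.168.0.0/16
#   -F -m -a accept -S 192.168.0.0/16
SUGGESTED = [
    Rule("accept", net("192.168.0.0/16"), net("192.168.0.0/16")),
    Rule("masq", net("192.168.0.0/16")),
]

# Not from the thread: internal traffic is never masqueraded, but only the
# listed host is masqueraded towards the outside world (assumed rule set).
COMBINED = [
    Rule("accept", net("192.168.0.0/16"), net("192.168.0.0/16")),
    Rule("masq", net("192.168.200.8/32")),
]

DEFAULT = "deny"   # assumption: all three chains use -p deny


def compare(src: str, dst: str) -> dict[str, str]:
    """What each rule set does to one src->dst packet reaching the chain."""
    return {
        "original": forward(ORIGINAL, DEFAULT, src, dst),
        "suggested": forward(SUGGESTED, DEFAULT, src, dst),
        "combined": forward(COMBINED, DEFAULT, src, dst),
    }


# Constructed sample packets (203.0.113.10 stands in for an Internet host).
SAMPLES = [
    ("192.168.200.8", "192.168.200.5"),   # listed host to another workstation
    ("192.168.200.8", "192.168.100.2"),   # listed host to the AS/400
    ("192.168.100.2", "192.168.200.4"),   # AS/400 reply to a workstation
    ("192.168.200.8", "203.0.113.10"),    # listed host to the Internet
    ("192.168.200.4", "203.0.113.10"),    # unlisted workstation to the Internet
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src:>15} -> {dst:<15}", compare(src, dst))
```

The row to look at is the first one: under the posted rules a packet from the masqueraded host to another 192.168.200.x host that does traverse the box gets masqueraded, because only the 200-to-100 traffic is covered by the accept rule. The reply's rule set fixes that, but its second line masquerades every 192.168.* host, which is exactly the per-host control the poster says he needs to keep; the last row shows the difference. In normal operation two hosts on the same subnet talk directly and the forwarding chain never sees that traffic, so the model only says what the chain would do if such a packet did arrive (for example via a misrouted or PPP-attached host).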