On Saturday 22 June 2002 8:46 am, Patrick Schaaf wrote:
> OUTPUT is for packets from local processes on the firewall machine,
> which are going out to one or the other network interface. If you have
> a userlevel process bind()ing the external IP of your firewall, and it
> happens to connect() to a machine on the internal network, that rule
> makes it work. If you do not want that, do not use that rule.
Why would you have a process specifically binding to the ext. IP, independent of the route it's communicating to the client system? Surely if you want to run a daemon for access by internal and external clients, then you would just let it bind to both interfaces and handle requests on a "sensible" address? If you only allow a daemon to bind to the ext. IP, surely you would do that because you only want it to respond to external requests?

Maybe there's a good reason for this somewhere, but it's not the way I've ever run things...

Antony.
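The case Patrick describes, a local process choosing its own source address with bind() before connect() regardless of the route to the destination, can be shown without a firewall at all. The following Python script is an added example and is not code from the original thread or from either poster. It stands in for the two networks with two loopback addresses: 127.0.0.1 plays a machine on the internal network and 127.0.0.2 plays the firewall's external IP. This assumes a Linux host, where the whole of 127.0.0.0/8 is local to lo, so 127.0.0.2 can be bound without any configuration; the names INTERNAL_HOST and EXTERNAL_IP are the example's own.

```python
"""Source address selection with and without an explicit bind() before connect().

Added example, not part of the original mailing-list thread. Constructed
scenario: 127.0.0.1 stands in for an internal host, 127.0.0.2 for the
firewall's external address. Assumes Linux, where all of 127.0.0.0/8 is
local to the loopback interface.
"""
import socket

INTERNAL_HOST = "127.0.0.1"  # stands in for a machine on the internal network
EXTERNAL_IP = "127.0.0.2"    # stands in for the firewall's external IP


def compare_source_selection():
    """Connect to a local listener twice and report the source IP it saw.

    Returns {"default": ip, "explicit": ip}. "default" lets the kernel pick
    the source address from the route to the destination; "explicit" binds
    EXTERNAL_IP first, the way a daemon told to bind the external IP would.
    The listener's accept() reports the peer address, which is the source
    address an OUTPUT-chain rule on the sending host would match on.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((INTERNAL_HOST, 0))  # port 0: any free port
    listener.listen(2)
    dest = listener.getsockname()
    seen = {}
    try:
        for label, bind_ip in (("default", None), ("explicit", EXTERNAL_IP)):
            client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            try:
                if bind_ip is not None:
                    # Pin the source address before connecting; the route
                    # to dest no longer decides what the packets carry.
                    client.bind((bind_ip, 0))
                # The TCP handshake completes in the kernel against the
                # listen backlog, so connect() returns before accept().
                client.connect(dest)
                server_side, peer = listener.accept()
                server_side.close()
                seen[label] = peer[0]
            finally:
                client.close()
    finally:
        listener.close()
    return seen


if __name__ == "__main__":
    for label, src in compare_source_selection().items():
        print(f"{label:8s} bind: peer saw source {src}")
```

With the kernel choosing, the listener sees 127.0.0.1; after the explicit bind it sees 127.0.0.2, even though the destination is reached over the same interface either way. On a real firewall that is the situation Patrick's reply is about: the packet leaves towards the internal network carrying the external IP as its source, so whether it passes depends on what the OUTPUT chain does with that combination (the rule itself is not quoted here, so the mapping to it is left to the reader).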
