--On Monday, November 18, 2002 04:30:19 PM -0800 Michael Bonner <[EMAIL PROTECTED]> wrote:

While looking at Tom's configuration files on the shorewall site, I've
been intrigued by the comment in his Interfaces file that he set it up
"so that I can start the firewall before bringing up my Ethernet
interfaces."

Is it possible to implement a similar configuration under Bering so I
can bring up the firewall before enabling my loc and dmz interfaces?
Any pointers, ideas, suggestions how to go about setting this up?  I
know the window for the interfaces being up before the firewall actually
starts is small, but still....they don't call them paranoid settings for
nothing! :-)

Michael,

The key is not to use any Shorewall constructs that require the interfaces to be up. I haven't done a recent thorough inventory but things to avoid that come immediately to mind are:

a) 'detect' in /etc/shorewall/interfaces
b) DETECT_DNAT_IPADDRS=Yes in /etc/shorewall/shorewall.conf
c) ADD_IP_ALIASES=Yes or ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf
d) Use of Proxy ARP (my comments on my web site pre-date my use of that feature :-)
e) Using an interface name in the second column of /etc/shorewall/masq


-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ [EMAIL PROTECTED]
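Tom's list of constructs to avoid, turned into a quick audit of a Shorewall config directory. This is an added example, not Shorewall's own code; it assumes the Shorewall 1.x file layout (interfaces, shorewall.conf, proxyarp and masq in one directory) and a heuristic, noted in the comments, for telling an interface name from an address in the masq SUBNET column.

```sh
#!/bin/sh
# Added example (not Shorewall's own code): report constructs in a Shorewall
# config directory that need the interfaces to be up when the firewall starts.

# Strip comments and blank lines from a config file; a missing file is empty.
sw_lines() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print one line per interface-dependent construct found under directory $1.
shorewall_audit() {
    d=$1
    # a) 'detect' in the BROADCAST column of interfaces
    sw_lines "$d/interfaces" | awk '$3 == "detect" { print "interfaces: " $2 " uses detect" }'
    # b)/c) shorewall.conf options that read addresses off live interfaces
    sw_lines "$d/shorewall.conf" |
        grep -iE '^[[:space:]]*(DETECT_DNAT_IPADDRS|ADD_IP_ALIASES|ADD_SNAT_ALIASES)="?yes' |
        sed 's/^/shorewall.conf: /'
    # d) any Proxy ARP entry at all
    sw_lines "$d/proxyarp" | sed 's/^/proxyarp: entry /'
    # e) masq SUBNET column holding an interface name instead of an address or
    #    subnet (assumed heuristic: addresses start with a digit or '!')
    sw_lines "$d/masq" | awk '$2 !~ /^!?[0-9]/ { print "masq: " $2 " is an interface name" }'
}

# Number of findings, as a bare integer.
shorewall_audit_count() { shorewall_audit "$1" | wc -l | tr -d ' '; }

# Constructed sample config that trips every check except ADD_IP_ALIASES.
make_sample_config() {
    printf 'net eth0 detect routefilter\nloc eth1 192.168.1.255\ndmz eth2 10.0.0.255\n' > "$1/interfaces"
    printf 'DETECT_DNAT_IPADDRS=Yes\nADD_IP_ALIASES=No\nADD_SNAT_ALIASES=Yes\n' > "$1/shorewall.conf"
    printf '#ADDRESS INTERFACE EXTERNAL\n10.0.0.5 eth2 eth0\n' > "$1/proxyarp"
    printf 'eth0 192.168.1.0/24\neth0 eth2\n' > "$1/masq"
}

sample=$(mktemp -d)
make_sample_config "$sample"
shorewall_audit "$sample"
echo "findings: $(shorewall_audit_count "$sample")"
rm -rf "$sample"
```

Point it at /etc/shorewall instead of the sample directory to check a real Bering box; an empty report means none of the listed constructs is in use.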



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html