Hi Bill,

On 6/25/20 7:50 PM, Bill Shirley wrote:
> $ rpm -q shorewall
> shorewall-5.2.3.5-1.fc32.noarch
>
> On page https://shorewall.org/configuration_file_basics.htm topic:
> *Alternate Specification of Column Values*
> 1) The shortcuts for the 'mangle' file are missing: probability, dscp, &
> switch

Corrected.

> 2) There is no 'snat' listing. If you use the 'tcrules' section, substituting
> action for mark, it is missing switch, probability, & origdest (and possibly
> ipsec).

Corrected.

> For the 'snat' file, PORT should be DPORT in the column headings. I don't
> see a way to select on source port. Also, I add a line above the column
> heading line (#ACTION SOURCE...) like so:
> # shortcuts -
> action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,switch,probability,origdest
>
> I find this handy so I have to refer to Shorewall's excellent documentation
> less often.

For quite a while now, the column names and alternate specification keywords have been the same.

> I ran into this while trying to make openvpn server behave. I have two
> public addresses (xxx.yyy.zzz.104 & xxx.yyy.zzz.105). If I allow the server
> to connect to all addresses (0.0.0.0) and then my client connects on .105
> the server replies on .104. So I thought, I'll just SNAT that puppy to the
> address I want. Doing that instead of changing openvpn's server.conf
> to bind to a specific address, if your IP address ever changes, like it will
> soon when we migrate from the old server to the new one, there'll be
> one less configuration file to change.
>
> Instead of getting things too complicated, I just changed server.conf to
> use:
> local xxx.yyy.zzz.105

The absence of an SPORT column in the 'masq' file was a topic of considerable debate ten years or more ago. My objection to adding it at that time was that it would have not directly followed the DPORT column as in all of the other files with a DPORT column. Regrettably, I didn't address that when I created the 'snat' file; my bad. Beginning in 5.2.5.2, I'll change the column name while accepting both 'port' and 'dport' in the alternate input form.

> Again, thanks for the excellent software and documentation.

You are most welcome.

-Tom

--
Tom Eastep          \ Q: What do you get when you cross a mobster
Shoreline,           \    with an international standard?
Washington, USA       \ A: Someone who makes you an offer you
http://shorewall.org   \    can't understand
                        \________________________________________
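An added illustration, not from the thread or from Shorewall's own documentation, of the positional and alternate column forms in a 5.2.3-era 'snat' file; it assumes the public interface is eth0, reuses the thread's placeholder address, and assumes the `{ keyword=value, ... }` spelling of the alternate form.

```text
#ACTION                 SOURCE          DEST            PROTO   PORT
# Positional form: rewrite the source address of UDP traffic leaving eth0
# bound for port 1194. PORT matches the *destination* port, which is the
# naming problem raised in the thread (assumed interface: eth0).
SNAT(xxx.yyy.zzz.105)   -               eth0            udp     1194

# Alternate specification: the remaining columns given by keyword after '{'.
# The keyword is 'port' in 5.2.3; per the reply above, 'dport' is also
# accepted only from 5.2.5.2 on.
SNAT(xxx.yyy.zzz.105)   -               eth0            { proto=udp, port=1194 }
```

Neither entry selects on the server's own source port 1194, so neither rewrites the replies Bill describes; for that case the `local xxx.yyy.zzz.105` line in server.conf remains the fix shown in the thread.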
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users