On 6/26/20 2:40 PM, Tom Eastep wrote:
> Hi Bill,
> 
> On 6/25/20 7:50 PM, Bill Shirley wrote:
>>
>> I ran into this while trying to make openvpn server behave.  I have two
>> public addresses (xxx.yyy.zzz.104 & xxx.yyy.zzz.105).  If I allow the
>> server to connect to all addresses (0.0.0.0) and then my client connects
>> on .105 the server replies on .104.  So I thought, I'll just SNAT that
>> puppy to the address I want.  Doing that instead of changing openvpn's
>> server.conf to bind to a specific address, if your IP address ever
>> changes, like it will soon when we migrate from the old server to the
>> new one, there'll be one less configuration file to change.
>>
>> Instead of getting things too complicated, I just changed server.conf to
>> use:
>> local    xxx.yyy.zzz.105
> 
> The absence of an SPORT column in the 'masq' file was a topic of
> considerable debate ten years or more ago. My objection to adding it at
> that time was that it would have not directly followed the DPORT column
> as in all of the other files with a DPORT column. Regrettably, I didn't
> address that when I created the 'snat' file; my bad. Beginning in
> 5.2.5.2, I'll change the column name while accepting both 'port' and
> 'dport' in the alternate input form.

I decided to defer that change until 5.2.6. 5.2.6 RC 1 will contain
these two changes:

1)  To emphasize that it specifies destination ports, the PORT column
    in the snat file has been renamed DPORT. Beginning with this
    release, both 'port' and 'dport' are accepted in the alternative
    input format.

2)  The snat file now supports ?FORMAT 2, which adds an SPORT (source
    port) column immediately to the right of the DPORT (destination
    port) column.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
