More Martian advice

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5400 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-22 06:10:42 +01:00 · 2007-02-12 16:17:09 +00:00 · 2007-02-12 16:17:09 +00:00 · 122711da53
commit 122711da53
parent 9f36059c7d
2 changed files with 19 additions and 9 deletions
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@ -648,6 +648,19 @@ Feb  9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
          application to use). See <link linkend="Local">below</link>.</para>
        </listitem>
      </orderedlist>
+
+      <para>If all else fails, remove the <emphasis
+      role="bold">routefilter</emphasis> option from your external interfaces.
+      If you do this, you may wish to add rules to log and drop packets from
+      the Internet that have source addresses in your local networks. For
+      example, if the local LAN in the above diagram is 192.168.1.0/24, then
+      you would add this rule: </para>
+
+      <programlisting>#ACTION          SOURCE                     DEST
+DROP:info        net:192.168.1.0/24         all</programlisting>
+
+      <para>Be sure the above rule is added before any other rules with
+      <emphasis>net</emphasis> in the SOURCE column.</para>
    </section>

    <section>
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@ -303,14 +303,11 @@ SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlist
  <section>
    <title>Can't I do this with one router? Why do I need two?</title>

-    <para>The single router would have to be able to route to two different
-    192.168.1.0/24 networks. In Netfilter parlance, that would mean that the
-    destination IP address would have to be rewritten after the packet had
-    been routed; Netfilter doesn't have that capability.</para>
-
-    <para>Note that if you do it with two routers, then adding a third is
-    easy. There's no reason why you can't have yet another network that is
-    192.168.1.0/24 on the inside, but you can allocated it 10.10.12.0/24 for
-    everybody else.</para>
+    <para>I wrote this article before Shorewall included <ulink
+    url="MultiISP.html">multiple provider support</ulink>. You should be able
+    to accomplish the same thing with just one router through careful use of
+    /etc/shorewall/netmap and <ulink url="MultiISP.html">multiple
+    providers</ulink>. If you try it and get it working, please contribute an
+    update to this article.</para>
  </section>
 </article>