From 122711da53b5980714f2ec37307ebabca4a65716 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 12 Feb 2007 16:17:09 +0000 Subject: [PATCH] More Martian advice git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5400 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- docs/MultiISP.xml | 13 +++++++++++++ docs/netmap.xml | 15 ++++++--------- 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/docs/MultiISP.xml b/docs/MultiISP.xml index 90d088914..bcbc329bf 100644 --- a/docs/MultiISP.xml +++ b/docs/MultiISP.xml @@ -648,6 +648,19 @@ Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05: application to use). See below. + + If all else fails, remove the routefilter option from your external interfaces. + If you do this, you may wish to add rules to log and drop packets from + the Internet that have source addresses in your local networks. For + example, if the local LAN in the above diagram is 192.168.1.0/24, then + you would add this rule: + + #ACTION SOURCE DEST +DROP:info net:192.168.1.0/24 all + + Be sure the above rule is added before any other rules with + net in the SOURCE column.
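Review bot: The replacement rule in this hunk covers only the one LAN from the diagram, but dropping routefilter removes kernel reverse-path checking for every spoofed source, not just 192.168.1.0/24. The text should say that a DROP:info rule is needed for each local network behind the firewall (any DMZ or second LAN in the same setup) and for the firewall's own interface addresses, or the reader is left with less anti-spoofing coverage than routefilter gave them. It would also help to name the file the rule goes in (/etc/shorewall/rules) and to state the ordering constraint as "before any ACCEPT or other rule with net in SOURCE", since "any other rules" reads as broader than the point being made. Suggested wording for the lead-in: "If you do this, add a rule for each local network to log and drop packets arriving from the Internet with a local source address. For example, ..."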
diff --git a/docs/netmap.xml b/docs/netmap.xml index e55c165b3..92f0363da 100644 --- a/docs/netmap.xml +++ b/docs/netmap.xml @@ -303,14 +303,11 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B Can't I do this with one router? Why do I need two? - The single router would have to be able to route to two different - 192.168.1.0/24 networks. In Netfilter parlance, that would mean that the - destination IP address would have to be rewritten after the packet had - been routed; Netfilter doesn't have that capability. - - Note that if you do it with two routers, then adding a third is - easy. There's no reason why you can't have yet another network that is - 192.168.1.0/24 on the inside, but you can allocated it 10.10.12.0/24 for - everybody else. + I wrote this article before Shorewall included multiple provider support. You should be able + to accomplish the same thing with just one router through careful use of + /etc/shorewall/netmap and multiple + providers. If you try it and get it working, please contribute an + update to this article.
\ No newline at end of file
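Review bot: This hunk deletes the only technical explanation under "Can't I do this with one router?" (that the destination address would have to be rewritten after routing, which Netfilter does not support) and replaces it with an untested "You should be able to accomplish the same thing", so the section now neither answers the question it poses nor documents a working configuration. Keep the original reasoning about why two routers were needed when the article was written, then add the note about multiple provider support and netmap as a possible alternative; the paragraph about adding a third router (allocating another 10.10.x.0/24 for a further 192.168.1.0/24 site) was useful and should be kept as well. Inviting readers to contribute an update is fine, but the text should make clear that the one-router approach is untested rather than implying it is known to work.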