More Martian advice

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5400 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-02-12 16:17:09 +00:00
parent 9f36059c7d
commit 122711da53
2 changed files with 19 additions and 9 deletions

View File

@ -648,6 +648,19 @@ Feb 9 17:23:45 gw.ilinx kernel: ll header: 00:a0:24:2a:1f:72:00:13:5f:07:97:05:
application to use). See <link linkend="Local">below</link>.</para> application to use). See <link linkend="Local">below</link>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>If all else fails, remove the <emphasis
role="bold">routefilter</emphasis> option from your external interfaces.
If you do this, you may wish to add rules to log and drop packets from
the Internet that have source addresses in your local networks. For
example, if the local LAN in the above diagram is 192.168.1.0/24, then
you would add this rule: </para>
<programlisting>#ACTION SOURCE DEST
DROP:info net:192.168.1.0/24 all</programlisting>
<para>Be sure the above rule is added before any other rules with
<emphasis>net</emphasis> in the SOURCE column.</para>
</section> </section>
<section> <section>

View File

@ -303,14 +303,11 @@ SNAT 192.168.1.0/24 vpn 10.10.10.0/24 #RULE 2B</programlist
<section> <section>
<title>Can't I do this with one router? Why do I need two?</title> <title>Can't I do this with one router? Why do I need two?</title>
<para>The single router would have to be able to route to two different <para>I wrote this article before Shorewall included <ulink
192.168.1.0/24 networks. In Netfilter parlance, that would mean that the url="MultiISP.html">multiple provider support</ulink>. You should be able
destination IP address would have to be rewritten after the packet had to accomplish the same thing with just one router through careful use of
been routed; Netfilter doesn't have that capability.</para> /etc/shorewall/netmap and <ulink url="MultiISP.html">multiple
providers</ulink>. If you try it and get it working, please contribute an
<para>Note that if you do it with two routers, then adding a third is update to this article.</para>
easy. There's no reason why you can't have yet another network that is
192.168.1.0/24 on the inside, but you can allocated it 10.10.12.0/24 for
everybody else.</para>
</section> </section>
</article> </article>