diff --git a/Shorewall/firewall b/Shorewall/firewall index 5b682a09e..33ba3f5ec 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1490,7 +1490,7 @@ add_nat_rule() { ;; detect) addr= - if [ -n "$DETECT_IPADDRS" && "$source"! = "$FW" ]; then + if [ -n "$DETECT_DNAT_IPADDRS" -a "$source" != "$FW" ]; then eval interfaces=\$${source}_interfaces for interface in $interfaces; do addr="`find_interface_address $interface` $addr" @@ -3313,7 +3313,7 @@ do_initialize() { ROUTE_FILTER= NAT_BEFORE_RULES= MULTIPORT= - DETECT_IPADDRS= + DETECT_DNAT_IPADDRS= stopping= have_mutex= masq_seq=1 @@ -3387,7 +3387,7 @@ do_initialize() { ROUTE_FILTER=`added_param_value_no ROUTE_FILTER $ROUTE_FILTER` NAT_BEFORE_RULES=`added_param_value_yes NAT_BEFORE_RULES $NAT_BEFORE_RULES` MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT` - DETECT_IPADDRS=`added_param_value_no DETECT_IPADDRS $DETECT_IPADDRS` + DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS` } ################################################################################ diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 79476c86e..8e415db05 100755 --- a/Shorewall/shorewall.conf +++ b/Shorewall/shorewall.conf @@ -228,7 +228,7 @@ NAT_BEFORE_RULES=Yes MULTIPORT=No -# IP ADDRESS DETECTION +# DNAT IP Address Detection # # Normally when Shorewall encounters the following rule: # 
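Review bot: The rewritten condition in add_nat_rule's `detect)` arm repairs the old `&&`/`"$source"! =` syntax error but replaces it with the `-a` operator of `[`, which POSIX marks obsolescent and whose parsing is ambiguous when an operand starts with `-` or `!`; the unambiguous form is `if [ -n "$DETECT_DNAT_IPADDRS" ] && [ "$source" != "$FW" ]; then`. It is also worth confirming what `added_param_value_no` yields for a `No` setting (the helper is outside this diff): `-n` is only a correct enable test if `No` is normalised to the empty string, otherwise `DETECT_DNAT_IPADDRS=No` would still enable address detection. add_nat_rule begins before and continues after this hunk.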
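Review bot: Renaming the setting to DETECT_DNAT_IPADDRS in do_initialize (both the reset and the `added_param_value_no` hunks) means an existing shorewall.conf that still sets DETECT_IPADDRS=Yes is silently ignored after upgrade, so its DNAT rules revert to matching every destination address without any diagnostic; for a firewall this is a quiet widening of the rule set. Consider detecting the obsolete name right after the new assignment, e.g. `[ -n "$DETECT_IPADDRS" ] && echo "   Warning: DETECT_IPADDRS is obsolete; use DETECT_DNAT_IPADDRS" >&2`, or treating it as a startup error if the script already has a helper for invalid settings. do_initialize starts before this hunk; its closing brace is the last hunk line.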
@@ -251,10 +251,12 @@ MULTIPORT=No # rule will forward connection requests on all of these addresses; # that may not be what is desired. # -# By setting DETECT_IPADDRS=Yes, rules such as the above will apply +# By setting DETECT_DNAT_IPADDRS=Yes, rules such as the above will apply # only if the original destination address is the primary IP address of -# one of the interfaces associated with the source zone. +# one of the interfaces associated with the source zone. Note that this +# requires all interfaces to the source zone to be up when the firewall +# is [re]started. -DETECT_IPADDRS=No +DETECT_DNAT_IPADDRS=No #LAST LINE -- DO NOT REMOVE