From c57edb0fbf57b6992187743ae9087c354871e503 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 1 Aug 2017 14:56:20 -0700
Subject: [PATCH] Update FAQ2* to use address variables
Signed-off-by: Tom Eastep
---
docs/FAQ.xml | 57 +++++++--------------------------------------------
1 file changed, 7 insertions(+), 50 deletions(-)
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index 6dcc11080..3399b4ed5 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -776,12 +776,7 @@ SNAT(130.151.100.69) 192.168.1.0/24 eth1:19 That rule (and the second one in the previous bullet) only works of course if you have a static external IP address. If you - have a dynamic IP address then include this in - /etc/shorewall/params. - - ETH0_IP=$(find_first_interface_address eth0) - - and make your DNAT rule: + have a dynamic IP address then make your DNAT rule: #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
@@ -793,34 +788,17 @@ SNAT(130.151.100.69) 192.168.1.0/24 eth1:19 ?SECTION NEW DNAT loc loc:192.168.1.5 tcp www - $ETH0_IP + role="bold">&eth0 Using this technique, you will want to configure your - DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each - time that you get a new IP address. + DHCP/PPPoE/PPTP/… client to automatically reload Shorewall each time + that you get a new IP address. If your local interface is a bridge, see FAQ 2e for additional configuration steps. - - - For optional interfaces, use the function find_first_interface_address_if_any() - rather than find_first_interface_address(). The former - will return 0.0.0.0 if the interface has no configured IP address; - the latter terminates the calling program. - - - - If you run Shorewall-lite on your firewall, you must use the - following in the firewall's configuration directory - params file: - - ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")
@@ -928,14 +906,8 @@ MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176 - If your external IP address is dynamic, then you must do the - following: - - In /etc/shorewall/params: - - ETH0_IP=`find_first_interface_address eth0` - - and make your DNAT rule: + If your external IP address is dynamic, then you must make your + DNAT rule: #ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST @@ -947,7 +919,7 @@ MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www ?SECTION NEW DNAT loc dmz:192.168.2.4 tcp 80 - $ETH0_IP + role="bold">&eth0 With dynamic IP addresses, you probably don't want to use @@ -956,21 +928,6 @@ DNAT loc dmz:192.168.2.4 tcp 80 - and shorewall[-lite] restore. - - - For optional interfaces, use the function find_first_interface_address_if_any() rather - than find_first_interface_address(). The former - will return 0.0.0.0 if the interface has no configured IP address; - the latter terminates the calling program. - - - - If you use Shorewall-lite, then you need to configure the - params file in the firewall's configuration directory as described - above. -