mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-24 03:31:24 +02:00
Update FAQ2* to use address variables
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
80e6cd8a2f
commit
c57edb0fbf
57
docs/FAQ.xml
@ -776,12 +776,7 @@ SNAT(<emphasis role="bold">130.151.100.69</emphasis>) 192.168.1.0/24 eth1:19
|
|||||||
|
|
||||||
<para>That rule (and the second one in the previous bullet) only
|
<para>That rule (and the second one in the previous bullet) only
|
||||||
works of course if you have a static external IP address. If you
|
works of course if you have a static external IP address. If you
|
||||||
have a dynamic IP address then include this in
|
have a dynamic IP address then make your DNAT rule:</para>
|
||||||
<filename>/etc/shorewall/params</filename>.</para>
|
|
||||||
|
|
||||||
<programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command> </programlisting>
|
|
||||||
|
|
||||||
<para>and make your DNAT rule:</para>
|
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
|
|
||||||
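Review bot: The rewritten sentence "have a dynamic IP address then make your DNAT rule:" never names the feature the rule now depends on. With the params step deleted, a reader has no explanation of where the ORIGDEST value comes from. Suggest saying that the rule uses an address variable for the external interface and linking to the documentation for address variables, including any minimum Shorewall version they need.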
@ -793,34 +788,17 @@ SNAT(<emphasis role="bold">130.151.100.69</emphasis>) 192.168.1.0/24 eth1:19
|
|||||||
?SECTION NEW
|
?SECTION NEW
|
||||||
|
|
||||||
DNAT loc loc:192.168.1.5 tcp www - <emphasis
|
DNAT loc loc:192.168.1.5 tcp www - <emphasis
|
||||||
role="bold">$ETH0_IP</emphasis></programlisting>
|
role="bold">&eth0</emphasis></programlisting>
|
||||||
|
|
||||||
<para>Using this technique, you will want to configure your
|
<para>Using this technique, you will want to configure your
|
||||||
DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
|
DHCP/PPPoE/PPTP/… client to automatically reload Shorewall each time
|
||||||
time that you get a new IP address.</para>
|
that you get a new IP address.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>If your local interface is a bridge, see <link
|
<para>If your local interface is a bridge, see <link
|
||||||
linkend="faq2e">FAQ 2e</link> for additional configuration
|
linkend="faq2e">FAQ 2e</link> for additional configuration
|
||||||
steps.</para>
|
steps.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>For optional interfaces, use the function <emphasis
|
|
||||||
role="bold">find_first_interface_address_if_any()</emphasis>
|
|
||||||
rather than <emphasis
|
|
||||||
role="bold">find_first_interface_address()</emphasis>. The former
|
|
||||||
will return 0.0.0.0 if the interface has no configured IP address;
|
|
||||||
the latter terminates the calling program.</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<note id="Call">
|
|
||||||
<para>If you run Shorewall-lite on your firewall, you must use the
|
|
||||||
following in the firewall's configuration directory
|
|
||||||
<filename>params</filename> file:</para>
|
|
||||||
|
|
||||||
<programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
|
|
||||||
</note>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
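Review bot: Missing documentation for the no-address case: the deleted note told readers that find_first_interface_address_if_any() returns 0.0.0.0 for an optional interface with no address, while find_first_interface_address() terminates the caller. The replacement line with &eth0 says nothing about what the rule does when eth0 has no address at start or reload. Please add a sentence covering that case, since a DNAT rule matching an unintended ORIGDEST is a forwarding exposure, not just a cosmetic issue.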
@ -928,14 +906,8 @@ MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www</programlisting>
|
|||||||
|
|
||||||
<emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting>
|
<emphasis role="bold">DNAT loc dmz:192.168.2.4 tcp 80 - 206.124.146.176</emphasis></programlisting>
|
||||||
|
|
||||||
<para>If your external IP address is dynamic, then you must do the
|
<para>If your external IP address is dynamic, then you must make your
|
||||||
following:</para>
|
DNAT rule:</para>
|
||||||
|
|
||||||
<para>In <filename>/etc/shorewall/params</filename>:</para>
|
|
||||||
|
|
||||||
<programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command> </programlisting>
|
|
||||||
|
|
||||||
<para>and make your DNAT rule:</para>
|
|
||||||
|
|
||||||
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
|
||||||
|
|
||||||
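Review bot: Wording is inconsistent with the FAQ 2 change above: here the new text reads "then you must make your DNAT rule:" while the earlier hunk reads "then make your DNAT rule:". Both read as truncated once "do the following" and the params step are gone. Suggest one shared sentence in both places, for example "then use an address variable in the ORIGDEST column of your DNAT rule:".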
@ -947,7 +919,7 @@ MASQUERADE 192.168.1.0/24 eth2:192.168.1.2 tcp www</programlisting>
|
|||||||
?SECTION NEW
|
?SECTION NEW
|
||||||
|
|
||||||
DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis
|
DNAT loc dmz:192.168.2.4 tcp 80 - <emphasis
|
||||||
role="bold">$ETH0_IP</emphasis></programlisting>
|
role="bold">&eth0</emphasis></programlisting>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>With dynamic IP addresses, you probably don't want to use
|
<para>With dynamic IP addresses, you probably don't want to use
|
||||||
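Review bot: On the changed line 'role="bold">&eth0</emphasis>', a bare ampersand followed by a name and no semicolon is not well-formed in DocBook XML. Please confirm the file itself carries the escaped form (&amp;eth0) and that this view has only decoded it. Otherwise the FAQ will fail to build, and the same applies to the identical change in the FAQ 2 listing.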
@ -956,21 +928,6 @@ DNAT loc dmz:192.168.2.4 tcp 80 - <emphasi
|
|||||||
save</command> and <command>shorewall[-lite]
|
save</command> and <command>shorewall[-lite]
|
||||||
restore</command></ulink>.</para>
|
restore</command></ulink>.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>For optional interfaces, use the function <emphasis
|
|
||||||
role="bold">find_first_interface_address_if_any()</emphasis> rather
|
|
||||||
than <emphasis
|
|
||||||
role="bold">find_first_interface_address()</emphasis>. The former
|
|
||||||
will return 0.0.0.0 if the interface has no configured IP address;
|
|
||||||
the latter terminates the calling program.</para>
|
|
||||||
</note>
|
|
||||||
|
|
||||||
<note>
|
|
||||||
<para>If you use Shorewall-lite, then you need to configure the
|
|
||||||
params file in the firewall's configuration directory as described
|
|
||||||
<link linkend="Call">above</link>.</para>
|
|
||||||
</note>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="faq2c">
|
<section id="faq2c">
|
||||||
|
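Review bot: The Shorewall-lite guidance is removed here and in the earlier hunk (the note with id="Call") with no replacement. The old text required an ssh call to the firewall because the params file is evaluated on the administrative system. Please state explicitly whether &eth0 is resolved on the firewall itself under Shorewall-lite, so readers do not assume it picks up the address of the machine that compiles the configuration. Also check that no other linkend="Call" reference remains in the docs now that the anchor is gone.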