From 3ad8861ddbfb749cc2126ab4f1f613d7bfcc76c1 Mon Sep 17 00:00:00 2001 From: mhnoyes Date: Sat, 13 Dec 2003 06:35:24 +0000 Subject: [PATCH] Minor edit git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@841 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/Documentation.xml | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/Shorewall-docs/Documentation.xml b/Shorewall-docs/Documentation.xml index d4f3eb016..49fc72555 100644 --- a/Shorewall-docs/Documentation.xml +++ b/Shorewall-docs/Documentation.xml 
@@ -2572,16 +2572,17 @@ NET_OPTIONS=blacklist,norfc1918 You want to run wu-ftpd on 192.168.2.2 in your masqueraded DMZ. Your internet interface address is 155.186.235.151 and you want the FTP server to be accessible from the internet in addition to the local - 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. Note that since the - server is in the 192.168.2.0/24 subnetwork, we can assume that access to - the server from that subnet will not involve the firewall (<ulink - url="FAQ.htm#faq2">but see FAQ 2</ulink>). Note that unless you have - more than one external IP address, you can leave the ORIGINAL DEST - column blank in the first rule. You cannot leave it blank in the second - rule though because then <emphasis role="bold">all ftp connections</emphasis> - originating in the local subnet 192.168.1.0/24 would be sent to - 192.168.2.2 <emphasis role="bold">regardless of the site that the user - was trying to connect to</emphasis>. That is clearly not what you want. + 192.168.1.0/24 and dmz 192.168.2.0/24 subnetworks. + + since the server is in the 192.168.2.0/24 subnetwork, + we can assume that access to the server from that subnet will not + involve the firewall (but see FAQ 2)unless + you have more than one external IP address, you can leave the ORIGINAL + DEST column blank in the first rule. You cannot leave it blank in the + second rule though because then all ftp connections originating in the + local subnet 192.168.1.0/24 would be sent to 192.168.2.2 regardless of + the site that the user was trying to connect to. That is clearly not + what you want.
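Review bot: the replacement text in this hunk drops markup that the removed lines carried, so the rewritten paragraph loses its cross-reference and its warning emphasis. The old lines linked the FAQ with `<ulink url="FAQ.htm#faq2">but see FAQ 2</ulink>`; the new lines have a bare "(but see FAQ 2)" with no link, and it runs straight into the next sentence as "(but see FAQ 2)unless", which also lost its leading "Note that", as did the fragment that now starts with a lowercase "since". The bold emphasis on "all ftp connections" and on "regardless of the site that the user was trying to connect to" is gone as well, and that emphasis is what flags the consequence of leaving ORIGINAL DEST blank in the second DNAT rule (every FTP connection from 192.168.1.0/24 being redirected to 192.168.2.2). Suggest keeping the `<ulink>` and `<emphasis role="bold">` elements from the removed lines, restoring the sentence boundaries ("Note that since ..." / "Note that unless ..."), and checking that the resulting DocBook still validates, since "Minor edit" gives no hint why the markup was removed.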