Is there a way to switch the order that nat and masq happen in the
POSTROUTING table?

--
Regards
Joseph
http://www.datakota.com
On Saturday 24 August 2002 06:07 pm, Joseph T Watson wrote:
> Is there a way to switch the order that nat and masq happen in the
> POSTROUTING table?

Yes -- set the ALL INTERFACES column to "No" in /etc/shorewall/nat.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Saturday 24 August 2002 06:36 pm, Tom Eastep wrote:
> On Saturday 24 August 2002 06:07 pm, Joseph T Watson wrote:
> > Is there a way to switch the order that nat and masq happen in the
> > POSTROUTING table?
>
> Yes -- set the ALL INTERFACES column to "No" in /etc/shorewall/nat.

But I don't understand why you insist on having your local servers
communicate with each other through your firewall. That's really an
ill-advised approach.

You could add entries in /etc/hosts on each of your servers (assuming that
you have taken the reasonable approach and have configured
/etc/nsswitch.conf so that "files" is before "dns" for resolving "hosts")
so that if the servers need to talk to each other they use LOCAL IP
addresses!! Why don't you want to do that? You can also configure DNS for
this scenario (see http://www.shorewall.net/shorewall_setup_guide.htm#DNS).
It avoids all of these messy routing/SNAT/DNAT/"why does my performance
suck?" problems AND IT IS ALWAYS FASTER!!!!!

I guess people think that "real men" always use IP solutions and "wimps"
use DNS solutions. I use a DNS solution -- the DNS configuration at the URL
above is a weakly disguised copy of my own Bind setup (draw whatever
conclusions you may).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
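The /etc/hosts approach Tom describes only works if the resolver actually consults "files" before "dns" for the "hosts" database, and if the entries point at the servers' local addresses rather than the firewall's external one. The following script is an added example written for this page (it is not part of the thread and not Shorewall code): it parses an nsswitch.conf, checks the source order on its hosts: line, looks a name up in a hosts file, and verifies the result is a private (RFC 1918) address. The file contents used in the checks are constructed; the function names and the sample name www.example.com are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Verifies the resolver setup
# the message above relies on: /etc/hosts consulted before DNS, and the
# server name mapped to a LOCAL (private) address so servers talk directly
# instead of hairpinning through the firewall's external IP.

# Returns 0 if, on the "hosts:" line of the given nsswitch.conf, "files"
# appears before "dns" (or "dns" is absent); returns 1 otherwise.
files_before_dns() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*hosts:' "$conf" | head -n 1)
    [ -n "$line" ] || return 1
    sources=${line#*:}          # everything after "hosts:"
    pos=0; files_pos=0; dns_pos=0
    for src in $sources; do
        pos=$((pos + 1))
        case "$src" in
            files) [ "$files_pos" -eq 0 ] && files_pos=$pos ;;
            dns)   [ "$dns_pos" -eq 0 ] && dns_pos=$pos ;;
        esac
    done
    [ "$files_pos" -gt 0 ] || return 1
    [ "$dns_pos" -eq 0 ] && return 0
    [ "$files_pos" -lt "$dns_pos" ]
}

# Prints the address the hosts file (arg 1) gives for NAME (arg 2),
# using the first matching line; prints nothing if the name is absent.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                 # drop trailing comments
        NF < 2 { next }                    # need address plus at least one name
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Returns 0 if the dotted-quad address lies in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*)                                 return 0 ;;
        192.168.*)                            return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Combined check: resolver prefers files, and NAME resolves to a private address.
# Usage: check_local_resolution /etc/nsswitch.conf /etc/hosts www.example.com
check_local_resolution() {
    files_before_dns "$1" || { echo "hosts: line does not put files before dns" >&2; return 1; }
    addr=$(hosts_lookup "$2" "$3")
    [ -n "$addr" ] || { echo "$3 not found in $2" >&2; return 1; }
    is_private_ipv4 "$addr" || { echo "$3 maps to non-private address $addr" >&2; return 1; }
    echo "$3 -> $addr (local address, files consulted before dns)"
}
```

Run it against the real files on each server (the usage line in the comment); a failure on the first check means DNS would win and the servers would still resolve each other to the firewall's external address, which is exactly the situation the message warns about.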
On Saturday 24 August 2002 06:55 pm, Tom Eastep wrote:
> On Saturday 24 August 2002 06:36 pm, Tom Eastep wrote:
> > On Saturday 24 August 2002 06:07 pm, Joseph T Watson wrote:
> > > Is there a way to switch the order that nat and masq happen in the
> > > POSTROUTING table?
> >
> > Yes -- set the ALL INTERFACES column to "No" in /etc/shorewall/nat.
>
> But I don't understand why you insist on having your local servers
> communicate with each other through your firewall. That's really an
> ill-advised approach.

Of course the best solution (I think) for your situation is to use Proxy
ARP. Your servers each have ONE IP address so none of the problems we've
been discussing ever come up...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
On Sunday 25 August 2002 12:09 am, you wrote:
>
> It's not that I'm not sympathetic but there are 1000s of you (Shorewall
> users) and one of me. I have been consistent in recommending against using
> Shorewall like you are using it and I refuse to spend the rest of my
> weekend trying to devise a workaround for someone who has ignored my advice
> -- does that make sense?
>
> -Tom

It does. Thanks for your help.

--
Regards
Joseph
http://www.datakota.com