I'm doing more releases of 1.4.* to try to work around the absurd way in which the 2.6 kernel supports ipsec.

1.4.10 will provide a means for excluding multiple destination hosts/subnets from masquerade/SNAT.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Thursday 22 January 2004 03:44 pm, Tom Eastep wrote:
> I'm doing more releases of 1.4.* to try to work around the absurd way in
> which the 2.6 kernel supports ipsec.
>
> 1.4.10 will provide a means for excluding multiple destination
> hosts/subnets from masquerade/SNAT.

Forgot to attach the release notes.

-Tom
On Thu, 22 Jan 2004 15:44:24 -0800 Tom Eastep <teastep@shorewall.net> wrote:

From release notes:

1) The INTERFACE column in the /etc/shorewall/masq file may now specify a destination list.

   Example:

   #INTERFACE                     SUBNET    ADDRESS
   eth0:192.0.2.3,192.0.2.16/28   eth1

   If the list begins with "!" then SNAT will occur only if the destination IP address is NOT included in the list.

> 1.4.10 will provide a means for excluding multiple destination hosts/subnets
> from masquerade/SNAT.

You probably meant "including/excluding"?

BTW, would it be possible to specify ports also? For example I want to masquerade only if destination port is 6667, how can I do that?

Regards,
Nerijus
On Friday 23 January 2004 05:38 am, Nerijus Baliunas wrote:
> On Thu, 22 Jan 2004 15:44:24 -0800 Tom Eastep <teastep@shorewall.net>
> wrote:
>
> From release notes:
>
> 1) The INTERFACE column in the /etc/shorewall/masq file may now
> specify a destination list.
>
> Example:
>
> #INTERFACE                     SUBNET    ADDRESS
> eth0:192.0.2.3,192.0.2.16/28   eth1
>
> If the list begins with "!" then SNAT will occur only if the
> destination IP address is NOT included in the list.
>
> > 1.4.10 will provide a means for excluding multiple destination
> > hosts/subnets from masquerade/SNAT.
>
> You probably meant "including/excluding"?

You have always been able to include multiple destinations simply by using multiple entries.

> BTW, would it be possible to specify ports also?

No. I'm concentrating on meeting the ipsec requirements which don't involve ports.

> For example I want
> to masquerade only if destination port is 6667, how can I do that?

Use an extension script.

-Tom
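The destination-list semantics quoted above (a comma-separated list after the interface, "!" to negate it, multiple entries for multiple inclusions), as an added example that is not Shorewall's own code: a small Python model of how masq entries decide whether a packet leaving an interface gets NATed. It assumes, as Shorewall does, that the SUBNET column may name an interface instead of a network, that an ADDRESS column means SNAT to that address while its absence means MASQUERADE, and that entries are tried in file order with the first match winning.

```python
import ipaddress

def parse_masq_entry(line):
    """Parse one masq line: INTERFACE[:dest,dest,...] SUBNET [ADDRESS]."""
    fields = line.split()
    iface_col, subnet = fields[0], fields[1]
    address = fields[2] if len(fields) > 2 else None
    iface, _, dests = iface_col.partition(":")
    negate = dests.startswith("!")          # "!" list: NAT only if dest NOT listed
    if negate:
        dests = dests[1:]
    dest_nets = [ipaddress.ip_network(d, strict=False) for d in dests.split(",") if d]
    try:
        src = ipaddress.ip_network(subnet, strict=False)  # SUBNET is a network
    except ValueError:
        src = subnet                                      # SUBNET names an interface
    return {"iface": iface, "src": src, "dests": dest_nets,
            "negate": negate, "address": address}

def entry_matches(entry, out_iface, in_iface, src_ip, dst_ip):
    """Would this entry's POSTROUTING rule match the packet?"""
    if out_iface != entry["iface"]:
        return False
    if isinstance(entry["src"], str):
        if in_iface != entry["src"]:
            return False
    elif ipaddress.ip_address(src_ip) not in entry["src"]:
        return False
    if not entry["dests"]:                  # no destination list: NAT everything
        return True
    listed = any(ipaddress.ip_address(dst_ip) in n for n in entry["dests"])
    return not listed if entry["negate"] else listed

def masq_action(masq_lines, out_iface, in_iface, src_ip, dst_ip):
    """First matching entry wins. Returns None (no NAT), "MASQUERADE",
    or the ADDRESS the packet would be SNATed to."""
    for raw in masq_lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        entry = parse_masq_entry(line)
        if entry_matches(entry, out_iface, in_iface, src_ip, dst_ip):
            return entry["address"] or "MASQUERADE"
    return None

# Constructed sample masq file: the release-notes entry plus a "!" entry.
MASQ = [
    "#INTERFACE                     SUBNET        ADDRESS",
    "eth0:192.0.2.3,192.0.2.16/28   eth1",
    "eth0:!10.0.0.0/8               10.1.1.0/24   203.0.113.9",
]
```

With this file, traffic from eth1 to 192.0.2.20 is masqueraded by the first entry, traffic from 10.1.1.0/24 to another 10.0.0.0/8 address is left alone by the second, and traffic from 10.1.1.0/24 to anything else is SNATed to 203.0.113.9.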
On Fri, 23 Jan 2004 06:50:00 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> > > 1.4.10 will provide a means for excluding multiple destination
> > > hosts/subnets from masquerade/SNAT.
> >
> > You probably meant "including/excluding"?
>
> You have always been able to include multiple destinations simply by using
> multiple entries.

I know, as it was me who asked a few days ago, but now it is possible to specify them on the one line... Thanks for that.

> > BTW, would it be possible to specify ports also?
>
> No. I'm concentrating on meeting the ipsec requirements which don't involve
> ports.

Is it possible to have this feature in the future?

Regards,
Nerijus
On Friday 23 January 2004 07:35 am, Nerijus Baliunas wrote:
> On Fri, 23 Jan 2004 06:50:00 -0800 Tom Eastep <teastep@shorewall.net> wrote:
>
> > > > 1.4.10 will provide a means for excluding multiple destination
> > > > hosts/subnets from masquerade/SNAT.
> > >
> > > You probably meant "including/excluding"?
> >
> > You have always been able to include multiple destinations simply by
> > using multiple entries.
>
> I know, as it was me who asked a few days ago, but now it is possible
> to specify them on the one line... Thanks for that.
>
> > > BTW, would it be possible to specify ports also?
> >
> > No. I'm concentrating on meeting the ipsec requirements which don't
> > involve ports.
>
> Is it possible to have this feature in the future?

I think that this should come in the form of an SNAT rule in the rules file rather than a hack to the masq file. Maybe some day...

-Tom