I know this is a FAQ and that it's been discussed much before, I'm just looking for a few key things.

I need to set up our gateway so that traffic FROM a range of IPs is sent out, masqueraded, via a new cable connection.

I'm running 2.6.9.

Am I going to require any of the CONNMARK patches or other patches from http://www.ssi.bg/~ja/#routes? I'm really not sure from reading docs/posts.

Thanks,

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/
On Wednesday 29 June 2005 at 15:02 +0000, Adam Sherman wrote:
> http://www.ssi.bg/~ja/#routes

It looks like these patches have the features I thought already existed in the kernel... I am using a recent Debian net install - will these patches help me extend features on this?

TIA
Tony
2005/6/29, Adam Sherman <adam@sherman.ca>:
> I know this is a FAQ and that it's been discussed much before, I'm just
> looking for a few key things.
> I need to set up our gateway so that traffic FROM a range of IPs is sent
> out, masqueraded, via a new cable connection.
> I'm running 2.6.9.
>
> Am I going to require any of the CONNMARK patches or other patches from
> http://www.ssi.bg/~ja/#routes? I'm really not sure from reading
> docs/posts.
> Thanks,
>
> A.
>
> --
> Adam Sherman
> Technologist
> http://www.sherman.ca/

Adam: if you RTFM you will find a new Shorewall feature to do what you want, and it's simple and completely documented here:

http://www.shorewall.net/Shorewall_and_Routing.html#id2452708

Just install Shorewall 2.4 and read the URL above.

-- 
Cristian Rodriguez.
"for DVDs in Linux screw the MPAA and ; do dig $DVDs.z.zoy.org ; done | \
perl -ne 's/\.//g; print pack("H224",$1) if(/^x([^z]*)/)' | gunzip"
Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
> if you RTFM you will find a new Shorewall feature to do what you
> want, and it's simple and completely documented here:
>
> http://www.shorewall.net/Shorewall_and_Routing.html#id2452708
>
> just install Shorewall 2.4 and read the URL above.

Thank you very much! I will look at this and see if it meets my needs.

Thanks again,

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/
Adam Sherman <adam@sherman.ca> wrote:
> Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
>> if you RTFM you will find a new Shorewall feature to do what you
>> want, and it's simple and completely documented here:
>>
>> http://www.shorewall.net/Shorewall_and_Routing.html#id2452708
>>
>> just install Shorewall 2.4 and read the URL above.
>
> Thank you very much! I will look at this and see if it meets my needs.

That looks terrific, I upgraded to 2.4 without incident. Now to figure out which kernel patches I need...

I'm going to run 2.6.11 from the Debian "kernel-source" package. Looks like CONNMARK/connmatch are now mainline but the IPsec policy stuff isn't.

Also:

"As of this writing, the Netfilter+ipsec and policy match support are broken when used with a bridge device. The problem has been reported to the responsible Netfilter developer who has confirmed the problem."

What exactly does this mean for me? My IPsec goes out through a straight Ethernet interface but my router also has a bridge device for OpenVPN purposes.

Thanks,

A.

-- 
Adam Sherman
Technologist
http://www.sherman.ca/
> Adam Sherman <adam@sherman.ca> wrote:
>> Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
>>> if you RTFM you will find a new Shorewall feature to do what you
>>> want, and it's simple and completely documented here:
>>>
>>> http://www.shorewall.net/Shorewall_and_Routing.html#id2452708
>>>
>>> just install Shorewall 2.4 and read the URL above.
>>
>> Thank you very much! I will look at this and see if it meets my needs.
>
> That looks terrific, I upgraded to 2.4 without incident. Now to figure
> out which kernel patches I need...
> I'm going to run 2.6.11 from the Debian "kernel-source" package. Looks like
> CONNMARK/connmatch are now mainline but the IPsec policy stuff isn't.
> Also:
> "As of this writing, the Netfilter+ipsec and policy match support are
> broken when used with a bridge device. The problem has been reported to
> the responsible Netfilter developer who has confirmed the problem."
> What exactly does this mean for me? My IPsec goes out through a straight
> Ethernet interface but my router also has a bridge device for OpenVPN
> purposes.
> Thanks,
>
> A.

I think you should be fine with just the Netfilter+ipsec. Your firewall is the endpoint for the VPN? I can't say you wouldn't have issues with the bridge, but if you don't have any services that are accessible on the bridge interface, it should work fine.

Jerry
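The setup asked about in the first message (one source range sent out a new uplink, masqueraded) and the CONNMARK question raised after the upgrade, as an added example that is not part of the thread and not Shorewall's own code: the raw ip/iptables commands that a Shorewall 2.4 providers/tcrules/masq configuration boils down to, with the connection-tracking part kept separate so it is visible which piece actually needs the CONNMARK target and match. Interface names, addresses, the table number and the mark value are assumptions for illustration; with DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Source-based policy routing plus masquerading on a second uplink, written
# out as the ip/iptables commands that Shorewall generates from its
# providers, tcrules and masq files.  All names and addresses below are
# assumptions, not values from the thread.
#
#   1. private routing table + "from <range>" rule : no marks, no CONNMARK
#   2. MASQUERADE on the new interface
#   3. optional "track": CONNMARK so that replies to connections that
#      *arrived* on the new link leave by it again.  This is the only part
#      that needs the CONNMARK target/match in kernel and iptables.

LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SRC_RANGE="${SRC_RANGE:-192.168.1.128/25}"  # hosts to send out the new link
NEW_IF="${NEW_IF:-eth2}"                    # the new cable connection
NEW_GW="${NEW_GW:-203.0.113.1}"             # its gateway (RFC 5737 example address)
TABLE="${TABLE:-2}"                         # routing table for the new link
MARK="${MARK:-2}"                           # fwmark for tracked connections
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = execute as root

# Print the command (dry run) or execute it; every function below builds
# its commands through this so the sequence can be inspected offline.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. A table that defaults via the new gateway but still reaches the LAN
#    directly (Shorewall's COPY column does this), selected by source.
new_link_table() {
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$NEW_GW" dev "$NEW_IF" table "$TABLE"
}
source_rule() {
    run ip rule add from "$SRC_RANGE" table "$TABLE" priority 1000
}

# 2. Masquerade whatever leaves by the new link behind its address.
masq_rules() {
    run iptables -t nat -A POSTROUTING -o "$NEW_IF" -j MASQUERADE
}

# 3. Reverse case: a connection entering on the new link gets a mark saved
#    in its conntrack entry; later packets of that connection (forwarded
#    from the LAN, or the firewall's own replies in OUTPUT) get the mark
#    restored and the fwmark rule routes them back out the new link.
track_rules() {
    run iptables -t mangle -A PREROUTING -i "$NEW_IF" -m state --state NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$NEW_IF" -m state --state NEW -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING ! -i "$NEW_IF" -m connmark ! --mark 0 -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark
    run ip rule add fwmark "$MARK" table "$TABLE" priority 999
    # Caveat: with two uplinks, strict reverse-path filtering on the new
    # interface can drop packets whose reply would not leave by that
    # interface under the main table.  Check this before leaving rp_filter=1.
    run sysctl -w "net.ipv4.conf.$NEW_IF.rp_filter=0"
}

apply_all() {
    new_link_table
    source_rule
    masq_rules
    track_rules
    run ip route flush cache   # 2.6 kernels cache routing decisions
}

apply_all
```

Steps 1 and 2 alone answer the original question: a `from <range>` rule needs no packet marks, so no CONNMARK support is involved. Step 3 is what Shorewall's `track` option on a provider adds, and it is the part that depends on the CONNMARK target and match being present (mainline in the 2.6.11 mentioned later in the thread). The iptables negation syntax shown is the current `! -i` form; older 1.2.x binaries wrote it as `-i ! eth2`.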