All, I'm sorry I sutured up the hornets nest by asking the question here. At no point did I mention using NAT on the vmware interface so I'm not quite sure how the discussion sparked up. Just to clarify what I was doing, I have a /29 ip address block from my ISP (publicly routable, registered with Ripe, with my surname spelt wrong!). What I was trying to do was run a vmware bridge on an interface so that I could keep the zones config file down to interface level rather than nested with subnets, but either vmware or linux would stop routing packets to the virtual machines when the media state of the interface dropped. I've got it working for now with a cheap hub but I'll either buy an ethernet loopback jack (http://www.thinkgeek.com/gadgets/tools/6c20/) or knock one up. I've found them in the US but anybody know where to get them in the UK?

Si

> Date: Fri, 8 Jun 2007 15:20:56 -0400
> From: cozzi@cozziconsulting.com
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] General Linux Networking FOR NOVICES
>
> Simon Hobson wrote:
>
>> What's the difference, security wise between :
>> DNAT net loc:a.b.c.d
>> and
>> ALLOW net loc:a.b.c.d
>> assuming you have a default policy net->loc of drop ?
>
> Simon,
>
> It's a huge difference. RFC 1918 packets are not routable. Thus, even if your firewall drop rule failed, the chance of easy NAT traversal is pretty slim if the admin of the gateway machine has been smart about what services are exposed.
>
> You do not have that advantage if you are firewalling a LAN comprised of routable IPs.
>
> --
> Michael Cozzi
> cozi@cozziconsulting.com

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
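As an added illustration of the ACCEPT-versus-DNAT distinction discussed in the quoted exchange (this is a constructed example, not from the thread and not Shorewall project documentation): a Shorewall `policy` and `rules` fragment with the net->loc DROP policy Simon asks about, exposing one service to a host on a routable block (the question's ALLOW, written as ACCEPT, Shorewall's action name) and the same service to a host on an RFC 1918 block (DNAT). The addresses are constructed from documentation and private ranges.

```conf
# /etc/shorewall/policy  (constructed example)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  (constructed example)
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)

# Host on a routable /29 behind the firewall (constructed TEST-NET-2
# address). Only the DROP policy and this port restriction stand
# between the Internet and the host: if the rule is broken or missing,
# every port on the host is reachable directly, so expose one port only.
ACCEPT    net      loc:198.51.100.10    tcp     443

# RFC 1918 host: the Internet cannot route to 192.168.1.10 at all, so
# even if the DROP policy were lost, only traffic this DNAT rule rewrites
# (TCP 443 arriving at the firewall's external address) ever reaches it.
DNAT      net      loc:192.168.1.10     tcp     443
```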
Simon Hobson
2007-Jun-08 20:41 UTC
Re: Loopback Jack (Was: General Linux Networking FOR NOVICES)
Simon Purdy wrote:

> I've got it working for now with a cheap hub but I'll either buy an
> ethernet loopback jack (http://www.thinkgeek.com/gadgets/tools/6c20/)
> or knock one up.
>
> I've found them in the US but anybody know where to get them in the UK?

I assume it simply links the 1-2 pair with the 3-6 pair - hence anything you connect it to will see its own link pulses and bring up the interface. You can knock this up very quickly if you have a crimp tool and a spare connector (or know someone who does). However, I can't help wondering what this will do if you plug it into a switch - I've seen a network come to a grinding halt when it's had a loop on it and the broadcast packets just multiply until they reach the physical capacity of the network. Actually I've seen it twice, at the same customer, on the same switch, probably with the same 'spare' cable !