Linux.com

firewall

Posted by: Anonymous Coward on December 14, 2005 12:58 AM
Nice article !

By the way, let's introduce a new 3.8 feature that can simplify the firewall a bit.
You can make use of the new "interface groups" feature, for instance the (automatically assigned/updated) "egress" and "tun" groups:
For instance
<tt>nat on egress from !(egress) -> (egress)</tt>
will do what you want, even if you change your connection type (the egress group will be refreshed if the default route changes). And no need for a macro here.

Also, the use of the "tcp_flags" macro is a bit ... useless here ;)

Still about the firewall, I'd be kind to allow ICMP traffic to pass in. Or at least, don't kill PMTU (path MTU discovery), or else you may experience congestion problems.

A missing piece of info is that you need to allow IP forwarding:
<tt># sysctl net.inet.ip.forwarding=1
# echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf</tt>
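
As an added example, not part of the comment above nor of the article it replies to: a complete pf.conf for an OpenBSD 3.8 wireless access point that puts the three points of the comment together (NAT via the egress interface group, ICMP passed so path MTU discovery survives, and forwarding left to sysctl). The wireless interface name (ath0), the OpenVPN port (1194) and the decision to trust everything arriving through the tun group are assumptions made for the example.

```pf
# /etc/pf.conf for an OpenBSD 3.8 wireless AP (added example; the interface
# name, the OpenVPN port and the tun trust model are assumptions, not
# taken from the article)
wlan = "ath0"           # assumed wireless interface facing the clients
ovpn_port = "1194"      # assumed OpenVPN listening port

# "egress" and "tun" are interface groups maintained by the kernel:
# egress = interface(s) carrying the default route, tun = all tun(4)
# devices. No uplink macro is needed and a changed default route is
# picked up without editing this file.

pass quick on lo0 all
scrub in all

# Masquerade everything leaving via the default route. The first
# "(egress)" names the interface group, the second is the group's
# address in parentheses so pf re-reads it whenever the address
# changes (DHCP lease, PPPoE reconnect ...).
nat on egress from !(egress) -> (egress)

block log all
antispoof quick for $wlan

# Wireless clients may only reach the AP itself, and only for DHCP and
# the OpenVPN port: an associated but unauthenticated station gets
# nothing beyond the VPN handshake.
pass in quick on $wlan inet proto udp from any port 68 to any port 67
pass in quick on $wlan inet proto udp from $wlan:network to ($wlan) port $ovpn_port keep state

# Traffic that made it through the VPN tunnel is trusted and NATed out.
pass in on tun keep state
pass out on egress keep state

# ICMP: echo requests for reachability checks, and "fragmentation
# needed" errors so path MTU discovery keeps working across the tunnel.
# Without needfrag, oversized TCP segments are silently dropped and
# connections stall instead of shrinking their MSS.
pass in inet proto icmp all icmp-type echoreq keep state
pass in inet proto icmp all icmp-type unreach code needfrag

# Forwarding is a sysctl, not a pf setting:
#   # sysctl net.inet.ip.forwarding=1
#   # echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
# Check the syntax before loading:  pfctl -nf /etc/pf.conf
```

Load it with <tt>pfctl -f /etc/pf.conf</tt> only after <tt>pfctl -nf</tt> parses it cleanly; the 3.8 rule set still needs an explicit <tt>keep state</tt> on each pass rule, since stateful filtering by default only arrived in later releases.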


Return to Creating secure wireless access points with OpenBSD and OpenVPN