* Kaiser, Hans;
Well it can do the routing if you set the following to yes:

    # Do you want to allow routing between interfaces of the same class
    # (e.g. between all internet interfaces, or all internal network
    # interfaces) by default (so without the need of setting up FW_FORWARD
    # definitions)?
    #
    # Choice: "yes" or "no", defaults to "no"
    #
    FW_ALLOW_CLASS_ROUTING="no"
Hello,

thanks for the answers! Are there any security concerns with setting FW_ALLOW_CLASS_ROUTING="yes"?
Not that I see (note that this does not mean it does not exist), since it only allows routing of the packets between the same class, meaning if you have two devices for FW_DEV_INT then the routing between these two is allowed. If you look at the script (around line 1595):

    test "$FW_ALLOW_CLASS_ROUTING" = yes && {
        for DEV1 in $FW_DEV_INT; do
            for DEV2 in $FW_DEV_INT; do
                test "$DEV1" = "$DEV2" || {
                    $LAA $IPTABLES -A forward_int -j LOG ${LOG}"-ACCEPT-CLASS " -i $DEV1 -o $DEV2
                    $IPTABLES -A forward_int -j "$ACCEPT" -i $DEV1 -o $DEV2
                }
            done
    ....

It checks for FW_DEV_DMZ and FW_DEV_EXT also, to see if there is more than one device.

Your other alternative is to define FW_FORWARD, where you can define which ports are allowed to be forwarded to the other network.

Hope this helps

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
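To see exactly which interface pairs an enabled FW_ALLOW_CLASS_ROUTING opens up, here is an added dry-run emulation of the loop quoted in the answer above; it is not SuSEfirewall2's own code. It assumes a recording function in place of the iptables binary, and the LAA, LOG and ACCEPT values are placeholders standing in for whatever the real script sets.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code): emulate the FW_ALLOW_CLASS_ROUTING
# loop in dry-run mode so the resulting forward_int rules can be reviewed
# before the option is switched on. Nothing here touches the live firewall.
# Assumptions: $IPTABLES is a recording function, LAA/LOG/ACCEPT are placeholders.

ACCEPT="ACCEPT"
LOG="--log-prefix"   # placeholder for the script's own log-option variable
LAA=""               # placeholder; empty means the LOG rule is emitted too

# Record every would-be iptables invocation, one per line, in RULES.
RULES=""
IPTABLES=record_rule
record_rule() {
    RULES="${RULES}iptables $*
"
}

# Same structure as the quoted loop: for a chain and a device class list,
# emit a LOG and an unconditional ACCEPT for every ordered pair of distinct
# devices (all ports, all protocols), and print the recorded rules.
class_routing_rules() {
    chain="$1"; shift
    devs="$*"
    RULES=""
    for DEV1 in $devs; do
        for DEV2 in $devs; do
            test "$DEV1" = "$DEV2" || {
                $LAA $IPTABLES -A "$chain" -j LOG "$LOG" "SFW2-ACCEPT-CLASS" -i "$DEV1" -o "$DEV2"
                $IPTABLES -A "$chain" -j "$ACCEPT" -i "$DEV1" -o "$DEV2"
            }
        done
    done
    printf '%s' "$RULES"
}

# Number of ACCEPT rules a class of n devices produces: n*(n-1).
count_accept_rules() {
    class_routing_rules "$@" | grep -c -- "-j ACCEPT" || true
}

# Constructed sample: three internal interfaces, so six directed pairs are opened.
class_routing_rules forward_int eth1 eth2 eth3
```

Compare the output with what a port-scoped FW_FORWARD entry would permit: class routing accepts everything between the listed interfaces, which is the trade-off the question is asking about.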