OK, I recently installed a DSL line this past week, and instead of having a
cable modem with a single IP address, I now had a small subnet. Wanting to
put those new IP addresses BEHIND the SuSE box as a firewall (and yet still
have some IP Masquerading available for any OTHER machines that didn't need
real IPs), I set out to make it happen. yast turned out to be exactly the
WRONG way to go, and I think it can be easily fixed, although I am not a
programmer. Some of these are issues both of feature improvements (the
suggestions part) and how yast currently handles the inputs I'm talking
about (the bugs part). yast tends to silently ignore or mishandle data
that it is not prepared to deal with, which is definitely a Very Bad Thing. :)
Four suggestions:
1.) Allow host-routes on network interfaces in yast:
YaST (updated version for 6.2) will not allow a host-route to be specified
on a particular ethernet interface.
For example:
Int   IP             Netmask          Gateway
eth0  192.168.1.2    255.255.255.255  192.168.1.1
eth1  192.168.1.129  255.255.255.128
A host-route out eth0 allows the SuSE box to behave as a firewall via a
crossover cable to an upstream router (for example a DSL router).
Any time I enter that netmask, YaST silently (and this is my bigger
complaint) decides that it knows what is best and changes it to a /24
(255.255.255.0) netmask without telling me.
I finally had to change rc.config and /etc/route.conf to manually input the
right data, and resign myself to NOT running yast, lest it mess it up again. :)
Now admittedly, what I'm REALLY doing is even more ugly than what is above,
but what I am doing would have been made easier if yast would accept
host-routes out an ethN interface...
What I am doing right now looks similar to (using real addresses though and
not these RFC1918 ones):
eth0  192.168.1.2  255.255.255.255  192.168.1.1
eth1  192.168.1.2  255.255.255.248
and then eth0 ARPs for .[3..6], and eth1 ARPs for .1
This allows me to use my SuSE box as a firewall between my DSL router (.1)
and the rest of the /29 I am assigned by my DSL provider. Each side "sees"
the rest of the subnet as though it were on the same segment.
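To make the host-route/proxy-ARP layout above concrete, here is an added example (not part of the original post) that models the two interface tables with Python's ipaddress module, derives the routes the kernel would install, and works out which addresses each interface must answer ARP for. It also applies the same check to the /24 netmask YaST silently substitutes, to show why that rewrite breaks the setup. The interface names, the RFC1918 addresses and the rule that a host route is added only for a gateway not covered by the interface's own subnet are assumptions for illustration.

```python
import ipaddress

# Constructed sample: the intended layout from the post, using its RFC1918
# placeholder addresses (the box carries the same address on both sides).
INTENDED = [
    # (interface, address, netmask, gateway or None)
    ("eth0", "192.168.1.2", "255.255.255.255", "192.168.1.1"),
    ("eth1", "192.168.1.2", "255.255.255.248", None),
]

# Constructed sample: what the post says YaST does, i.e. the /32 rewritten
# to a /24 without telling the user.
REWRITTEN = [
    ("eth0", "192.168.1.2", "255.255.255.0", "192.168.1.1"),
    ("eth1", "192.168.1.2", "255.255.255.248", None),
]


def routing_table(ifaces):
    """Derive the connected routes each interface yields, plus a host route
    to a gateway that is NOT already inside its interface's subnet (assumed
    rule: that is what a /32 interface with a gateway needs to work)."""
    routes = []
    for name, addr, mask, gw in ifaces:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        routes.append((net, name))
        if gw is not None and ipaddress.ip_address(gw) not in net:
            routes.append((ipaddress.ip_network(f"{gw}/32"), name))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    d = ipaddress.ip_address(dst)
    best = max((r for r in routes if d in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def proxy_arp_plan(ifaces):
    """For each interface, the addresses it must answer ARP for: every host
    of the combined address space that the box itself routes out a DIFFERENT
    interface. Own addresses are excluded."""
    routes = routing_table(ifaces)
    own = {ipaddress.ip_address(addr) for _, addr, _, _ in ifaces}
    candidates = set()
    for net, _ in routes:
        if net.prefixlen < 32:
            candidates.update(net.hosts())
    candidates -= own
    plan = {}
    for name, _, _, _ in ifaces:
        plan[name] = [str(a) for a in sorted(candidates)
                      if lookup(routes, a) != name]
    return plan


def gateway_reachable_upstream(ifaces):
    """True when the default gateway is reached out the interface that
    actually carries it (the first interface listing a gateway)."""
    routes = routing_table(ifaces)
    for name, _, _, gw in ifaces:
        if gw is not None:
            return lookup(routes, gw) == name
    return False


if __name__ == "__main__":
    for label, cfg in (("intended", INTENDED), ("yast /24 rewrite", REWRITTEN)):
        print(label, "-> gateway via correct interface:",
              gateway_reachable_upstream(cfg))
        for ifname, addrs in proxy_arp_plan(cfg).items():
            print("  ", ifname, "proxy-ARPs for", addrs[:6],
                  "..." if len(addrs) > 6 else "")
```

With the intended table the gateway .1 is reached out eth0 via the /32 host route, eth0 answers for .3 through .6 and eth1 answers for .1, exactly the split the post describes. With the /24 on eth0 the gateway falls inside eth0's connected subnet, so no host route is added, the /29 on eth1 wins the longest-prefix match for .1, and the box would try to reach its upstream router through the inside interface.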
2.) Allow for Proxy ARP table additions to be added within yast.
It would be wonderful if I could drill down into an interface defined in
yast and say "oh yeah, add proxy ARP entries for <ip1>, <ip2>, and/or