Mailinglist Archive: opensuse (4294 mails)

Re: [opensuse] Accepting all in the FORWARD chain
  • From: Anders Johansson <andjoh@xxxxxxxxxx>
  • Date: Wed, 13 Dec 2006 19:24:48 +0100
  • Message-id: <200612131924.48397.andjoh@xxxxxxxxxx>
On Wednesday 13 December 2006 08:22, suseuser@xxxxxxxxxxx wrote:
> Nope, I don't need masquerading, the squid box sits before my firewall
> (and has only one NIC). The idea is that the client PCs are default
> routed to the squid box. Outgoing web requests are captured by a
> PREROUTING rule to hand them over to squid. All other traffic
> should just be forwarded to the default route of the squid box,
> which is my firewall.

So let me get this straight. You use the squid box as default gateway for your
internal machines even though it only has one NIC, and then you have the
router as default gateway for the squid.

And you say it drops "some" packages, but not all.

Which packages does it drop?

BTW, I wouldn't have set it up that way, I would have done it on the router,
with a redirect of web traffic to the squid box and a normal masquerading for
everything else.

> I've had this setup on a Mandriva box before so I know it works,
> it's just the antics of SuSEfirewall2 and how to completely allow
> forwarding in it I don't quite grasp.

As far as I know, FW_ROUTE="yes" and your FW_FORWARD rule should be enough.

But I have to say, I've never had much luck with implementing a router with
only one NIC, on any platform. Your squid box is effectively a router, and as
such should have two NICs.
