[Shorewall-users] Problem with ICMP Redirect

Tom Eastep teastep at shorewall.net
Tue Jun 17 21:21:20 PDT 2003


On Wed, 18 Jun 2003, Martin Chan wrote:

> Yes, it works.
> But can we use it only on one interface? I'm worried that it will affect
> the security on my firewall from the Internet side.
>

If it was available on an interface basis, I would have recommended that
approach to you. Any routing scheme that sends packets out the same
interface that they came in on is braindead in my opinion; if that's
what you want to do, setting NEWNOTSYN=Yes is the price you pay if you
want to use Shorewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep at shorewall.net

