Hi John,
John A. Sullivan III wrote:
> On Tue, 2005-02-22 at 16:18 +0800, Ming-Ching Tiew wrote:
>>> I would like to find a way to do this with the CyberGuard devices. I do not have the option of installing a UDP helper so I have to do this with iptables or iproute.
>> Trying to understand your problem :-
>> Why is the option of installing a UDP helper out? Is it because
>> you can't compile C programs and install any program on these cyberguard devices? And you can only write scripts?
> <snip>
> Yes, exactly. They are very small footprint appliances running uClinux and I would not want to void any warranties by cross compiling and adding binaries to the image.
> Thanks for such a quick response - John
Customizing the firmware won't void the warranty per se. The problem is that our support processes cannot handle units with custom firmware in them, so if you have a problem with the unit, we require that you reinstall the standard firmware before contacting support.
So adding a UDP helper isn't too hard if you don't mind cross compiling it and recreating the firmware image. If you want to go this route, then you can find the source code on www.snapgear.org.
Alternatively, we currently only ship Linux 2.4 firmware, so you could use the stateless NAT in the ip route command. Unfortunately we've only enabled this for the high-end units, thinking very few people would have a use for it when we already have iptables NAT. So again, you may have to build your firmware image.
It's probably possible to write an iptables mangle target to perform stateless NAT, but it doesn't exist yet that I am aware of.
-- Philip Craig - SnapGear, A CyberGuard Company - http://www.SnapGear.com