Assume we have no control over the services -- they pick any old IP (and
I assure you, they do, this isn't just academic) from that public-facing
IP physical interface and start using ephemeral ports, which then can
conflict with RPC or whatever for the SNAT/DNAT host that the IP is
supposed to exclusively support.
Furthermore, let's say that an upstream firewall counts packets from
source/destination IPs for the purposes of auditing traffic. By a local
service on the GNU/Linux firewall using these IPs that they are not
supposed to, it creates the false illusion that the host for which the
IP is supposed to be exclusively used for is sending/receiving traffic.
If we had such upstream filtering going on, this could even
permit/deny traffic unintended from policy.
There might be some other unintended consequences that I've not thought
of. Either way, it just seems wrong that there isn't a way to do this
if GNU/Linux is going intended to be used as a modern fully featureless
firewall that can perform NAT/PAT.
M**** K**** wrote:
Hello,
The problem with this is that the firewall itself runs some services
and they have the potential to use these secondary IPs as their
...
It seems like using these secondary addresses is not the right thing to
do.
One non-invasive approach is to launch local services on firewall box
specifying bind address (0.0.0.0 is default and binds to all
addressess).
Method mentioned by Tore Anderson is the cleanest way out, but you'd
have to persuade your upstream provider to route a subnet of public IPs
throu your firewall box. This way you wouldn't have to assing secondary
addresses for SNAT/DNAT to work.
Cheers,
--
# Jesse Molina
# Mail = jesse@xxxxxxxxxxxxxx
# Page = page-jesse@xxxxxxxxxxxxxx
# Cell = 1.602.323.7608
# Web = http://www.opendreams.net/jesse/
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
