[Firehol-support] Re: Masquerading happening on simple router?

Carlos Rodrigues carlos.efr at mail.telepac.pt
Fri Oct 14 17:23:13 BST 2005

Hi again!

Ok, I finally figured it out...

I have other router blocks with "masquerade" and after close inspection 
with "iptables -t nat --list" I noticed that they were being applied to 
the "router" blocks mentioned below. Adding a "src ${attached_network}" 
to the "masquerade" commands solved the matter.

I guess this is caused by the fact that this machine has only two _real_ 
ethernet interfaces, with the other ones being VLANs over one of them.

I guess this was the problem (as mentioned in 

  «The masquerade helper sets up masquerading on the output of a network 
interface (not the interface command, but a real network interface).»

BTW, on another note, even on an Athlon 1800+, with my rules FireHOL 
takes some 20 seconds to start (much better than the 1.5 minutes it 
takes on my home Pentium 133 gateway :)).

Startup time isn't that important (and is certainly irrelevant compared 
to the "amazingness" of FireHOL), but I was wondering if there are any 
plans (although not for the near future) to speed things up by maybe 
recoding some internals in C or some other faster-than-bash-scripting 

    Carlos Rodrigues

Carlos Rodrigues wrote:
> Hi!
> I have the following definitions in my firehol.conf:
> router world-to-dmz \
>         inface ${world_iface} outface ${dmz_iface}
>         protection strong
>         route all accept
> router dmz-to-world \
>         inface ${dmz_iface} outface ${world_iface}
>         protection strong
>         route all accept
> As can be seen, there is no masquerading configured between "world" and 
> "dmz". However, machines in the DMZ (which have public addresses) see 
> all connections from the internet as coming from the firewall. Outside 
> machines with incoming connections from machines in the DMZ also show 
> the same thing.
> I have both interfaces "world" and "dmz" with the same IP address, 
> configured with proxy-arp, but that shouldn't be the cause of this, AFAIK.
> Has anyone got any idea what's happening here?

More information about the Firehol-support mailing list