Robert Nichols wrote:
| Claude Jones wrote:
|| So, my questions: Is this a product of my imperfect reading of
|| the manual, an instance of wrong documentation, a bit of both?
|| By using MASQUERADE and not SNAT, have I exposed my box to any
|| mischief?
|
| MASQUERADE is just a special form of SNAT that automatically
| picks up the external IP address from the outgoing interface.
| For SNAT, you have to supply the --to-source address, and
| making that match a dynamically assigned IP address would be a problem.
| MASQUERADE also has the effect that the connection is forgotten
| when the interface goes down, whereas SNAT tracking information
| would remain. That makes MASQUERADE preferable if you are
| likely to get a different IP address each time you connect.
| The old connection is lost anyway, so there's no point in
| keeping the tracking entry.
|
| While the connection is established, MASQUERADE and SNAT behave
| the same.

OK - that makes sense. So, it sounds like I still need to troubleshoot my SNAT rule. From what you're saying, it doesn't sound like I've opened any vulnerabilities, though. My SNAT rule did have the --to-source entry, but I guess I need to take a look at that syntax again. Thanks.

Claude Jones
Levit & James, Inc./WTVS
Leesburg, VA, USA
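The two POSTROUTING rule forms Robert describes, written out as an added example that is not from either poster: a small helper that emits the MASQUERADE rule for a dynamically addressed uplink and the SNAT rule with its mandatory --to-source, refusing SNAT when no address is supplied. The interface names and the address 203.0.113.7 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the nat-table POSTROUTING rule
# for either NAT style. ppp0/eth0 and 203.0.113.7 are constructed values.
#
# SNAT needs a fixed --to-source; on an uplink with a dynamic address use
# MASQUERADE, which takes the address from the interface itself and drops
# its conntrack entries when that interface goes down.
nat_rule() {
    mode="$1"   # "snat" or "masq"
    iface="$2"  # outgoing (external) interface, e.g. ppp0 or eth0
    addr="$3"   # required for snat only
    case "$mode" in
        masq)
            echo "iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE"
            ;;
        snat)
            if [ -z "$addr" ]; then
                echo "snat requires a --to-source address" >&2
                return 1
            fi
            echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $addr"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# Choose SNAT only when the external address is static; otherwise MASQUERADE.
pick_nat_rule() {
    iface="$1"
    static_addr="$2"
    if [ -n "$static_addr" ]; then
        nat_rule snat "$iface" "$static_addr"
    else
        nat_rule masq "$iface"
    fi
}

# To confirm which rule is actually loaded and to watch the tracked
# connections that MASQUERADE discards on link down:
#   iptables -t nat -L POSTROUTING -n -v
#   conntrack -L        (or: cat /proc/net/nf_conntrack)
```

Pipe the emitted rule through sh as root on the gateway; the helper itself only composes the command so it can be reviewed first.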