From: Jonathan Goldblatt
Subject: Re: diald slow to be useful...
Date: 30 May 2002 14:24:23 -0400
Sender: linux-diald-owner@vger.kernel.org
References: <20020509220952.A587@raw-sewage.net> <3CDBFAEF.8010402@purplet.demon.co.uk> <20020517185000.A4516@raw-sewage.net> <3CF49AB9.6080608@purplet.demon.co.uk> <20020529061814.A21733@raw-sewage.net> <3CF60FE6.2030504@purplet.demon.co.uk>
Mime-Version: 1.0
In-Reply-To: <3CF60FE6.2030504@purplet.demon.co.uk>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Mike Jagdis
Cc: Matt Garman, linux-diald@vger.kernel.org

Mike Jagdis writes:

> 3. Hacker voodoo :-). If you know what you are doing you can
> change your firewall set up so that it *doesn't* masquerade
> traffic sent to diald's proxy interface. How you do that depends
> on whether you use ipchains (-i ! sl+) or iptables (-o ! sl+),
> and how your distribution does firewall config. In dynamic
> (or sticky) mode diald forwards buffered packets back in to
> the kernel via the proxy rather than straight out on the
> real link. So the kernel first routes the packet to diald
> *without* masquerading it, diald brings the link up and
> sends the packet back to the kernel, which then routes
> it to the link and *does* masquerade it - with the correct
> address! This should work for all connections even if you
> get a different address every time. But you're probably
> going to have to understand firewalling, read man pages,
> and edit shell scripts to do it[*].
>
> Mike
>
> [*] If anyone does this *please* let us know what you needed
> to change!

In the script where I turned on IP masquerading with:

    # Do masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A forward -j MASQ

I changed it to:

    # Do masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /sbin/ipchains -A forward -i ! sl+ -j MASQ
    /sbin/ipchains -P forward ACCEPT

The last line was because I set all the policies to DENY when I started the script for safety.

Took the time to make sure that the problem was duplicated on my setup. Your suggestion works like a charm. Hope this is helpful.

Wondering whether 2.0 is a redesign or somesuch, what the TODOs might be, what goes into making a release, etc.
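As an added illustration (not code from this thread or from diald), here is a small Python model of the ipchains forward chain that shows why `-i ! sl+` leaves the first pass through diald's proxy un-masqueraded and masquerades only the second pass out of the real link. The interface names, addresses and the packet are constructed for the example.

```python
# Added illustration, not code from the diald thread: a toy model of the
# ipchains forward chain showing why `-i ! sl+` leaves the first pass
# through diald's proxy un-masqueraded.  Addresses and names are constructed.

# Constructed addresses: diald's proxy interface (sl0) and the real link (ppp0)
ADDRS = {"sl0": "10.0.0.1", "ppp0": "198.51.100.7"}

def iface_matches(pattern, iface):
    """ipchains interface match: a trailing '+' is a name-prefix wildcard."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def forward_chain(rules, out_iface, src):
    """Walk the forward chain for a packet leaving on out_iface.
    rules: list of (iface_pattern or None, negate, target).  In the forward
    chain `-i` names the outgoing interface; MASQ rewrites the source to
    that interface's address.  No match -> policy ACCEPT, source unchanged."""
    for pattern, negate, target in rules:
        hit = True if pattern is None else iface_matches(pattern, out_iface)
        if negate:
            hit = not hit
        if hit and target == "MASQ":
            return ADDRS[out_iface]
    return src

def diald_round_trip(rules, lan_src="192.168.1.23"):
    """Pass 1: the kernel routes the packet to diald's proxy (sl0).
    Pass 2: diald brings the link up and hands it back, so it now leaves
    on ppp0.  Returns the source address seen after each pass."""
    after_proxy = forward_chain(rules, "sl0", lan_src)
    after_link = forward_chain(rules, "ppp0", after_proxy)
    return after_proxy, after_link

# /sbin/ipchains -A forward -j MASQ
ORIGINAL = [(None, False, "MASQ")]
# /sbin/ipchains -A forward -i ! sl+ -j MASQ
FIXED = [("sl+", True, "MASQ")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, diald_round_trip(rules))
```

With the original rule the packet is already rewritten to the proxy's address on the first pass; with the fixed rule it reaches diald untouched and is masqueraded once, on ppp0, with the link's real address.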