Bastian Kleineidam wrote:

Hi,

I cannot reproduce this with a default config. Both zone.int and
zone.tun are enabled with the following rule:
SNAT[0]="EXT ALL 0.0.0.0/0=>0.0.0.0/0"

Now looking at the result:
$ iptables -t nat -nvL
Chain POSTROUTING_NAT_EXT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       172.20.0.0/16        0.0.0.0/0

As you see, both nat rules are restricted to the zone subnets.
Perhaps you have DYNAMIC=1 in one of your zone.xxx files? This would
have the effect you described. But DYNAMIC=1 is not necessary in
zone.{int,tun}.

I have dynamic set to 1 in zone.tun (for OpenVPN).

Laurent
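A small audit of the point Bastian makes above, that the generated MASQUERADE rules should stay scoped to the zone subnets: this is an added example, not code from the thread or from the firewall package, and the iptables output it parses is a constructed sample in which a third, unrestricted rule has been added.

```python
import ipaddress
import re

# Constructed sample of `iptables -t nat -nvL` output (not the real output
# from the thread): the first two MASQUERADE rules are scoped to the zone
# subnets, the third matches any source, which is the broad behaviour the
# thread attributes to a zone with DYNAMIC=1.
SAMPLE_OUTPUT = """\
Chain POSTROUTING_NAT_EXT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       172.20.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# One rule line of the -nvL listing; pkts/bytes may carry a K/M/G suffix.
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+[KMG]?)\s+(?P<bytes>\d+[KMG]?)\s+(?P<target>\S+)\s+"
    r"(?P<prot>\S+)\s+(?P<opt>\S+)\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)"
)


def parse_nat_table(text):
    """Yield (chain_name, rule_fields) for every rule line in the listing."""
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE_RE.match(line)
        if m and chain:
            yield chain, m.groupdict()


def unrestricted_masquerade(text, zone_subnets):
    """Return (chain, source) for MASQUERADE rules whose source is not
    contained in one of the expected zone subnets."""
    allowed = [ipaddress.ip_network(n) for n in zone_subnets]
    findings = []
    for chain, rule in parse_nat_table(text):
        if rule["target"] != "MASQUERADE":
            continue
        src = ipaddress.ip_network(rule["src"])  # a bare host parses as /32
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            findings.append((chain, rule["src"]))
    return findings


if __name__ == "__main__":
    for chain, src in unrestricted_masquerade(SAMPLE_OUTPUT, ["192.168.1.0/24", "172.20.0.0/16"]):
        print(f"{chain}: MASQUERADE source {src} is not limited to a zone subnet")
```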

