[Discuss] firewalld rant

[dsr at randomstring.org (Dan Ritter)]

Dale R. Worley wrote: 
> > From: Matthew Gillen <me at mattgillen.net>
> > Subject: [Discuss] firewalld rant
> ...
> > Side note in ambiguous documentation: check out the "masquerade" option
> > https://firewalld.org/documentation/man-pages/firewalld.zone.html :
> >   ..."If it's present masquerading is enabled."
> > no indication of which interface it should be set on (the internal or
> > external; the answer is you set that option on the interface you want to
> > masquerade /out/ of).
> ...
> 
> I know nothing about firewalld, but I've noticed over the years that
> documentation of how to configure/use software packages comes in two
> varieties:
> 
> 1) documentation that explains clearly and explicitly the consequences
> of what one does
> 
> 2) the vast majority of documention, which gives general descriptions of
> the conseuqences of various actions, but presupposes you have telepathic
> knowledge of a larger structure which contains most of the details
> 
> As in the above example, when you set masquerading on interface X,
> *which* packets coming from *which* interfaces are masqueraded *how*
> going out *which* interface?

This is consistent on all NAT systems: masquerading refers to changing
the source address for forwarding packets exiting a system for their
next destination. It applies on an outgoing interface, and
without further elaboration, to all matching packets going out
from that interface.

To *not* masquerade certain outbound packets based on the
interface that they were received from would be additional
configuration.

-dsr-