Hello,

I tried to utilize rules like this:

    DNAT all loc:192.168.1.1 tcp http - 192.168.100.100

but it causes the generation of an "iptables -t nat -A OUTPUT" rule that my Linux does not accept, since the kernel is built without the "CONFIG_IP_NF_NAT_LOCAL" parameter; so "shorewall check" is successful but "shorewall start" produces an iptables error "Invalid argument".

I use SuSE Linux Enterprise Server 9 with the latest updates (SuSE 10 does not have this problem). I cannot recompile the kernel because I want to preserve SuSE support and automatic updates, so I must add a DNAT line for each zone but "$FW".

I suggest inserting in shorewall a new source qualifier for DNAT rules; perhaps could we call it "notfw"? So my rule would be:

    DNAT notfw loc:192.168.1.1 tcp http - 192.168.100.100

and shorewall does not try to generate the local nat iptables rule?

Sorry for my poor English.

Bye
--
-----------------------------------------------------
Paolo Basenghi - Sistemi Informativi
Az. Speciale Farmacie Comunali Riunite
Via Doberdò, 9 - 42100 Reggio Emilia
Tel. +39(0522)543312 - Fax +39(0522)550146
paolo.basenghi@fcr.re.it; www.fcr.re.it; www.saninforma.it; www.futurfarma.it
-----------------------------------------------------
Paolo Basenghi wrote:
> I suggest inserting in shorewall a new source qualifier for DNAT rules;
> perhaps could we call it "notfw"? So my rule would be:
>
> DNAT notfw loc:192.168.1.1 tcp http - 192.168.100.100

I implemented this feature such that "all-" means "All zones except the firewall itself". So your rule would be:

    DNAT all- loc:192.168.1.1 tcp http - 192.168.100.100

Code is in shorewall/trunk/Shorewall in SVN and will be in 3.2.0 Beta 8.

Thank you for your suggestion,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
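To make the difference between "all" and "all-" concrete, here is an added illustrative model (not Shorewall's own code) of how the SOURCE column of a DNAT rule expands into zones and which nat-table chain each zone requires: in netfilter, DNAT of traffic arriving from other hosts is done in PREROUTING, while traffic generated by the firewall itself can only be rewritten in OUTPUT, which is exactly the rule that a kernel without CONFIG_IP_NF_NAT_LOCAL rejects. The zone names and the "fw" name for $FW are constructed assumptions; address and interface qualifiers such as "loc:192.168.1.1" are not modelled.

```python
# Illustrative model, not Shorewall's own code: assumed firewall zone name
# and a constructed zone list for demonstration.
FW = "fw"
ZONES = ["fw", "net", "loc", "dmz"]


def expand_source(source, zones=ZONES, fw=FW):
    """Expand the SOURCE column of a rules entry into concrete zones.

    'all'  -> every zone, including the firewall itself
    'all-' -> every zone except the firewall (the 3.2.0 Beta 8 feature)
    anything else is taken as a single plain zone name
    """
    if source == "all":
        return list(zones)
    if source == "all-":
        return [z for z in zones if z != fw]
    if source not in zones:
        raise ValueError(f"unknown zone {source!r}")
    return [source]


def nat_chains_for_dnat(source, zones=ZONES, fw=FW):
    """Map each expanded zone to the nat-table chain its DNAT rule needs.

    Traffic from another zone is rewritten in PREROUTING; traffic that
    originates on the firewall itself needs OUTPUT, which requires the
    kernel's CONFIG_IP_NF_NAT_LOCAL support.
    """
    return {z: ("OUTPUT" if z == fw else "PREROUTING")
            for z in expand_source(source, zones, fw)}


def needs_local_nat(source, zones=ZONES, fw=FW):
    """True if the rule would emit an 'iptables -t nat -A OUTPUT' rule,
    i.e. the rule that fails with 'Invalid argument' on Paolo's kernel."""
    return "OUTPUT" in nat_chains_for_dnat(source, zones, fw).values()


if __name__ == "__main__":
    for src in ("all", "all-"):
        print(f"DNAT {src:4} -> {nat_chains_for_dnat(src)}"
              f"  local NAT needed: {needs_local_nat(src)}")
```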
Thank you, Tom. Very quick!

Tom Eastep wrote:
> Paolo Basenghi wrote:
>
>> I suggest inserting in shorewall a new source qualifier for DNAT rules;
>> perhaps could we call it "notfw"? So my rule would be:
>>
>> DNAT notfw loc:192.168.1.1 tcp http - 192.168.100.100
>
> I implemented this feature such that "all-" means "All zones except the
> firewall itself". So your rule would be:
>
> DNAT all- loc:192.168.1.1 tcp http - 192.168.100.100
>
> Code is in shorewall/trunk/Shorewall in SVN and will be in 3.2.0 Beta 8.
>
> Thank you for your suggestion,
> -Tom
I backported the "all-" feature from SVN to 3.0.7. It appears to work for my configuration.

Attached is the diff from the original 3.0.7 firewall script. I ask the developers if it is sufficient or if I need to patch any other file.

Bye

Tom Eastep wrote:
> Paolo Basenghi wrote:
>
>> I suggest inserting in shorewall a new source qualifier for DNAT rules;
>> perhaps could we call it "notfw"? So my rule would be:
>>
>> DNAT notfw loc:192.168.1.1 tcp http - 192.168.100.100
>
> I implemented this feature such that "all-" means "All zones except the
> firewall itself". So your rule would be:
>
> DNAT all- loc:192.168.1.1 tcp http - 192.168.100.100
>
> Code is in shorewall/trunk/Shorewall in SVN and will be in 3.2.0 Beta 8.
>
> Thank you for your suggestion,
> -Tom
Paolo Basenghi wrote:
> I backported the "all-" feature from SVN to 3.0.7
> It appears to work for my configuration.
> Attached is the diff from the original 3.0.7 firewall script.
> I ask the developers if it is sufficient or if I need to patch any other file.
> Bye

Thanks for the patch. Given that 3.2 is about to go into the Release Candidate phase, I don't think I'll release a change to 3.0 for this feature. The feature only saves some typing in the event that you want to omit the firewall zone from a rule -- it doesn't add any capability that doesn't already exist in the current code.

-Tom