Just last month I installed 3.0.8 (only to find myself back level again). Looking at the logging I found this oddity that differs from the prior version, and seems less useful, because it's hard to see where the packets actually went.

Sample:
-------
Old version:

Rule:
DNAT:info net loc:192.168.2.9:5900 tcp 5910

Resultant Log:
Jul 28 22:21:21 norcomix kernel: Shorewall:net2loc:DNAT:IN=eth0 OUT=eth1 SRC=206.174.67.201 DST=192.168.2.9 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=22326 DF PROTO=TCP SPT=4516 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0

New Version: 3.0.6

Rule:
DNAT:info net loc:192.168.0.2:5905 tcp 5909

Resultant Log:
Jul 28 22:25:45 haight kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:13:72:f7:8f:ea:00:0f:35:2a:c8:00:08:00 SRC=206.174.67.201 DST=24.23X.XXX.112 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=23219 DF PROTO=TCP SPT=1885 DPT=5909 WINDOW=65535 RES=0x00 SYN URGP=0
----------

The old version listed the IP and MAC address of the machine on the LAN (192.168.2.9). In the new version, the DST IP is reported as the external interface IP of the firewall, rather than the IP of the internal machine that the rule routed it to. (I obfuscated the IP a bit.)

All my rules were in the NEW section (by default).

John Andersen
jsa@noromix.dyndns.org

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
On Sat, Jul 29, 2006 at 2:05am John Andersen <jsa@norcomix.dyndns.org> wrote:

> Looking at the logging I found this oddity that differs from prior
> version, and seems less useful, because it's hard to see where the
> packets actually went.
>

I guess that there is no good answer here. That change was the result of people complaining that they couldn't see from the log message what the original destination IP was.

I also got tired of explaining to people that their private addresses were not really visible to the internet even though the log messages made it look as if they were.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@avvanta.com
On 29 Jul 2006 at 8:09, teastep wrote:

> On Sat, Jul 29, 2006 at 2:05am John Andersen <jsa@norcomix.dyndns.org> wrote:
>
> > Looking at the logging I found this oddity that differs from prior
> > version, and seems less useful, because it's hard to see where the
> > packets actually went.
> >
>
> I guess that there is no good answer here. That change was the result
> of people complaining that they couldn't see from the log message
> what the original destination IP was.

Yes, I can see this being a problem for multi-ISP installations, or proxy ARP users.

It seems that the loss of the only after-the-fact analysis data indicating the actual destination is lamentable. One just has to assume that Shorewall routed it correctly per the rules. I suppose there are a few users using a range of destination IPs (round robin) that can't even make that assumption.

--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
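As an added illustration (not code from the thread or from Shorewall), here is a small Python helper that recovers the post-DNAT destination the thread says is missing from 3.0.x-style `net_dnat` log lines, by looking the logged protocol and port up in the DNAT rule table. The two log lines and both DNAT rules are the ones quoted above (the poster's obfuscated public address kept as-is); the rule-table shape and the chain-name test are my own assumptions.

```python
import re

# Constructed sample input: the two log lines quoted in the thread.
OLD_LOG = ("Jul 28 22:21:21 norcomix kernel: Shorewall:net2loc:DNAT:IN=eth0 OUT=eth1 "
           "SRC=206.174.67.201 DST=192.168.2.9 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=22326 DF "
           "PROTO=TCP SPT=4516 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0")
NEW_LOG = ("Jul 28 22:25:45 haight kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
           "MAC=00:13:72:f7:8f:ea:00:0f:35:2a:c8:00:08:00 SRC=206.174.67.201 DST=24.23X.XXX.112 "
           "LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=23219 DF PROTO=TCP SPT=1885 DPT=5909 "
           "WINDOW=65535 RES=0x00 SYN URGP=0")

# The DNAT rules from the thread, keyed by (proto, public port) -> (internal ip, internal port).
# This dict shape is an assumption for the example, not Shorewall's own rule format.
DNAT_RULES = {
    ("tcp", 5910): ("192.168.2.9", 5900),
    ("tcp", 5909): ("192.168.0.2", 5905),
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")       # key=value tokens; bare flags like DF/SYN are skipped


def parse_log(line):
    """Split a Shorewall LOG line into (chain, disposition, {field: value})."""
    m = re.search(r"Shorewall:([^:]+):([^:]+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    chain, disposition, rest = m.groups()
    return chain, disposition, dict(FIELD_RE.findall(rest))


def resolve_destination(line, rules=DNAT_RULES):
    """Return the (ip, port) the packet was actually delivered to.

    Lines from a *_dnat chain (3.0.x style) carry the pre-NAT public DST/DPT,
    so the real target is recovered from the rule table; older forward-chain
    lines (net2loc) already show the post-NAT destination and port.
    """
    chain, _disposition, f = parse_log(line)
    proto = f["PROTO"].lower()
    dport = int(f["DPT"])
    if chain.endswith("_dnat"):
        if (proto, dport) not in rules:
            raise LookupError(f"no DNAT rule for {proto}/{dport}; destination unknown")
        return rules[(proto, dport)]
    return f["DST"], dport


if __name__ == "__main__":
    for line in (OLD_LOG, NEW_LOG):
        print(parse_log(line)[0], "->", resolve_destination(line))
```

A rule table with overlapping port ranges or round-robin destinations (the case raised at the end of the thread) cannot be resolved this way, which is why the lookup raises rather than guessing.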