Hi,

In masquerading, which one gets processed first, a firewall rule, or the masquerading? I'd think masquerading gets processed first, but I'm not certain.

Thanks!
Since Shorewall, in fact, configures Netfilter/iptables, the best way is to look at how packets traverse Linux's kernel. Look at this: http://www.adminsehow.com/2011/09/iptables-packet-traverse-map/

On Thu, Sep 26, 2013 at 11:41 AM, Fred Maillou <frederriffic@yahoo.ca> wrote:
> Hi,
>
> In masquerading, which one gets processed first, a firewall rule, or the
> masquerading? I'd think masquerading gets processed first, but I'm not
> certain.
>
> Thanks!

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
> From: Guilsson G <guilsson@gmail.com>
> To: Fred Maillou <frederriffic@yahoo.ca>; Shorewall Users <shorewall-users@lists.sourceforge.net>
> Sent: Thursday, 26 September 2013, 11:02
> Subject: Re: [Shorewall-users] Processing precedence: rule/MASQ
>
>> On Thu, Sep 26, 2013 at 11:41 AM, Fred Maillou <frederriffic@yahoo.ca> wrote:
>> In masquerading, which one gets processed first, a firewall
>> rule, or the masquerading? I'd think masquerading gets
>> processed first, but I'm not certain.
>
> Since Shorewall, in fact, configures Netfilter/iptables, the best way is
> to look at how packets traverse Linux's kernel.
> Look at this:
> http://www.adminsehow.com/2011/09/iptables-packet-traverse-map/

According to the last diagram on that page, it would mean that incoming packets from the network would be NAT-processed first, then processed through the firewall rules.

Whereas packets generated by the firewall device would be processed by rules first and then NAT'ed.

In the case of a router, all packets going through it would be processed by NAT first, then FW rules would be applied.

I guess this makes sense, but I am not sure yet. The first diagram on that page has a logic error in which two of the 'routing decision' boxes have no alternative route. If a decision was taken, then there should be at least a case of yes/no, as it is in the third 'routing decision' box.

Fred.
On 9/26/2013 8:28 AM, Fred Maillou wrote:
> I guess this makes sense, but I am not sure yet. The first diagram
> on that page has a logic error in which two of the 'routing
> decision' boxes have no alternative route. If a decision was
> taken, then there should be at least a case of yes/no, as it is
> in the third 'routing decision' box.

There is a similar diagram at http://www.shorewall.net/NetfilterOverview.html. Not shown in that diagram is the case where a local process sends a packet to another local process.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Friday, 27 September 2013 at 9:35, Tom Eastep <teastep@shorewall.net> wrote:
> There is a similar diagram at
> http://www.shorewall.net/NetfilterOverview.html. Not shown in
> that diagram is the case where a local process sends a packet
> to another local process.

Unfortunately this URL currently returns 'not found'.

Fred.
On 9/30/2013 4:53 AM, Fred Maillou wrote:
>> There is a similar diagram at
>> http://www.shorewall.net/NetfilterOverview.html. Not shown in
>> that diagram is the case where a local process sends a packet
>> to another local process.
>
> Unfortunately this URL currently returns 'not found'.

Works here -- anyone else having problems accessing the page?

-Tom
The URL is also working here! http://www.shorewall.net/NetfilterOverview.html

MD

On 30 Sep 2013 at 6:42, Tom Eastep wrote:
> Works here -- anyone else having problems accessing the page?
>
> -Tom
On Monday, 30 September 2013 at 9:42, Tom Eastep <teastep@shorewall.net> wrote:
> Works here -- anyone else having problems accessing the page?

Ah! When I right-clicked on the link you initially provided, the period you put at the end of the URL was also included. Such a small thing, I hadn't noticed it - sorry!

From the diagram, NAT would happen before filter in both incoming and outgoing packets. What I'm puzzled with is the NAT that could happen in POSTROUTING. The Shorewall nat and rules config files do not seem to have options for locating an entry's processing in POSTROUTING. How does NAT in POSTROUTING come to be?

Thanks!

Fred.
On 9/30/2013 7:58 AM, Fred Maillou wrote:
> From the diagram, NAT would happen before filter in both incoming and
> outgoing packets. What I'm puzzled with is the NAT that could happen in
> POSTROUTING. The Shorewall nat and rules config files do not seem to
> have options for locating an entry's processing in POSTROUTING. How
> does NAT in POSTROUTING come to be?

/etc/shorewall/masq and /etc/shorewall/nat.

-Tom
On 9/30/2013 8:21 AM, Tom Eastep wrote:
> On 9/30/2013 7:58 AM, Fred Maillou wrote:
>> The Shorewall nat and rules config files do not seem to
>> have options for locating an entry's processing in POSTROUTING. How
>> does NAT in POSTROUTING come to be?
>
> /etc/shorewall/masq and /etc/shorewall/nat.

Note that entries in /etc/shorewall/nat insert complementary rules in both PREROUTING and POSTROUTING.

-Tom
On 9/30/2013 4:53 AM, Fred Maillou wrote:
>> There is a similar diagram at
>> http://www.shorewall.net/NetfilterOverview.html. Not shown in that
>> diagram is the case where a local process sends a packet to another
>> local process.

Actually, that is not true. For the local case, the 'Network' is the loopback device (lo).

-Tom
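Added illustration, not part of the thread and not Shorewall's code: the Python model below walks a packet through the Netfilter hooks in the order the kernel runs them, which is what the linked diagrams depict: nat PREROUTING before the routing decision and the INPUT/FORWARD filter chains, filter OUTPUT before nat POSTROUTING for locally generated traffic, and, for a process talking to another process on the same box, an OUTPUT pass followed by a PREROUTING/INPUT pass with lo as the interface (Tom's last message). It answers the original question for the forwarded case: a filter rule in FORWARD runs before masquerading, so it is shown the LAN source address, not the masqueraded one, and the post-DNAT destination. The addresses, interface names and DNAT target are constructed for the example; the DNAT rule stands in for what an /etc/shorewall/nat entry (or a DNAT rule in /etc/shorewall/rules) would put in PREROUTING, and the MASQUERADE rule for what an /etc/shorewall/masq entry would put in POSTROUTING.

```python
"""Netfilter hook order on a masquerading router (constructed model, not
Shorewall code; addresses, interfaces and the DNAT target are made up)."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: Optional[str]          # None: generated by a process on the firewall
    out_if: Optional[str] = None  # set by the routing decision


EXTERNAL_IF, EXTERNAL_ADDR = "eth0", "203.0.113.1"         # Internet side
LAN_PREFIX = "192.168.1."                                  # eth1 side
LOCAL_ADDRS = {EXTERNAL_ADDR, "192.168.1.1", "127.0.0.1"}  # the firewall's own addresses


def route(dst: str) -> str:
    """Routing decision: which interface a destination leaves by."""
    if dst in LOCAL_ADDRS:
        return "lo"
    return "eth1" if dst.startswith(LAN_PREFIX) else EXTERNAL_IF


# nat table. The DNAT rule stands for what a hypothetical /etc/shorewall/nat
# entry generates, the MASQUERADE rule for what an /etc/shorewall/masq entry generates.
def nat_prerouting(p: Packet) -> Packet:
    if p.in_if == EXTERNAL_IF and p.dst == EXTERNAL_ADDR:
        return replace(p, dst="192.168.1.10")   # DNAT to an assumed LAN web server
    return p


def nat_postrouting(p: Packet) -> Packet:
    if p.out_if == EXTERNAL_IF and p.src != EXTERNAL_ADDR:
        return replace(p, src=EXTERNAL_ADDR)    # MASQUERADE out of eth0
    return p


Rule = Tuple[str, Callable[[Packet], bool], str]   # (filter chain, match, verdict)
Hop = Tuple[str, str, str]                          # (filter chain, src, dst) as seen there


def traverse(p: Packet, rules: List[Rule]) -> Tuple[str, List[Hop], Packet]:
    """Walk one packet through the hooks in kernel order; return
    (verdict, trace of what each filter chain saw, packet as it leaves)."""
    trace: List[Hop] = []

    def filter_chain(chain: str, pkt: Packet) -> str:
        trace.append((chain, pkt.src, pkt.dst))
        for c, match, verdict in rules:
            if c == chain and match(pkt):
                return verdict
        return "ACCEPT"   # chain policy in this model

    if p.in_if is None:
        # Local process: routing -> nat OUTPUT (no DNAT rules here) -> filter OUTPUT -> POSTROUTING
        p = replace(p, out_if=route(p.dst))
        verdict = filter_chain("OUTPUT", p)
        if verdict != "ACCEPT":
            return verdict, trace, p
        p = nat_postrouting(p)
        if p.out_if != "lo":
            return verdict, trace, p
        # Sent over lo: it comes back in as if from the network (the local-to-local case).
        p = replace(p, in_if="lo", out_if=None)

    # From the network or lo: nat PREROUTING -> routing -> filter INPUT or FORWARD
    p = nat_prerouting(p)
    if p.dst in LOCAL_ADDRS:
        return filter_chain("INPUT", p), trace, p
    p = replace(p, out_if=route(p.dst))
    verdict = filter_chain("FORWARD", p)
    if verdict != "ACCEPT":
        return verdict, trace, p
    return verdict, trace, nat_postrouting(p)   # masquerading happens after FORWARD


# A FORWARD rule keyed on the masqueraded source can never match: the source
# is still the LAN address when FORWARD runs. Match the pre-NAT address instead.
WRONG_RULES: List[Rule] = [("FORWARD", lambda p: p.src == EXTERNAL_ADDR, "DROP")]
RIGHT_RULES: List[Rule] = [("FORWARD", lambda p: p.src == "192.168.1.50", "DROP")]

SCENARIOS = {
    "LAN host -> Internet": Packet("192.168.1.50", "198.51.100.7", "eth1"),
    "Internet -> DNAT'd server": Packet("198.51.100.7", EXTERNAL_ADDR, "eth0"),
    "firewall -> Internet": Packet(EXTERNAL_ADDR, "198.51.100.7", None),
    "local process -> local process": Packet("192.168.1.1", "192.168.1.1", None),
}


def run(name: str, rules: List[Rule]) -> Tuple[str, List[Hop], Packet]:
    return traverse(SCENARIOS[name], rules)


if __name__ == "__main__":
    for name in SCENARIOS:
        verdict, trace, out = run(name, WRONG_RULES)
        print(f"{name}: {verdict}; filter chains saw {trace}; leaves as {out.src} -> {out.dst}")
```

Running it, the LAN-to-Internet packet's FORWARD hop shows the 192.168.1.50 source even though the packet leaves eth0 as 203.0.113.1, so the DROP rule written against 203.0.113.1 in FORWARD never fires: an intended block silently unenforced. On a real Shorewall box, `iptables -t nat -L POSTROUTING -v -n` and `iptables -L FORWARD -v -n` show which rules landed in which chain, and the packet counters tell you whether a rule has ever matched.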