Hi all,

Can someone refresh my memory on the difference between the following (where dmz contains an RFC 1918 address host)?

    ACCEPT net dmz tcp 80 - all
    DNAT net dmz tcp 80

I'm trying to generate a script for maintaining multiple interconnected firewalls from shared policy, rules, and zone files, and I can't remember which of the above is preferred, or whether there are some subtle differences. I'm presently using the older form, but thinking that I should try to move towards the newer.

--
Paul
http://paulgear.webhop.net
Paul,

--On Thursday, January 30, 2003 9:58 PM +1000 Paul Gear <paul@gear.dyndns.org> wrote:

> Can someone refresh my memory on the difference between the following
> (where dmz contains an RFC 1918 address host)?
>
>     ACCEPT net dmz tcp 80 - all
>     DNAT net dmz tcp 80
>
> I'm trying to generate a script for maintaining multiple interconnected
> firewalls from shared policy, rules, and zone files, and I can't
> remember which of the above is preferred, or whether there are some
> subtle differences. I'm presently using the older form, but thinking
> that I should try to move towards the newer.

The two are equivalent if DETECT_DNAT_IPADDRS=No. If DETECT_DNAT_IPADDRS=Yes then the second is equivalent to:

    ACCEPT net dmz tcp 80 - <IP of net interface>

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

> Paul,
>
> --On Thursday, January 30, 2003 9:58 PM +1000 Paul Gear
> <paul@gear.dyndns.org> wrote:
>
>> Can someone refresh my memory on the difference between the following
>> (where dmz contains an RFC 1918 address host)?
>>
>>     ACCEPT net dmz tcp 80 - all
>>     DNAT net dmz tcp 80
>>
>> I'm trying to generate a script for maintaining multiple interconnected
>> firewalls from shared policy, rules, and zone files, and I can't
>> remember which of the above is preferred, or whether there are some
>> subtle differences. I'm presently using the older form, but thinking
>> that I should try to move towards the newer.
>
> The two are equivalent if DETECT_DNAT_IPADDRS=No. If
> DETECT_DNAT_IPADDRS=Yes then the second is equivalent to:
>
>     ACCEPT net dmz tcp 80 - <IP of net interface>

This is probably a stupid question: how would it behave if $FW was dmz? Is that an error trapped by shorewall, or would the results be undefined? I'm thinking that in preprocessing the rules, I probably need to mangle DNAT to ACCEPT where DEST == $FW.

Paul
--On Friday, January 31, 2003 6:29 AM +1000 Paul Gear <paul@gear.dyndns.org> wrote:

> Tom Eastep wrote:
>
>> Paul,
>>
>> --On Thursday, January 30, 2003 9:58 PM +1000 Paul Gear
>> <paul@gear.dyndns.org> wrote:
>>
>>> Can someone refresh my memory on the difference between the following
>>> (where dmz contains an RFC 1918 address host)?
>>>
>>>     ACCEPT net dmz tcp 80 - all
>>>     DNAT net dmz tcp 80
>>>
>>> I'm trying to generate a script for maintaining multiple interconnected
>>> firewalls from shared policy, rules, and zone files, and I can't
>>> remember which of the above is preferred, or whether there are some
>>> subtle differences. I'm presently using the older form, but thinking
>>> that I should try to move towards the newer.
>>
>> The two are equivalent if DETECT_DNAT_IPADDRS=No. If
>> DETECT_DNAT_IPADDRS=Yes then the second is equivalent to:
>>
>>     ACCEPT net dmz tcp 80 - <IP of net interface>
>
> This is probably a stupid question: how would it behave if $FW was dmz?
> Is that an error trapped by shorewall, or would the results be
> undefined? I'm thinking that in preprocessing the rules, I probably
> need to mangle DNAT to ACCEPT where DEST == $FW.

We should probably correct ourselves before we go on -- in all cases, we should have been specifying a server address in 'dmz' as in:

    DNAT net dmz:192.168.4.2 tcp 80

So your rule would look something like:

    DNAT net fw:192.168.1.254 tcp 80

Which actually works fine provided that 192.168.1.254 is an address on your firewall and there is a web server listening on it.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:

> ...
>
>>>> Can someone refresh my memory on the difference between the following
>>>> (where dmz contains an RFC 1918 address host)?
>>>>
>>>>     ACCEPT net dmz tcp 80 - all
>>>>     DNAT net dmz tcp 80
>>>>
>>>> ...
>>>
>>> The two are equivalent if DETECT_DNAT_IPADDRS=No. If
>>> DETECT_DNAT_IPADDRS=Yes then the second is equivalent to:
>>>
>>>     ACCEPT net dmz tcp 80 - <IP of net interface>
>>
>> This is probably a stupid question: how would it behave if $FW was dmz?
>> Is that an error trapped by shorewall, or would the results be
>> undefined? I'm thinking that in preprocessing the rules, I probably
>> need to mangle DNAT to ACCEPT where DEST == $FW.
>
> We should probably correct ourselves before we go on -- in all cases,
> we should have been specifying a server address in 'dmz' as in:
>
>     DNAT net dmz:192.168.4.2 tcp 80
>
> So your rule would look something like:
>
>     DNAT net fw:192.168.1.254 tcp 80
>
> Which actually works fine provided that 192.168.1.254 is an address on
> your firewall and there is a web server listening on it.

I actually intended dmz to be a zone on one firewall (containing a single host), and $FW on another firewall (the one running on the server in the DMZ).

PDG

P.S. Put down my vote for Reply-To: shorewall-devel@lists.shorewall.net. :-)
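A small preprocessor for the shared-rules setup Paul describes, added here as an example; it is not part of the thread and not Shorewall's own code. It assumes the classic seven-column rules layout (ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST) and that the firewall zone is written as fw or $FW. The local_zones parameter is my own invention: it names the zones that, on the firewall the file is being generated for, are that firewall itself (Paul's case, where the DMZ host runs its own Shorewall), so a DNAT aimed at such a zone is mangled into a plain ACCEPT to $FW as he proposed. The DETECT_DNAT_IPADDRS expansion follows Tom's equivalence (ORIGINAL DEST becomes all when it is No and the net interface address when it is Yes), and the script warns about the mistake Tom corrected, a DNAT whose DEST is a bare zone with no server address. The net interface address and the sample rules are constructed values.

```python
"""Added example (not Shorewall's code): preprocess a shared rules file
for one particular firewall.  Assumed column order:
ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
"""
from dataclasses import dataclass

# Assumption: how the firewall zone is spelled in the shared rules file.
FW_ZONE_NAMES = ("fw", "$FW")


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    sport: str = "-"
    origdest: str = "-"

    def to_line(self) -> str:
        cols = [self.action, self.source, self.dest,
                self.proto, self.dport, self.sport, self.origdest]
        while len(cols) > 3 and cols[-1] == "-":   # drop trailing placeholders
            cols.pop()
        return " ".join(cols)


def parse_rule(line: str) -> Rule:
    """Split one whitespace-separated rules line into its columns."""
    parts = line.split()
    if len(parts) < 3 or len(parts) > 7:
        raise ValueError(f"not a rules line: {line!r}")
    return Rule(*(parts + ["-"] * (7 - len(parts))))


def rewrite_dnat(line, detect_dnat_ipaddrs=False, net_ip=None, local_zones=()):
    """Return (rewritten_line, warnings) for a single rule line.

    DNAT rules are expanded into the older ACCEPT + ORIGINAL DEST form
    exactly as Tom describes; a DNAT whose DEST zone is this firewall
    (fw/$FW or a zone listed in local_zones) becomes a plain ACCEPT.
    """
    rule = parse_rule(line)
    warnings = []
    if rule.action != "DNAT":
        return rule.to_line(), warnings          # nothing to do
    zone, _, host = rule.dest.partition(":")
    if zone in FW_ZONE_NAMES or zone in local_zones:
        # Traffic terminates on this box: no port forwarding needed.  The
        # host part is dropped because $FW cannot be narrowed by address here
        # (assumption for this example).
        rule.action, rule.dest, rule.origdest = "ACCEPT", "$FW", "-"
        return rule.to_line(), warnings
    if not host:
        warnings.append(f"DNAT to zone '{zone}' names no server address "
                        f"(write it as {zone}:<server-ip>)")
    rule.action = "ACCEPT"
    if detect_dnat_ipaddrs:
        if not net_ip:
            raise ValueError("DETECT_DNAT_IPADDRS=Yes needs the net interface address")
        rule.origdest = net_ip                   # only packets addressed to the net IP
    else:
        rule.origdest = "all"                    # any original destination address
    return rule.to_line(), warnings


def preprocess(lines, **options):
    """Rewrite a whole rules file; comments and blank lines pass through."""
    out, warnings = [], []
    for n, raw in enumerate(lines, 1):
        text = raw.strip()
        if not text or text.startswith("#"):
            out.append(raw.rstrip("\n"))
            continue
        new, w = rewrite_dnat(text, **options)
        out.append(new)
        warnings.extend(f"line {n}: {m}" for m in w)
    return out, warnings


# Constructed sample of a shared rules file (addresses are made up).
SHARED_RULES = [
    "# web server in the DMZ",
    "DNAT net dmz:192.168.4.2 tcp 80",
    "DNAT net dmz tcp 443",            # bare zone: the mistake Tom pointed out
    "ACCEPT net fw tcp 22",
]

if __name__ == "__main__":
    # Generate for the DMZ host itself, where 'dmz' is the local firewall zone.
    rules, warns = preprocess(SHARED_RULES, local_zones={"dmz"})
    print("\n".join(rules))
    for w in warns:
        print("warning:", w)
```

On the outer firewall you would call preprocess(SHARED_RULES) (or with detect_dnat_ipaddrs=True and its net interface address) and get the forwarding rules; on the DMZ host you pass local_zones={"dmz"} and the same two DNAT lines come out as ACCEPT net $FW rules, so one shared file serves both boxes.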