search for: detect_dnat_ipaddr

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, Can someone refresh my memory on the difference between the following (where dmz contains an RFC 1918 address host)? ACCEPT net dmz tcp 80 - all DNAT net dmz tcp 80 I''m trying to generate a script for maintaining multiple interconnected firewalls from shared policy, rules, and zone files, and i

I''ve upgraded a 3-interface system from 2.0.8 to 3.2.6 on Debian, and I''m not able to make DNAT work anymore. If someone could offer a suggestion of where to look to fix this, it would be very much appreciated. Problem Summary: If I set DETECT_DNAT_IPADDRS=Yes, then I can''t access anything on my DMZ via DNAT. If I set DETECT_DNAT_IPADDRS=No, then **EVERYTHING** (all web pages, anyway) get redirected to my web server on my DMZ. Problem Example: DETECT_DNAT_IPADDRS=Yes: I can access http://www.slashdot.com from my loc computers just...

I''ve upgraded a 3-interface system from 2.0.8 to 3.2.6 on Debian, and I''m not able to make DNAT work anymore. If someone could offer a suggestion of where to look to fix this, it would be very much appreciated. Problem Summary: If I set DETECT_DNAT_IPADDRS=Yes, then I can''t access anything on my DMZ via DNAT. If I set DETECT_DNAT_IPADDRS=No, then **EVERYTHING** (all web pages, anyway) get redirected to my web server on my DMZ. Problem Example: DETECT_DNAT_IPADDRS=Yes: I can access http://www.slashdot.com from my loc computers just...

Hi, I''m trying to get RAdmin [uses tcp 4889] access to my Windows machine which is behind my firewall. I have zones: gbl : the world loc : my lan fw : firewall I placed the following in my rules file DNAT gbl loc:192.168.0.2 tcp 4889 - When trying to RAdmin I get a cannot conect to server error. 192.168.0.2 is my Windows Machines IP address. Can anyone help me? Shorewall 1.3.9b

...sr/local/bin + terminator=startup_error + version= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + LOGUNCLEAN= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + NAT_BEFORE_RULES= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + SHARED_DIR=/usr/share/shorewall + FUNCTIONS= + VERSION_FILE= + LOGFORMAT= + LOGRULENUMBERS= + st...

I have some hosts in a DMZ zone with proxyarp. In my local zone I have a host to which I DNAT. I have discovered that I can reach the host in the local zone by attempting to connect to the fw (As expected) or ANY proxyarped host in my dmz zone (as not expected). Is this normal ? (I''ve just discovered that actually the dnated host answers to requests sent to any IP routed to my host!)

.../lock/subsys/shorewall STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall/action:/etc/shorewall/custom:/etc/shorewall:/usr/share/shorewall FW=fw IP_FORWARDING=Off ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=No BLACKLISTNEWONLY=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP [root@hn00dmz01 root]# ip addr show 1: lo: <LOOPBACK,UP> mtu 16436 qdisc...

...EWALL_SHELL=/bin/sh SUBSYSLOCK="" MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= IPSECFILE=zones FW= IP_FORWARDING=Keep ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=Internal CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=No BLACKLIST_DISPOSITION=DROP MACLIST_DISPO...

...SHELL=/bin/sh SUBSYSLOCK="" STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes DROPINVALID=Yes RFC1918_STRICT=No MACLIST_TTL= BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DR...

...LL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=yes ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP #LAST LINE -- DO NOT REMOVE START: -----------------------------...

# shorewall version 3.2.1 SNAT is enabled. Setting up DNAT to do port forwarding -- this example looked exactly like what I wanted: (FAQ 1c) From the internet, I want to connect to port 1022 on my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that? In /etc/shorewall/rules: #ACTION SOURCE DEST PROTO DEST PORT

...'ssh ${root}@${system} ${command}'' RCP_COMMAND=''scp ${files} ${root}@${system}:${destination}'' IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No RETAIN_ALIASES=No TC_ENABLED=Internal TC_EXPERT=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes DELAYBLACKLISTLOAD=No MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes RFC1918_STRICT=No MACLIST_TABLE=filter MACLIST_TTL= SAVE_IPSETS=No MAPOLDACTIONS=No FASTACCEPT=No IMPLICIT_CONTINUE=Yes HIGH_ROUTE_MARKS=N...

Hi, I was reading document http://shorewall.net/MultiISP.html#idp3634200. Inspired by the document I was trying to establish the following changes: * one additional interface: COMA_IF * COM[A,B,C]_IF interfaces request IP address via DHCP * all non-RFC 1918 destined trafic is NATed from INT_IF to COMA_IF * all non-RFC 1918 destined trafic from GW is routed via COMB_IF by default * non-RFC 1918

Afternoon all, I have a box with 5 NICs, which I intend to use as an external interface, and an internal and dmz interface for each of 2 companies. They are all (currently) 3c905b''s, but this could change in the future (in that I may replace 2 of them with gig cards). Anyway at boot they are apparently labeled according to the order the modules are loaded and then their order on the

.../sbin SHOREWALL_SHELL=/bin/sh SUBSYSLOCK="" STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=Keep ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No TC_ENABLED=No CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=No CLAMPMSS=No ROUTE_FILTER=Yes DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=No ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=No BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP As you can see I have "info" set for most logging levels...

...:${destination}'' RSH_COMMAND=''ssh ${root}@${system} ${command}'' ACCOUNTING=Yes ACCOUNTING_TABLE=filter ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=No ADMINISABSENTMINDED=Yes AUTO_COMMENT=Yes AUTOMAKE=No BLACKLISTNEWONLY=Yes CLAMPMSS=No CLEAR_TC=Yes COMPLETE=No DELETE_THEN_ADD=Yes DETECT_DNAT_IPADDRS=No DISABLE_IPV6=Yes DONT_LOAD= DYNAMIC_BLACKLIST=Yes EXPAND_POLICIES=Yes EXPORTMODULES=Yes FASTACCEPT=No FORWARD_CLEAR_MARK= IMPLICIT_CONTINUE=Yes IPSET_WARNINGS=Yes IP_FORWARDING=On KEEP_RT_TABLES=No LEGACY_FASTSTART=Yes LOAD_HELPERS_ONLY=No MACLIST_TABLE=filter MACLIST_TTL= MANGLE_ENABLED=Yes MA...

This is a minor release of Shorewall. WARNING: This release introduces incompatibilities with prior releases. See http://www.shorewall.net/upgrade_issues.htm. Changes are: a) There is now a new NONE policy specifiable in /etc/shorewall/policy. This policy will cause Shorewall to assume that there will never be any traffic between the source and destination zones. b) Shorewall no longer

I have what strikes me as an odd problem with shorewall. Let me describe my setup. My desktop (alfred) is connected to the network through an ADSL modem. I am running rp-pppoe, and this works perfectly. I have a small home network, with two LANs; an Ethernet LAN (including a machine running Windows XP), and a WiFi LAN, including the laptop (william) I am using now. All the computers except for

...LL_SHELL=/bin/sh SUBSYSLOCK=/var/lock/subsys/shorewall STATEDIR=/var/lib/shorewall MODULESDIR= CONFIG_PATH=/etc/shorewall:/usr/share/shorewall RESTOREFILE= FW=fw IP_FORWARDING=On ADD_IP_ALIASES=Yes ADD_SNAT_ALIASES=no TC_ENABLED=Yes CLEAR_TC=Yes MARK_IN_FORWARD_CHAIN=Yes CLAMPMSS=No ROUTE_FILTER=No DETECT_DNAT_IPADDRS=No MUTEX_TIMEOUT=60 NEWNOTSYN=Yes ADMINISABSENTMINDED=Yes BLACKLISTNEWONLY=Yes MODULE_SUFFIX= DISABLE_IPV6=Yes BRIDGING=No DYNAMIC_ZONES=No PKTTYPE=Yes BLACKLIST_DISPOSITION=DROP MACLIST_DISPOSITION=REJECT TCP_FLAGS_DISPOSITION=DROP ------------------------------------------------------ Where...

...al/bin + terminator=startup_error + version= + IPTABLES= + FW= + SUBSYSLOCK= + STATEDIR= + ALLOWRELATED=Yes + LOGRATE= + LOGBURST= + LOGPARMS= + LOGLIMIT= + ADD_IP_ALIASES= + ADD_SNAT_ALIASES= + TC_ENABLED= + BLACKLIST_DISPOSITION= + BLACKLIST_LOGLEVEL= + CLAMPMSS= + ROUTE_FILTER= + LOG_MARTIANS= + DETECT_DNAT_IPADDRS= + MUTEX_TIMEOUT= + NEWNOTSYN= + LOGNEWNOTSYN= + FORWARDPING= + MACLIST_DISPOSITION= + MACLIST_LOG_LEVEL= + TCP_FLAGS_DISPOSITION= + TCP_FLAGS_LOG_LEVEL= + RFC1918_LOG_LEVEL= + BOGON_LOG_LEVEL= + MARK_IN_FORWARD_CHAIN= + SHARED_DIR=/usr/share/shorewall + FUNCTIONS= + VERSION_FILE= + LOGFORMAT= + L...