Firewall is 207.22.55.10.2, Static Nat ip is 207.22.55.3>192.168.2.5 my mail server.

When (host A) out on the internet sends mail to my mail server (host b), does the syn/ack response from (host b) leave the firewall as 207.22.55.3? I assume that it does. Again, the terms that I've learned for the different kinds of NATs are, I guess, proprietary and different from Shorewall's.

Anytime (host b) initiates a connection out through the firewall, does it leave with the .2 or the .3 now that there is a one-to-one mapping?

Thanks,
JBanks
On Fri, 2003-08-01 at 16:05, Joshua Banks wrote:
> Firewall is 207.22.55.10.2, Static Nat ip is 207.22.55.3>192.168.2.5 my mail server.
>
> When (host A) out on the internet sends mail to my mail server (host b) does the syn/ack response from (host b) leave the firewall as 207.22.55.3? I assume that it does.

It has to -- what would the client be expected to do with a response from 207.22.55.2? Note that the same would happen though if you just did DNAT rather than Static NAT:

    DNAT net loc:192.168.2.5 tcp 25 - 207.22.55.3

> Again, the terms that I've learned for the different kinds of Nats are I guess proprietary are different from shorewalls.
>
> Anytime (host b) initiates a connection out through the firewall does it leave with the .2 or the .3 now that there is a one to one mapping...?

.3

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 2003-08-01 at 16:13, Tom Eastep wrote:
> > Anytime (host b) initiates a connection out through the firewall does it leave with the .2 or the .3 now that there is a one to one mapping...?
>
> .3

Another source of information on this stuff is: http://shorewall.net/shorewall_setup_guide.htm

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Thanks for the reply Tom.

I've read through most of the material on your site. And I'm re-reading it as well to grasp the concepts.

Why would a person choose to use DNAT versus Static Nat if they both accomplish the same thing?

The only difference that I see is that DNAT allows you to use Eth0's interface ip and any others if they're bound to that interface. So is it safe to assume that you can't use Eth0's assigned interface ip addy when using Static Nat?

So if Eth0 is assigned 207.22.55.2 and I use DNAT or Static Nat setup with an ip other than .2, I will need to use my distribution's network configuration tools to add that IP address to the external interface? From what I'm reading, the only time that shorewall will setup an ip other than the main external interface ip is when using SNAT?

Thanks,
JBanks
Woops, I answered my 3rd question after reading the link that you sent before. My bad.

I said: (So if Eth0 is assigned 207.22.55.2 and I use DNAT or Static Nat setup with an ip other than .2, I will need to use my distribution's network configuration tools to add that IP address to the external interface? From what I'm reading, the only time that shorewall will setup an ip other than the main external interface ip is when using SNAT?)

Thanks,
JBanks
On Fri, 1 Aug 2003, Joshua Banks wrote:
> Why would a person choose to use DNAT versus Static Nat if they both accomplish the same thing?

DNAT allows you to forward port A to system A and port B to system B. Static NAT forwards all traffic to one system.

> So is it safe to assume that you can't use Eth0's assigned interface ip addy when using Static Nat?

That's a poor thing to do, yes.

> So if Eth0 is assigned 207.22.55.2 and I use DNAT or Static Nat setup with an ip other than .2 I will need to use my distributions network configuration tools to add that IP address to the external interface?

That's correct -- I never got around to implementing an ADD_DNAT_ALIASES option.

> From what I'm reading, the only time that shorewall will setup an ip other than the main external interface ip is when using SNAT?

Or static NAT.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
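As an added illustration (not Shorewall's own code, nor anything posted in this thread), here is a small Python model of the two mechanisms Tom contrasts above: a constructed /etc/shorewall/nat entry for the mail server beside two constructed DNAT rules, plus the conntrack reverse mapping that makes the SYN/ACK leave as .3 either way. The hosts 192.168.2.6/.7, the address 207.22.55.4, the DNAT-before-static-NAT lookup order, and masquerading of non-static-NAT hosts behind eth0's .2 are assumptions of this example.

```python
# Added example, not Shorewall's code: a model of how a 1.4-style
# /etc/shorewall/nat entry (static NAT) and /etc/shorewall/rules DNAT
# entries map addresses, plus the conntrack reverse mapping for replies.
FW_EXT_IP = "207.22.55.2"  # eth0's own address, used when masquerading (assumed)

# Constructed nat file: EXTERNAL  INTERFACE  INTERNAL  ALL INTERFACES  LOCAL
NAT_FILE = """\
#EXTERNAL    INTERFACE  INTERNAL     ALL INTERFACES  LOCAL
207.22.55.3  eth0       192.168.2.5  no              no
"""
# Constructed rules (207.22.55.4 and hosts .6/.7 are made up for this example):
RULES_FILE = """\
DNAT  net  loc:192.168.2.6  tcp  80   -  207.22.55.4
DNAT  net  loc:192.168.2.7  tcp  443  -  207.22.55.4
"""

def parse_nat(text):
    """{external_ip: internal_ip} from a nat file; comment lines skipped."""
    rows = [l.split() for l in text.splitlines()]
    return {f[0]: f[2] for f in rows if f and not f[0].startswith("#")}

def parse_dnat(text):
    """{(original_dest, proto, port): internal_ip} from DNAT rule lines."""
    out = {}
    for f in (l.split() for l in text.splitlines()):
        if len(f) >= 7 and f[0] == "DNAT":
            out[(f[6], f[3], f[4])] = f[2].partition(":")[2]
    return out

def inbound_target(dst, proto, port, nat, dnat):
    """Internal host an inbound packet reaches (None if nothing matches).
    Port-specific DNAT is consulted first; that order is this model's assumption."""
    return dnat.get((dst, proto, port)) or nat.get(dst)

def accept_inbound(dst, proto, port, nat, dnat, conntrack):
    """Like inbound_target, but records the translation as conntrack would."""
    target = inbound_target(dst, proto, port, nat, dnat)
    if target:
        conntrack[(target, proto, port)] = dst
    return target

def reply_source(internal, proto, port, conntrack):
    """Source of the SYN/ACK: conntrack undoes the mapping, so the reply always
    carries the address the client connected to, with DNAT or static NAT."""
    return conntrack[(internal, proto, port)]

def outbound_source(src, nat):
    """Source seen on the net for a NEW connection from src: static NAT is
    bidirectional (1:1 partner); a DNAT-only host is masqueraded as eth0."""
    return next((ext for ext, i in nat.items() if i == src), FW_EXT_IP)
```

Run the lookups for 192.168.2.5 (static NAT) and 192.168.2.6 (DNAT only) to see the difference Tom describes: both reply from the address the client used, but only the static-NAT host also originates new connections from its public partner.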
Thanks Tom,

Can one apply Static Nat to the DMZ interface or Local interface for traffic coming and going from Local to DMZ or vice versa?

JBanks
On Fri, 1 Aug 2003, Joshua Banks wrote:
> Can one apply Static Nat to the DMZ interface or Local interface for traffic coming and going from Local to DMZ or vice versa?

Shorewall itself has no concept of DMZ, local or internet -- get the point?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Interesting. I like that. I'll have to test this out.

Thanks Tom,
JBanks

--- Tom Eastep <teastep@shorewall.net> wrote:
> Shorewall itself has no concept of DMZ, local or internet -- get the point?