Hello to all,

I have a big problem here. I'm trying to configure a 3-interface firewall where

eth0 = loc
eth1 = net (static ip)
eth2 = dmz (10.60.8.1/21)

DNAT Zone net Host 10.60.8.2 in zone dmz 50 Any
DNAT Zone net Host 10.60.8.2 in zone dmz 51 Any
ACCEPT Host xx.xxx.xxx.xx,xx.xxx.xxx.xxx in zone net Any UDP Any 500,4500
DNAT Zone net Host 10.60.8.2 in zone dmz UDP Any 500,4500
ACCEPT Zone dmz Zone net UDP Any 500,4500
ACCEPT Zone dmz Host 10.36.8.3 in zone loc TCP Any 1494,1604
ACCEPT Zone dmz Host 10.36.8.2,10.36.8.51,10.36.8.52 in zone loc TCP Any 53

I want to DNAT the VPN server behind the firewall. I always get these messages:

Mar 25 19:41:25 net2all:DROP:IN=eth1 OUT= SRC="another ip" DST="my ip" LEN=152 TOS=0x00 PREC=0x00 TTL=252 ID=10057 PROTO=UDP SPT=500 DPT=500 LEN=132
Mar 25 19:48:26 all2all:REJECT:IN=eth2 OUT=eth1 SRC=10.60.8.2 DST="another ip" LEN=29 TOS=0x00 PREC=0xC0 TTL=254 ID=5013 PROTO=UDP SPT=0 DPT=0 LEN=9

Would be great if anyone could help :)

bye
hassel
Krauss, Hassel wrote:
> Hello to all
>
> i have a big problem here, im trying to configure an 3 interface firewall where
> eth0 =loc
> eth1 =net (static ip)
> eth2 =dmz (10.60.8.1/21)
>
> DNAT Zone net Host 10.60.8.2 in zone dmz 50 Any
> DNAT Zone net Host 10.60.8.2 in zone dmz 51 Any
> ACCEPT Host xx.xxx.xxx.xx,xx.xxx.xxx.xxx in zone net Any UDP Any 500,4500
> DNAT Zone net Host 10.60.8.2 in zone dmz UDP Any 500,4500
> ACCEPT Zone dmz Zone net UDP Any 500,4500
> ACCEPT Zone dmz Host 10.36.8.3 in zone loc TCP Any 1494,1604
> ACCEPT Zone dmz Host 10.36.8.2,10.36.8.51,10.36.8.52 in zone loc TCP Any 53
>
> i want to dnat the vpn server behind the firewall
>

Please show us the *actual* rules -- the above are not valid rules file entries. Also, you probably want to refer to http://www.shorewall.net/VPN.htm.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
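As an added illustration (not part of the thread and not Shorewall's own documentation), here is how the entries listed in the original post would look as actual /etc/shorewall/rules lines, which is the form Tom is asking for. The mapping of each listed entry to the ACTION/SOURCE/DEST/PROTO/DEST PORT(S) columns is my reading of the post; the placeholder peer addresses xx.xxx.xxx.xx,xx.xxx.xxx.xxx are kept as written there. The first logged line (net2all:DROP for UDP port 500 arriving on eth1) is what Shorewall produces when a packet reaches the net-to-all policy chain without any rule having matched it, so the IKE traffic was evidently not being caught by a DNAT rule in the running configuration.

```text
#ACTION   SOURCE                                  DEST                                   PROTO   DEST PORT(S)
# IKE (500) and NAT-Traversal (4500) from the internet, forwarded to the VPN server in the DMZ.
# Tighter variant: replace the bare "net" source with net:xx.xxx.xxx.xx,xx.xxx.xxx.xxx so only
# the known peers can reach the IKE daemon.
DNAT      net                                     dmz:10.60.8.2                          udp     500,4500
# Native ESP (50) and AH (51) carry no ports; they are only needed when NAT-T is not in use.
DNAT      net                                     dmz:10.60.8.2                          50
DNAT      net                                     dmz:10.60.8.2                          51
# Outbound IKE / ESP / AH from the VPN server back to the internet
ACCEPT    dmz:10.60.8.2                           net                                    udp     500,4500
ACCEPT    dmz:10.60.8.2                           net                                    50
ACCEPT    dmz:10.60.8.2                           net                                    51
# DMZ to internal hosts, as in the original list (ICA/Citrix and DNS)
ACCEPT    dmz                                     loc:10.36.8.3                          tcp     1494,1604
ACCEPT    dmz                                     loc:10.36.8.2,10.36.8.51,10.36.8.52    tcp     53
```

Columns are whitespace separated; a DNAT rule's DEST column names the zone and the internal host the connection is redirected to, and the firewall's external address is taken as the original destination unless a third field is given. After editing, `shorewall check` validates the files without touching the running rule set, and `shorewall restart` applies them; if the net2all:DROP line keeps appearing for DPT=500 after that, the DNAT rule is still not in effect.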