Thanks for the theoretical help :)) Just found the bug: I had to add an ACCEPT policy in front of the DNAT policy. Is that right??

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On behalf of Krauss, Hassel
Sent: Thursday, 25 March 2004 19:58
To: shorewall-users@lists.shorewall.net
Subject: ==SPAM==! [Shorewall-users] DNAT & IPSEC Problem

Hello to all,

I have a big problem here. I'm trying to configure a 3-interface firewall where

  eth0 = loc
  eth1 = net (static IP)
  eth2 = dmz (10.60.8.1/21)

Rules (action, source, destination, protocol, source port, destination port):

  DNAT    Zone net                                          Host 10.60.8.2 in zone dmz                         50    Any
  DNAT    Zone net                                          Host 10.60.8.2 in zone dmz                         51    Any
  ACCEPT  Host xx.xxx.xxx.xx,xx.xxx.xxx.xxx in zone net     Any                                                UDP   Any   500,4500
  DNAT    Zone net                                          Host 10.60.8.2 in zone dmz                         UDP   Any   500,4500
  ACCEPT  Zone dmz                                          Zone net                                           UDP   Any   500,4500
  ACCEPT  Zone dmz                                          Host 10.36.8.3 in zone loc                         TCP   Any   1494,1604
  ACCEPT  Zone dmz                                          Host 10.36.8.2,10.36.8.51,10.36.8.52 in zone loc   TCP   Any   53

I want to DNAT the VPN server behind the firewall. I always get these messages:

  Mar 25 19:41:25 net2all:DROP:IN=eth1 OUT= SRC="another ip" DST="my ip" LEN=152 TOS=0x00 PREC=0x00 TTL=252 ID=10057 PROTO=UDP SPT=500 DPT=500 LEN=132
  Mar 25 19:48:26 all2all:REJECT:IN=eth2 OUT=eth1 SRC=10.60.8.2 DST="another ip" LEN=29 TOS=0x00 PREC=0xC0 TTL=254 ID=5013 PROTO=UDP SPT=0 DPT=0 LEN=9

Would be great if anyone could help :)

Bye,
Hassel

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
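The setup discussed in the thread, written out as an added example (not code from either poster or from the Shorewall project): the three-zone layout in Shorewall's native policy/rules file syntax, followed by a small parser for the kind of Shorewall log lines quoted above. Interfaces, zones, the VPN host 10.60.8.2 and the loc hosts are taken from the post; the policy file, the chain-name mapping and the sample log lines are assumed or constructed, and the ACCEPT rule with the redacted net hosts is left out. In Shorewall's rules file a DNAT action emits both the nat PREROUTING rule and the companion filter ACCEPT (DNAT- is the variant that omits the ACCEPT). The parser's "to-firewall" label rests on netfilter ordering: DNAT runs in PREROUTING before the routing decision, so a packet that is still logged on the INPUT path (empty OUT=) with the firewall's own address as DST was never matched by the DNAT rule.

```shell
#!/bin/sh
# Added example, not from the thread. Poster's facts: eth0=loc, eth1=net,
# eth2=dmz, VPN server 10.60.8.2 in dmz, loc hosts 10.36.8.x. Everything
# marked "assumed" or "constructed" below is not from the post.

# /etc/shorewall/policy (assumed). net2all and all2all, the chain names in
# the poster's logs, are the chains Shorewall builds for these two policies.
SHOREWALL_POLICY='#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info'

# /etc/shorewall/rules. DNAT generates the nat rule plus the filter ACCEPT
# (DNAT- would omit the ACCEPT). Protocol 50 is ESP, 51 is AH; neither
# carries ports, so the port column stays empty for them.
SHOREWALL_RULES='#ACTION SOURCE          DEST                                    PROTO   DEST PORT(S)
DNAT    net             dmz:10.60.8.2                           udp     500,4500
DNAT    net             dmz:10.60.8.2                           50
DNAT    net             dmz:10.60.8.2                           51
ACCEPT  dmz:10.60.8.2   net                                     udp     500,4500
ACCEPT  dmz:10.60.8.2   net                                     50
ACCEPT  dmz:10.60.8.2   net                                     51
ACCEPT  dmz             loc:10.36.8.3                           tcp     1494,1604
ACCEPT  dmz             loc:10.36.8.2,10.36.8.51,10.36.8.52     tcp     53'

# Parse one Shorewall log line into:
#   "<chain> <disposition> <path> <src> <dst> <proto> <dpt>"
# Shorewall prefixes the kernel LOG output with "<chain>:<disposition>:".
# An empty OUT= means the packet is on the INPUT path (addressed to the
# firewall itself); a non-empty OUT= means it is being forwarded.
parse_shorewall_log() {
    printf '%s\n' "$1" | awk '{
        chain = ""; disp = ""; out = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Za-z0-9_-]+:[A-Z]+:IN=/) {
                split($i, t, ":"); chain = t[1]; disp = t[2]
            } else if ($i ~ /^OUT=/)   { out   = substr($i, 5) }
              else if ($i ~ /^SRC=/)   { src   = substr($i, 5) }
              else if ($i ~ /^DST=/)   { dst   = substr($i, 5) }
              else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
              else if ($i ~ /^DPT=/)   { dpt   = substr($i, 5) }
        }
        path = (out == "") ? "to-firewall" : "forwarded"
        print chain, disp, path, src, dst, proto, dpt
    }'
}

# Constructed sample lines modelled on the two in the post, with RFC 5737
# documentation addresses standing in for the redacted "my ip"/"another ip".
SAMPLE_DROP='Mar 25 19:41:25 fw kernel: net2all:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=152 TOS=0x00 PREC=0x00 TTL=252 ID=10057 PROTO=UDP SPT=500 DPT=500 LEN=132'
SAMPLE_REJECT='Mar 25 19:48:26 fw kernel: all2all:REJECT:IN=eth2 OUT=eth1 SRC=10.60.8.2 DST=198.51.100.7 LEN=29 TOS=0x00 PREC=0xC0 TTL=254 ID=5013 PROTO=UDP SPT=0 DPT=0 LEN=9'

# First line: IKE from the Internet still addressed to the firewall on the
# INPUT path, so the DNAT rule did not match it. Second line: a forwarded
# packet from the DMZ host that no dmz->net rule accepted.
parse_shorewall_log "$SAMPLE_DROP"
parse_shorewall_log "$SAMPLE_REJECT"
```

Run the script as-is to see the two parsed lines; point `parse_shorewall_log` at your own `/var/log/messages` entries to separate "DNAT never matched" (to-firewall on the external interface) from "forwarded but no rule accepted it" before touching the rules file.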