hi,
is there any reason why there is no such thing as ADD_DNAT_ALIASES in shorewall.conf or in rules (or have I just missed it)? I think about it like in the masq file: if the masqueraded outgoing interface is different from the default firewall interface, then I can use ip:<digit> where the digit is the alias number. Since DNAT is in the rules file it can be used from there. E.g. if I would like to DNAT all connections from the internet to an internal machine, I do:

DNAT net loc:$INTER_IP - - - $EXTER_IP

but I wouldn't like to add it to the nat file:

$EXTER_IP eth0:5 $INTER_IP

since I wouldn't like the internal machine to be able to directly connect out to the internet, which is the case in the nat file. Am I missing something? But in this case I'm not able to define that the first rule should use "5" as the alias, and not able to force shorewall to add this virtual alias automatically.
how can I do that, or what have I misunderstood?
thanks in advance.
yours.
--
Levente
"Si vis pacem para bellum!"
Farkas Levente wrote:
| hi,
| is there any reason why there is no such thing as ADD_DNAT_ALIASES in
| shorewall.conf or in rules (or have I just missed it)?

It is not there because I haven't implemented it.

| I think about it
| like in the masq file: if the masqueraded outgoing interface is different
| from the default firewall interface, then I can use ip:<digit> where the
| digit is the alias number. Since DNAT is in the rules file it can be used
| from there. E.g. if I would like to DNAT all connections from the internet
| to an internal machine, I do:
| DNAT net loc:$INTER_IP - - - $EXTER_IP
| but I wouldn't like to add it to the nat file:
| $EXTER_IP eth0:5 $INTER_IP
| since I wouldn't like the internal machine to be able to directly
| connect out to the internet, which is the case in the nat file. Am I
| missing something? But in this case I'm not able to define that the first
| rule should use "5" as the alias, and not able to force shorewall to add this
| virtual alias automatically.
| how can I do that, or what have I misunderstood?

You must add the alias manually -- your distribution most likely has a way to do that. Then you can do DNAT based on the original destination address as described at http://shorewall.net/Shorewall_and_Aliased_Interfaces.html in the section entitled DNAT.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Farkas Levente wrote:
| hi,
| is there any reason why there is no such thing as ADD_DNAT_ALIASES in
| shorewall.conf or in rules (or have I just missed it)? I think about it
| like in the masq file: if the masqueraded outgoing interface is different
| from the default firewall interface, then I can use ip:<digit> where the
| digit is the alias number. Since DNAT is in the rules file it can be used
| from there. E.g. if I would like to DNAT all connections from the internet
| to an internal machine, I do:
| DNAT net loc:$INTER_IP - - - $EXTER_IP
| but I wouldn't like to add it to the nat file:
| $EXTER_IP eth0:5 $INTER_IP
| since I wouldn't like the internal machine to be able to directly
| connect out to the internet, which is the case in the nat file.

The NAT file simply defines address mappings -- entries in that file *do not* override your policies and rules.

-Tom
hi,
is there any reason why there is no such thing as ADD_DNAT_ALIASES in shorewall.conf or in rules (or have I just missed it)? I think about it like in the masq file: if the masqueraded outgoing interface is different from the default firewall interface, then I can use interface:<digit> where the digit is the alias number. Since DNAT is in the rules file it can be used from there. E.g. if I would like to DNAT all connections from the internet to an internal machine, I do:

DNAT net loc:$INTER_IP - - - $EXTER_IP

but I wouldn't like to add it to the nat file:

$EXTER_IP eth0:5 $INTER_IP

since I wouldn't like the internal machine to be able to directly connect out to the internet, which is the case in the nat file. Or am I missing something? But in this case I'm not able to define that the first rule should use "5" as the alias, and not able to force shorewall to add this virtual alias automatically.
how can I do that, or what have I misunderstood?

and some related questions:
- does a line in the masq file automatically add an accept rule too? e.g. in the masq file
  eth0 <internal ip>
  allows connections from <internal ip> (local zone) to the net zone (eth0's zone)?
- does a line in the nat file automatically add an accept rule too? e.g. in the nat file:
  <external ip> eth0:5 <internal ip>
  allows connections from BOTH <internal ip> (local zone) to the net zone (eth0's zone) and from the net zone to the <internal ip>?
  or do I also have to add these to the rules file?

I tried to read all the docs but these are not documented very well. Some kind of advanced documentation would be useful for those who know the ip and iptables commands, e.g. "a DNAT rule adds such an iptables command" etc.
thanks in advance.
yours.
--
Levente
Farkas Levente wrote:
| hi,
| is there any reason why there is no such thing as ADD_DNAT_ALIASES in
| shorewall.conf or in rules (or have I just missed it)?

The answer hasn't changed since I answered your question this morning!

| and some related questions:
| - does a line in the masq file automatically add an accept rule too? e.g. in the
| masq file
| eth0 <internal ip>

No.

| allows connections from <internal ip> (local zone) to the net zone (eth0's
| zone)?
| - does a line in the nat file automatically add an accept rule too? e.g. in the
| nat file:

No.

| <external ip> eth0:5 <internal ip>
| allows connections from BOTH <internal ip> (local zone) to the net zone
| (eth0's zone) and from the net zone to the <internal ip>?
| or do I also have to add these to the rules file?
| I tried to read all the docs but these are not documented very well. Some kind
| of advanced documentation would be useful for those who know the ip and
| iptables commands, e.g. "a DNAT rule adds such an iptables command" etc.

Those who know how IP and iptables work can study the output of "shorewall status" with the help of these two documents:

a) http://shorewall.net/PacketHandling.html
b) http://shorewall.net/NetfilterOverview.html

-Tom
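The following is an added example, not Shorewall's generator and not code from anyone in this thread. It prints, without applying them, the netfilter commands that the three Shorewall entries discussed above correspond to (a DNAT rule in the rules file, a one-to-one entry in the nat file, and a masq entry), plus the manual alias that Tom says Shorewall will not add for you. The interfaces, addresses and alias number are assumptions chosen for illustration; the point it makes visible is that the nat-table rules only rewrite addresses, and that whether the rewritten packet is forwarded is decided separately in the filter table, where the policies and rules live.

```shell
#!/bin/sh
# Added example: emit the netfilter equivalent of Shorewall entries WITHOUT
# applying anything. Assumed values (not from the thread's real setup):
EXT_IF=eth0             # internet-facing interface (net zone)
INT_IF=eth1             # LAN-facing interface (loc zone)
EXTER_IP=203.0.113.5    # public address to publish (RFC 5737 documentation range)
INTER_IP=192.168.1.10   # internal server (constructed)
ALIAS_N=5               # alias number, i.e. eth0:5 as in the thread

# 1. The alias itself. A DNAT rule does not create it; the address must be
#    on the box before packets for EXTER_IP are ever seen by PREROUTING.
alias_cmd() {
    echo "ip addr add $EXTER_IP/32 dev $EXT_IF label $EXT_IF:$ALIAS_N"
}

# 2. rules file:   DNAT  net  loc:$INTER_IP  -  -  -  $EXTER_IP
#    nat-table part only: inbound destination rewrite, nothing outbound.
dnat_rule() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXTER_IP -j DNAT --to-destination $INTER_IP"
}

# 3. nat file:     $EXTER_IP  $EXT_IF:$ALIAS_N  $INTER_IP
#    a one-to-one mapping in BOTH directions: inbound DNAT plus outbound SNAT,
#    so INTER_IP's own outgoing packets leave as EXTER_IP (but are still only
#    forwarded if the filter table allows loc->net).
nat_entry() {
    echo "iptables -t nat -A PREROUTING  -i $EXT_IF -d $EXTER_IP -j DNAT --to-destination $INTER_IP"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INTER_IP -j SNAT --to-source $EXTER_IP"
}

# 4. masq file:    $EXT_IF  $INTER_IP
#    outbound source rewrite to the interface's primary address, again no ACCEPT.
masq_entry() {
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INTER_IP -j MASQUERADE"
}

# 5. Permission lives in the filter table. A Shorewall DNAT rule also generates
#    an ACCEPT for the rewritten packet; a nat-file or masq-file entry does not,
#    which is the "No." in the reply above. Only net->loc is opened here; loc->net
#    is deliberately absent, matching the requirement that the internal host
#    must not be able to connect out on its own.
accept_rules() {
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -d $INTER_IP -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The full set for the thread's goal (published server, no outbound access),
# collected for review rather than fed to iptables.
generate() {
    alias_cmd
    dnat_rule
    accept_rules
}

generate
```

Run it and read the output, or pipe it through `sh -n` style review before ever feeding it to a root shell; the value of a dry run is exactly that the commands are inspected first. Compare `nat_entry` with `dnat_rule` to see why the nat file was the wrong tool for this case: it adds the SNAT leg that gives the internal host a public identity on the way out, even though it still grants no permission by itself.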
On Tue, 2004-08-10 at 21:44, Tom Eastep wrote:
> Farkas Levente wrote:
> | hi,
> | is there any reason why there is no such thing as ADD_DNAT_ALIASES in
> | shorewall.conf or in rules (or have I just missed it)?
>
> The answer hasn't changed since I answered your question this morning!
>
> | and some related questions:
> | - does a line in the masq file automatically add an accept rule too? e.g. in the
> | masq file
> | eth0 <internal ip>
>
> No.
>
> | allows connections from <internal ip> (local zone) to the net zone (eth0's
> | zone)?
> | - does a line in the nat file automatically add an accept rule too? e.g. in the
> | nat file:
>
> No.

thanks for these answers :-)

> | <external ip> eth0:5 <internal ip>
> | allows connections from BOTH <internal ip> (local zone) to the net zone
> | (eth0's zone) and from the net zone to the <internal ip>?
> | or do I also have to add these to the rules file?
> | I tried to read all the docs but these are not documented very well. Some kind
> | of advanced documentation would be useful for those who know the ip and
> | iptables commands, e.g. "a DNAT rule adds such an iptables command" etc.
>
> Those who know how IP and iptables work can study the output of
> "shorewall status" with the help of these two documents:
>
> a) http://shorewall.net/PacketHandling.html
> b) http://shorewall.net/NetfilterOverview.html

something like "shorewall generate" would be useful, which creates a file that can be fed to iptables (best would be iptables-save/restore compatible format) WITHOUT applying it. AFAIR "shorewall status" is only usable on a running shorewall, i.e. after applying it, but before I use it I'd like to look into what it will do, and when something goes wrong I'd like to see what's going wrong.
Farkas Levente wrote:
|
| something like "shorewall generate" would be useful, which creates a file that
| can be fed to iptables (best would be iptables-save/restore compatible
| format) WITHOUT applying it. AFAIR "shorewall status" is only usable on
| a running shorewall, i.e. after applying it, but before I use it I'd like
| to look into what it will do, and when something goes wrong I'd like
| to see what's going wrong.
|

There are rather extensive facilities for trying out new configurations safely -- have you looked at http://shorewall.net/starting_and_stopping_shorewall.htm ?

-Tom
PGP Public Key \ https://lists.shorewall.net/eastep.pgp.key