I'm forwarding this to keep the thread on the list. I've updated the response to FAQ 1e to clarify that SSHD needs to listen on port 22 only on the address of the internal interface.
-Tom
-------- Original Message --------
Subject: Re: [Shorewall-users] DNAT rule for SSH opens both ports
Date: Thu, 02 Mar 2006 07:34:21 -0800
From: Tom Eastep <teastep@shorewall.net>
To: Tom Eastep <teastep@shorewall.net>
CC: Leah Cunningham <leah@frauerpower.com>
References: <200603012100.10440.leah@heinous.org> <44065612.20709@shorewall.net> <200603012141.01261.leah@frauerpower.com> <4406634A.4050603@shorewall.net> <440667EA.5090600@shorewall.net>
Tom Eastep wrote:
> Tom Eastep wrote:
>> Leah Cunningham wrote:
>>> On Wednesday 01 March 2006 21:18, you wrote:
>>>> This is Shorewall FAQ 1e.
>>> Unless I am mistaken, I am doing EXACTLY what it says to do in FAQ 1e. In fact, it was one of my main references. My rule looks like:
>>>
>>> DNAT net fw:10.255.0.25:22 tcp 22869
>>>
>> That is not the rule suggested by FAQ 1e.
The FAQ 1e response suggests that the port be forwarded to the IP address of the firewall's *internal* interface. You are forwarding it to the IP address of the firewall's *external* interface.
The FAQ 1e response also assumes that SSHD will be configured to only listen on the internal IP address.
>>
>
> Also, I don't think that *any* of the BROADCAST values in your
> /etc/shorewall/interfaces file are correct.
>
If a.b.c.d is the broadcast address of a non-degenerate network then 'd' must be a multiple of four minus 1. The three values that you show are:
34 (no way -- it's not even odd)
25 (not multiple of four minus 1)
3 (Is a multiple of four minus one but then you would be configuring your local network as 192.168.1.0/30 which seems unlikely since that network has only two usable addresses in it -- 192.168.1.1 and 192.168.1.2).
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
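The broadcast-address sanity check Tom applies above (for any network of /30 or shorter, the last octet of the broadcast address is one less than a multiple of four) can be carried out mechanically. The following is an added example, not code from the thread or from the Shorewall project: it derives the broadcast address of a CIDR network, applies Tom's last-octet rule to a candidate broadcast value, and enumerates every non-degenerate network (prefix length 1 to 30) that actually has that broadcast address, so a mis-set BROADCAST entry in /etc/shorewall/interfaces can be caught before it is loaded. The sample addresses are the three values discussed in the thread (the first two octets for 34 and 25 are constructed, since the message only gives the last octet).

```python
import ipaddress

# Candidate BROADCAST values to check. 192.168.1.3 is from the thread;
# the first three octets of the other two are constructed for the example.
SAMPLE_BROADCASTS = ["192.168.1.34", "192.168.1.25", "192.168.1.3"]


def broadcast_of(cidr: str) -> str:
    """Return the broadcast address of a network given in CIDR notation."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def last_octet_plausible(addr: str) -> bool:
    """Tom's rule: for a non-degenerate IPv4 network (prefix <= /30) the last
    octet of the broadcast address is a multiple of four minus one.
    Equivalent: the low two bits of the address are set."""
    last = ipaddress.ip_address(addr).packed[-1]
    return (last + 1) % 4 == 0


def candidate_networks(addr: str) -> list[str]:
    """All networks with prefix length 1..30 whose broadcast address is addr.
    An empty list means no non-degenerate network can have this broadcast."""
    target = ipaddress.ip_address(addr)
    found = []
    for prefix in range(1, 31):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if net.broadcast_address == target:
            found.append(str(net))
    return found


def usable_hosts(cidr: str) -> list[str]:
    """Host addresses excluding the network and broadcast addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def explain(addr: str) -> str:
    """Human-readable verdict for one BROADCAST value."""
    if not last_octet_plausible(addr):
        return f"{addr}: cannot be a broadcast address of any /30-or-larger network"
    nets = candidate_networks(addr)
    parts = [f"{addr}: broadcast of {n} ({len(usable_hosts(n))} usable hosts)" for n in nets]
    return "; ".join(parts)


if __name__ == "__main__":
    for candidate in SAMPLE_BROADCASTS:
        print(explain(candidate))
```

For 192.168.1.3 the only match is 192.168.1.0/30 with two usable hosts, which is exactly the objection raised in the message; 34 and 25 match nothing, so those entries could never be correct regardless of the netmask.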