Hi, I want to create a DNAT Macro to forward some port to a server, but I need to specify an external address to listen (I have 3 external addresses dedicated to different applications).

I did a macrofile like this:

    DNAT net loc tcp 5000 - [external ip]

rules:

    macro [server internal ip]

When I do that, I always get an error saying Invalid Rate in macrofile

The documentation says to put "-" when you need to specify an ip address in the next column.

P.S. I'm using shorewall version 4.0.15

Many thanks

--
Pascal Poudrier, CISSP
Vice-President
Tel: 819-377-0269
Cell: 1-819-698-7817
Fax: 819-840-0734
Geothentic Inc.
500 Cote Richelieu, #200
Trois-Rivieres, QC G9A 2Z1
Winner, Innovative Product/Process, Carrefour manufacturier 2008
Save Money and Time with ORCA

Confidentiality Notice
This communication (including any files transmitted with it) is intended solely for the person or entity to whom it is addressed, and may contain confidential or privileged information. The disclosure, distribution or copying of this message is strictly forbidden. Should you have received this communication in error, kindly contact the sender promptly, destroy any copies and delete this message from your computer system. Thank you.
------------------------------------------------------------------------------
Stay on top of everything new and different, both inside and around Java (TM) technology - register by April 22, and save $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. 300 plus technical and hands-on sessions. Register today. Use priority code J9JMT32. http://p.sf.net/sfu/p
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Pascal Poudrier wrote:
> Hi, I want to create a DNAT Macro to forward some port to a server,
> but I need to specify an external address to listen (I have 3 external
> addresses dedicated to different applications).
>
> I did a macrofile like this:
>
> DNAT net loc tcp 5000 - [external ip]
>
> rules:
> macro [server internal ip]
>
> When I do that, I always get an error saying Invalid Rate in macrofile
>
> The documentation says to put "-" when you need to specify an ip
> address in the next column.
>
> P.S. I'm using shorewall version 4.0.15

Shorewall-shell or Shorewall-perl?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Sorry, it's shorewall-perl

--
Pascal Poudrier, CISSP

Tom Eastep <teastep@shorewall.net> wrote:
> Pascal Poudrier wrote:
>> Hi, I want to create a DNAT Macro to forward some port to a server,
>> but I need to specify an external address to listen (I have 3 external
>> addresses dedicated to different applications).
>>
>> I did a macrofile like this:
>>
>> DNAT net loc tcp 5000 - [external ip]
>>
>> rules:
>> macro [server internal ip]
>>
>> When I do that, I always get an error saying Invalid Rate in macrofile
>>
>> The documentation says to put "-" when you need to specify an ip
>> address in the next column.
>>
>> P.S. I'm using shorewall version 4.0.15
>
> Shorewall-shell or Shorewall-perl?
>
> -Tom

Pascal Poudrier wrote:
> Hi, I want to create a DNAT Macro to forward some port to a server,
> but I need to specify an external address to listen (I have 3 external
> addresses dedicated to different applications).
>
> I did a macrofile like this:
>
> DNAT net loc tcp 5000 - [external ip]
>
> rules:
> macro [server internal ip]
>
> When I do that, I always get an error saying Invalid Rate in macrofile
>
> The documentation says to put "-" when you need to specify an ip
> address in the next column.
>
> P.S. I'm using shorewall version 4.0.15

You are defining a FORMAT-2 macro so you need to specify FORMAT 2 in the macrofile.

-Tom

Ok, thank you

Is this feature documented somewhere? I went to the official documentation and I cannot find anything regarding that.

Thanks again

--
Pascal Poudrier, CISSP

Tom Eastep <teastep@shorewall.net> wrote:
> Pascal Poudrier wrote:
>> Hi, I want to create a DNAT Macro to forward some port to a server,
>> but I need to specify an external address to listen (I have 3 external
>> addresses dedicated to different applications).
>>
>> I did a macrofile like this:
>>
>> DNAT net loc tcp 5000 - [external ip]
>>
>> rules:
>> macro [server internal ip]
>>
>> When I do that, I always get an error saying Invalid Rate in macrofile
>>
>> The documentation says to put "-" when you need to specify an ip
>> address in the next column.
>>
>> P.S. I'm using shorewall version 4.0.15
>
> You are defining a FORMAT-2 macro so you need to specify FORMAT 2 in the
> macrofile.
>
> -Tom

Pascal Poudrier wrote:
> Ok, thank you
>
> Is this feature documented somewhere? I went to the official
> documentation and I cannot find anything regarding that.

The ability to specify ORIGINAL DEST in a macrofile wasn't added until 4.2.0 Shorewall-perl. It is documented in the 4.2 release notes.

-Tom

Ok, if you look at the 4.0 documentation, here is what is written:

"#SOURCE PORT(S) - Port(s) used by the client. If omitted, any source port is acceptable. Specified as a comma-separated list of port names, port numbers or port ranges.

----------------
HERE ---> If you don't want to restrict client ports but need to specify an ADDRESS in the next column, then place "-" in this column.
----------------

If your kernel contains multi-port match support, then only a single Netfilter rule will be generated if in this list and in the DEST PORT(S) list above:
...

Is this a documentation error?

--
Pascal Poudrier, CISSP

Tom Eastep <teastep@shorewall.net> wrote:
> Pascal Poudrier wrote:
>> Ok, thank you
>>
>> Is this feature documented somewhere? I went to the official
>> documentation and I cannot find anything regarding that.
>
> The ability to specify ORIGINAL DEST in a macrofile wasn't added until
> 4.2.0 Shorewall-perl. It is documented in the 4.2 release notes.
>
> -Tom

Pascal Poudrier wrote:
> Ok, if you look at the 4.0 documentation, here is what is written:
>
> "#SOURCE PORT(S) - Port(s) used by the client. If omitted, any source
> port is acceptable. Specified as a comma-separated list of port names,
> port numbers or port ranges.
>
> ----------------
> HERE ---> If you don't want to restrict client ports but need to specify
> an ADDRESS in the next column, then place "-" in this column.
> ----------------
>
> If your kernel contains multi-port match support, then only a single
> Netfilter rule will be generated if in this list and in the DEST
> PORT(S) list above:
> ...
>
> Is this a documentation error?

There is no ORIGINAL DEST column in the 4.0 macro file!

The only documentation error is that the column and FORMAT 2 were not documented for 4.2 (I just fixed that); but you are running 4.0 so your macro file is invalid for that release.

-Tom
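
Why the external address is reported as an invalid rate, shown as an added sketch that is not part of the thread and is not Shorewall's code. It assumes a macro file without a FORMAT line uses a column layout with no ORIGINAL DEST column, and it models rate-limit syntax in simplified form; `parse_macro`, `check` and the address 203.0.113.10 are constructed for illustration.

```python
import re

# Column layouts per macro format (assumed, simplified from the macro templates).
FORMAT_COLUMNS = {
    1: ["ACTION", "SOURCE", "DEST", "PROTO", "DEST PORT(S)",
        "SOURCE PORT(S)", "RATE LIMIT", "USER/GROUP"],
    2: ["ACTION", "SOURCE", "DEST", "PROTO", "DEST PORT(S)",
        "SOURCE PORT(S)", "ORIGINAL DEST", "RATE LIMIT", "USER/GROUP"],
}
# Simplified model of a rate-limit value: rate[/unit][:burst]
RATE_RE = re.compile(r"^\d+(/(sec|min|hour|day))?(:\d+)?$")


def parse_macro(text):
    """Return (format, rows); raise ValueError on a bad RATE LIMIT value."""
    fmt, rows = 1, []  # assumption: no FORMAT line means format 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "FORMAT" and len(tokens) == 2:
            fmt = int(tokens[1])
            if fmt not in FORMAT_COLUMNS:
                raise ValueError(f"Invalid FORMAT ({fmt})")
            continue
        # Columns are positional: the 7th token means different things
        # depending on which format is in effect.
        row = dict(zip(FORMAT_COLUMNS[fmt], tokens))
        rate = row.get("RATE LIMIT", "-")
        if rate != "-" and not RATE_RE.match(rate):
            raise ValueError(f"Invalid Rate ({rate})")
        rows.append(row)
    return fmt, rows


# Constructed sample: 203.0.113.10 stands in for "[external ip]".
RULE = "DNAT net loc tcp 5000 - 203.0.113.10\n"


def check(text):
    """Parse a macro file; return (format, rows) or the error message."""
    try:
        return parse_macro(text)
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(check(RULE))                 # no FORMAT line: address hits RATE LIMIT
    print(check("FORMAT 2\n" + RULE))  # FORMAT 2: address is ORIGINAL DEST
```

The FORMAT 2 case only applies from 4.2.0 Shorewall-perl onward, as stated in the thread; on 4.0.15 the macro file has no ORIGINAL DEST column at all.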