similar to: NAT PAT & SNAT

I am having problems making RTSP connections to a Windows Streaming Media Server (ie "connecting to media...." but WMP never connects). There are no error messages in /var/log/messages. It was suggested to me that SNAT might perform better than MASQ in this respect. I edited my shorewall/masq file as such: eth0 eth1 12.34.56.78 or should it be? eth0 10.0.0.0/24

In the panic of replacing our firewall(s) earlier in the week, we ended up moving our original shorewall 1.4 config onto a machine with 2.0.10 already installed, overwriting all the 2.0.10 config files. Most things seem to work fine, except for our masq entries. I''ve examined the default 2.0.10 files compared with our 1.4 files, and can''t spot the problem. What am I missing?

This is a minor release of Shorewall. In this release: 1. A "shorewall try" command has been added. This command attempts to restart Shorewall using an alternate configuration and if that attempt fails, Shorewall is automatically started with the default configuration. This is useful for remote administration where a failed restart of Shorewall can leave you isolated from

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The original post was over 300,000kb so I didn''t spam the list with it -TE. | | | Thank you for your quick and helpful response. | | I didn''t understand that the virtual interface eth0:1 doesn''t count as a separate instance from eth0. | I am sorry to ask for further assistance and would appreciate any help. The error

Hi ! I have setup a complete shorewall now with DMZ, and Private zones and masq, rules, port-forwarding etc. worx like expected. BUT I have a wish to use a couple of more public IP''s and relate those to inernal servers on the DMZ zone and i am now so confused about it. I have searched this archive for SNAT port allow Setup: 3 public adresses on the WAN nic. lets call them 80.80.80.80 -

hi, in the masq file''s documentation, there is a sentence: "If you have a static IP on that interface, listing it here makes processing of output packets a little less expensive for the firewall." this realy means that SNAT to the primary address is less expensive than a MASQ rules in the netfilter? is this documented anywhere in iptables/netfilter? thanks. -- Levente

I recently implemented v2.0.9 using ''shorewall setup guide'' 2004-07-31. Starting with block everything not known to be in use and opening ports as complaints come in. This has led to a few rule changes. After a rule change I use shorewall restart to reload the rules. Seems to work OK... except for an outbound NAT SMTP connection from a mail server on .122 to postini.com. The

Hello everybody, I want to solve the following problem with Shorewall: I have a computer with one NIC (eth0) with an internal IP address (10.1.x.x), which is supposed to accept connections from various clients (10.2.x.x) and redirect them to another IP address (10.3.x.x) with a different destination port. For example: The software on the client computer is told to connect to the Shorewall

Problems Corrected: 1) A problem seen on RH7.3 systems where Shorewall encountered start errors when started using the "service" mechanism has been worked around. 2) A problem introduced in earlier snapshots has been corrected. This problem caused incorrect netfilter rules to be created when the destination zone in a rule was qualified by an address in CIDR format.

Hi all, I''m using Shorewall since one year (1.4, then 2.0) I''m trying to migrate a linux firewall from iptables rules to shorewall. The firewall has three zones - net internet - loc1 lan - loc2 second lan I have a lot of rules like this, to SNAT the ip addresses of some computers on loc1 (192.168.16.0/24) when they connect to loc2 (10.0.0.0/8) iptables -v -t nat -I

I have an internal (10.16.0.0/24) network which is routed out via a proxy on port 80 only, this proxy is then routed to an upstream proxy on port 8080, this then runs through a cluster of caching (squid) proxies and then finally, goes out to the internet. As there are a cluster of squid proxies, the IP of an internet-request from the internal LAN is never the same, it changes to match the proxy

I''m doing more releases of 1.4.* to try to work around the absurd way in which the 2.6 kernel supports ipsec. 1.4.10 will provide a means for excluding multiple destination hosts/subnets from masquerade/SNAT. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net

More than one of our docs issues revolve around some confusion between "IP masquerading" and "SNAT" -- a confusion I might share, or if contagious, I may be catching. <g> I think of SNAT more or less as a special case of IP masquerading, applicable when, for example, the external interface has multiple IP''s and you choose to _explicitly_ set the address through

Hi, I got a problem with iproute and shorewall but I don''t know where the real problem is yet, perhaps someone can shed any light on this one. What we currently do is route all traffic coming from a specific host through our second isp''s nat router. This is done via SNAT on our own router. /etc/shorewall/masq: eth2 $INTERNALHOSTA 192.168.0.142 We now

Hi! Can I use the old version shorewall 1.2.12 configure as SNAT and DMZ ? Because Debian Linux came with the default shorewall 1.2.12 . Best Regards, Support

Hi All, >From the documentation I have read on Shorewall, the preferred approach seems to be, to use Proxy ARP instead of Static NAT for hosting web servers in the DMZ Zone. But I have also read that this could cause problems for VPN configurations. I essentially have multiple public IP''s, which I want to map to private addresses in the DMZ. I also intend to setup a gateway between 2

I have a few IP addresses attached to an interface without problems. I also have some chrooted environments attached to these IP addresses. Is there a way to make connections (telnet) from these environments look like they are coming from the aliased IP''s rather than the main IP address? Thanks for any help Kevin.

Hello, > My server is on Mandrake 10.1 off. > eth0 is WAN with static IP connected 512 DSL > eth1 is LAN. I need a little clarification on static nat settings in shorewall. external address - static IP internal address - ? for the internal address should I put my eth1 IP or the general subnet range. For example 192.168.0.0. I am also not sure about : Active for firewall system? yes

Hello, > My server is on Mandrake 10.1 off. > eth0 is WAN with static IP connected 512 DSL > eth1 is LAN. I am little confused about NAT. I have a static IP from ISP I want to do a NAT on eth0. What should I use in shorewall masquerading or static nat ? Thanks Varun

Hello Shorewall gurus, I have a dilemma with a public server. I want to migrate the current public server over to a new machine behind the current server''s firewall (shorewall 1.4). I have included a diagram below to help explain the target network I am working toward. I have read the shorewall online documentation and though I have used Shorewall the past 4 years in the current