Plus I can't even figure out where to add the URLs I don't want in the proxy to 
bypass it. That was so easy to do. It makes no sense to me that it has to be 
this darn hard to do this.
I hate that I can't in the browser on the machine I have the apache running 
type in the domain name. It only wants to work if I use localhost:81. I can't 
use it any longer like this.


> From: i...@sitco.at
> To: efw-user@lists.sourceforge.net
> Date: Wed, 30 Dec 2009 22:05:03 +0100
> Subject: Re: [Efw-user] firewall rules are hard to use
> 
> Another try:
> 
> RED specifies (like all zones) one or more IPs, let's say public IP
> 222.222.222.222, so if the rule "access from RED" should work, the packets
> would have to be from a client that is part of this network. 
> 
> In most cases this won't be (always talking from usual/simple network
> scenarios ;-) ) For example: A client with a public IP from somewhere, let's
> say 111.222.333.444, would try to connect your efw with the configuration:
> 
> Access from : RED
> 
> This can't work because the IP is not a part of your RED network! Endian is
> then expecting packets from 222.222.222.222. But your source is from
> 111.222.333.444. So you have to tell your efw to handle ALL incoming IPs
> respectively networks (or this specific IP or network). So that's why your
> configuration with RED as "source" won't work.
> 
>  
> "Target" does not mean to which server or host the signal will be routed! 
> It defines which IP/Network the packets must be designated to, to be
> handled.
> So
> 
> Target: your LAN client
> 
> Would not work because packets from outside do not have a target in your LAN
> but to 222.222.222.222...so it must be:
> 
> Target: any Uplink
> 
> In "translate to" it is defined to which IP the packet headers will be
> rewritten! The packet destination is at this point still 222.222.222.222 but
> your, for example, webserver has a private IP (perhaps 192.168.1.25) behind
> your efw, so it will only respond to packets that are designated for its
> own IP. Therefore EFW changes the target IP from 222.222.222.222 to
> 192.168.1.25 (so efw TRANSLATES it!) Please read some articles about how NAT
> works, then you will see that the term "translate to" makes sense and is
> much more correct than to talk of "port forwarding"...
> 
> Hope that helps =)
> 
> 
> Jo
> 
>  
> 
> 
> -----Original Message-----
> From: Pedro M. S. Oliveira [mailto:pmsolive...@gmail.com] 
> Sent: Wednesday, 30 December 2009 20:25
> To: efw-user@lists.sourceforge.net
> Subject: Re: [Efw-user] firewall rules are hard to use
> 
> Hi Jonas,
> When you specify target green or 192.168.1.25 this means that the packet
> arriving on the uplink should have a destination IP of the green network or
> 192.168.1.25, and usually that doesn't happen because they are marked to
> arrive at your red IP address (usually a public IP from your provider if you
> use a classic network schema).
> 
> Let's put it this way:
> 
> 
> 183.23.13.24 - ExtHost - host on internet
> 213.21.23.23 - RedIP - your red ip address
> 192.168.1.254 - GreenIP - your green ip address
> 192.168.1.25 - HTSrv - your http server 
> 
> Now let's see the situation you described:
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
> 
> ExtHost -> RedIP -> GreenIP - forwarding refused because your rule says
> forward all packages with destination 192.168.1.25 but the package has
> destination 213.21.23.23 (RedIP) and that's why it's not forwarded
> 
> To accomplish this you could have something like:
> Access from: Any (or anyuplink or uplink)
> Target: Uplink or any uplink
> IP: your internal server ip (192.168.1.25)
> Type: IP
> DNAT: NAT
> Service: HTTP
> 
> This way:
> ExtHost -> RedIP -> GreenIP - forwarding accepted because access from and
> target are matched as well as the service port, and the packet will be
> forwarded to the HTSrv 
> 
> Access from is related to where the package is coming from.
> Target is the package destination on ip header not your local intended
> destination.
> 
> With these new features on EFW you can have greater control on more complex
> networks where you may have different layers of firewalling, and this will be
> done just relying on the web interface; on version 2.2, with more complex
> rules and different layers of firewalling, you needed to write a bunch of
> rules manually on the command line.
>  
> On Wednesday 30 December 2009 10:27:30 jonas kellens wrote:
> > Pedro,
> > 
> > This is the right configuration for port forwarding to a LAN-client :
> > 
> > Access from : any
> > Target : <any Uplink>
> > Port :TCP 51413
> > Translate to IP 192.168.1.25  port 51413 
> > 
> > 
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
> > 
> > Even with a good understanding of IPtables, I don't get this 'access',
> > 'target' and 'source'.
> > 
> > Can you maybe post a link to some examples cause I feel that the
> > documentation of Endian lacks some explanatory examples.
> > 
> > 
> > Jonas.
> > 
> > 
> > On Wed, 2009-12-30 at 10:12 +0000, Pedro M. S. Oliveira wrote:
> > 
> > > Hi
> > > I disagree with you both about the new EFW firewall interface, I see it
> > > much more complete and feature rich than the previous one. This new
> > > interface has more advanced options that you may use and it resembles
> > > best the iptables capabilities. In my opinion this is the way to go
> > > and it will be the difference between a home router and a business
> > > system.
> > > I'm sure that with a bit of reading about firewalls and the way they
> > > work you'll get there.
> > > cheers,
> > > pedro
> > 
> > 
> > 
> 
> -- 
> ----------------------------------------------------------------------------
> ------------------------------
> Pedro M. S. Oliveira                            
> IT Consultant                             
> Email: pmsolive...@gmail.com  
> URL:   http://www.linux-geex.com                
> Cellular: +351 96 5867227
> ----------------------------------------------------------------------------
> ------------------------------
> 
> ----------------------------------------------------------------------------
> --
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev 
> _______________________________________________
> Efw-user mailing list
> Efw-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/efw-user
> 
> 
                                          
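
The matching that Jo and Pedro describe in the quoted replies, modelled as an added Python example (not part of the thread and not Endian's code): a rule fires only when the packet's source lies in "Access from" and its destination header lies in "Target", and only then is the destination rewritten to "Translate to". The zone table, the RED subnet mask and the names `evaluate` and `in_spec` are assumptions made for the illustration; the addresses are the ones from Pedro's message.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from Pedro's example; the RED subnet mask is an assumption.
EXT_HOST, RED_IP, HT_SRV = "183.23.13.24", "213.21.23.23", "192.168.1.25"
ZONES = {
    "ANY": ["0.0.0.0/0"],
    "RED": ["213.21.23.16/28"],   # assumed network that contains RedIP
    "UPLINK": [RED_IP],           # the address the uplink itself holds
    "GREEN": ["192.168.1.0/24"],
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    access_from: str   # where the packet's source address must lie
    target: str        # where the packet's destination header must lie
    dport: int
    translate_to: str  # written into the destination header on a match

def in_spec(addr, spec):
    """True if addr lies in the named zone, or in a literal IP/CIDR."""
    nets = ZONES.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)

def evaluate(rule, pkt):
    """Return (rewritten packet or None, reason) for one rule and one packet."""
    if not in_spec(pkt.src, rule.access_from):
        return None, f"source {pkt.src} is not in {rule.access_from}"
    if not in_spec(pkt.dst, rule.target):
        return None, f"destination {pkt.dst} is not in {rule.target}"
    if pkt.dport != rule.dport:
        return None, f"port {pkt.dport} is not {rule.dport}"
    return replace(pkt, dst=rule.translate_to), "matched, destination rewritten"

if __name__ == "__main__":
    pkt = Packet(EXT_HOST, RED_IP, 80)  # what actually arrives on the uplink
    for access_from, target in [("RED", "UPLINK"), ("ANY", "GREEN"),
                                ("ANY", HT_SRV), ("ANY", "UPLINK")]:
        out, why = evaluate(Rule(access_from, target, 80, HT_SRV), pkt)
        print(f"from={access_from:4} target={target:13} -> {why}")
```

Only the last combination matches, because the packet on the wire still carries RedIP as its destination until the rule rewrites it.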