No matter how much I try to understand this, it has become more complicated than 
it was and should be. New features are fine, but making it so darn hard to 
figure out is not good at all.
It looks like I'll have to go back to 2.2 so everything works again.
The help doesn't even work anymore either. But it really did lack, like someone 
else said.
The graphics for the different setups are nice looking at first look. But it 
really doesn't help, and a good visual should. It's just lacking in knowing what all 
it's trying to show.
Anyway, it's been months of trying to figure this out, and even the answers I see now 
just talk in riddles, so to speak. It has become overly complex, and that gets to be 
like BS in most cases.



> From: i...@sitco.at
> To: efw-user@lists.sourceforge.net
> Date: Wed, 30 Dec 2009 22:05:03 +0100
> Subject: Re: [Efw-user] firewall rules are hard to use
> 
> Another try:
> 
> RED specify (like all zones) one or more IPs, let's say public IP
> 222.222.222.222, so if the rule "access from RED" should work, the packets
> would have to be from a client that is part of this network. 
> 
> In most cases this won't be (always talking from usual/simple network
> scenarios ;-) ) For example: A client with a public IP from somewhere, let's
> say 111.222.333.444, would try to connect to your efw with the configuration:
> 
> Access from : RED
> 
> This can't work because the IP is not a part of your RED network! Endian is
> then expecting packets from 222.222.222.222. But your source is from
> 111.222.333.444. So you have to tell your efw to handle ALL incoming IPs
> respectively networks (or this specific IP or network). So that's why your
> configuration with RED as "source" won't work.
> 
>  
> "Target" does not mean to which server or host the signal will be routed! 
> It defines which IP/Network the packets must be designated to, to be
> handled.
> So
> 
> Target: your LAN client
> 
> Would not work because packets from outside do not have a target in your LAN
> but to 222.222.222.222...so it must be:
> 
> Target: any Uplink
> 
> In "translate to" it is defined to which IP the packet headers will be
> rewritten! The packet destination is at this point still 222.222.222.222 but
> your, for example, webserver has a private IP (perhaps 192.168.1.25) behind
> your efw, so it will only respond to packets that are designated for its
> own IP. Therefore EFW changes the target IP from 222.222.222.222 to
> 192.168.1.25 (so efw TRANSLATES it!) Please read some articles about how NAT
> works, then you will see that the term "translate to" makes sense and is
> much more correct than to talk of "port forwarding"...
> 
> Hope that helps =)
> 
> 
> Jo
> 
>  
> 
> 
> -----Original Message-----
> From: Pedro M. S. Oliveira [mailto:pmsolive...@gmail.com] 
> Sent: Wednesday, 30 December 2009 20:25
> To: efw-user@lists.sourceforge.net
> Subject: Re: [Efw-user] firewall rules are hard to use
> 
> Hi Jonas,
> When you specify target green or 192.168.1.25 this means that the packet
> arriving on the uplink should have a destination ip of the green network or
> 192.168.1.25 and usually that doesn't happen because they are marked to
> arrive at your red ip address (usually a public ip from your provider if you
> use a classic network schema).
> 
> lets put it this way:
> 
> 
> 183.23.13.24 - ExtHost - host on internet
> 213.21.23.23 - RedIP - your red ip address
> 192.168.1.254 - GreenIP - your green ip address
> 192.168.1.25 - HTSrv - your http server 
> 
> Now lets see the situation you described:
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
> 
> ExtHost -> RedIP -> GreenIP - forwarding refused because your rule says
> forward all packages with destination 192.168.1.25 but the package has
> destination 213.21.23.23 (RedIP) and that's why it's not forwarded
> 
> To accomplish this you could have something like:
> Access from: Any (or anyuplink or uplink)
> Target: Uplink or any uplink
> IP: your internal server ip (192.168.1.25)
> Type: IP
> DNAT: NAT
> Service: HTTP
> 
> This way:
> ExtHost -> RedIP -> GreenIP - forwarding accepted because access from and
> target are matched as well the service port and packet will be forwarded to
> the HTServ 
> 
> Access from is related to where the package is coming from.
> Target is the package destination on ip header not your local intended
> destination.
> 
> With these new features on EFW you can have greater control on more complex
> networks where you may have different layers of firewalling and this will be
> done just relying on the web interface; on version 2.2 with more complex
> rules and different layers of firewalling you needed to write a bunch of
> rules manually on the command line.
>  
> On Wednesday 30 December 2009 10:27:30 jonas kellens wrote:
> > Pedro,
> > 
> > This is the right configuration for port forwarding to a LAN-client :
> > 
> > Access from : any
> > Target : <any Uplink>
> > Port :TCP 51413
> > Translate to IP 192.168.1.25  port 51413 
> > 
> > 
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
> > 
> > Even with a good understanding of IPtables, I don't get this 'access',
> > 'target' and 'source'.
> > 
> > Can you maybe post a link to some examples cause I feel that the
> > documentation of Endian lacks some explanatory examples.
> > 
> > 
> > Jonas.
> > 
> > 
> > On Wed, 2009-12-30 at 10:12 +0000, Pedro M. S. Oliveira wrote:
> > 
> > > Hi
> > > I disagree with you both about the new EFW firewall interface, I see it
> > > much more complete and feature rich than the previous one. This new
> > > interface has more advanced options that you may use and it resembles
> > > best the iptables capabilities. In my opinion this is the way to go
> > > and it will be the difference between a home router and a business
> > > system.
> > > I'm sure that with a bit of reading about firewalls and the way they
> > > work you'll get there.
> > > cheers,
> > > pedro
> > 
> > 
> > 
> 
> -- 
> ----------------------------------------------------------------------------
> ------------------------------
> Pedro M. S. Oliveira                            
> IT Consultant                             
> Email: pmsolive...@gmail.com  
> URL:   http://www.linux-geex.com                
> Cellular: +351 96 5867227
> ----------------------------------------------------------------------------
> ------------------------------
> 
> ----------------------------------------------------------------------------
> --
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev 
> _______________________________________________
> Efw-user mailing list
> Efw-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/efw-user
> 
> 
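The point both Jo and Pedro make is that a DNAT rule is matched against the packet header as it arrives on the uplink, before any translation, so "Target" must name the address the packet really carries (the RED/uplink IP), not the LAN host it will be forwarded to. The following model is an added example, not Endian's code; it reuses Pedro's addresses (ExtHost 183.23.13.24, RedIP 213.21.23.23, HTSrv 192.168.1.25) and assumes a /24 mask for the RED and GREEN zones and a simplified rule shape (access from, target, service, translate to). It evaluates Jonas's three attempts and the working rule against the same inbound packet:

```python
"""Model of the pre-translation match that decides whether a DNAT rule fires.

Added example (not Endian's code). Addresses come from the thread; zone masks,
the rule fields and the evaluation order are assumptions made here.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Zones expressed as address ranges. The /24 masks are assumed; the thread
# only gives single addresses for each zone.
ZONES = {
    "RED": ip_network("213.21.23.0/24"),
    "GREEN": ip_network("192.168.1.0/24"),
    "ANY": ip_network("0.0.0.0/0"),
}
# "Any uplink": the public address(es) the firewall itself answers on (RedIP).
UPLINK_IPS = {ip_address("213.21.23.23")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    access_from: str     # zone name or literal IP/network the packet must come from
    target: str          # "UPLINK", a zone name, or literal IP/network the header must carry
    proto: str
    dport: int
    translate_to: str    # private address the destination is rewritten to
    translate_port: int


def _in_scope(addr: str, spec: str) -> bool:
    """True if addr lies inside the zone, uplink set or literal network named by spec."""
    ip = ip_address(addr)
    if spec.upper() == "UPLINK":
        return ip in UPLINK_IPS
    if spec.upper() in ZONES:
        return ip in ZONES[spec.upper()]
    return ip in ip_network(spec, strict=False)


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Optional[Packet]:
    """Return the rewritten packet for the first matching rule, or None if no rule fires.

    The match is done on the ORIGINAL header, which is what PREROUTING sees:
    'target' is compared with the destination the packet arrived with, not with
    the host it will eventually be delivered to.
    """
    for r in rules:
        if (pkt.proto == r.proto and pkt.dport == r.dport
                and _in_scope(pkt.src, r.access_from)
                and _in_scope(pkt.dst, r.target)):
            return replace(pkt, dst=r.translate_to, dport=r.translate_port)
    return None


# Constructed inbound packet: ExtHost connecting to RedIP on HTTP.
INBOUND = Packet(src="183.23.13.24", dst="213.21.23.23", proto="tcp", dport=80)

# Jonas's three attempts from the thread, plus the rule Pedro recommends.
RULE_FROM_RED = DnatRule("RED", "UPLINK", "tcp", 80, "192.168.1.25", 80)
RULE_TARGET_GREEN = DnatRule("ANY", "GREEN", "tcp", 80, "192.168.1.25", 80)
RULE_TARGET_SERVER = DnatRule("ANY", "192.168.1.25", "tcp", 80, "192.168.1.25", 80)
RULE_WORKING = DnatRule("ANY", "UPLINK", "tcp", 80, "192.168.1.25", 80)


def explain(rule: DnatRule, pkt: Packet = INBOUND) -> str:
    """Human-readable verdict for one rule against one packet."""
    out = apply_dnat(pkt, [rule])
    if out is None:
        return f"no match: access_from={rule.access_from} target={rule.target}"
    return f"forwarded to {out.dst}:{out.dport}"


if __name__ == "__main__":
    for name, rule in [("Access from RED", RULE_FROM_RED),
                       ("Target GREEN", RULE_TARGET_GREEN),
                       ("Target 192.168.1.25", RULE_TARGET_SERVER),
                       ("Target any uplink", RULE_WORKING)]:
        print(f"{name:22s} -> {explain(rule)}")
```

Running it shows the first three rules never fire for a packet from the Internet: the source is not inside the RED range, and the destination in the header is RedIP rather than anything in GREEN. Only the rule whose target is the uplink address matches, and the rewrite to 192.168.1.25 happens afterwards, which is exactly why the field is called "translate to".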