Destination NAT, Source NAT, Incoming routed traffic
these two are split up and make no sense to me now.
From: jonas.kell...@telenet.be
To: efw-user@lists.sourceforge.net
Date: Wed, 30 Dec 2009 21:32:45 +0100
Subject: Re: [Efw-user] firewall rules are hard to use
Thank you Pedro for your explanation. I much appreciate it!!
Things become clearer...
On Wed, 2009-12-30 at 19:25 +0000, Pedro M. S. Oliveira wrote:
Hi Jonas,
When you specify target green or 192.168.1.25 this means that the packet
arriving on the uplink should have a destination ip of the green network or
192.168.1.25 and usually that doesn't happen because they are marked to arrive
at your red ip address (usually a public ip from your provider if you use a
classic network schema).
Let's put it this way:
183.23.13.24 - ExtHost - host on internet
213.21.23.23 - RedIP - your red ip address
192.168.1.254 - GreenIP - your green ip address
192.168.1.25 - HTSrv - your http server
Now let's see the situation you described:
> "Access from : RED" does not work. I don't understand why. Do you ?
> "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> understand why I can't use my LAN-client as target, as this is the
> client to where to portforward ?!
ExtHost -> RedIP -> GreenIP - forwarding refused because your rule says forward
all packages with destination 192.168.1.25 but the package has destination
213.21.23.23 (RedIP) and that's why it's not forwarded
To accomplish this you could have something like:
Access from: Any (or anyuplink or uplink)
Target: Uplink or any uplink
IP: your internal server ip (192.168.1.25)
Type: IP
DNAT: NAT
Service: HTTP
This way:
ExtHost -> RedIP -> GreenIP - forwarding accepted because access from and
target are matched, as well as the service port, and the packet will be forwarded to
HTSrv
Access from is related to where the package is coming from.
Target is the package destination on ip header not your local intended
destination.
With these new features on EFW you can have greater control on more complex
networks where you may have different layers of firewalling, and this will be
done just relying on the web interface. On version 2.2, with more complex rules
and different layers of firewalling, you needed to write a bunch of rules
manually on the command line.
_______________________________________________
Efw-user mailing list
Efw-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-user
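To make Pedro's point concrete, here is a small model (an added example, not code from the thread or from Endian Firewall) of how a port-forward rule is matched against an incoming packet: the rule's "Target" is compared with the destination address in the IP header as it arrives, before any NAT rewrite, so a target of GREEN or 192.168.1.25 can never match a packet addressed to the red IP. The addresses are the ones Pedro used; the zone layout (GREEN = 192.168.1.0/24, UPLINK = the firewall's own red address, RED = everything else) and the rule fields are assumptions made for the model.

```python
"""Model of DNAT (port-forward) rule matching on the pre-NAT IP header.

Added example, not EFW code. Addresses come from the thread; the zone
classification and the rule structure are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

EXT_HOST = ip_address("183.23.13.24")   # host on the internet
RED_IP = ip_address("213.21.23.23")     # your red (public) ip address
GREEN_IP = ip_address("192.168.1.254")  # your green ip address
HT_SRV = ip_address("192.168.1.25")     # your http server
GREEN_NET = ip_network("192.168.1.0/24")  # assumed green network


def zone_of(addr: IPv4Address) -> str:
    """Classify an address into the assumed zones."""
    if addr in GREEN_NET:
        return "GREEN"
    if addr == RED_IP:
        return "UPLINK"   # the firewall's own red/uplink address
    return "RED"          # any other host reached over the red interface


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address   # destination as it appears in the header on arrival
    dport: int


@dataclass(frozen=True)
class DnatRule:
    access_from: str      # zone the packet must come from, or "ANY"
    target: str           # zone name ("GREEN", "UPLINK", ...) or a literal IP
    service_port: int     # destination port that must appear in the header
    dnat_to: IPv4Address  # internal address the destination is rewritten to


def target_matches(rule: DnatRule, pkt: Packet) -> bool:
    """Target is compared with the header destination, not the intended host."""
    try:
        return pkt.dst == ip_address(rule.target)   # literal IP target
    except ValueError:
        return zone_of(pkt.dst) == rule.target      # zone-name target


def apply_dnat(rule: DnatRule, pkt: Packet):
    """Return the rewritten packet if the rule matches, otherwise None."""
    if rule.access_from != "ANY" and zone_of(pkt.src) != rule.access_from:
        return None
    if not target_matches(rule, pkt):
        return None
    if pkt.dport != rule.service_port:
        return None
    return replace(pkt, dst=rule.dnat_to)


def first_match(rules, pkt: Packet):
    """Evaluate rules in order; return (rule, rewritten packet) or (None, None)."""
    for rule in rules:
        out = apply_dnat(rule, pkt)
        if out is not None:
            return rule, out
    return None, None


if __name__ == "__main__":
    # ExtHost -> RedIP:80, as the packet arrives on the uplink (constructed).
    incoming = Packet(EXT_HOST, RED_IP, 80)
    rules = [
        DnatRule("ANY", "192.168.1.25", 80, HT_SRV),  # Jonas's first attempt
        DnatRule("ANY", "GREEN", 80, HT_SRV),         # Jonas's second attempt
        DnatRule("ANY", "UPLINK", 80, HT_SRV),        # Pedro's suggestion
    ]
    for rule in rules:
        print(f"target={rule.target!r:16} -> {apply_dnat(rule, incoming)}")
```

Running it shows the first two rules return None for the same packet while the UPLINK rule yields a packet whose destination is now 192.168.1.25, ready to be routed to the green network; only the header seen on arrival decides the match.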