On Wed, 2011-07-06 at 22:20 +0200, Alexander Wilms wrote:
> Hi Tom, hi list
>
> I upgraded my firewall system which included an update to
> shorewall-4.4.20.3-1.1.noarch (SuSE build service rpm).
>
> After that, DNAT seems to behave like DNAT- if the DNAT is directed to
> another DST port. Without port-translation it works as expected.
>
> Using this rule is not enough
>
> DNAT net loc0:$XEN0:22 tcp 52022 - $DSL_IP
>
> as this is logged:
>
> SW:net2loc0:DROP:IN=eth1 OUT=eth0 SRC=85.182.238.98 DST=192.168.1.2 LEN=60
> TOS=0x00 PREC=0x00 TTL=57 ID=36614 DF PROTO=TCP SPT=43415 DPT=22 WINDOW=4380
> RES=0x00 SYN URGP=0
>
> Extending the rule to:
>
> DNAT net loc0:$XEN0:22 tcp 52022 - $DSL_IP
> SSH(ACCEPT) net loc0:$XEN0
>
> solves the problem.
>
> Guess it's a bug. Or did I miss something?
Hi Alex,

Please post the output of 'shorewall show net2loc0' (or net-loc0 if you use
ZONE2ZONE="-") without the extra ACCEPT rule. My tests here show that the
correct ACCEPT rule is getting created.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
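To tell from a logged DROP whether the packet was already translated by the DNAT rule (and so was dropped by the filter chain that should carry the generated ACCEPT) or never matched the nat rule at all, here is a small parser for the Shorewall log format quoted above. This is an added example, not code from the thread or from Shorewall; the rule table, the second log line, the net2fw chain name and the 203.0.113.5 address are constructed for illustration.

```python
import re

# Constructed sample input: the DROP line from the thread re-joined on one line,
# plus a constructed line that hits the firewall itself on the untranslated port.
LOG_LINES = [
    "SW:net2loc0:DROP:IN=eth1 OUT=eth0 SRC=85.182.238.98 DST=192.168.1.2 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=57 ID=36614 DF PROTO=TCP SPT=43415 DPT=22 WINDOW=4380 "
    "RES=0x00 SYN URGP=0",
    "SW:net2fw:DROP:IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 "
    "PROTO=TCP SPT=40000 DPT=52022 SYN URGP=0",
]

# Hypothetical rule table: (protocol, original port, translated port), mirroring
# "DNAT net loc0:$XEN0:22 tcp 52022" from the thread.
DNAT_RULES = [("TCP", 52022, 22)]


def parse_shorewall_log(line):
    """Split 'SW:<chain>:<disposition>:k=v k=v ...' into a dict. Flag tokens
    such as DF or SYN carry no '=' and are stored with the value True."""
    m = re.match(r"^SW:([^:]+):([^:]+):(.*)$", line.strip())
    if not m:
        return None
    rec = {"chain": m.group(1), "disposition": m.group(2)}
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        rec[key] = value if sep else True
    return rec


def classify_drop(rec, rules):
    """Place a logged DROP relative to a port-translating DNAT rule. A non-empty
    OUT interface means the packet is in the forward path, so nat PREROUTING has
    already run; DPT equal to the translated port then shows the DNAT matched
    and the drop comes from the zone-to-zone filter chain."""
    if rec is None or rec.get("disposition") != "DROP" or "DPT" not in rec:
        return "not a DNAT-related drop"
    dpt = int(rec["DPT"])
    for proto, original, translated in rules:
        if proto != rec.get("PROTO"):
            continue
        if dpt == translated and rec.get("OUT"):
            return "filter-chain drop after DNAT (check %s for ACCEPT on port %d)" % (rec["chain"], translated)
        if dpt == original:
            return "drop before DNAT (nat rule did not match port %d)" % original
    return "no matching DNAT rule"


if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_shorewall_log(line)
        print(rec["chain"], rec["SRC"], "->", rec["DST"], "DPT", rec["DPT"], ":", classify_drop(rec, DNAT_RULES))
```

For the thread's log line the verdict is a filter-chain drop after DNAT, which is why 'shorewall show net2loc0' is the right place to look for the generated ACCEPT rule.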
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
