Hi Tom,

here it comes:

Shorewall 4.4.20.3 Chain net2loc0 at fire - Wed 6 Jul 23:14:49 CEST 2011

Counters reset Wed 6 Jul 23:14:15 CEST 2011

Chain net2loc0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  260 61740 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     89   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2          tcp dpt:22 ctorigdstport 14027 ctorigdst 62.143.214.30
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2          tcp dpt:21 /* FTP */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.100        tcp dpt:6881 /* BitTorrent */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.100        udp dpt:4444 /* BitTorrent */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.100        tcp dpt:7403 /* BitTorrent */
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.100        udp dpt:7403 /* BitTorrent */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.3          multiport dports 3000,2004
    5   300 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    5   300 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "SW:net2loc0:DROP:"
    5   300 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0



----- Original Message -----
From: "Tom Eastep" <[email protected]>
To: "Shorewall Users" <[email protected]>
Sent: Wednesday, 6 July 2011 23:05:03
Subject: Re: [Shorewall-users] DNAT behaves like DNAT-


On Wed, 2011-07-06 at 22:20 +0200, Alexander Wilms wrote: 

Hi Tom, hi list

I upgraded my firewall system which included an update to 
shorewall-4.4.20.3-1.1.noarch (SuSE build service rpm).

After that, DNAT seems to behave like DNAT- if the DNAT is directed to another 
DST port. Without port-translation it works as expected.

Using this rule is not enough:
DNAT         net            loc0:$XEN0:22 tcp    52022           -             $DSL_IP

as this is logged:
SW:net2loc0:DROP:IN=eth1 OUT=eth0 SRC=85.182.238.98 DST=192.168.1.2 LEN=60 
TOS=0x00 PREC=0x00 TTL=57 ID=36614 DF PROTO=TCP SPT=43415 DPT=22 WINDOW=4380 
RES=0x00 SYN URGP=0

Extending the rule to:

DNAT         net            loc0:$XEN0:22 tcp    52022           -             $DSL_IP
SSH(ACCEPT)  net            loc0:$XEN0

solves the problem.

Guess it's a bug. Or did I miss something?

Hi Alex,

Please post the output of 'shorewall show net2loc0' (or net-loc0 if you use
ZONE2ZONE="-") without the extra ACCEPT rule. My tests here show that the
correct ACCEPT rule is getting created.

Thanks, 
-Tom 
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car http://shorewall.net 
\________________________________________________ 
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users


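What a reader would want to check in the listing above, written here as an added example that is not part of the thread and not Shorewall's own code: the ACCEPT rule Shorewall generated for the DNAT carries ctorigdstport 14027, while the rules-file line asks for DPORT 52022. 14027 is 52022 with its two bytes swapped (0x36CB against 0xCB36), so a SYN that was originally sent to port 52022 cannot match that rule once the nat-table DNAT has rewritten it to 192.168.1.2:22; that agrees with the zero counters on the rule and with the logged DROP that already shows DST=192.168.1.2 DPT=22. The script parses a chain in the 'shorewall show' / 'iptables -L -v -n' layout together with the DNAT line and reports whether the conntrack original-destination match agrees with the rule. The chain text is copied from the post (wrapped lines rejoined, BitTorrent and multiport rules left out); substituting $XEN0 = 192.168.1.2 and $DSL_IP = 62.143.214.30 is an assumption drawn from the listing, not something the post states.

```python
"""Cross-check a Shorewall DNAT rule against the ACCEPT rule reported for it.

Added example for the thread above; it is not Shorewall code. It parses an
iptables-style chain listing and the DNAT line from the rules file, then
checks that the conntrack match on the generated ACCEPT rule (ctorigdst /
ctorigdstport) agrees with the DNAT rule's ORIGINAL DEST and DPORT columns.
"""
import re
import struct

# Chain listing as posted in the thread, wrapped lines rejoined, with the
# BitTorrent and multiport rules omitted. Values are the posted ones.
CHAIN_LISTING = """\
Chain net2loc0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
  260 61740 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     89   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 /* Ping */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2          tcp dpt:22 ctorigdstport 14027 ctorigdst 62.143.214.30
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.1.2          tcp dpt:21 /* FTP */
    5   300 Drop       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# The DNAT line from the original post with the shell variables filled in.
# Assumption: $XEN0 = 192.168.1.2 and $DSL_IP = 62.143.214.30, as the
# listing suggests.
DNAT_LINE = "DNAT  net  loc0:192.168.1.2:22  tcp  52022  -  62.143.214.30"

# Columns: pkts bytes target prot opt in out source destination [matches]
LISTING_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)"
    r"\s+\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_listing(text):
    """Return one dict per rule line of an 'iptables -L -v -n' style chain."""
    rules = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if not m:
            continue  # 'Chain ...' header and the column-title line
        r = m.groupdict()
        for key, pat in (("dpt", r"\bdpt:(\d+)"),
                         ("ctorigdstport", r"\bctorigdstport (\d+)"),
                         ("ctorigdst", r"\bctorigdst (\S+)")):
            hit = re.search(pat, r["extra"])
            r[key] = hit.group(1) if hit else None
        rules.append(r)
    return rules


def parse_dnat(line):
    """Split a rules-file DNAT line into the columns the check needs."""
    action, _src, dest, proto, dport, _sport, origdst = line.split()
    if action != "DNAT":
        raise ValueError("not a DNAT rule: " + line)
    _zone, host, port = dest.split(":")
    return {"host": host, "port": port, "proto": proto,
            "dport": dport, "origdst": origdst}


def byte_swapped(port):
    """The port with its two bytes exchanged (network/host order mix-up)."""
    return struct.unpack("<H", struct.pack(">H", port))[0]


def check_dnat(dnat_line, listing):
    """Locate the ACCEPT rule for the DNAT and compare its conntrack match."""
    want = parse_dnat(dnat_line)
    expected = int(want["dport"])
    for r in parse_listing(listing):
        if (r["target"] == "ACCEPT" and r["proto"] == want["proto"]
                and r["dst"] == want["host"] and r["dpt"] == want["port"]):
            got = int(r["ctorigdstport"]) if r["ctorigdstport"] else None
            return {
                "found": True,
                "ctorigdstport": got,
                "expected": expected,
                "matches": got == expected and r["ctorigdst"] == want["origdst"],
                "byte_swapped": got is not None and got == byte_swapped(expected),
            }
    return {"found": False}


if __name__ == "__main__":
    print(check_dnat(DNAT_LINE, CHAIN_LISTING))
```

Run it against the posted listing and it reports found, expected 52022, ctorigdstport 14027, matches False and byte_swapped True; replace 14027 with 52022 in the listing and matches turns True, which is the state to expect after the generated rule is corrected. The byte-swap test is only a hint about where the mismatch comes from; the decisive check for any DNAT with port translation is simply that ctorigdst and ctorigdstport on the ACCEPT rule equal the ORIGINAL DEST and DPORT columns of the rule that produced it.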