OK, DESTINATIONnat, that's clear, and SOURCEnat too. But the problem isn't those names at all. It's the new editor for making the rules; it has changed so darn much it's hard and cumbersome to understand it, where to put things now. It has become a try-this-and-hope-it-works game now. Taking something that was simple and still just as good and making it harder is not good at all.
I got my web server to work for anyone remote using my.domain.com, but not from the LAN at all. In 2.2 it worked easily. But now it's half-a@@ed, so to speak.
Anyway, the old way to edit the rules was much better. Improving it is OK, but still keeping that ease of use would have been a lot better by far.
I tried both the Sourcenat and outgoing traffic to put from any and port 81 to see if that would let my LAN use the server name address, and nope.

I guess no one knows where to add the site address that can skip (bypass) the proxy either, by the looks of it.



Date: Thu, 31 Dec 2009 13:25:08 +0100
From: i...@sitco.at
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] firewall rules are hard to use

Hi "oneforall",

I do not understand your problem with Source and Destination NAT 100%. This is really quite simple: just enter NAT in Google and you will get perfectly detailed information about DNAT and SNAT. This is nothing developed by Endian. "DNAT is a technique for transparently changing the destination IP address of an en-route packet and performing the inverse function for any replies." And "A common definition for Source NAT is the counterpart of Destination NAT (DNAT)." So in Destination NAT the DESTINATION IP is changed and in Source NAT the SOURCE IP is changed!!?? So the explanation is already part of the name =))

I think what to use DNAT for is clear, right? Publishing a single service or server to the WWW is one possible usage...
For SNAT (or better, let's talk about SourceNAT, 'cause SNAT can have other meanings as well) one possible scenario could be that you would like a webserver in zone orange to send its packets over external IP1 while the PCs in the green zone use external IP2. In this case EFW would have to translate all IPs coming from the orange and green networks. In EFW this would look like this:

Source: network IP from your orange zone which you would like to be transformed
Target: Uplink main (red)
Service/Port: ALL (or just the services/ports you need)
NAT: NAT (--> telling EFW that it must translate the packets)
Source address: Uplink main - IP: IP1

Source: network IP from your green zone which you would like to be transformed
Target: Uplink main (red)
Service/Port: ALL (or just the services/ports you need)
NAT: NAT (--> telling EFW that it must translate the packets)
Source address: Uplink main - IP: IP2

From outside your network it will look as if your webserver is responding from IP1 and all your PCs from IP2 =) That's not damn hard to understand, right? As it sounds to me, you can ignore Incoming routed traffic: you won't need it!

Give yourself an overview looking at:
http://en.wikipedia.org/wiki/Network_address_translation
 
cu

From: oneforall immortal [mailto:oneforal...@hotmail.com]
Sent: Thursday, 31 December 2009 12:28
To: efw-user@lists.sourceforge.net
Subject: Re: [Efw-user] firewall rules are hard to use

The target should be where the router box is going to send it to. That's always been the way I thought of it, and most people. But now I'm completely lost on why target has taken on a totally new meaning that isn't the first thing thought of at all. The source is easy to understand: it's where it came from, the LAN, the net, your own PC. Then the router/firewall sends it to the target. Plain and simple, and not changed to something that isn't even close to the meaning of the words.
I wish too there were some standard examples; it might clear it up, but the definition just sends most for a loop.

1)
source (incoming to web page)
firewall box 192.168.1.1
target lan (green) 192.168.1.2:81 (apache server)
I was confused on Destination NAT and incoming routed traffic (this still sounds like it could be for the incoming traffic for a web page on port 81), but it just didn't look like it would work, and Destination NAT did. So as it stands I have no idea what incoming routed traffic is good for.
Plus I still have no idea how to allow the same box to use the browser and put in the domain name without it timing out and only working with localhost:81. In 2.2 I never had this problem at all.

2)
I see no way to be able to add the web pages I want to bypass the proxy, but again it's either gone or too darn complicated for something that WAS simple to do.

3)
Outgoing traffic I'm glad is still only one tab and not split, making it even more confusing, like Destination NAT, Source NAT and Incoming routed traffic (see, that's why this sounds like it should be for routing to your servers) or just any other PC on the LAN. Source NAT I've given up on by now, again trying to figure out what it's for, because nothing is as it sounds any more. Even looking again it looks like 3 ways to do the same darn thing, but instead of just source/target (destination) port, it's access/target (what this is now I've given up trying to comprehend, the non-common definition).

Anyway, I give up.

  


> From: pmsolive...@gmail.com
> To: efw-user@lists.sourceforge.net
> Date: Wed, 30 Dec 2009 19:25:28 +0000
> Subject: Re: [Efw-user] firewall rules are hard to use
>
> Hi Jonas,
> When you specify target green or 192.168.1.25 this means that the packet arriving on the uplink should have a destination IP of the green network or 192.168.1.25, and usually that doesn't happen because they are marked to arrive at your red IP address (usually a public IP from your provider if you use a classic network schema).
>
> Let's put it this way:
>
> 183.23.13.24 - ExtHost - host on internet
> 213.21.23.23 - RedIP - your red IP address
> 192.168.1.254 - GreenIP - your green IP address
> 192.168.1.25 - HTSrv - your http server
>
> Now let's see the situation you described:
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
>
> ExtHost -> RedIP -> GreenIP - forwarding refused because your rule says forward all packets with destination 192.168.1.25, but the packet has destination 213.21.23.23 (RedIP), and that's why it's not forwarded.
>
> To accomplish this you could have something like:
> Access from: Any (or anyuplink or uplink)
> Target: Uplink or any uplink
> IP: your internal server IP (192.168.1.25)
> Type: IP
> DNAT: NAT
> Service: HTTP
>
> This way:
> ExtHost -> RedIP -> GreenIP - forwarding accepted because access from and target are matched, as well as the service port, and the packet will be forwarded to the HTSrv.
>
> Access from is related to where the packet is coming from.
> Target is the packet destination in the IP header, not your local intended destination.
>
> With these new features on EFW you can have greater control on more complex networks where you may have different layers of firewalling, and this will be done just relying on the web interface; on version 2.2, with more complex rules and different layers of firewalling, you needed to write a bunch of rules manually on the command line.
>
> On Wednesday 30 December 2009 10:27:30 jonas kellens wrote:
> > Pedro,
> >
> > This is the right configuration for port forwarding to a LAN-client :
> >
> > Access from : any
> > Target : <any Uplink>
> > Port : TCP 51413
> > Translate to IP 192.168.1.25 port 51413
> >
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
> >
> > Even with a good understanding of IPtables, I don't get this 'access', 'target' and 'source'.
> >
> > Can you maybe post a link to some examples, cause I feel that the documentation of Endian lacks some explanatory examples.
> >
> > Jonas.
> >
> > On Wed, 2009-12-30 at 10:12 +0000, Pedro M. S. Oliveira wrote:
> > > Hi
> > > I disagree with you both about the new EFW firewall interface, I see it much more complete and feature rich than the previous one. This new interface has more advanced options that you may use and it resembles best the iptables capabilities. In my opinion this is the way to go and it will be the difference between a home router and a business system.
> > > I'm sure that with a bit of reading about firewalls and the way they work you'll get there.
> > > cheers,
> > > pedro
> >
> --
> ----------------------------------------------------------------------------------------------------------
> Pedro M. S. Oliveira
> IT Consultant
> Email: pmsolive...@gmail.com
> URL: http://www.linux-geex.com
> Cellular: +351 96 5867227
> ----------------------------------------------------------------------------------------------------------
>
> ------------------------------------------------------------------------------
> This SF.Net email is sponsored by the Verizon Developer Community
> Take advantage of Verizon's best-in-class app development support
> A streamlined, 14 day to market process makes app distribution fast and easy
> Join now and get one step closer to millions of Verizon customers
> http://p.sf.net/sfu/verizon-dev2dev
> _______________________________________________
> Efw-user mailing list
> Efw-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/efw-user


  
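The two explanations in this thread (Pedro's point that "Target" is matched against the destination in the IP header as the packet arrives on the uplink, and the i...@sitco.at SourceNAT example that sends the orange zone out as IP1 and the green zone as IP2) can be checked with a small rule-matching model. The block below is an added illustration for this page; it is not Endian Firewall code and does not drive iptables. ExtHost, RedIP, GreenIP and HTSrv are the addresses Pedro used in the thread; the zone ranges 192.168.1.0/24 (green) and 192.168.2.0/24 (orange), the uplink aliases IP1/IP2 and every sample packet are constructed for the example.

```python
"""Model of how Endian-style Destination NAT and Source NAT rules match.

Added illustration for this thread, not Endian Firewall code.  ExtHost,
RedIP, GreenIP and HTSrv are Pedro's addresses; the zone ranges and the
uplink aliases IP1/IP2 are assumptions made for the example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EXT_HOST = "183.23.13.24"      # ExtHost: a host on the internet
RED_IP = "213.21.23.23"        # RedIP: the uplink's public address
HTSRV = "192.168.1.25"         # HTSrv: the internal http server
GREEN_NET = "192.168.1.0/24"   # assumed green zone
ORANGE_NET = "192.168.2.0/24"  # assumed orange (DMZ) zone
UPLINK_IP1 = "213.21.23.23"    # assumed: IP1 is the uplink's primary address
UPLINK_IP2 = "213.21.23.24"    # assumed: IP2 is a second address on the uplink


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class DnatRule:
    """'Access from' and 'Target' are compared with the IP header as the
    packet arrives on the uplink; only then is it sent to translate_to."""
    access_from: str      # "any", a network, or a single address
    target: str           # "any", a network, or the address in the header
    service: tuple        # (proto, port), or ("any", 0)
    translate_to: tuple   # (ip, port)


@dataclass(frozen=True)
class SnatRule:
    source: str           # network whose packets get a new source address
    target: str           # "any" or where the packets are heading
    service: tuple        # (proto, port), or ("any", 0)
    source_address: str   # uplink IP written into the packet


def _match_addr(selector, addr):
    if selector == "any":
        return True
    if "/" in selector:
        return ip_address(addr) in ip_network(selector)
    return ip_address(addr) == ip_address(selector)


def _match_service(selector, pkt):
    return selector[0] == "any" or selector == (pkt.proto, pkt.dport)


def apply_dnat(rules, pkt):
    """First matching rule wins; None means nothing forwards the packet."""
    for r in rules:
        if (_match_addr(r.access_from, pkt.src) and _match_addr(r.target, pkt.dst)
                and _match_service(r.service, pkt)):
            ip, port = r.translate_to
            return replace(pkt, dst=ip, dport=port)
    return None


def apply_snat(rules, pkt):
    """Rewrite the source address on the way out; unchanged if no rule matches."""
    for r in rules:
        if (_match_addr(r.source, pkt.src) and _match_addr(r.target, pkt.dst)
                and _match_service(r.service, pkt)):
            return replace(pkt, src=r.source_address)
    return pkt


def reply_bypasses_firewall(translated):
    """Client and server in one subnet talk directly, so the reply is never un-NATed."""
    net = ip_network(GREEN_NET)
    return ip_address(translated.src) in net and ip_address(translated.dst) in net


# Jonas's rule: Target is the LAN client.  The packet from ExtHost carries
# dst = RedIP in its header, so this rule never matches.
TARGET_LAN_CLIENT = DnatRule("any", HTSRV, ("tcp", 80), (HTSRV, 80))
# Pedro's rule: Target is the uplink address the packet is really sent to.
TARGET_UPLINK = DnatRule("any", RED_IP, ("tcp", 80), (HTSRV, 80))
# The SourceNAT pair from the i...@sitco.at message: orange leaves as IP1,
# green leaves as IP2.
SNAT_RULES = [
    SnatRule(ORANGE_NET, "any", ("any", 0), UPLINK_IP1),
    SnatRule(GREEN_NET, "any", ("any", 0), UPLINK_IP2),
]


def inbound_from_internet():
    pkt = Packet(EXT_HOST, RED_IP, 80)              # constructed sample packet
    return apply_dnat([TARGET_LAN_CLIENT], pkt), apply_dnat([TARGET_UPLINK], pkt)


def outbound_sources():
    orange = Packet("192.168.2.10", EXT_HOST, 443)  # constructed sample packets
    green = Packet("192.168.1.10", EXT_HOST, 443)
    return apply_snat(SNAT_RULES, orange).src, apply_snat(SNAT_RULES, green).src


def lan_client_to_public_name():
    """oneforall's case: a green client connects to the public address."""
    pkt = Packet("192.168.1.10", RED_IP, 80)        # constructed sample packet
    translated = apply_dnat([TARGET_UPLINK], pkt)
    return translated, reply_bypasses_firewall(translated)
```

`inbound_from_internet()` returns `None` for the rule whose Target is 192.168.1.25 and the packet rewritten to HTSrv:80 for the rule whose Target is the uplink address, which is exactly the refused/accepted pair Pedro describes. `outbound_sources()` shows the orange host leaving as IP1 and the green host as IP2. The third function models the symptom oneforall reports and the thread leaves unanswered (works from outside, times out from the LAN): the DNAT rule does rewrite the green client's packet to HTSrv, but because client and server share the 192.168.1.0/24 subnet, HTSrv answers the client directly without passing the firewall, so the client sees a reply from 192.168.1.25 instead of the public address it connected to and the TCP handshake never completes. The usual remedies are a SourceNAT rule for that green-to-public-IP traffic (so replies return through the firewall) or resolving the public name to 192.168.1.25 on the LAN side; neither is in the original messages, and the function only flags the condition.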