The discussion about these firewall rules on port forwarding made it
clear that you have to put the IP address of the destination as it is
mentioned in the IP header of the incoming IP packet.
However, what about incoming routed traffic???
There you indicate the source, being the IP address of the public
internet switch or server that sends the traffic to your Endian
firewall?? I guess not.
The destination would then be the RED interface or your own public IP,
but you can only choose between the GREEN and ORANGE interfaces. Where
has the RED interface gone?? I guess the RED interface is _not_ the
destination here.
I understand that if you have a webserver with a public IP, you would
fill in this IP in the destination.
What is then the function of zone "GREEN" and zone "ORANGE"??
I can forward all traffic to the GREEN zone, and then what?! I also
define destination port 55555... somewhere on the GREEN zone?!
This one is pretty unclear to me.
Jonas.
On Wed, 2009-12-30 at 22:05 +0100, SITCO wrote:
> Another try:
>
> RED specifies (like all zones) one or more IPs, let's say public IP
> 222.222.222.222, so if the rule "access from RED" should work, the packets
> would have to be from a client that is part of this network.
>
> In most cases this won't be the case (always talking about usual/simple network
> scenarios ;-) ). For example: a client with a public IP from somewhere, let's
> say 111.222.333.444, would try to connect to your efw with the configuration:
>
> Access from : RED
>
> This can't work because the IP is not a part of your RED network! Endian is
> then expecting packets from 222.222.222.222. But your source is
> 111.222.333.444. So you have to tell your efw to handle ALL incoming IPs
> respectively networks (or this specific IP or network). So that's why your
> configuration with RED as "source" won't work.
>
>
> "Target" does not mean to which server or host the traffic will be routed!
> It defines which IP/network the packets must be addressed to in order to be
> handled.
> So
>
> Target: your LAN client
>
> Would not work because packets from outside do not have a target in your LAN
> but are addressed to 222.222.222.222...so it must be:
>
> Target: any Uplink
>
> In "translate to" it is defined to which IP the packet headers will be
> rewritten! The packet destination is at this point still 222.222.222.222, but
> your, for example, webserver has a private IP (perhaps 192.168.1.25) behind
> your efw, so it will only respond to packets that are addressed to its
> own IP. Therefore EFW changes the target IP from 222.222.222.222 to
> 192.168.1.25 (so efw TRANSLATES it!). Please read some articles about how NAT
> works, then you will see that the term "translate to" makes sense and is
> much more correct than talking of "port forwarding"...
>
> Hope that helps =)
>
>
> Jo
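To make the three fields from the reply concrete, here is a small Python model of how an Endian-style destination NAT rule is evaluated against an incoming packet. It is an added illustration for this thread, not code from Endian or from either poster. The public IP 222.222.222.222 and the webserver 192.168.1.25 come from the reply; the RED subnet 222.222.222.216/29 and the outside client 198.51.100.7 are assumed values constructed for the example (the thread's 111.222.333.444 is not a valid IPv4 address, so a documentation-range address stands in for it).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values. 222.222.222.222 and 192.168.1.25 appear in the
# thread; the /29 uplink subnet and the outside client 198.51.100.7 are
# assumptions made for this example only.
RED_NETWORK = ipaddress.ip_network("222.222.222.216/29")  # assumed: the RED zone's subnet
RED_IP = ipaddress.ip_address("222.222.222.222")           # efw's own public (uplink) IP
WEBSERVER = ipaddress.ip_address("192.168.1.25")           # webserver behind efw, GREEN zone
OUTSIDE_CLIENT = ipaddress.ip_address("198.51.100.7")      # assumed: some client on the Internet


@dataclass(frozen=True)
class Packet:
    """The fields of the incoming IP/TCP header that the rule looks at."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


@dataclass(frozen=True)
class DnatRule:
    """Simplified model of an Endian 'port forwarding / DNAT' rule.

    access_from: which source network may use the rule (None means 'any').
    target:      the destination IP as it stands in the incoming packet header,
                 i.e. the uplink IP, NOT the LAN host.
    translate_to / translate_port: what the destination is rewritten to.
    """
    access_from: Optional[ipaddress.IPv4Network]
    target: ipaddress.IPv4Address
    dport: int
    translate_to: ipaddress.IPv4Address
    translate_port: int

    def matches(self, pkt: Packet) -> bool:
        # "Access from: RED" means the source must lie inside the RED subnet;
        # a client elsewhere on the Internet never satisfies that.
        if self.access_from is not None and pkt.src not in self.access_from:
            return False
        # The target is compared with the packet's *current* destination.
        return pkt.dst == self.target and pkt.dport == self.dport

    def apply(self, pkt: Packet) -> Packet:
        # The translation rewrites only the destination; the source is kept so
        # the webserver's reply can be un-NATed on the way back.
        return Packet(pkt.src, self.translate_to, self.translate_port)


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Optional[Packet]:
    """Return the rewritten packet for the first matching rule, or None when no
    rule matches (the packet then stays addressed to the firewall itself)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt)
    return None


# The three configurations discussed in the thread.
RULE_ACCESS_FROM_RED = DnatRule(RED_NETWORK, RED_IP, 80, WEBSERVER, 80)  # source restricted to RED
RULE_TARGET_LAN = DnatRule(None, WEBSERVER, 80, WEBSERVER, 80)           # target = LAN client
RULE_ANY_TO_UPLINK = DnatRule(None, RED_IP, 80, WEBSERVER, 80)           # source any, target uplink

# An HTTP request from the Internet, as it arrives on the RED interface.
OUTSIDE_REQUEST = Packet(OUTSIDE_CLIENT, RED_IP, 80)


def evaluate_all() -> dict:
    """Evaluate the sample request against each rule so the difference is visible."""
    return {
        "access_from_red": apply_dnat([RULE_ACCESS_FROM_RED], OUTSIDE_REQUEST),
        "target_lan": apply_dnat([RULE_TARGET_LAN], OUTSIDE_REQUEST),
        "any_to_uplink": apply_dnat([RULE_ANY_TO_UPLINK], OUTSIDE_REQUEST),
    }


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:16s} -> {result}")
```

Only the third rule produces a rewritten packet: with "Access from: RED" the outside source 198.51.100.7 is not inside the RED subnet, and with "Target: LAN client" the incoming header's destination is 222.222.222.222, which never equals 192.168.1.25 before translation. The same logic is what the GREEN/ORANGE choice in the dialog feeds: it only decides the "translate to" side, never the target side.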
_______________________________________________
Efw-user mailing list
Efw-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-user