On Wed, Mar 13, 2013 at 12:23:38AM -0400, Michael Rash wrote:

> On Mar 12, 2013, Jeremiah Rothschild wrote:
> > Is there any way to configure things so that the DNAT destination
> > isn't a wildcard? That would allow me to use the same port
> > on both connections. Otherwise, I have to use different ports,
> > which isn't a big deal but also not my first choice.
>
> Currently I think you could accomplish what you want by defining two
> different stanzas in the access.conf file that would use the FORCE_NAT
> variable like so:
>
> SOURCE: ANY;
> KEY: key1;
> FW_ACCESS_TIMEOUT: 30;
> FORCE_NAT: 192.168.1.10 22;
>
> SOURCE: ANY;
> KEY: key2;
> FW_ACCESS_TIMEOUT: 30;
> FORCE_NAT: 192.168.1.20 22;
>
> But, then you would have two different encryption keys at play.
I haven't deployed a GPG setup yet, but it seems that this solution would also require two sets of keys, correct? As I'm sure you're aware, that would be even less practical.

> I think your idea is a good one and would allow the client to be
> more prescriptive about how NAT rules are created, and I'll take
> a look at adding this.

In case you find it of value: the way I found out about this was because one of our connections went down. The user had an existing rule in place yet became effectively locked out of our network based on the fact that the new knock (and DNAT rule) was unable to differentiate and route correctly. A bit of an ugly side effect!

With that said, thanks much for your work as well as for considering the future improvement!

Regards,
j

_______________________________________________
Fwknop-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
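As an added illustration of the wildcard-destination problem discussed in this thread (example code, not fwknop's own code nor anything posted by the thread's authors), the following Python models an iptables-style first-match DNAT chain on a gateway with two uplinks. The public addresses, the client address, and the assumption that each accepted knock inserts its rule at the top of the chain are constructed for the example.

```python
# Constructed model of a PREROUTING DNAT chain: rules are checked top to
# bottom and the first match wins, as in iptables.  A rule whose `dst` is
# None does not constrain the destination address (the "wildcard" the thread
# is about); a rule with `dst` set applies only to one uplink address.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class DnatRule:
    src: str                  # knocking client's address (the source match)
    dport: int                # externally knocked port
    dst: Optional[str]        # gateway address the rule applies to; None = wildcard
    target: Tuple[str, int]   # (internal host, port) after translation

def dnat_lookup(rules: List[DnatRule], src: str, dst: str,
                dport: int) -> Optional[Tuple[str, int]]:
    """Return the translation the first matching rule applies, or None."""
    for rule in rules:
        if rule.src == src and rule.dport == dport and rule.dst in (None, dst):
            return rule.target
    return None

def insert_rule(rules: List[DnatRule], rule: DnatRule) -> List[DnatRule]:
    """Model of an accepted knock: the new rule is inserted at the top (assumption)."""
    return [rule] + rules

def simulate(wildcard: bool) -> Tuple[Optional[Tuple[str, int]], Optional[Tuple[str, int]]]:
    """Two knocks from the same client, one per uplink, both for port 22.

    Because the source address is identical, only the destination address can
    tell the two flows apart.  Returns where traffic arriving on uplink A and
    on uplink B is translated to.
    """
    wan_a, wan_b = "203.0.113.10", "203.0.113.20"   # constructed uplink addresses
    client = "198.51.100.7"                          # constructed client address
    dst_a = None if wildcard else wan_a
    dst_b = None if wildcard else wan_b
    rules: List[DnatRule] = []
    # First knock arrives via uplink A and should reach the first internal host.
    rules = insert_rule(rules, DnatRule(client, 22, dst_a, ("192.168.1.10", 22)))
    # Second knock arrives via uplink B and should reach the second internal host.
    rules = insert_rule(rules, DnatRule(client, 22, dst_b, ("192.168.1.20", 22)))
    return (dnat_lookup(rules, client, wan_a, 22),
            dnat_lookup(rules, client, wan_b, 22))

if __name__ == "__main__":
    print("wildcard destination:", simulate(wildcard=True))    # uplink A misrouted
    print("scoped destination:  ", simulate(wildcard=False))   # both correct
```

With the wildcard rule the newer rule shadows the older one, so the first user's traffic arriving on uplink A is sent to the wrong internal host, which is the lock-out described above; scoping each rule to its uplink address lets both rules coexist.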
