On Mar 13, 2013, Jeremiah Rothschild wrote:

> On Wed, Mar 13, 2013 at 12:23:38AM -0400, Michael Rash wrote:
> > On Mar 12, 2013, Jeremiah Rothschild wrote:
> > > Is there any way to configure things so that the DNAT destination
> > > isn't a wildcard? That would allow me to use the same port
> > > on both connections. Otherwise, I have to use different ports,
> > > which isn't a big deal but also not my first choice.
> >
> > Currently I think you could accomplish what you want by defining two
> > different stanzas in the access.conf file that would use the FORCE_NAT
> > variable like so:
> >
> > SOURCE: ANY;
> > KEY: key1;
> > FW_ACCESS_TIMEOUT: 30;
> > FORCE_NAT: 192.168.1.10 22;
> >
> > SOURCE: ANY;
> > KEY: key2;
> > FW_ACCESS_TIMEOUT: 30;
> > FORCE_NAT: 192.168.1.20 22;
> >
> > But, then you would have two different encryption keys at play.
>
> I haven't deployed a GPG setup yet but it seems that this solution
> would also require two sets of keys as well, correct? As I'm sure
> you're aware, that would be even less practical.
Yes, the usage of GPG vs. Rijndael doesn't affect the construction of the
NAT rules. Seems as though it would still be doable even with GPG once the
key generation and signing were done (multiple keys on the same GPG key
ring on each side).

> > I think your idea is a good one and would allow the client to be
> > more prescriptive about how NAT rules are created, and I'll take
> > a look at adding this.
>
> In case you find it of value: the way I found out about this was
> because one of our connections went down. The user had an existing
> rule in place yet became effectively locked out of our network
> based on the fact that the new knock (and DNAT rule) was unable to
> differentiate and route correctly. A bit of an ugly side effect!

Understood. Once a candidate fix is developed I'll send you a -pre release
just in case you want to try it out.

> With that said, thanks much for your work as well as considering
> the future improvement!

Thanks,

--Mike

> Regards,
>
> j
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_mar
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
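To make the two-stanza workaround from the thread concrete, here is an added example that is not fwknop project code and not part of the original messages. It parses the pair of access.conf stanzas quoted above, picks the stanza a SPA request lands in by SOURCE and KEY (no real decryption is performed; the key string the client used stands in for "which key decrypted the packet"), and prints the DNAT rule the server would have to install. The stanza-boundary rule (each SOURCE: line opens a stanza), the chain name FWKNOP_DNAT, and the exact shape of the iptables rule are assumptions made for illustration, not verbatim fwknopd behaviour; the client address 203.0.113.5 and the sample access.conf are constructed.

```python
# Added example (not fwknop project code): a toy model of how two access.conf
# stanzas keyed on different KEY values map a SPA request to two different
# FORCE_NAT targets, and what the resulting DNAT rule looks like.
#
# Assumptions, not facts from the thread:
#  - each "SOURCE:" line opens a new stanza (fwknopd's real parser is richer);
#  - the stanza that "decrypts" a packet is simulated by matching the KEY string
#    the client used, since this script performs no crypto;
#  - the DNAT rule shape (chain FWKNOP_DNAT in the nat table, matching the
#    authorised source and requested port) is an illustration of the wildcard
#    destination the thread discusses, not a verbatim fwknopd rule.
import ipaddress

# Constructed sample access.conf mirroring the two stanzas in the reply above.
ACCESS_CONF = """\
SOURCE: ANY;
KEY: key1;
FW_ACCESS_TIMEOUT: 30;
FORCE_NAT: 192.168.1.10 22;

SOURCE: ANY;
KEY: key2;
FW_ACCESS_TIMEOUT: 30;
FORCE_NAT: 192.168.1.20 22;
"""


def parse_access_conf(text):
    """Parse 'VAR: value;' lines into a list of stanza dicts."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError("malformed access.conf line: %r" % raw)
        var, val = line.split(":", 1)
        var = var.strip()
        val = val.strip().rstrip(";").strip()
        if var == "SOURCE":  # assumption: SOURCE opens a new stanza
            current = {}
            stanzas.append(current)
        if current is None:
            raise ValueError("variable %s appears before any SOURCE" % var)
        current[var] = val
    return stanzas


def source_matches(source, client_ip):
    """SOURCE is ANY or a comma-separated list of IPs / CIDR networks."""
    if source == "ANY":
        return True
    ip = ipaddress.ip_address(client_ip)
    for item in source.split(","):
        net = ipaddress.ip_network(item.strip(), strict=False)
        if ip in net:
            return True
    return False


def select_stanza(stanzas, client_ip, key):
    """First stanza whose SOURCE covers the client and whose KEY matches."""
    for stanza in stanzas:
        if source_matches(stanza["SOURCE"], client_ip) and stanza.get("KEY") == key:
            return stanza
    return None


def nat_target(stanzas, client_ip, key, requested_port):
    """(dnat_host, dnat_port) the server would force, or None if nothing matches."""
    stanza = select_stanza(stanzas, client_ip, key)
    if stanza is None or "FORCE_NAT" not in stanza:
        return None
    host, port = stanza["FORCE_NAT"].split()
    return host, int(port)


def dnat_rule(client_ip, requested_port, target):
    """Illustrative DNAT rule (assumed shape): there is no '-d' match, so the
    address the client knocked on is a wildcard; only source and port differ."""
    host, port = target
    return ("iptables -t nat -A FWKNOP_DNAT -p tcp -s %s --dport %d "
            "-j DNAT --to-destination %s:%d" % (client_ip, requested_port, host, port))


if __name__ == "__main__":
    stanzas = parse_access_conf(ACCESS_CONF)
    for key in ("key1", "key2"):
        target = nat_target(stanzas, "203.0.113.5", key, 22)
        print(key, "->", dnat_rule("203.0.113.5", 22, target))
```

Running it shows the mechanism the thread relies on: the two stanzas differ only in KEY, so the key is the sole thing separating the 192.168.1.10 and 192.168.1.20 targets for the same port 22. If both users knocked with the same key they would both land in the first stanza and receive the first FORCE_NAT target, which is the lockout scenario described in the quoted message; the missing destination match in the rule is why the workaround needs two keys rather than two destinations.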
