Jason Taylor wrote:

> I'm trying to redirect port 24 to 25 for a single IP. My rules file
> line is:
>
> DNAT loc dmz:10.10.1.1:25 tcp 24 - 10.10.1.1
>
> It appears that this rule is useless because the original destination IP
> matches the destination IP.

I'd like to understand why it's useless, but maybe it's just how the shorewall code processes things. I've been racking my brain a bit on this one. It's an interesting desire, especially because I wrote one of the original firewalls used on LRPs, before the days of LEAF, and never tried this.

> Leaving off the - 10.10.1.1 portion does redirect all tcp traffic from
> loc destined for port 24 as expected.

You mean like this?

DNAT loc dmz:10.10.1.1:25 tcp 24 - -

> However, I would still like to have it dropped unless destined
> for this particular host.

That seems easy enough. Just put another line right above the one that you've got that works, like this:

REJECT loc dmz:!10.10.1.1 tcp 24 - -
DNAT loc dmz:10.10.1.1:25 tcp 24 - -

Let me know if this works. I'm digging around for another nic to set up a dmz to test this, but I may get sidetracked by the new puppy.

regards,
matthew

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
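Added here as an illustration of the rule-ordering argument in the reply above; it is not code from the thread or from Shorewall. It models a rules file as a single ordered list evaluated first-match, which is a simplification: Shorewall compiles a DNAT line into the nat table and a REJECT line into the filter table, so on a real firewall the generated chains should be confirmed with `shorewall show nat` and `shorewall show`. The names `Rule`, `Packet`, `parse_rule` and `evaluate`, and the sample packets, are constructed for this example; the SPORT and ORIGDEST columns are accepted but ignored.

```python
# Added example (not from the leaf-user thread): a tiny first-match
# simulator for Shorewall-style rules lines, used to see what a port-24
# connection from "loc" hits under the proposed REJECT-then-DNAT order.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "REJECT", "ACCEPT" or "DNAT"
    src_zone: str               # e.g. "loc"
    dst_zone: str               # e.g. "dmz"
    dst_host: Optional[str]     # host to match in dst_zone; None = any host
    negate_host: bool           # True when the column was "!host"
    proto: str                  # "tcp"
    dport: int                  # destination port matched
    new_dst: Optional[Tuple[str, Optional[int]]] = None  # DNAT target


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_host: str
    proto: str
    dport: int


def parse_rule(line: str) -> Rule:
    """Parse "ACTION SOURCE DEST PROTO DPORT [SPORT] [ORIGDEST]".

    For REJECT/ACCEPT the DEST column is a match on the destination; for
    DNAT it is the rewrite target (zone:host[:port]), so it matches any
    host in the zone.  SPORT and ORIGDEST are ignored in this toy model.
    """
    action, src, dest, proto, dport, *_ = line.split()
    dst_zone, _, rest = dest.partition(":")
    host: Optional[str] = None
    port: Optional[int] = None
    negate = False
    if rest:
        hostpart, _, portpart = rest.partition(":")
        if hostpart.startswith("!"):
            negate = True
            hostpart = hostpart[1:]
        host = hostpart
        port = int(portpart) if portpart else None
    if action == "DNAT":
        return Rule(action, src, dst_zone, None, False, proto, int(dport),
                    new_dst=(host, port))
    return Rule(action, src, dst_zone, host, negate, proto, int(dport))


def matches(rule: Rule, pkt: Packet) -> bool:
    if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    if rule.proto != pkt.proto or rule.dport != pkt.dport:
        return False
    if rule.dst_host is not None:
        hit = pkt.dst_host == rule.dst_host
        return hit != rule.negate_host  # "!host" inverts the comparison
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Tuple[str, int]]:
    """First matching rule wins.  Returns (verdict, final (host, port))."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "DNAT" and rule.new_dst is not None:
                host, port = rule.new_dst
                return ("DNAT", (host, port if port is not None else pkt.dport))
            return (rule.action, (pkt.dst_host, pkt.dport))
    return ("POLICY", (pkt.dst_host, pkt.dport))  # fell through to zone policy


# The two lines proposed in the reply, in the proposed order.
RULES = [parse_rule(line) for line in (
    "REJECT loc dmz:!10.10.1.1 tcp 24 - -",
    "DNAT loc dmz:10.10.1.1:25 tcp 24 - -",
)]

# Constructed sample connections from loc into dmz.
SAMPLES = [
    Packet("loc", "dmz", "10.10.1.1", "tcp", 24),  # the intended host
    Packet("loc", "dmz", "10.10.1.7", "tcp", 24),  # some other dmz host
    Packet("loc", "dmz", "10.10.1.7", "tcp", 22),  # unrelated port
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.dst_host, pkt.dport, "->", evaluate(RULES, pkt))
    # Swapping the two lines shows why order matters in this model.
    print("reversed:", evaluate(list(reversed(RULES)), SAMPLES[1]))
```

With the lines in the proposed order, port 24 to 10.10.1.1 is rewritten to 10.10.1.1:25 and port 24 to any other dmz host is rejected; with the lines swapped, the catch-all DNAT fires first and the other host's traffic is redirected instead of rejected.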