On Sunday 21 December 2003 08:36 am, Tony wrote:
> OK, so what you're saying is the packet was logged up in the pre-routing
> NAT section before it got dropped by the blacklisting filter at the
> Forward section?
>
Yes. If you want to log these connections out of the FORWARD chain, replace
your DNAT rule with:

    DNAT-                net    dmz:<internal ip>    ftp    21
    ACCEPT:<log level>   net    dmz:<internal ip>    ftp    21

With Shorewall 1.4.5, the above two rules are identical to your current
single DNAT rule with the exception that logging occurs out of the filter
table.

With Shorewall 1.4.6 and later, if your kernel has the connection tracking
match extension, the single DNAT rule is a little tighter than the two rules
above in that the ACCEPT rule checks to ensure that the original destination
of the connection was your external IP address. This extra check requires
that you have DETECT_DNAT_IPADDRS=Yes in shorewall.conf.

This additional check usually doesn't significantly enhance security though
since you have RFC1918 filtering enabled on your external interface and the
<internal ip> is most likely an RFC 1918 address. That guarantees that any
connection from the net to the server had to have traversed the DNAT rule.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
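To make the chain placement Tom describes concrete, here is an added example (not part of the list post and not Shorewall's generated output) that renders the two rule forms as plain iptables commands. It shows where a LOG rule fires in each form: in nat/PREROUTING, before a blacklist DROP in FORWARD can run, versus in filter/FORWARD after it, and how the 1.4.6-style ACCEPT uses the conntrack match's `--ctorigdst` to require that the connection's original destination was the external address. Interface names, addresses and log prefixes are assumed placeholders; the functions only print the commands so the ruleset can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: iptables equivalents of the Shorewall rule forms discussed in
# the post. Nothing here runs iptables; each function prints the commands.
EXT_IF="${EXT_IF:-eth0}"           # interface of the "net" zone (assumed)
DMZ_IF="${DMZ_IF:-eth1}"           # interface of the "dmz" zone (assumed)
EXT_IP="${EXT_IP:-203.0.113.10}"   # external IP (constructed, TEST-NET-3)
INT_IP="${INT_IP:-192.168.1.21}"   # <internal ip> of the FTP server (constructed)
LOG_LEVEL="${LOG_LEVEL:-info}"     # <log level> from the ACCEPT:<log level> rule

# The DNAT itself: rewrites the destination in the nat table's PREROUTING hook,
# which is traversed before the FORWARD chain of the filter table.
dnat_rule() {
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 21 -j DNAT --to-destination $INT_IP"
}

# Common match for the filter-table rules (traffic net -> dmz server, port 21).
fwd() {
  echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $INT_IP -p tcp --dport 21 $*"
}

# Logging placed in nat/PREROUTING, as with the original single DNAT rule with
# a log level: the entry is written even if a blacklist DROP in FORWARD later
# discards the packet, which is the confusing behaviour Tony observed.
rules_nat_logged() {
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p tcp --dport 21 -j LOG --log-level $LOG_LEVEL --log-prefix 'NAT-DNAT: '"
  dnat_rule
  fwd "-j ACCEPT"
}

# The two-rule form (DNAT- plus ACCEPT:<log level>): logging moves to FORWARD,
# after any blacklist DROP that precedes it in that chain.
rules_split() {
  dnat_rule
  fwd "-j LOG --log-level $LOG_LEVEL --log-prefix 'FWD-ACCEPT: '"
  fwd "-j ACCEPT"
}

# The 1.4.6+ single-rule form with the conntrack match: ACCEPT only if the
# connection's ORIGINAL destination was the external IP, i.e. the packet really
# passed through the DNAT rule rather than arriving addressed to $INT_IP.
rules_single_ctorigdst() {
  dnat_rule
  fwd "-m conntrack --ctorigdst $EXT_IP -j ACCEPT"
}

# Usage: sh rules.sh nat|split|single   (prints the chosen ruleset)
case "${1:-}" in
  nat)    rules_nat_logged ;;
  split)  rules_split ;;
  single) rules_single_ctorigdst ;;
esac
```

Compare the output of `split` and `single`: the only filter-table difference is the `-m conntrack --ctorigdst` clause, and as the post notes it adds little when RFC1918 filtering on the external interface already prevents packets addressed directly to the private server address from arriving from the net.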