[Shorewall-users] Macrofied DNAT not working

2014-12-03 Thread Philip Le Riche
Probably something silly I'm doing but I don't see it for the moment.

I had rules:
DNAT    schl    pinet:${Pinet}.1    tcp    ssh     -    ${Schlnet}.129
DNAT    schl    pinet:${Pinet}.1    tcp    5900    -    ${Schlnet}.129
plus another 7 pairs with consecutive destination and original
destination addresses.

I needed to add an http rule and expand it to 16 IP addresses, so I
wrote a macro.Pi:
PARAM   -   -   tcp   5900:5909   -   -
PARAM   -   -   tcp   ssh         -   -
PARAM   -   -   tcp   http        -   -

and replaced all the former rules by 16 after the fashion:
Pi(DNAT)    schl    pinet:${Pinet}.1    -    -    -    ${Schlnet}.129
(I generalised the VNC port while I was at it.)

Connections utilising those rules were then refused. I don't see why.

Perhaps this would be a classic use case for IPsets.

Regards - Philip

--
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
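The post relies on Shorewall substituting the action passed in Pi(DNAT) for PARAM and filling each '-' column of the invoking rule from the macro line (and each '-' column of the macro from the rule). The script below is an added example, not code from this thread or from Shorewall: it models that column merge, expands the 16 Pi(DNAT) invocations, and checks that every one of the original hand-written DNAT pairs is still covered by an expanded rule (treating 5900 as covered by the generalised 5900:5909 range). The values for ${Pinet} and ${Schlnet}, the eight original hosts (.1-.8 mapped to .129-.136) and the case where both rule and macro set the same column (rejected here rather than guessed) are assumptions of the model.

```python
"""Model of how a Shorewall macro invocation expands into plain rules.

Added example, not Shorewall's own code. Assumes the column layout
ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST for both the rules file and
the macro file, and the merge rule: a '-' in the invoking rule takes the
macro's value, a '-' in the macro takes the rule's value. Addresses below
are constructed stand-ins for the shell variables in the post.
"""
import re

COLUMNS = ("ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST")

# Constructed values for the ${Pinet} and ${Schlnet} variables (assumption).
PARAMS = {"Pinet": "192.168.7", "Schlnet": "10.0.0"}

# The macro.Pi body as posted.
MACRO_PI = """\
PARAM   -   -   tcp   5900:5909   -   -
PARAM   -   -   tcp   ssh         -   -
PARAM   -   -   tcp   http        -   -
"""


def split_columns(line):
    """Split a rule line into exactly 7 columns, padding short lines with '-'."""
    cols = line.split()
    cols += ["-"] * (len(COLUMNS) - len(cols))
    return cols[: len(COLUMNS)]


def substitute(text, params=PARAMS):
    """Replace ${Name} shell-style variables, as Shorewall does via /etc/shorewall/params."""
    return re.sub(r"\$\{(\w+)\}", lambda m: params[m.group(1)], text)


def expand_macro(rule_line, macro_text):
    """Expand one 'Name(ACTION) ...' rule against a macro body into plain 7-column rules."""
    rule = split_columns(rule_line)
    m = re.fullmatch(r"(\w+)\((\w+)\)", rule[0])
    if not m:
        raise ValueError("not a macro invocation: %r" % rule[0])
    action = m.group(2)  # 'DNAT' from 'Pi(DNAT)'
    expanded = []
    for mline in macro_text.splitlines():
        if not mline.strip() or mline.lstrip().startswith("#"):
            continue
        macro = split_columns(mline)
        out = [action if macro[0] == "PARAM" else macro[0]]
        for rcol, mcol in zip(rule[1:], macro[1:]):
            if rcol == "-":
                out.append(mcol)
            elif mcol == "-":
                out.append(rcol)
            else:
                # Both sides set the column; real Shorewall combines them in
                # column-specific ways that this model does not attempt.
                raise ValueError("column set in both rule and macro: %r / %r" % (rcol, mcol))
        expanded.append(out)
    return expanded


def original_rules(n_hosts=8):
    """The hand-written per-host pairs (ssh and 5900), host .i forwarded from .128+i."""
    rules = []
    for i in range(1, n_hosts + 1):
        for port in ("ssh", "5900"):
            rules.append(["DNAT", "schl", "pinet:${Pinet}.%d" % i,
                          "tcp", port, "-", "${Schlnet}.%d" % (128 + i)])
    return rules


def macro_rules(n_hosts=16):
    """The replacement rules: one Pi(DNAT) invocation per host."""
    return ["Pi(DNAT) schl pinet:${Pinet}.%d - - - ${Schlnet}.%d" % (i, 128 + i)
            for i in range(1, n_hosts + 1)]


def port_covered(port, spec):
    """True if a single port ('ssh', '5900') is matched by spec ('ssh', '5900', '5900:5909')."""
    if port == spec:
        return True
    if ":" in spec and port.isdigit():
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= int(port) <= hi
    return False


def missing_after_macro(original, expanded):
    """Original rules that no expanded rule matches (same zones, addresses, proto; port covered)."""
    return [o for o in original
            if not any(o[:4] == e[:4] and o[5:] == e[5:] and port_covered(o[4], e[4])
                       for e in expanded)]


if __name__ == "__main__":
    expanded = [r for line in macro_rules() for r in expand_macro(line, MACRO_PI)]
    print(len(expanded), "plain rules after expansion")
    for r in expanded[:3]:
        print("  ".join(substitute(c) for c in r))
    print("original rules not covered:", missing_after_macro(original_rules(), expanded))
```

Under this model the macro version covers every original rule, so a refused connection would have to come from something the expansion does not change: a difference in the macro file actually loaded, a column merge that Shorewall handles differently from the '-' takes the other side rule above, or the ordering of the expanded rules relative to other rules in the file. Comparing the output of shorewall show or the generated script for the two configurations is the practical check.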


Re: [Shorewall-users] Macrofied DNAT not working

2014-12-13 Thread Tom Eastep
On 12/3/2014 10:05 AM, Philip Le Riche wrote:
> Connections utilising those rules were then refused. I don't see why.
> 

I don't either, but if you will send me the original rules file, the
modified rules file and your macro file then I will take a look.

-Tom

PS - My apologies for the slow response; I've been traveling abroad and
only had mobile phone internet access.
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \


Re: [Shorewall-users] Macrofied DNAT not working

2014-12-13 Thread Philip Le Riche
Thanks Tom -

It must've been something silly as it seems to be working ok now.
(Unfortunately I only get access to the firewall briefly once a week.)

Regards - Philip
