Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-09 Thread Tom Eastep
On Jul 6, 2011, at 4:23 PM, Tom Eastep wrote: > > No problem. I've reported the problem on netfilter-devel. > The netfilter developers have accepted my (second) patch. -Tom Tom Eastep\ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep.

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
According to http://www.netfilter.org/projects/iptables/files/changes-iptables-1.4.11.1.txt and the corresponding patch not. - Original Message - From: "Dominic Benson" To: "Shorewall Users" Sent: Thursday, 7 July 2011 00:26:12 Subject: Re: [Shorewall-user

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Jul 6, 2011, at 4:17 PM, Dominic Benson wrote: > > On 7 Jul 2011, at 00:09, Tom Eastep wrote: > >> >> On Jul 6, 2011, at 3:26 PM, Dominic Benson wrote: >> >>> >>> On 6 Jul 2011, at 22:59, Alexander Wilms wrote: >>> Ack, downgraded to plain openSUSE iptables-1.4.10-3.1.i586.rpm, resu

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Dominic Benson
On 7 Jul 2011, at 00:09, Tom Eastep wrote: > > On Jul 6, 2011, at 3:26 PM, Dominic Benson wrote: > >> >> On 6 Jul 2011, at 22:59, Alexander Wilms wrote: >> >>> Ack, downgraded to plain openSUSE iptables-1.4.10-3.1.i586.rpm, result is >>> now a correct "ctorigdstport 52022" >>> >>> 160 A

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Jul 6, 2011, at 3:26 PM, Dominic Benson wrote: > > On 6 Jul 2011, at 22:59, Alexander Wilms wrote: > >> Ack, downgraded to plain openSUSE iptables-1.4.10-3.1.i586.rpm, result is >> now a correct "ctorigdstport 52022" >> >> 160 ACCEPT tcp -- * * 0.0.0.0/019

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Dominic Benson
On 6 Jul 2011, at 22:59, Alexander Wilms wrote: > Ack, downgraded to plain openSUSE iptables-1.4.10-3.1.i586.rpm, result is now > a correct "ctorigdstport 52022" > > 160 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2 > tcp dpt:22 ctorigdstport 52022 ctorigdst

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
> - Original Message - > From: "Tom Eastep" > To: "Shorewall Users" > Sent: Thursday, 7 July 2011 00:05:32 > Subject: Re: [Shorewall-users] DNAT behaves like DNAT- > > > On Wed, 2011-07-06 at 14:53 -0700, Tom Eastep wrote: > >

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
- From: "Tom Eastep" To: "Shorewall Users" Sent: Thursday, 7 July 2011 00:05:32 Subject: Re: [Shorewall-users] DNAT behaves like DNAT- On Wed, 2011-07-06 at 14:53 -0700, Tom Eastep wrote: On Wed, 2011-07-06 at 23:46 +0200, Alexander Wilms wrote: My version is i

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Wed, 2011-07-06 at 14:53 -0700, Tom Eastep wrote: > On Wed, 2011-07-06 at 23:46 +0200, Alexander Wilms wrote: > > > My version is iptables-1.4.11+-21.1.i586 > > > That's where the bug is. > > - Here is a patch to libxt_conntrack.c if you happen to be in a position to build your own iptabl

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
ittwoch, 6. Juli 2011 23:53:00 Subject: Re: [Shorewall-users] DNAT behaves like DNAT- On Wed, 2011-07-06 at 23:46 +0200, Alexander Wilms wrote: My version is iptables-1.4.11+-21.1.i586 That's where the bug is. -Tom -- Tom Eastep \ When I die, I want to go like my Grandf

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Wed, 2011-07-06 at 23:46 +0200, Alexander Wilms wrote: > My version is iptables-1.4.11+-21.1.i586 That's where the bug is. -Tom -- Tom Eastep\ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
My version is iptables-1.4.11+-21.1.i586 - Original Message - From: "Tom Eastep" To: "Shorewall Users" Sent: Wednesday, 6 July 2011 23:40:09 Subject: Re: [Shorewall-users] DNAT behaves like DNAT- On Wed, 2011-07-06 at 23:16 +0200, Alexander Wilms wrote: Hi

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Wed, 2011-07-06 at 23:16 +0200, Alexander Wilms wrote: > Hi Tom, > > here it comes: > > Shorewall 4.4.20.3 Chain net2loc0 at fire - Mi 6. Jul 23:14:49 CEST 2011 > > Counters reset Mi 6. Jul 23:14:15 CEST 2011 > > Chain net2loc0 (1 references) > pkts bytes target prot opt in out

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
*/ This "ctorigdstport 14027" shouldn't happen, should it? - Original Message - From: "Tom Eastep" To: "Shorewall Users" Sent: Wednesday, 6 July 2011 23:12:32 Subject: Re: [Shorewall-users] DNAT behaves like DNAT- On Wed, 2011-07-06 at 14:05 -0700,

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
From: "Tom Eastep" To: "Shorewall Users" Sent: Wednesday, 6 July 2011 23:05:03 Subject: Re: [Shorewall-users] DNAT behaves like DNAT- On Wed, 2011-07-06 at 22:20 +0200, Alexander Wilms wrote: Hi Tom, hi list I upgraded my firewall system which included an update to

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Wed, 2011-07-06 at 14:05 -0700, Tom Eastep wrote: > On Wed, 2011-07-06 at 22:20 +0200, Alexander Wilms wrote: > > SW:net2loc0:DROP:IN=eth1 OUT=eth0 SRC=85.182.238.98 DST=192.168.1.2 LEN=60 > > TOS=0x00 PREC=0x00 TTL=57 ID=36614 DF PROTO=TCP SPT=43415 DPT=22 > > WINDOW=4380 RES=0x00 SYN UR

Re: [Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Tom Eastep
On Wed, 2011-07-06 at 22:20 +0200, Alexander Wilms wrote: > Hi Tom, hi list > > I upgraded my firewall system which included an update to > shorewall-4.4.20.3-1.1.noarch (SuSE build service rpm). > > After that, DNAT seems to behave like DNAT- if the DNAT is directed to > another DST port. Wit

[Shorewall-users] DNAT behaves like DNAT-

2011-07-06 Thread Alexander Wilms
Hi Tom, hi list I upgraded my firewall system which included an update to shorewall-4.4.20.3-1.1.noarch (SuSE build service rpm). After that, DNAT seems to behave like DNAT- if the DNAT is directed to another DST port. Without port-translation it works as expected. Using these rules is not enou