Hi, a "DNAT-" rule with source "all" and an omitted destination zone is not applied to packets originating from the firewall itself. Here is an example (zones oz and $FW) and some further analysis:

1. Adding the rule

       DNAT-   all   10.10.0.1   -   -   -   209.85.135.99

   adds the lines

       :dnat - [0:0]
       :oz_dnat - [0:0]
       -A PREROUTING -j dnat
       -A dnat -i eth0 -j oz_dnat
       -A oz_dnat -d 209.85.135.99 -j DNAT --to-destination 10.10.0.1

   to the firewall script, which obviously does not affect packets coming from the firewall itself.

2. Mentioning $FW explicitly

       DNAT-   $FW   10.10.0.1   -   -   -   209.85.135.99

   provides the desired result:

       -A OUTPUT -d 209.85.135.99 -j DNAT --to-destination 10.10.0.1

3. Putting "all-" or "all+-" as source leads to the same result as in case 1.

4. Putting "all+" adds the lines from cases 1 and 2 to the firewall script.

This behavior is different from what is described in shorewall-rules(5):

    "all" means "All Zones", including the firewall itself. "all-" means "All Zones, except the firewall itself" [...] When all+[-] is used, intra-zone traffic is affected

BTW, what is "intra-zone traffic" in this example, since the zone is omitted in the destination field?

This motivates another series of tests where the destination zone is "oz". I get a warning from the compiler:

    WARNING: Destination zone (oz) ignored

but the firewall script seems to be correct in this case:

5. DNAT-   all   oz:10.10.0.1   -   -   -   209.85.135.99
   or
   DNAT-   $FW   oz:10.10.0.1   -   -   -   209.85.135.99
   Same firewall script as in 2.

6. DNAT-   all-   oz:10.10.0.1   -   -   -   209.85.135.99
   Adds nothing to the firewall script.

7. DNAT-   all+   oz:10.10.0.1   -   -   -   209.85.135.99
   Same firewall script as in 4.

8. DNAT-   all+-   oz:10.10.0.1   -   -   -   209.85.135.99
   Same firewall script as in 1.

The warning is kind of misleading here, because the destination zone is actually not ignored. Though I agree that a destination zone is only needed in a DNAT rule, not in a DNAT- rule.

Is the behavior with an omitted destination zone correct, and should I specify the destination zone in DNAT- rules or not? How seriously should I take the warning about the ignored destination zone?
Many thanks,
Klemens

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
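The mechanism behind cases 1 and 2, as an added example that is not part of the original post and not Shorewall's own code: locally generated packets enter the nat table only at OUTPUT, never at PREROUTING, so a DNAT that is reachable only through PREROUTING (via the dnat and oz_dnat chains) cannot affect traffic from the firewall itself. The script below parses `iptables-save -t nat` style output, follows `-j` jumps into user-defined chains, and reports which built-in entry points can reach a DNAT for a given destination. The two rule sets are constructed samples modelled on the lines quoted in cases 1 and 2; interface matches such as `-i eth0` are deliberately ignored, which makes the check conservative (it can over-report, never under-report, reachability).

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample modelled on case 1: PREROUTING -> dnat -> oz_dnat -> DNAT.
CASE1_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:dnat - [0:0]
:oz_dnat - [0:0]
-A PREROUTING -j dnat
-A dnat -i eth0 -j oz_dnat
-A oz_dnat -d 209.85.135.99/32 -j DNAT --to-destination 10.10.0.1
COMMIT
"""

# Constructed sample modelled on case 2: the single OUTPUT rule for source $FW.
CASE2_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -d 209.85.135.99/32 -j DNAT --to-destination 10.10.0.1
COMMIT
"""

# nat-table entry points where DNAT can happen, and which traffic passes each.
ENTRY_POINTS = {"PREROUTING": "inbound/forwarded", "OUTPUT": "locally generated"}


def parse_nat(save_text):
    """Parse iptables-save output into {chain: [rule, ...]}.

    Each rule is a dict with 'dest' (an ip_network or None), 'target' (the -j
    argument) and 'to' (the --to-destination argument, if any). Other matches
    (-i, -p, --dport, ...) are skipped; they are not needed for reachability.
    """
    chains = defaultdict(list)
    for line in save_text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # table header, chain declarations and COMMIT carry no rules
        toks = shlex.split(line)
        rule = {"dest": None, "target": None, "to": None}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok in ("-d", "--destination"):
                # iptables-save writes hosts as a.b.c.d/32; ip_network accepts both forms
                rule["dest"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif tok in ("-j", "--jump"):
                rule["target"] = toks[i + 1]
                i += 2
            elif tok == "--to-destination":
                rule["to"] = toks[i + 1]
                i += 2
            else:
                i += 1
        chains[toks[1]].append(rule)
    return chains


def _reaches_dnat(chains, chain, ip, seen):
    """True if a DNAT rule matching ip is reachable from chain via -j jumps."""
    if chain in seen:
        return False  # guard against jump loops
    seen.add(chain)
    for rule in chains.get(chain, []):
        if rule["dest"] is not None and ip not in rule["dest"]:
            continue  # this rule cannot match our destination
        if rule["target"] == "DNAT":
            return True
        if rule["target"] in chains and _reaches_dnat(chains, rule["target"], ip, seen):
            return True  # descended into a user-defined chain and found one
    return False


def dnat_entry_points(chains, dest_ip):
    """Return the set of built-in chains from which a DNAT for dest_ip is reachable."""
    ip = ipaddress.ip_address(dest_ip)
    return {entry for entry in ENTRY_POINTS if _reaches_dnat(chains, entry, ip, set())}


def explain(save_text, dest_ip):
    """Summarise which traffic classes the DNAT of dest_ip does and does not cover."""
    points = dnat_entry_points(parse_nat(save_text), dest_ip)
    return {
        "covered": [label for entry, label in ENTRY_POINTS.items() if entry in points],
        "missing": [label for entry, label in ENTRY_POINTS.items() if entry not in points],
    }


if __name__ == "__main__":
    for name, text in (("case 1 (source all)", CASE1_NAT), ("case 2 (source $FW)", CASE2_NAT)):
        print(name, explain(text, "209.85.135.99"))
```

Run against a live box with `iptables-save -t nat` piped into `explain`, a result with "locally generated" under "missing" is exactly the situation described in case 1: the DNAT works for forwarded hosts but not for connections the firewall itself opens.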
