[Shorewall-newbies] Rule statement differences

Tom Eastep teastep at shorewall.net
Sun Dec 28 07:44:59 PST 2003


On Saturday 27 December 2003 09:37 pm, Lyvim Xaphir wrote:
> On Sat, 2003-12-27 at 23:53, Francesca C. Smith wrote:
> > Hello,
> >
> > On Sat, 2003-12-27 at 23:48, Lyvim Xaphir wrote:
> > > What is the difference in this
> > >
> > > #ACTION  SOURCE DEST                 PROTO   DEST    SOURCE    ORIGINAL
> > > #                                            PORT    PORT(S)   DEST
> > >
> > >
> > > DNAT    net     loc:192.168.0.18:80  tcp     -       -
> > >
> > >
> > > And this?
> > >
> > >
> > > DNAT    net     loc:192.168.0.18     tcp     80       -
> > >
> > >
> > > LX
> >
> > Number one is bogus I am pretty sure .. while number two is Valid
>
> Wrong and right, I think.  Witness:
>
>
> http://www.shorewall.net/FAQ.htm#faq1
>
> Where it seems that the usefulness of the first rule is when you are
> redirecting a port to a different port on an internal server.  That's
> one of the applications.

The first rule redirects ALL ports to port 80 on the server -- I can't think 
of any use for doing that, can you?
>
> However I discovered by accident that both of the above worked,
> seemingly the same; the first case works the same as the second because
> of its ambiguity in the destination port column.  When I posted this, I
> wasn't quite aware of that, therefore I wanted someone more knowledgeable
> to explain the difference between the two.

The first rule is inclusive of the second rule -- the second rule can also be 
written:

	DNAT    net     loc:192.168.0.18:80     tcp     80       - 


>
> > "Although I Would Write Such A Rule As One" .. What is this quiz trying
> > to prove ??? Does number one work ??? .. Or whats behind door number
> > three ???
> >
> > Francesca
>
> A door number three thing, I suppose.  And trying different things to
> see what works and what does not.  Cause I've got an internal server
> that I'm trying to make visible from the net.  I think I've narrowed the
> problem down to it being some undocumented ports that are not visible
> from the net.
>
> I've come quite a ways since I started with shorewall; I find it very
> useful.  Most of what I've discovered, I've found out by experimentation
> and log analysis.  You're the first one that has responded to my emails;

On 2003/12/20, you posted with your problem. On 12/22/03, you inserted 
yourself into another thread "shorewall as a 'hub/relay' for openvpn" with 
the comment:

   "So can I please get some advice if I enunciate my problem correctly? :)"

I therefore confused you with the original poster of that thread who can't 
seem to describe his problem so that I can understand it.

I'll respond to your original post shortly.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
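As an added example, not code from this thread or from the Shorewall project: a small Python model of the two DNAT forms discussed above. It parses rules-file lines in the column layout quoted in the thread (ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT; further columns are ignored), works out which destination ports a rule matches and which server port the connection lands on, checks whether one rule is "inclusive of" another as Tom describes, and flags the all-ports-to-one-port shape that he says has no sensible use. The three sample rule lines are constructed from the ones quoted in the post; the `ANY` marker and all function names are this example's own.

```python
"""Model the match/redirect semantics of Shorewall DNAT rules (added example,
not Shorewall code). DEST is zone[:address[:port]]; a trailing port there is
the server port traffic is redirected to. DEST PORT ("-" = any) is the
destination port a connection must have to match the rule."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"  # constructed marker for "no destination-port restriction"

# Constructed sample lines mirroring the rules quoted in the thread.
RULE_ALL_PORTS = "DNAT    net     loc:192.168.0.18:80  tcp     -       -"
RULE_PORT_80   = "DNAT    net     loc:192.168.0.18     tcp     80      -"
RULE_EXPLICIT  = "DNAT    net     loc:192.168.0.18:80  tcp     80      -"


@dataclass(frozen=True)
class DnatRule:
    source_zone: str
    dest_zone: str
    dest_addr: str
    redirect_port: Optional[str]  # port after the address in DEST, if any
    proto: str
    match_port: str               # DEST PORT column, "-" means any


def parse_rule(line: str) -> DnatRule:
    """Parse one DNAT line; columns beyond DEST PORT are ignored here."""
    cols = line.split()
    if len(cols) < 4 or cols[0] != "DNAT":
        raise ValueError(f"not a DNAT rule: {line!r}")
    source, dest, proto = cols[1], cols[2], cols[3]
    match_port = cols[4] if len(cols) > 4 else "-"
    parts = dest.split(":")
    zone = parts[0]
    addr = parts[1] if len(parts) > 1 else ""
    redirect_port = parts[2] if len(parts) > 2 else None
    return DnatRule(source, zone, addr, redirect_port, proto, match_port)


def effective(rule: DnatRule) -> dict:
    """Which destination ports match, and where the connection is sent."""
    matched = ANY if rule.match_port == "-" else rule.match_port
    # Without a port in DEST the original destination port is preserved.
    landing = rule.redirect_port if rule.redirect_port else "original"
    return {"matches": matched, "lands_on": landing}


def lands_on(rule: DnatRule, port: str) -> str:
    """Server port a connection to `port` ends up on under `rule`."""
    return rule.redirect_port if rule.redirect_port else port


def _same_target(a: DnatRule, b: DnatRule) -> bool:
    return (a.source_zone, a.dest_zone, a.dest_addr, a.proto) == \
           (b.source_zone, b.dest_zone, b.dest_addr, b.proto)


def covers(broad: DnatRule, narrow: DnatRule) -> bool:
    """True when every connection `narrow` handles, `broad` also handles and
    sends to the same server port (the thread's 'inclusive of' relation)."""
    if not _same_target(broad, narrow):
        return False
    if narrow.match_port == "-":
        # narrow matches every port: broad must too, with the same redirect.
        return broad.match_port == "-" and broad.redirect_port == narrow.redirect_port
    if broad.match_port not in ("-", narrow.match_port):
        return False
    return lands_on(broad, narrow.match_port) == lands_on(narrow, narrow.match_port)


def same_behaviour(a: DnatRule, b: DnatRule) -> bool:
    """Two rules behave identically when each covers the other."""
    return covers(a, b) and covers(b, a)


def is_over_broad(rule: DnatRule) -> bool:
    """Every destination port funnelled to one server port: DEST carries a
    port while DEST PORT is '-', the shape the thread questions."""
    e = effective(rule)
    return e["matches"] == ANY and e["lands_on"] != "original"


def lint_rules(text: str) -> List[str]:
    """Return the DNAT lines in a rules file that redirect all ports."""
    flagged = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or not stripped.startswith("DNAT"):
            continue
        if is_over_broad(parse_rule(stripped)):
            flagged.append(stripped)
    return flagged


if __name__ == "__main__":
    for name in ("RULE_ALL_PORTS", "RULE_PORT_80", "RULE_EXPLICIT"):
        rule = parse_rule(globals()[name])
        print(name, effective(rule), "over-broad" if is_over_broad(rule) else "ok")
```

Running the module shows the first rule matching every TCP port and landing on 80, while the second and third both match only port 80 and land on 80, which is why they behave the same on the wire and why the first is flagged: it exposes every port of the internal host behind a single rule.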