[Shorewall-newbies] Rule statement differences
Lyvim Xaphir
lxaphir at yahoo.com
Tue Jan 6 04:42:11 PST 2004
On Sun, 2003-12-28 at 10:44, Tom Eastep wrote:
> On Saturday 27 December 2003 09:37 pm, Lyvim Xaphir wrote:
> > On Sat, 2003-12-27 at 23:53, Francesca C. Smith wrote:
> > > Hello,
> > >
> > > On Sat, 2003-12-27 at 23:48, Lyvim Xaphir wrote:
> > > > What is the difference in this
> > > >
> > > > #ACTION SOURCE DEST                PROTO DEST   SOURCE   ORIGINAL
> > > > #                                        PORT   PORT(S)  DEST
> > > >
> > > >
> > > > DNAT net loc:192.168.0.18:80 tcp - -
> > > >
> > > >
> > > > And this?
> > > >
> > > >
> > > > DNAT net loc:192.168.0.18 tcp 80 -
> > > >
> > > >
> > > > LX
> > >
> > > Number one is bogus I am pretty sure .. while number two is Valid
> >
> > Wrong and right, I think. Witness:
> >
> >
> > http://www.shorewall.net/FAQ.htm#faq1
> >
> > Where it seems that the usefulness of the first rule is when you are
> > redirecting a port to a different port on an internal server. That's
> > one of the applications.
>
> The first rule redirects ALL ports to port 80 on the server -- I can't think
> of any use for doing that, can you?
The first thing that occurs to me here when I read this is -- DOH!!
> >
> > However I discovered by accident that both of the above worked,
> > seemingly the same; the first case works the same as the second because
> > of its ambiguity in the destination port column. When I posted this, I
> > wasn't quite aware of that, therefore I wanted someone more knowledgeable
> > to explain the difference between the two.
>
> The first rule is inclusive of the second rule -- the second rule can also be
> written:
>
> DNAT net loc:192.168.0.18:80 tcp 80 -
>
>
> >
> > > "Although I Would Write Such A Rule As One" .. What is this quiz trying
> > > to prove ??? Does number one work ??? .. Or whats behind door number
> > > three ???
> > >
> > > Francesca
> >
> > A door number three thing, I suppose. And trying different things to
> > see what works and what does not. Cause I've got an internal server
> > that I'm trying to make visible from the net. I think I've narrowed the
> > problem down to it being some undocumented ports that are not visible
> > from the net.
> >
> > I've come quite a ways since I started with shorewall; I find it very
> > useful. Most of what I've discovered, I've found out by experimentation
> > and log analysis. You're the first one that has responded to my emails;
>
> On 2003/12/20, you posted with your problem. On 12/22/03, you inserted
> yourself into another thread "shorewall as a 'hub/relay' for openvpn" with
> the comment:
>
> "So can I please get some advice if I enunciate my problem correctly? :)"
>
> I therefore confused you with the original poster of that thread who
> can't seem to describe his problem so that I can understand it.
>
> I'll respond to your original post shortly.
>
> -Tom
This is probably somewhat outdated now. :)
LX
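As an added example (not code from the thread or from Shorewall itself; it assumes the rules-file column layout quoted above, with "-" meaning no restriction), a small Python checker that shows why the first rule captures every TCP port while the other two rules are equivalent:

```python
# Added example, not from the thread or from Shorewall: it reads DNAT lines in
# the rules-file layout quoted above (ACTION SOURCE DEST PROTO DEST-PORT
# SOURCE-PORT ORIGINAL-DEST, "-" = no restriction) and works out which
# connections each rule captures and where they are sent.

def parse_dnat_rule(line):
    """Split one rule line into its seven columns, padding missing ones with '-'."""
    cols = line.split()
    cols += ["-"] * (7 - len(cols))
    action, source, dest, proto, dport, sport, orig_dest = cols[:7]
    if action != "DNAT":
        raise ValueError("not a DNAT rule: " + line)
    # DEST is zone[:address[:port]]; a trailing port rewrites the destination port.
    parts = dest.split(":")
    return {
        "source": source,
        "zone": parts[0],
        "addr": parts[1] if len(parts) > 1 else None,
        "to_port": parts[2] if len(parts) > 2 else None,
        "proto": proto,
        "dport": dport,
    }

def effect(line):
    """Return (matched destination ports, forwarded-to address:port) for a DNAT rule."""
    r = parse_dnat_rule(line)
    matched = "all" if r["dport"] == "-" else r["dport"]
    # With no port in DEST the original destination port is kept.
    to_port = r["to_port"] or ("unchanged" if r["dport"] == "-" else r["dport"])
    return matched, "%s:%s" % (r["addr"], to_port)

def is_overbroad(line):
    """True when the rule captures every port of the protocol (DEST PORT left as '-')."""
    return effect(line)[0] == "all"

# The three rules discussed in the thread (constructed constants).
RULE_ALL_TO_80 = "DNAT net loc:192.168.0.18:80 tcp - -"
RULE_80        = "DNAT net loc:192.168.0.18 tcp 80 -"
RULE_80_LONG   = "DNAT net loc:192.168.0.18:80 tcp 80 -"

if __name__ == "__main__":
    for rule in (RULE_ALL_TO_80, RULE_80, RULE_80_LONG):
        matched, target = effect(rule)
        flag = "  <-- every tcp port is forwarded" if is_overbroad(rule) else ""
        print("%-40s dport=%-4s -> %s%s" % (rule, matched, target, flag))
```

Running it prints that the first rule forwards all TCP ports to 192.168.0.18:80, while the other two both forward only port 80 to the same place.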