From: oneforall i. <one...@ho...> - 2009-12-31 10:12:18
Plus I can't even figure out where to add the URLs I don't want in the proxy, to bypass it. That was so easy to do. It makes no sense to me that it has to be this darn hard to do this. I hate that I can't, in the browser on the machine I have Apache running on, type in the domain name. It only wants to work if I use localhost:81. I can't use it any longer like this.

> From: in...@si...
> To: efw...@li...
> Date: Wed, 30 Dec 2009 22:05:03 +0100
> Subject: Re: [Efw-user] firewall rules are hard to use
>
> Another try:
>
> RED specifies (like all zones) one or more IPs, let's say public IP
> 222.222.222.222, so if the rule "access from RED" should work, the packets
> would have to be from a client that is part of this network.
>
> In most cases this won't be (always talking from usual/simple network
> scenarios ;-) ). For example: a client with a public IP from somewhere, let's
> say 111.222.333.444, would try to connect to your efw with the configuration:
>
> Access from: RED
>
> This can't work because the IP is not a part of your RED network! Endian is
> then expecting packets from 222.222.222.222. But your source is from
> 111.222.333.444. So you have to tell your efw to handle ALL incoming IPs
> respectively networks (or this specific IP or network). So that's why your
> configuration with RED as "source" won't work.
>
> "Target" does not mean to which server or host the signal will be routed!
> It defines which IP/network the packets must be designated to, to be
> handled. So
>
> Target: your LAN client
>
> would not work because packets from outside do not have a target in your LAN
> but 222.222.222.222... so it must be:
>
> Target: any Uplink
>
> In "translate to" it is defined to which IP the packet headers will be
> rewritten! The packet destination is at this point still 222.222.222.222 but
> your, for example, webserver has a private IP (perhaps 192.168.1.25) behind
> your efw, so it will only respond to packets that are designated for its
> own IP. Therefore EFW changes the target IP from 222.222.222.222 to
> 192.168.1.25 (so efw TRANSLATES it!). Please read some articles about how NAT
> works, then you will see that the term "translate to" makes sense and is
> much more correct than to talk of "port forwarding"...
>
> Hope that helps =)
>
> Jo
>
> -----Original Message-----
> From: Pedro M. S. Oliveira [mailto:pms...@gm...]
> Sent: Wednesday, 30 December 2009 20:25
> To: efw...@li...
> Subject: Re: [Efw-user] firewall rules are hard to use
>
> Hi Jonas,
> When you specify target green or 192.168.1.25 this means that the packet
> arriving on the uplink should have a destination IP of the green network or
> 192.168.1.25, and usually that doesn't happen because they are marked to
> arrive at your red IP address (usually a public IP from your provider if you
> use a classic network schema).
>
> Let's put it this way:
>
> 183.23.13.24 - ExtHost - host on internet
> 213.21.23.23 - RedIP - your red ip address
> 192.168.1.254 - GreenIP - your green ip address
> 192.168.1.25 - HTSrv - your http server
>
> Now let's see the situation you described:
>
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
>
> ExtHost -> RedIP -> GreenIP - forwarding refused because your rule says
> forward all packets with destination 192.168.1.25 but the packet has
> destination 213.21.23.23 (RedIP), and that's why it's not forwarded.
>
> To accomplish this you could have something like:
> Access from: Any (or anyuplink or uplink)
> Target: Uplink or any uplink
> IP: your internal server ip (192.168.1.25)
> Type: IP
> DNAT: NAT
> Service: HTTP
>
> This way:
> ExtHost -> RedIP -> GreenIP - forwarding accepted because access from and
> target are matched, as well as the service port, and the packet will be
> forwarded to the HTSrv.
>
> Access from is related to where the packet is coming from.
> Target is the packet destination in the IP header, not your local intended
> destination.
>
> With these new features on EFW you can have greater control on more complex
> networks where you may have different layers of firewalling, and this will be
> done just relying on the web interface; on version 2.2, with more complex
> rules and different layers of firewalling, you needed to write a bunch of
> rules manually on the command line.
>
> On Wednesday 30 December 2009 10:27:30 jonas kellens wrote:
> > Pedro,
> >
> > This is the right configuration for port forwarding to a LAN-client :
> >
> > Access from : any
> > Target : <any Uplink>
> > Port : TCP 51413
> > Translate to IP 192.168.1.25 port 51413
> >
> > "Access from : RED" does not work. I don't understand why. Do you ?
> > "Target : GREEN" or "Target : 192.168.1.25" does not work. I don't
> > understand why I can't use my LAN-client as target, as this is the
> > client to where to portforward ?!
> >
> > Even with a good understanding of iptables, I don't get this 'access',
> > 'target' and 'source'.
> >
> > Can you maybe post a link to some examples, cause I feel that the
> > documentation of Endian lacks some explanatory examples.
> >
> > Jonas.
> >
> > On Wed, 2009-12-30 at 10:12 +0000, Pedro M. S. Oliveira wrote:
> > > Hi
> > > I disagree with you both about the new EFW firewall interface, I see it
> > > much more complete and feature rich than the previous one. This new
> > > interface has more advanced options that you may use and it resembles
> > > best the iptables capabilities. In my opinion this is the way to go
> > > and it will be the difference between a home router and a business
> > > system.
> > > I'm sure that with a bit of reading about firewalls and the way they
> > > work you'll get there.
> > > cheers,
> > > pedro
>
> --
> ----------------------------------------------------------------------------
> Pedro M. S. Oliveira
> IT Consultant
> Email: pms...@gm...
> URL: http://www.linux-geex.com
> Cellular: +351 96 5867227
> ----------------------------------------------------------------------------
>
> _______________________________________________
> Efw-user mailing list
> Efw...@li...
> https://lists.sourceforge.net/lists/listinfo/efw-user
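The point Jo and Pedro make in the thread is that a DNAT rule is evaluated against the packet as it arrives on the uplink (source = the Internet host, destination = the RED/public IP), and only after a match is the destination rewritten to the LAN server. The following is an added example written for this page, not code from Endian Firewall or from anyone in the thread: a small model of that match-then-rewrite order, run against the three rule variants discussed (using Pedro's addresses). The packet, the rule fields and the helper names are constructed for illustration; the iptables command in the comment is the equivalent Linux rule, with the uplink interface name `eth1` assumed.

```python
"""Model of how a DNAT ("port forwarding") rule is matched and applied.

Added example (not Endian's code): matching happens on the packet's
ORIGINAL source and destination, i.e. before translation, which is why
"Access from: RED" and "Target: GREEN" cannot match an Internet client
hitting the public IP. Roughly what Linux does in the nat PREROUTING
chain, e.g. (interface name eth1 assumed):
  iptables -t nat -A PREROUTING -i eth1 -p tcp -d 213.21.23.23 \
      --dport 80 -j DNAT --to-destination 192.168.1.25
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addresses from Pedro's worked example in the thread
EXT_HOST = ip_address("183.23.13.24")     # ExtHost: host on the Internet
RED_IP = ip_address("213.21.23.23")       # RedIP: efw's public (uplink) IP
GREEN_NET = ip_network("192.168.1.0/24")  # GREEN zone (LAN behind the efw)
HTTP_SRV = ip_address("192.168.1.25")     # HTSrv: web server on the LAN

ANY = ip_network("0.0.0.0/0")             # "any" for Access from / Target
RED_NET = ip_network("213.21.23.23/32")   # the RED zone seen as a network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    access_from: IPv4Network   # "Access from": where the packet comes FROM
    target: IPv4Network        # "Target": destination in the IP header on arrival
    proto: str                 # "Service": protocol ...
    dport: int                 # ... and port
    translate_to: IPv4Address  # "Translate to": new destination after rewrite

    def matches(self, pkt: Packet) -> bool:
        # All four fields are compared against the UNTRANSLATED packet.
        return (pkt.src in self.access_from
                and pkt.dst in self.target
                and pkt.proto == self.proto
                and pkt.dport == self.dport)


def apply_dnat(rules, pkt: Packet):
    """Return (index_of_matching_rule, packet_after_nat).

    First match wins, as in an iptables chain; the destination is rewritten
    only after a rule has matched. (None, pkt) means no rule matched and the
    packet goes on unchanged, so it is still addressed to the RED IP.
    """
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i, replace(pkt, dst=rule.translate_to)
    return None, pkt


def evaluate_thread_rules():
    """Run the three rule variants from the thread against the same packet.

    Returns {variant: destination after the nat table as a string, or None
    when the variant did not match}.
    """
    # Constructed packet: ExtHost opening an HTTP connection to the public IP
    incoming = Packet(src=EXT_HOST, dst=RED_IP, proto="tcp", dport=80)
    variants = {
        # "Access from: RED" -> only packets whose SOURCE is the RED network
        "access_from_red": DnatRule(RED_NET, ANY, "tcp", 80, HTTP_SRV),
        # "Target: GREEN" -> only packets whose DESTINATION is already the LAN
        "target_green": DnatRule(ANY, GREEN_NET, "tcp", 80, HTTP_SRV),
        # Pedro's working rule: Access from any, Target = the uplink IP,
        # Translate to 192.168.1.25
        "target_uplink": DnatRule(ANY, RED_NET, "tcp", 80, HTTP_SRV),
    }
    results = {}
    for name, rule in variants.items():
        idx, out = apply_dnat([rule], incoming)
        results[name] = str(out.dst) if idx is not None else None
    return results


if __name__ == "__main__":
    for name, dst in evaluate_thread_rules().items():
        print(f"{name:16s} -> {'no match, packet left alone' if dst is None else 'forwarded to ' + dst}")
```

Only the third variant rewrites the destination; the first two never see a matching packet because, at the moment the rule is checked, the packet still carries the Internet source and the public destination. A "Target: GREEN" match would only become true after the translation, which is the stage Endian labels "Translate to", not "Target".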