Re: [Fwknop-discuss] DNAT rule question
From: Michael R. <mb...@ci...> - 2013-03-13 04:23:54
On Mar 12, 2013, Jeremiah Rothschild wrote:

> Hello,

Hi Jeremiah,

> I have an environment that consists of two separate Internet
> connections going through the same firewall.
>
> I am trying to set up a port, let's say 123, for use with
> both of these connections. For example, I want to be able
> to SSH to port 123 on host1.on.isp1.foo.com as well as
> host1.on.isp2.foo.com (which my firewall is then set up to
> know how to handle, etc).
>
> It seems, however, that I cannot use the same port #
> because the DNAT rule (that gets added after knocking)
> defines 0.0.0.0 for the destination. For example:
>
> DNAT tcp -- remote.host.com anywhere tcp dpt:123 /* _exp_1362785423 */ to:192.168.1.10:22
>
> Is there any way to configure things so that the destination
> isn't a wildcard? That would allow me to use the same port
> on both connections. Otherwise, I have to use different ports,
> which isn't a big deal but also not my first choice.

Currently I think you could accomplish what you want by defining two
different stanzas in the access.conf file that would use the FORCE_NAT
variable like so:

    SOURCE: ANY;
    KEY: key1;
    FW_ACCESS_TIMEOUT: 30;
    FORCE_NAT: 192.168.1.10 22;

    SOURCE: ANY;
    KEY: key2;
    FW_ACCESS_TIMEOUT: 30;
    FORCE_NAT: 192.168.1.20 22;

But, then you would have two different encryption keys at play. I think
your idea is a good one and would allow the client to be more
prescriptive about how NAT rules are created, and I'll take a look at
adding this.

Thanks,

--Mike

> Thanks for the time & help!
>
> j
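An added illustration (not part of the original message and not fwknop code) of the problem raised in the question: DNAT rules are evaluated first-match, so two rules for the same source and port with a wildcard destination collide, while destination-scoped rules do not. The client and external addresses (documentation ranges) and the names `DnatRule`, `translate` and `shadowed` are assumptions made for this sketch; the internal targets are the ones used in the thread.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class DnatRule:
    src: str    # source network the rule was opened for
    dst: str    # destination match; "0.0.0.0/0" is the wildcard ("anywhere")
    dport: int  # external port being translated
    to: str     # internal "ip:port" target

def _covers(outer, inner):
    """True if network `inner` lies entirely inside network `outer`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def translate(rules, src_ip, dst_ip, dport):
    """Return the target of the first matching rule (DNAT is first-match), else None."""
    for r in rules:
        if (dport == r.dport
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.dst)):
            return r.to
    return None

def shadowed(rules):
    """List (earlier, later) index pairs where the later rule can never match."""
    return [(i, j)
            for j, late in enumerate(rules)
            for i, early in enumerate(rules[:j])
            if early.dport == late.dport
            and _covers(early.src, late.src)
            and _covers(early.dst, late.dst)]

# Constructed sample data (documentation address ranges, not from the post).
CLIENT, ISP1, ISP2 = "192.0.2.50", "198.51.100.10", "203.0.113.10"

WILDCARD = [
    DnatRule(CLIENT + "/32", "0.0.0.0/0", 123, "192.168.1.10:22"),
    DnatRule(CLIENT + "/32", "0.0.0.0/0", 123, "192.168.1.20:22"),
]
SCOPED = [
    DnatRule(CLIENT + "/32", ISP1 + "/32", 123, "192.168.1.10:22"),
    DnatRule(CLIENT + "/32", ISP2 + "/32", 123, "192.168.1.20:22"),
]

if __name__ == "__main__":
    for name, rules in (("wildcard", WILDCARD), ("scoped", SCOPED)):
        for dst in (ISP1, ISP2):
            print(name, dst, "->", translate(rules, CLIENT, dst, 123))
        print(name, "shadowed pairs:", shadowed(rules))
```

Running `shadowed` over an exported rule list is a quick way to spot a rule that silently never takes effect.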