-
You can add a rule on top of the policy to block packets with a source address that belongs to RFC1918 space; this will do what you want.
2009-11-16 18:32:14 UTC by vkurland
-
Hello,
I'm using fwbuilder v3.0.6 with iptables.
I'm searching for a way to match only NATed packets in a rule. In my current configuration my webserver behind the firewall uses a private IP address. My external firewall port has a public IP address and I have a second, different public IP address for my webserver.
I have one NAT-Entry matching on
Source: any
Destination...
2009-11-16 15:55:12 UTC by scratchy-de
-
cool, no problem at all. Glad it works for you.
2009-11-14 20:18:41 UTC by vkurland
-
My bad, I'm still learning iptables, and fwbuilder (it's really quite a nice tool, once you get the right ideas into your head). I can see now that I misunderstood (on both 2.X and 3.X versions of fwbuilder). There's no bug here, just another user goof. Sorry.
2009-11-14 19:39:48 UTC by eclectic923
-
Hold on. Look at the commands generated for the guest_list rule set (I copy these from your original report):
1) $IPTABLES -N guest_list_0
2) $IPTABLES -A guest_list -s 10.168.227.232/29 -j guest_list_0 #
The second command is in the guest_list chain as you requested. "guest_list_0" is just another chain used for logging. Your application can add new addresses to the guest_list ch.
2009-11-14 15:27:35 UTC by vkurland
-
please attach .fwb data file that illustrates the problem.
2009-11-14 02:28:03 UTC by vkurland
-
Both fwbuilder 2.X and 3.X (including 3.07) have the same bug (though the naming conventions vary). When one creates a new chain, the chain doesn't get the name supplied by the user.
This is a big deal! I have an external access granting web app that adds/deletes rules from the 'guest_list' chain to enable/disable router access for guest systems (wireless laptops). If the chain name was...
2009-11-14 02:13:08 UTC by eclectic923
-
Closing, please reopen if the problem persists or I misunderstood.
2009-11-13 15:35:35 UTC by vkurland
-
I can see that this is an inconvenience, but this is not a bug; this is by design.
NAT rules do not have a special column for the interface, so to get the "-o interface" parameter the program needs to get it from somewhere. If the interface object or its address is used in TSrc, it adds "-o interface" because it can associate this address with the interface. If you explicitly do not want to have "-o...
2009-11-10 13:57:02 UTC by vkurland
-
The problem with the stand-alone address is that it does not reflect how the firewall is configured. That's how I stumbled on this bug: I wanted to update fwbuilder's view to match the real network configuration of the firewall.
2009-11-10 13:51:19 UTC by gombasg