I want to create a rule which forwards connections to port 230 of the firewall to port 22 of a machine in dmz (external ssh access). Forward to an existing port without port change works. With port change it does not.

Following the line of the firewall/config file:

6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second

If I start the SSH server on the internal host on port 230, connection works. So I think that the port change is not reflected in the iptables command.

Cheers
Martin
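As an added illustration (not part of the bug report and not IPFire's own code), the script below parses the rule line quoted above, renders the iptables DNAT rule that the port translation requires, and checks an `iptables -t nat -S` dump for whether the target port is actually present. The field positions it relies on (value after `tgt_addr`, value after `TGT_PORT`, value before `dnat`) are assumptions inferred from the quoted line, not IPFire's documented format.

```python
import re

# Constructed sample: the rule line quoted in comment #0.
RULE_LINE = ("6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,"
             "TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second")

def parse_dnat_rule(line):
    """Extract the fields relevant to a DNAT forward from one config line.

    Assumption (inferred from the quoted line, not from IPFire documentation):
    the token after 'tgt_addr' is the target host, the token after 'TGT_PORT'
    is the target port, and the token just before 'dnat' is the external port.
    """
    f = line.split(",")
    proto = next(x for x in f if x in ("TCP", "UDP")).lower()
    target = f[f.index("tgt_addr") + 1].split("/")[0]
    tgt_port = int(f[f.index("TGT_PORT") + 1])
    ext_port = int(f[f.index("dnat") - 1])
    return {"proto": proto, "target": target, "tgt_port": tgt_port, "ext_port": ext_port}

def expected_iptables(rule):
    """Render the nat and filter rules the translation needs.

    In iptables, --to-destination ADDR:PORT rewrites the port; a bare ADDR
    leaves the destination port unchanged (230 stays 230).
    """
    dest = "%s:%d" % (rule["target"], rule["tgt_port"])
    return [
        "iptables -t nat -A PREROUTING -p %s --dport %d -j DNAT --to-destination %s"
        % (rule["proto"], rule["ext_port"], dest),
        "iptables -A FORWARD -p %s -d %s --dport %d -j ACCEPT"
        % (rule["proto"], rule["target"], rule["tgt_port"]),
    ]

def translation_applied(nat_dump, rule):
    """Scan an 'iptables -t nat -S' dump for the DNAT line matching ext_port
    and report whether it carries the target port after the colon."""
    pat = re.compile(r"--dport %d .*--to-destination (\S+)" % rule["ext_port"])
    for line in nat_dump.splitlines():
        m = pat.search(line)
        if m:
            return m.group(1) == "%s:%d" % (rule["target"], rule["tgt_port"])
    return False

# Constructed dumps: one with the port rewrite, one reproducing the symptom.
DUMP_OK = "-A PREROUTING -p tcp -m tcp --dport 230 -j DNAT --to-destination 192.168.2.16:22"
DUMP_BAD = "-A PREROUTING -p tcp -m tcp --dport 230 -j DNAT --to-destination 192.168.2.16"

if __name__ == "__main__":
    rule = parse_dnat_rule(RULE_LINE)
    print("\n".join(expected_iptables(rule)))
    print("ok dump:", translation_applied(DUMP_OK, rule), "bad dump:", translation_applied(DUMP_BAD, rule))
```

To compare against a live firewall, feed the real output of `iptables -t nat -S PREROUTING` to `translation_applied` in place of the constructed dumps.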
This is not a bug? Should be posted on the forums.
(In reply to Martin Wunderli from comment #0)
> I want to create a rule which forwards connections to port 230 of the
> firewall to port 22 of a machine in dmz (external ssh access). Forward to an
> existing port without port change works. With port change it does not.
>
> Following the line of the firewall/config file:
>
> 6,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,192.168.2.16/32,,TCP,,,ON,,,TGT_PORT,22,SSH server on hathi,,,,,,,,,,00:00,00:00,ON,AUTO,230,dnat,,,,,second
>
> If I start the SSH server on the internal host on port 230, connection
> works. So I think that the port change is not reflected in the iptables
> command.
>
> Cheers
> Martin

I am afraid I did not fully get what your problem is. Could you please describe it in a bit more detail?
It is about port forwarding. Example:

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 22
Does not work (port changes while forwarding).

You can define:
Firewall, Port 230 --- forward to --> Internal Host, Port 230
Works (no port change while forwarding).
Thank you.
Well, maybe there is another problem here. I can confirm that I have been using exactly that setup on several IPFire systems for years now, and the ports are correctly forwarded to an internal host on green, port 22.

Maybe your problem is that the orange network (DMZ) is what the name says: a DMZ. That means servers in the DMZ are usually directly reachable from the internet. But for that you have to make sure that the servers in the DMZ are able to use DNS.

The right firewall rule is:
SOURCE: ALL
Target: ORANGE (host) / Port
Done

Please correct me if I am wrong, as I don't have the time to test it right now.
Why is this ticket on MODIFIED? Where is the change?
Seems to be another FWBUG...
Tested today with a DNAT rule on the external port 12345 which points to port 22 on a host in the Blue subnet. Everything worked fine.

I'm closing this bug because it is rather old and during testing I was not able to reproduce the issue. Please feel free to re-open if the problem still exists.

Best regards,
-Stefan