This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Filtered packet althoght there is a rule for it

Hi,

I have a rule

Any DNS { Name_Servers } Allow

I have a DNAT entry

wss001_eth0 Any -> wss001_eth0 / All None wss001

The DMZ1 interface is 172.16.1.1 and the name server in DMZ1 is 172.16.1.30

In the log i get

172.16.1.1 33118 -> 172.16.1.30 53 UDP

Any one any idea what I have done wrong?

Thanks

This thread was automatically locked due to age.

0 ClausP over 23 years ago

Hi,

DNAT is done "before" packet filtering.

http://docs.astaro.org/asl-faq.pl#4006

>Any DNS { Name_Servers } Allow

So your DNAT IP (wss001) has to be in the rule.

>wss001_eth0 Any -> wss001_eth0 / All None wss001

Rule type: SNAT/DNAT

Packets to match:
Source-address: No match
Dest.-address: 172.16.1.30
Service: DNS or No match

Change destination to: wss001 (= DNATed 172.16.1.30)

Claus [;)]

[size="1"][ 11 September 2002, 10:51: Message edited by: ClausP ][/size]
Cancel
Vote Up 0 Vote Down

Cancel
0 Ian Collins over 23 years ago in reply to ClausP

Thanks, but wss001 is 172.16.1.30. I fond the problem. It was the DNS proxy. I had set that up using the original external address of wss001 before it was moved into the DMZ. Cnanged that to the internal address and it all seems to work fine.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris_W over 23 years ago in reply to Ian Collins

hey, does this mean dnat works with option services-any now?

i remember we had to set up for each service separately, because any (for incoming) just didn't work

kind regards from germany ;-)
Cancel
Vote Up 0 Vote Down

Cancel