lists at lonnie.abelbeck.com
Wed Jan 14 19:31:15 CET 2009
On Jan 14, 2009, at 11:48 AM, Darrick Hartman wrote:
> I'm trying to figure out a way to implement the following
> 'feature'. I don't think it's possible as a plugin because it would
> likely need to be applied before many of the rules in the main script.
> The feature follows:
> Many firewall 'appliances' allow a so-called DMZ where all
> unassigned inbound traffic is directed to a specific IP address on
> the lan. I need to duplicate this behavior and hope we can find a
> way to do this cleanly with Arno's script.
> So as an example:
> TCP 80 -> NAT 192.168.1.1:80
> TCP 25 -> NAT 192.168.1.15:25
> ALL other inbound traffic -> NAT 192.168.1.2
> I suppose that NAT_TCP_FORWARD, NAT_UDP_FORWARD could be used with
> some very wide ranges with the specified ports listed before the
> wide range, but I was hoping for something cleaner that would ensure
> that DMZ-IP forwards would happen at the right time without having
> to ensure they were listed last in these other fields.
This would allow multiple firewalls to be easily placed back-to-back,
the first firewall handles what it chooses and then forwards
everything else to another firewall downstream.
Possibly Arno could add something like:
before his DENY's, to forward traffic to a particular IP address
immediately before they would normally be blocked.
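As an added illustration, not code from the thread or from Arno's script, the ordering Darrick describes expressed as plain iptables commands: the explicit port forwards are appended first and the catch-all DNAT to the DMZ host last, so it only sees traffic no earlier rule claimed. The external interface name is an assumption, and the nat table only consults PREROUTING for the first packet of a connection, so replies to the firewall's own outbound connections are not redirected.

```shell
#!/bin/sh
# Constructed example: generate the iptables rules for explicit forwards
# followed by a DMZ-host catch-all. Prints the commands; pipe into sh as
# root to apply them.

EXT_IF="eth0"                 # assumed external interface
DMZ_HOST="192.168.1.2"        # catch-all target from the message
# "proto:port:target" entries from the message, applied in this order
FORWARDS="tcp:80:192.168.1.1 tcp:25:192.168.1.15"

dmz_rules() {
  for f in $FORWARDS; do
    proto=${f%%:*}
    rest=${f#*:}
    port=${rest%%:*}
    target=${rest#*:}
    # specific DNAT and the matching FORWARD accept for that one port
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination $target:$port"
    echo "iptables -A FORWARD -i $EXT_IF -p $proto -d $target --dport $port -j ACCEPT"
  done
  # Catch-all: appended last, so it only matches what no rule above claimed.
  # Traffic aimed at services on the firewall itself is also redirected
  # unless it is excluded by an earlier rule.
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -j DNAT --to-destination $DMZ_HOST"
  echo "iptables -A FORWARD -i $EXT_IF -d $DMZ_HOST -m conntrack --ctstate NEW -j ACCEPT"
}

# Sanity check: the DMZ catch-all must be the final PREROUTING rule.
catchall_is_last() {
  last=$(dmz_rules | grep PREROUTING | tail -n 1)
  case "$last" in
    *"--to-destination $DMZ_HOST"*) return 0 ;;
    *) return 1 ;;
  esac
}

dmz_rules
```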