Brieseneck, Arne, VF-Group wrote:
> Why NAT?
> I don't want to NAT anything.
>

So if I understand your previous postings correctly, the setup is up and running, with the
- WAN IP being 10.5.40.20, and the
- gateway being 10.5.40.1
so the WAN is not a direct Internet connection, which is fine.

Furthermore, your LAN is
- 192.168.50.128/26
and one host (192.168.50.190) is running sshd there.

You described earlier that "everything works" if you allow all traffic in all directions, is that correct? I just want to rule out any routing issues, since the ssh client machine appears to reside somewhere else on the LAN, thus your router at 10.5.40.1 must know to route all packets destined for 192.168.50.190 to the gateway 10.5.40.20.

If all this is correct and you know it works with an any:any rule both incoming and outgoing, I would recommend turning on all logging when you try to restrict the traffic to only allow access to 192.168.50.190:22/tcp and paste the result here, both before and after you put the rule in place.

If you feel you can describe it better in German, I think the list decided a long time ago to allow any language, the response pool might just be smaller.

Sven

P.S.: was that the full config.xml you posted or did you omit anything besides password hashes? I am just curious because I am either blind or I need a drink, but I don't see the firewall rule.

>
> -----Original Message-----
> From: Chris Buechler [mailto:cbuechler at gmail dot com]
> Sent: Wednesday, 12 September 2007 20:27
> To: Brieseneck, Arne, VF-Group
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] RE: SSH rule dows not work
>
> You don't have any NAT rules. Go to Inbound NAT as others said previously and add it properly.
>
> On 9/12/07, Brieseneck, Arne, VF-Group <Arne dot Brieseneck at vodafone dot com> wrote:
>
>> <?xml version="1.0"?>
>> <m0n0wall>
>>   <version>1.6</version>
>>   <lastchange>1189620245</lastchange>
>>   <system>
>>     <hostname>dmzfw</hostname>
>>     <domain>local</domain>
>>     <dnsallowoverride/>
>>     <username>admin</username>
>>     <password>xxxxx</password>
>>     <timezone>Europe/Berlin</timezone>
>>     <time-update-interval>300</time-update-interval>
>>     <timeservers>192.168.50.129</timeservers>
>>     <webgui>
>>       <protocol>http</protocol>
>>       <port/>
>>     </webgui>
>>   </system>
>>   <interfaces>
>>     <lan>
>>       <if>vxn1</if>
>>       <ipaddr>192.168.50.185</ipaddr>
>>       <subnet>26</subnet>
>>       <media/>
>>       <mediaopt/>
>>     </lan>
>>     <wan>
>>       <if>vxn0</if>
>>       <mtu/>
>>       <media/>
>>       <mediaopt/>
>>       <ipaddr>10.5.40.20</ipaddr>
>>       <subnet>24</subnet>
>>       <gateway>10.5.40.1</gateway>
>>       <spoofmac/>
>>     </wan>
>>   </interfaces>
>>   <staticroutes>
>>     <route>
>>       <interface>wan</interface>
>>       <network>192.168.61.0/24</network>
>>       <gateway>10.5.40.120</gateway>
>>       <descr>Rückroute zum WIMAX</descr>
>>     </route>
>>   </staticroutes>
>>   <pppoe/>
>>   <pptp/>
>>   <bigpond/>
>>   <dyndns>
>>     <type>dyndns</type>
>>     <username/>
>>     <password/>
>>     <host/>
>>     <mx/>
>>     <server/>
>>     <port/>
>>   </dyndns>
>>   <dnsupdate/>
>>   <dhcpd>
>>     <lan>
>>       <range>
>>         <from>192.168.1.100</from>
>>         <to>192.168.1.199</to>
>>       </range>
>>     </lan>
>>   </dhcpd>
>>   <pptpd>
>>     <mode/>
>>     <redir/>
>>     <localip/>
>>     <remoteip/>
>>   </pptpd>
>>   <dnsmasq>
>>     <enable/>
>>   </dnsmasq>
>>   <snmpd>
>>     <syslocation/>
>>     <syscontact/>
>>     <rocommunity>public</rocommunity>
>>   </snmpd>
>>   <diag>
>>     <ipv6nat>
>>       <ipaddr/>
>>     </ipv6nat>
>>   </diag>
>>   <bridge/>
>>   <syslog/>
>>   <nat/>
>>   <filter>
>>     <rule>
>>       <type>pass</type>
>>       <interface>wan</interface>
>>       <source>
>>         <any/>
>>       </source>
>>       <destination>
>>         <any/>
>>       </destination>
>>       <descr/>
>>     </rule>
>>     <rule>
>>       <type>pass</type>
>>       <interface>lan</interface>
>>       <source>
>>         <any/>
>>       </source>
>>       <destination>
>>         <any/>
>>       </destination>
>>       <descr/>
>>     </rule>
>>   </filter>
>>   <shaper/>
>>   <ipsec/>
>>   <aliases/>
>>   <proxyarp/>
>>   <wol/>
>>   <vlans>
>>     <vlan>
>>       <if>vxn0</if>
>>       <tag>4</tag>
>>     </vlan>
>>     <vlan>
>>       <if>vxn1</if>
>>       <tag>3</tag>
>>     </vlan>
>>   </vlans>
>> </m0n0wall>
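To make Sven's point about the posted config concrete, here is an added audit script (mine, not m0n0wall's code or anything from the thread): it parses the <filter> section of a config.xml and lists which interfaces carry pass rules with both endpoints <any/>. The embedded sample reproduces the two rules from the posted config; the third, narrowed rule and its address/port/log elements are my assumption of how a 192.168.50.190:22/tcp rule would be written, not something taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two any:any pass rules from the posted
# config.xml, plus one assumed narrowed WAN rule (the address/port/log
# elements are my assumption of the m0n0wall rule schema) for contrast.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <nat/>
  <filter>
    <rule><type>pass</type><interface>wan</interface>
      <source><any/></source><destination><any/></destination><descr/></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><any/></source><destination><any/></destination><descr/></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.50.190</address><port>22</port></destination>
      <log/><descr>ssh to 192.168.50.190</descr></rule>
  </filter>
</m0n0wall>
"""

def _endpoint(node):
    """Render a <source>/<destination> as 'any' or 'address[:port]'."""
    if node is None or node.find("any") is not None:
        return "any"
    addr = node.findtext("address", "?")
    port = node.findtext("port")
    return f"{addr}:{port}" if port else addr

def summarize_rules(config_xml):
    """Return one dict per <filter><rule>, in config order."""
    root = ET.fromstring(config_xml)
    rules = []
    for rule in root.findall("./filter/rule"):
        rules.append({
            "type": rule.findtext("type"),
            "interface": rule.findtext("interface"),
            "protocol": rule.findtext("protocol") or "any",
            "source": _endpoint(rule.find("source")),
            "destination": _endpoint(rule.find("destination")),
            "log": rule.find("log") is not None,
        })
    return rules

def any_any_pass_rules(config_xml):
    """Interfaces whose pass rules admit any source to any destination."""
    return [r["interface"] for r in summarize_rules(config_xml)
            if r["type"] == "pass" and r["source"] == "any"
            and r["destination"] == "any"]
```

Run against the real config.xml, an empty result from any_any_pass_rules() is what you want to see before trusting that only 192.168.50.190:22/tcp is reachable.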