 From:  Fred Wright <fw at well dot com>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] SSH through m0n0wall?
 Date:  Mon, 23 Aug 2004 20:57:49 -0700 (PDT)
On Mon, 23 Aug 2004, Kai Dittmann wrote:
> On Sun, 22.08.2004 at 23:02, Michael Graves wrote:
> > 
> > Ever since I installed the v1.1 beta some weeks ago I have not been
> > able to SSH back through my m0n0wall to my Asterisk server. The rule
> > that I have setup is the same as worked with v1.0, that is:
> > 
> > Proto = TCP  
> > source = *  
> > port= 22 (SSH)  
> 
> 	port = any  or 1024:65534
> 
> 	ssh uses TCP high ports to connect, and
> 	not port 22 as src.

Or sometimes it uses low-numbered ports if it thinks RHosts might be an
option.  It's best to just wildcard it.

Note that this is for the *firewall*, NAT rules don't have source
ports.  Most commonly you want 22 in both places for NAT (i.e. map
firewall port 22 to server port 22).

On Mon, 23 Aug 2004, Frederick Page wrote:
> Michael Graves wrote on 22 August 2004:
> 
> >The rule that I have setup is the same as worked with v1.0, that is:
> 
> >Proto = TCP  
> >source = *  
> >port= 22 (SSH)  
> >destination = 192.168.1.30  
> >port = 22 (SSH)
> 
> You do realize, that you need two rules? One on the firewall, allowing
> Port 22 and one in the NAT section. You can also do the rule in the
> NAT section and check the flag "create firewall rule automatically".

Yes, but beware that this happens at NAT rule creation time.  If you
change the port in the NAT entry, it doesn't update the firewall.

Also, if you create the firewall rule manually, beware that the firewall
is applied *after* NAT remapping, so it should refer to the *internal*
destination IP.

> I have exactly this scenario on 1.1 and it works fine.

Same here.

					Fred Wright
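The two points Fred makes above, that an inbound connection is NAT-remapped before the firewall rule is evaluated (so the firewall rule must name the internal destination), and that an SSH client's source port is an ephemeral port or, with rhosts-style authentication, a low privileged port, never 22 (so the source port should be wildcarded), modelled as a small simulation. This is an added example written for this page, not m0n0wall code or anyone's posted configuration; the WAN address 203.0.113.5, the client address 198.51.100.7 and the client source ports are constructed, and only 192.168.1.30 comes from the thread.

```python
"""Model of m0n0wall-style inbound NAT followed by the firewall (constructed
example, not m0n0wall's own ipnat/ipf code).  It shows why the rule from the
original post (source port 22) never matches, why a 1024:65534 source range
still misses a privileged-port client, and why a firewall rule written
against the WAN address fails because the filter sees the post-NAT packet."""
from dataclasses import dataclass, replace

ANY = None  # wildcard for any field of a firewall rule


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    """Inbound port forward: traffic to ext_ip:ext_port is rewritten to
    int_ip:int_port.  As Fred notes, NAT rules carry no source port."""
    proto: str
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int


@dataclass(frozen=True)
class FwRule:
    """Pass rule; each field is a value, a (lo, hi) port range, or ANY."""
    proto: object
    src_ip: object
    src_port: object
    dst_ip: object
    dst_port: object


def _match(want, have) -> bool:
    if want is ANY:
        return True
    if isinstance(want, tuple):          # inclusive port range
        lo, hi = want
        return lo <= have <= hi
    return want == have


def apply_nat(pkt: Packet, nat_rules: list) -> Packet:
    for r in nat_rules:
        if r.proto == pkt.proto and r.ext_ip == pkt.dst_ip and r.ext_port == pkt.dst_port:
            return replace(pkt, dst_ip=r.int_ip, dst_port=r.int_port)
    return pkt


def firewall_allows(pkt: Packet, fw_rules: list) -> bool:
    """First matching pass rule wins; anything unmatched is dropped."""
    return any(
        _match(r.proto, pkt.proto) and _match(r.src_ip, pkt.src_ip)
        and _match(r.src_port, pkt.src_port) and _match(r.dst_ip, pkt.dst_ip)
        and _match(r.dst_port, pkt.dst_port)
        for r in fw_rules
    )


def inbound(pkt: Packet, nat_rules: list, fw_rules: list) -> bool:
    """NAT first; the firewall then evaluates the *translated* packet."""
    return firewall_allows(apply_nat(pkt, nat_rules), fw_rules)


WAN_IP = "203.0.113.5"      # assumed m0n0wall WAN address (constructed)
ASTERISK = "192.168.1.30"   # internal SSH/Asterisk host from the thread

NAT = [NatRule("tcp", WAN_IP, 22, ASTERISK, 22)]

RULE_SRC_PORT_22 = [FwRule("tcp", ANY, 22, ASTERISK, 22)]            # original post
RULE_RANGE_SRC = [FwRule("tcp", ANY, (1024, 65534), ASTERISK, 22)]   # Kai's range
RULE_WILDCARD_SRC = [FwRule("tcp", ANY, ANY, ASTERISK, 22)]           # Fred's advice
RULE_WAN_DST = [FwRule("tcp", ANY, ANY, WAN_IP, 22)]                  # wrong destination


def ssh_syn(src_port: int) -> Packet:
    """Constructed inbound SSH SYN from an outside client to the WAN address."""
    return Packet("tcp", "198.51.100.7", src_port, WAN_IP, 22)


def demo() -> dict:
    ephemeral = ssh_syn(51234)   # ordinary client source port (constructed)
    privileged = ssh_syn(1023)   # rhosts-style ssh binds a port below 1024 (constructed)
    return {
        "src_port_22_ephemeral": inbound(ephemeral, NAT, RULE_SRC_PORT_22),   # False
        "range_ephemeral":       inbound(ephemeral, NAT, RULE_RANGE_SRC),     # True
        "range_privileged":      inbound(privileged, NAT, RULE_RANGE_SRC),    # False
        "wildcard_ephemeral":    inbound(ephemeral, NAT, RULE_WILDCARD_SRC),  # True
        "wildcard_privileged":   inbound(privileged, NAT, RULE_WILDCARD_SRC), # True
        "wan_dst_ephemeral":     inbound(ephemeral, NAT, RULE_WAN_DST),       # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'pass' if ok else 'DROP'}")
```

Only the wildcard-source rule that names 192.168.1.30 passes both the ephemeral-port and the privileged-port client; the same rule written against the WAN address drops everything, because by the time the filter runs the destination has already been rewritten to the internal host.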