NAT RULE 0

Can we choose a different color for traffic processed by NAT RULE 0? I have a firewall rule ALLOW ANY ANY and a NAT rule NAT LAN to WAN. If I disable the NAT rule, the traffic stops flowing as expected, but my firewall logs are still green and show traffic as allowed. It is technically correct that my traffic is allowed due to the firewall rule, but I am not getting anywhere due to NAT rule zero, so a little hint in the logs would be nice.

Also, the NAT rules don't stop passing traffic immediately if disabled, unlike firewall rules, probably due to conntrack entries, so some clarity in the logs would be appreciated. (Try pinging 8.8.8.8 and disabling the NAT rule; your ping will continue.)

Regards
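Added example (not from the original poster or the appliance vendor): the firewall log only says the packet was allowed, but the conntrack table shows whether a flow actually got source-NATed. This script parses constructed `conntrack -L`-style lines (an assumption that the appliance exposes a Linux conntrack table in this format) and flags LAN-to-WAN flows that left without SNAT, which is what a "NAT rule 0" hit looks like; it also makes it obvious why an existing ping keeps working after the NAT rule is disabled, since its entry still carries the translated reply tuple.

```python
import re
from dataclasses import dataclass

# Constructed sample entries in the layout printed by `conntrack -L` on a Linux
# firewall (assumed format, not the appliance's own log output). Each entry has
# two src=/dst= pairs: the original direction first, then the reply direction.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=8.8.8.8 sport=51234 dport=443 src=8.8.8.8 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=8.8.8.8 type=8 code=0 id=1234 src=8.8.8.8 dst=203.0.113.5 type=0 code=0 id=1234 mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.20 dst=8.8.4.4 sport=40000 dport=53 [UNREPLIED] src=8.8.4.4 dst=192.168.1.20 sport=53 dport=40000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.5 sport=33000 dport=443 src=192.168.1.80 dst=198.51.100.7 sport=443 dport=33000 [ASSURED] mark=0 use=1
"""

LAN_PREFIX = "192.168.1."  # constructed: the LAN subnet used in the samples


@dataclass
class Flow:
    proto: str
    orig_src: str
    orig_dst: str
    reply_src: str
    reply_dst: str

    @property
    def snat(self) -> bool:
        # Source NAT rewrote the original source, so replies are addressed
        # to a different address (the WAN IP) than the one that sent them.
        return self.reply_dst != self.orig_src

    @property
    def dnat(self) -> bool:
        # Destination NAT: replies originate from a host other than the one
        # the client addressed.
        return self.reply_src != self.orig_dst


def parse_conntrack(text: str) -> list[Flow]:
    """Extract the original and reply tuples from each conntrack entry."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto = line.split()[0]
        srcs = re.findall(r"\bsrc=(\S+)", line)  # \b keeps sport= from matching
        dsts = re.findall(r"\bdst=(\S+)", line)
        if len(srcs) != 2 or len(dsts) != 2:
            continue  # malformed or unexpected entry, skip rather than guess
        flows.append(Flow(proto, srcs[0], dsts[0], srcs[1], dsts[1]))
    return flows


def unnatted_outbound(flows: list[Flow]) -> list[Flow]:
    """LAN flows toward a non-LAN destination that left without SNAT."""
    return [f for f in flows
            if f.orig_src.startswith(LAN_PREFIX)
            and not f.orig_dst.startswith(LAN_PREFIX)
            and not f.snat]
```

Flows already in the table keep their SNAT reply tuple until they time out, so only new entries (like the third sample) show the missing translation.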

  • Hi Billybob,

    That would be nice but I have some Customers that do have some un-NATed routes via the WAN link, this would then interfere with the logging of those. There is already a column for whether it is NATed or not?

    I can imagine that the reason why it continues is solely because of the conntrack entry and waits for it to time out. I dislike this behaviour as it has caused me problems in the past.

    Emile

  • Aha... I guess we need a new NAT logging module then that shows traffic is being dropped due to a NAT rule. This is not a big deal, as NAT is pretty much set and forget. I was playing around with firewall rules and my traffic wasn't working, but the logs showed that everything was OK till I noticed NAT rule zero. A little confusing to say the least, but your point is taken on different people with different needs.

    I figured conntrack was letting the traffic pass through that was already passing and I just put it down as an observation. But people that don't understand conntrack will definitely have questions [:D]

    Regards
