Firewall rules: send traffic from one IP address to another on same network

I don’t understand setting up a firewall rule.
To me, the job of a rule is to receive traffic directed at a certain IP address and get another IP address to deal with it.
If a NAT is used, then the originating party does not know that anything like this is happening; the firewall is in the middle. NAT works at level 3, IP level (MAC not relevant), I think.

So on my Green zone 192.168.39.0/24, there is no device on 192.168.39.99 but there is a machine at 192.168.39.10 which responds to ping.

I set up a firewall rule with source 192.168.39.99.
NAT to 192.168.39.10

Protocol: ALL

If I then ping to 192.168.39.99 I get this output:
tim@black:~$ ping 192.168.39.99
PING 192.168.39.99 (192.168.39.99) 56(84) bytes of data.
From 192.168.39.10 icmp_seq=1 Destination Host Unreachable
From 192.168.39.10 icmp_seq=2 Destination Host Unreachable

If NAT is active, why is it reporting 192.168.39.10? Or maybe that is in the ICMP message.
But why then do I get Destination Host Unreachable?

If I try to ssh to 192.168.39.99 the error is no route to host.
I have requested that the rule be logged, but in Logs → Firewall Logs I see nothing matching this traffic.

This is only one of many jobs you can assign to a rule.

correct

Here I am very confused. Can you explain what you want to achieve and why?

4 Likes

Yes. Also because, as many studies and tests as I have done, setting a firewall rule in IPFire (green to green) in my opinion does not make sense.
I have great doubts that IPFire can somehow “handle” it. Green + Green = Same network = works even with IPFire turned off (except for a possible DHCP assignment).
Am I right, @cfusco ?

In your case, it seems to me that you are trying to create rules between
192.168.39.99
192.168.39.10
which are two Green machines, right?

Two machines on the same GREEN communicate with each other independently of IPFire.

schema

By cutting the wire, GREEN still works if the three machines have static IPs. The information that these machines exchange over the network (among them) does not “go through IPFire.” The rules created in the firewall between 192.168.39.99 and 192.168.39.10 in my opinion will never be executed, regardless of whether the wire is cut or not.

The solution might be…


Then you create the rules as you wish :wink:.

2 Likes

First you need a device to ping.
NAT is not used in this fashion.

1 Like

I feel compelled to “add to my previous post” that NAT cannot be applied to my example either, which refers instead to internal firewall traffic.

1 Like

That was a contrived example, sorry. The real problem I wanted to solve was to allow people on the one subnet (blue) to discover an IPP printer on green, and then have print traffic sent to it once it has been discovered. I think my concept of the solution, a phantom printer IP on the blue that users could, was completely wrong.

Okay. Maybe then my example is valid :+1: :+1: :+1:.
By default you should not be able to access from BLUE to green.
Whereas you should be able to access from Green to Blue.
These are the default rules on how IPFire handles internal traffic. So, in your case, you need to create an internal traffic rule to “open a gap” between the BLUE network and the GREEN IP of your printer. I have already experimented with this. I can send you a screenshot of my rule…


I rewrote it. I had personalized it too much. This should be the easiest way. I hope I said it right.

That question seems to have already been asked by yourself in another post https://community.ipfire.org/t/printer-discover-traffic/10309 and appeared to have been solved with the use of the mDNS Repeater addon based on your last reply in that thread.

3 Likes

yes, you are 100% correct. Routing typically refers to the process of forwarding packets from one network to another, which is a Layer 3 (Network layer) operation, handled by routers. In a single subnet, we usually talk about “switching”. Communication within the same subnet is primarily a Layer 2 job handled by switches, which use MAC addresses to forward frames to the correct destination.

2 Likes
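To make the switching-versus-routing point above concrete, here is an added simulation (not from the thread or from IPFire) of the sender’s own route lookup and ARP step. The topology is constructed: green 192.168.39.0/24 as in the thread, a blue subnet of 192.168.40.0/24 and an IPFire green address of 192.168.39.1 are assumed, and the ARP table lists the only green hosts that exist.

```python
import ipaddress

# Constructed lab topology (assumptions, not the thread author's real network).
GREEN = ipaddress.ip_network("192.168.39.0/24")
BLUE = ipaddress.ip_network("192.168.40.0/24")          # assumed blue prefix
IPFIRE_GREEN_IP = "192.168.39.1"                        # assumed gateway address

# Hosts that really exist on green and therefore answer ARP (constructed).
# Note that 192.168.39.99 is deliberately absent, as in the original post.
GREEN_ARP_TABLE = {
    "192.168.39.10": "aa:bb:cc:00:00:10",
    "192.168.39.1": "aa:bb:cc:00:00:01",
}


def next_hop(src_iface, dst, gateway=IPFIRE_GREEN_IP):
    """Kernel-style route lookup for a host with one connected network.
    Returns ('direct', dst) when dst is on the connected subnet (layer 2
    delivery), otherwise ('gateway', gw) meaning the packet is routed."""
    src = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_address(dst)
    if dst in src.network:
        return ("direct", dst)
    return ("gateway", ipaddress.ip_address(gateway))


def send_ping(src_iface, dst, arp_table=GREEN_ARP_TABLE):
    """Simulate the fate of an ICMP echo request from src_iface to dst.
    'via_firewall' tells whether IPFire's forwarding path (where a
    green/blue rule could match) ever sees the packet."""
    kind, hop = next_hop(src_iface, dst)
    if arp_table.get(str(hop)) is None:
        # No ARP reply for the next hop: the sender's own stack reports the
        # error, which is why the thread's ping output says
        # "From 192.168.39.10 ... Destination Host Unreachable".
        return {"sent": False, "via_firewall": False,
                "error": "Destination Host Unreachable"}
    if kind == "direct":
        # Same subnet: frame goes switch -> destination MAC. IPFire never
        # sees it, so a rule between two green hosts can never execute.
        return {"sent": True, "via_firewall": False, "error": None}
    # Different subnet: frame goes to IPFire's MAC, the packet is routed,
    # and firewall rules (e.g. blue -> green printer) apply.
    return {"sent": True, "via_firewall": True, "error": None}


if __name__ == "__main__":
    print(send_ping("192.168.39.10/24", "192.168.39.99"))  # green -> missing green host
    print(send_ping("192.168.39.10/24", "192.168.40.20"))  # green -> blue, routed
```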

@cfusco , I sincerely thank you for the confirmation. Just think that I have come to think this way with practical tests done with IPFire itself over the past few years. I am enjoying this simple and powerful firewall more and more and it allows me to learn and experiment with many things at the network level.

Forgive my drawings. Maybe there is free software suitable for making these patterns?

@casabenedetti , just a fundamental thought from an old informatics guy.
Learning new things ( in your case networking/firewalling/… ) should be done not only by experimenting with products in this ‘new world’. It is necessary to learn the basics from literature.
Reasons:

  • every product contains errors; it isn’t desirable to take these as a ‘feature’, especially because these bugs are not easily recognisable, otherwise they would have been corrected. :wink:
  • literature usually describes the topic in general, not based on a single SW product.
  • ( asking questions based on knowledge in the thematical field doesn’t bind working effort of devs and mods more than necessary :wink: )
2 Likes

your drawings are clear. That’s what matters.

2 Likes

Yes, I acknowledge the above to be true. And before I do that, I think I will also have to study English well. I see on the net that these topics are covered in English. Very often I struggle to understand them. And so I am forced to resort to proof. As a result, I always have doubts whether what I understand is true or not.

you are doing both at the same time. That is the best way to go. ChatGPT 3.5 is quite good at translating to and from English. By observing how the model does it, you will absorb more than you realize, and learn. Keep going. You will be amazed how far you will progress if you keep trying.

2 Likes

Yes. I am already experimenting with ChatGPT 3.5 as you suggested in a private message. Really amazing. I will also use it for English :wink:.

I cannot agree more.

By the way, in addition to what you have listed, one more reason for learning the hard way is to avoid the risk of creating spurious correlation between two events that have nothing to do with each other.

Personal case in point, where I associated two things that had nothing to do with each other.

2 Likes

Perhaps this applies to all disciplines: a good culture, then you put what you learn into practice.

1 Like

Yes. I read. I am also of the opinion that to err is human.

1 Like

More than that. Error correction is how we (and also AI) learn. Think how a child learns to walk. Making mistakes is the foundation of human knowledge. Error-correction does not work only when we let our intrinsic need to protect our self-image interfere. Our ego is sometimes the worst enemy we have.

EDIT: after I understood how the LLMs learn to answer questions, I realized that there is nothing intelligent about it. Yet, the world is full of people that are inferior to AI because their ego makes them a worse learner than a stupid language model. I find this depressing.

1 Like