In the example above, it's the last entry in the table (my WAN is 192.168.63.101, and I've configured the DMZ as 192.168.1.100). Make sure the rule is there *and* shows hits on the pkts and bytes columns.
Doesn't the SPI firewall have to be enabled for DMZ to work, anyway?
Doesn't the SPI firewall have to be enabled for DMZ to work, anyway?
I was thinking the same thing initially. But even if the spi firewall is disabled, the DMZ rule still gets added, and any attempt to use it still results in hits on the rule. So I assume it still works regardless.
With a Firewall that is not SPI, you need two rules - A->B and B->A.
A SPI Firewall only needs one rule - A->B. It sees the state of B->A and allows it, as it's the reply to the A->B connection.
Well that's an interesting take on it. I didn't interpret the enabling and disabling of the stateful firewall to mean when it's disabled, you still have a firewall, but it just doesn't track state. I interpreted it to mean you no longer have a firewall, AT ALL.
Just another one of those problems of interpretation that comes from a lack of documentation, and having to rely on the option's label to determine its purpose/intent.
Assuming the meaning is as you suggest, that doesn't jibe w/ what's happening in the actual firewall rules. When disabled, I still see state rules, and see them being triggered. In fact, when you change the Operating Mode from Gateway (the default) to Router, *then* you see the state machine become inoperable. And it's done explicitly via the following rule in the raw table (something that does NOT happen by merely disabling the stateful firewall).
Code:
root@lab-ddwrt2:~# iptables -t raw -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 130 packets, 20726 bytes)
pkts bytes target prot opt in out source destination
130 20726 CT all -- * * 0.0.0.0/0 0.0.0.0/0 NOTRACK
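To make the two points in this thread concrete (the earlier reply's "a non-SPI firewall needs A->B and B->A, an SPI firewall needs only A->B", and this post's raw-table NOTRACK rule making the state machine inoperable), here is a small added illustration. It is not DD-WRT or iptables code; it models a first-match chain with a DROP policy and a toy conntrack table. The WAN address 192.168.63.101 and DMZ host 192.168.1.100 are the ones quoted above; the outside client 203.0.113.5, the port numbers and the rule sets are constructed for the example.

```python
"""Toy model of stateless vs stateful (SPI) filtering and of a raw-table
NOTRACK rule. Added illustration, not DD-WRT or iptables code."""
from dataclasses import dataclass
from typing import Optional

WAN_IP = "192.168.63.101"       # from the thread
DMZ_HOST = "192.168.1.100"      # from the thread
CLIENT = "203.0.113.5"          # constructed outside client


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    """One line of a FORWARD-style chain. None means 'match anything'."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None     # "NEW", "ESTABLISHED" or None (no -m state)
    target: str = "ACCEPT"
    hits: int = 0                   # the pkts column of iptables -vnL


class Filter:
    """First-match chain with policy DROP, backed by a toy conntrack table."""

    def __init__(self, rules, notrack=False):
        self.rules = list(rules)
        self.notrack = notrack      # models a raw-table 'CT --notrack' rule
        self.conntrack = set()      # confirmed flows as (src, sport, dst, dport)

    def _state(self, p):
        if self.notrack:
            return None             # untracked packets carry no state at all
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        seen = fwd in self.conntrack or rev in self.conntrack
        return "ESTABLISHED" if seen else "NEW"

    def forward(self, p):
        state = self._state(p)
        verdict = "DROP"                         # chain policy
        for r in self.rules:
            if r.src is not None and r.src != p.src:
                continue
            if r.dst is not None and r.dst != p.dst:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.state is not None and r.state != state:
                continue
            r.hits += 1
            verdict = r.target
            break
        if verdict == "ACCEPT" and state == "NEW":
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))  # flow confirmed
        return verdict


def exchange(fw):
    """Client opens a connection to the DMZ host and the host replies.
    Returns the two verdicts (A->B, B->A)."""
    request = Packet(CLIENT, DMZ_HOST, 40000, 80)
    reply = Packet(DMZ_HOST, CLIENT, 80, 40000)
    return fw.forward(request), fw.forward(reply)


def stateless_one_rule():
    # no -m state anywhere: only A->B is allowed, the reply hits the policy
    return exchange(Filter([Rule(dst=DMZ_HOST)]))


def stateless_two_rules():
    # a non-SPI firewall needs the B->A rule written out explicitly
    return exchange(Filter([Rule(dst=DMZ_HOST), Rule(src=DMZ_HOST)]))


def spi_one_rule():
    # SPI: one ESTABLISHED rule lets the reply through without a B->A rule
    return exchange(Filter([Rule(state="ESTABLISHED"), Rule(dst=DMZ_HOST)]))


def spi_with_notrack():
    # same rules, but NOTRACK switches conntrack off: the DMZ rule still gets
    # hits, the ESTABLISHED rule never matches, and the reply is dropped
    fw = Filter([Rule(state="ESTABLISHED"), Rule(dst=DMZ_HOST)], notrack=True)
    verdicts = exchange(fw)
    return verdicts, fw.rules[0].hits, fw.rules[1].hits


if __name__ == "__main__":
    print("stateless, one rule :", stateless_one_rule())
    print("stateless, two rules:", stateless_two_rules())
    print("SPI, one rule       :", spi_one_rule())
    print("SPI + NOTRACK       :", spi_with_notrack())
```

The last scenario is the one that matches the observation in this post: with tracking switched off, the DMZ rule still counts hits for inbound packets, but nothing ever reaches the ESTABLISHED state, so the return traffic falls through to the policy.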