I now have proxyarp working with my dmz interface

eth0 to the internet
eth1 to the dmz
eth2 to the local lan

My website is now available to the internet, my mail is now available to the internet...so far so good.

I can NOT browse my own website because routing is going OUT to the internet on eth0 from the internal LAN. I can browse other websites from internal LAN.

I am NOT logging any drops, so I am guessing it is routing or shorewall's proxyarp to get to my own dmz mail and website.

I am attempting to get closer to Tom's example of myfiles.htm - what direction do I need to go?

currently proxyarp has

(external.webserver) eth1 eth0 No Yes

where "external.webserver" is a live routable internet IP address.
Bill.Light@kp.org wrote:
> I now have proxyarp working with my dmz interface
>
> eth0 to the internet
> eth1 to the dmz
> eth2 to the local lan
>
> My website is now available to the internet, my mail is now available to
> the internet...so far so good.
>
> I can NOT browse my own website because routing is going OUT to the
> internet on eth0 from the internal LAN. I can browse other websites
> from internal LAN.
>
> I am NOT logging any drops, so I am guessing it is routing or
> shorewall's proxyarp to get to my own dmz mail and website.
>
> I am attempting to get closer to Tom's example of myfiles.htm - what
> direction do I need to go?
>
> currently proxyarp has
>
> (external.webserver) eth1 eth0 No Yes
>
> where "external.webserver" is a live routable internet IP address.

Dear Fool,

I believe that you must have mis-posted this to Shorewall-users in error; it seems more appropriate for posting on Usenet at relcom.rec.puzzles.

-Tom

PS -- if this is indeed intended for Shorewall-users, then please repost and include the information requested at http://www.shorewall.net/support.htm.

Thanks :-)

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Fri, 2005-08-26 at 14:07 -0700, Bill.Light@kp.org wrote:
> I now have proxyarp working with my dmz interface
>
> eth0 to the internet
> eth1 to the dmz
> eth2 to the local lan
>
> My website is now available to the internet, my mail is now available
> to the internet...so far so good.
>
> I can NOT browse my own website because routing is going OUT to the
> internet on eth0 from the internal LAN. I can browse other websites
> from internal LAN.

A lot of statements without any facts to look at for us...

Quick guess: If the webserver in DMZ got a routable IP you simply might be lacking a rule to allow that traffic. I have seen similar issues before...

ACCEPT lan dmz

> I am NOT logging any drops, so I am guessing it is routing or
> shorewall's proxyarp to get to my own dmz mail and website.

You are not logging any drops. Well, you should -- enable logging and you will see anything "not working" due to your Shorewall setup. Or do you actually mean, you are logging any drops by Shorewall but those don't appear in the logs? Then please say so...

karsten
Hi,

First, is the webserver in the dmz as I suspect? If so, can you access it from your loc zone by using its internal IP address?

You may want to try adding a DNAT rule such as:

#ACTION SOURCE DEST            PROTO DEST    SOURCE ORIGINAL
#                                    PORT(S) PORT   DEST
DNAT    loc    dmz:192.168.2.4 tcp   80      -      206.124.146.176

Have fun,
Daniel Wyatt

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Bill.Light@kp.org
Sent: Friday, August 26, 2005 2:08 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Sufficiently talented fool

I now have proxyarp working with my dmz interface

eth0 to the internet
eth1 to the dmz
eth2 to the local lan

My website is now available to the internet, my mail is now available to the internet...so far so good.

I can NOT browse my own website because routing is going OUT to the internet on eth0 from the internal LAN. I can browse other websites from internal LAN.

I am NOT logging any drops, so I am guessing it is routing or shorewall's proxyarp to get to my own dmz mail and website.

I am attempting to get closer to Tom's example of myfiles.htm - what direction do I need to go?

currently proxyarp has

(external.webserver) eth1 eth0 No Yes

where "external.webserver" is a live routable internet IP address.
shorewall mailing list wrote:
> Hi,
>
> First, is the webserver in the dmz as I suspect? If so, can you access
> it from your loc zone by using its internal IP address?
>
> You may want to try adding a DNAT rule such as:
>
> #ACTION SOURCE DEST            PROTO DEST    SOURCE ORIGINAL
> #                                    PORT(S) PORT   DEST
> DNAT    loc    dmz:192.168.2.4 tcp   80      -      206.124.146.176

Typically, such a rule isn't necessary in a Proxy ARP DMZ setup since the server has a public IP address. A simple:

ACCEPT loc dmz tcp 80

is all that is required.

-Tom
> > I now have proxyarp working with my dmz interface
> >
> > eth0 to the internet
> > eth1 to the dmz
> > eth2 to the local lan
> >
> > My website is now available to the internet, my mail is now available to
> > the internet...so far so good.
> >
> > I can NOT browse my own website because routing is going OUT to the
> > internet on eth0 from the internal LAN. I can browse other websites
> > from internal LAN.
> >
> > I am NOT logging any drops, so I am guessing it is routing or
> > shorewall's proxyarp to get to my own dmz mail and website.
> >
> > I am attempting to get closer to Tom's example of myfiles.htm - what
> > direction do I need to go?
> >
> > currently proxyarp has
> >
> > (external.webserver) eth1 eth0 No Yes
> >
> > where "external.webserver" is a live routable internet IP address.
>
> Dear Fool,
>
> I believe that you must have mis-posted this to Shorewall-users in
> error; it seems more appropriate for posting on Usenet at
> relcom.rec.puzzles.
>
> -Tom
>
> PS -- if this is indeed intended for Shorewall-users, then please repost
> and include the information requested at
> http://www.shorewall.net/support.htm.
>
> Thanks :-)

=====================================

Slap alongside the head noted....

Shorewall 2.4.3
2.4 SuSE kernel (9.0 Professional)

I have "info" logging in "policy" where I think it should show up (and imap and http requests are not showing)

Mail/Webserver is in the DMZ

Status (per guidelines) attached:

Third try --- for future reference:

1. Don't send uncompressed "status.txt", it's too big for the mailing list
2. Don't zip the file - zip files are not accepted

Is it Friday yet ??
Bill.Light@kp.org wrote:
> Status (per guidelines) attached:

Well, sort of. You didn't clear the counters and try to access your DMZ web server just before collecting the "shorewall status" output. So I can't see how far those connections are actually getting before getting stalled.

But... even with that, I really don't see anything in the status that would prevent your local hosts from accessing the web server in your DMZ.

You seem to have an extraneous entry in your proxyarp file that adds an entry to the ARP cache for eth2 -- that's silly. And for some reason, "shorewall restart" (or "shorewall stop; shorewall start") isn't clearing the old ARP cache entries so you get lots of them.

Is the server dual-homed, perhaps?

-Tom
> > Status (per guidelines) attached:
>
> Well, sort of. You didn't clear the counters and try to access your DMZ
> web server just before collecting the "shorewall status" output. So I
> can't see how far those connections are actually getting before getting
> stalled.
>
> But... even with that, I really don't see anything in the status that
> would prevent your local hosts from accessing the web server in your DMZ.
>
> You seem to have an extraneous entry in your proxyarp file that adds an
> entry to the ARP cache for eth2 -- that's silly. And for some reason,
> "shorewall restart" (or "shorewall stop; shorewall start") isn't
> clearing the old ARP cache entries so you get lots of them.
>
> Is the server dual-homed, perhaps?
>
> -Tom

Sigh....

I always thought it was NOT being cleared. I guess I don't understand "dual-homed" so I'll check it out with Google. Ah yes... there are two DUAL NIC cards in this box.

The "extra" ARP was what was killing me all along when I checked this last week, I had it set to the eth2, instead of eth0 (to the SBC DSL modem).

I may have 4 separate NICs sitting around - should I swap those in when I rebuild with SuSE 9.3?

SBC gave me 5 usable addresses: 1 is their modem, I used 2 for this firewall box and 3 for DMZ/Mail/Webserver (so 4-5-6 are unused).

In my description I left off eth3 which is intended for wireless... (as in the myfiles.htm example).

The actual box is a 933 MHz P-III Intel D815EEA2 with 1 piece of 256 ECC memory as I recall.

I'll try a good old fashioned reboot when I get home tonight.

As usual, thanks, Tom.

- Bill
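Tom's diagnosis (an extraneous proxyarp entry touching eth2) and Bill's admission that EXTERNAL pointed at eth2 instead of eth0 both come down to a proxyarp line naming the wrong interface. The following is an added example, not Shorewall's own code or anything posted in the thread: a small validator that parses a Shorewall 2.x proxyarp file using the column layout implied by Bill's entry (ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT), checks each entry against the thread's interface roles (eth0 net, eth1 dmz, eth2 loc), flags an address published on a non-net interface or on two interfaces, and lists the route and ARP commands each entry implies. The sample file and the 203.0.113.10 address are constructed, and the command forms are assumed to match the ones the Shorewall Proxy ARP documentation shows.

```python
"""Validator for a Shorewall 2.x proxyarp file (added example, not Shorewall's
code). Roles as in the thread: eth0 = net, eth1 = dmz, eth2 = loc. Column order
assumed from Bill's entry: ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT."""
from ipaddress import ip_address

ROLES = {"eth0": "net", "eth1": "dmz", "eth2": "loc"}

# Constructed sample: one correct entry plus the kind of extraneous entry Tom
# spotted, with EXTERNAL pointing at the LAN interface eth2 instead of eth0.
SAMPLE = """\
#ADDRESS      INTERFACE EXTERNAL HAVEROUTE PERSISTENT
203.0.113.10  eth1      eth0     No        Yes
203.0.113.10  eth1      eth2     No        Yes
"""

def parse_proxyarp(text):
    """Parse the file into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        addr, iface, ext = f[:3]  # ValueError if a mandatory column is missing
        ip_address(addr)  # ValueError if ADDRESS is not an IP address
        entries.append({"address": addr, "interface": iface, "external": ext,
                        "haveroute": len(f) > 3 and f[3].lower() == "yes"})
    return entries

def check_proxyarp(entries, roles=ROLES):
    """Report entries that publish or route an address on the wrong side."""
    problems, seen = [], {}
    for e in entries:
        a = e["address"]
        if roles.get(e["external"]) != "net":
            problems.append(f"{a}: EXTERNAL {e['external']} is not the net interface")
        if roles.get(e["interface"]) != "dmz":
            problems.append(f"{a}: INTERFACE {e['interface']} is not the dmz interface")
        if a in seen and seen[a] != e["external"]:
            problems.append(f"{a}: published on both {seen[a]} and {e['external']}")
        seen.setdefault(a, e["external"])
    return problems

def planned_commands(entries):
    """Route and published-ARP entry each line implies (assumed command forms)."""
    cmds = []
    for e in entries:
        if not e["haveroute"]:  # HAVEROUTE=No: Shorewall adds the host route itself
            cmds.append(f"ip route add {e['address']} dev {e['interface']}")
        cmds.append(f"arp -i {e['external']} -Ds {e['address']} {e['external']} pub")
    return cmds
```

Run `check_proxyarp(parse_proxyarp(open("/etc/shorewall/proxyarp").read()))` on the firewall to get the list of suspect lines; an empty list means every address is published on the net interface only and routed to the dmz interface.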
Bill.Light@kp.org wrote:
> I always thought it was NOT being cleared. I guess I don't understand
> "dual-homed" so I'll check it out with Google. Ah yes... there are two
> DUAL NIC cards in this box.

In the WEB SERVER????

-Tom
> > I always thought it was NOT being cleared. I guess I don't understand
> > "dual-homed" so I'll check it out with Google. Ah yes... there are two
> > DUAL NIC cards in this box.
>
> In the WEB SERVER????
>
> -Tom

============================================

I thought you meant the firewall (quantity four...two dual NICs)

The web server does have a 2nd NIC I intended to use for a webcam... and used it for temporary setup.

By the caps...I take it this is not a good idea...
Bill.Light@kp.org wrote:
> > > I always thought it was NOT being cleared. I guess I don't understand
> > > "dual-homed" so I'll check it out with Google. Ah yes... there are two
> > > DUAL NIC cards in this box.
> >
> > In the WEB SERVER????
> >
> > -Tom
>
> ============================================
>
> I thought you meant the firewall (quantity four...two dual NICs)
>
> The web server does have a 2nd NIC I intended to use for a webcam... and
> used it for temporary setup.
>
> By the caps...I take it this is not a good idea...

I was just astonished that a web server would be configured with four network interfaces :-)

Is that 2nd NIC still up -- and if so, what is its address and netmask?

-Tom
> > > > I always thought it was NOT being cleared. I guess I don't understand
> > > > "dual-homed" so I'll check it out with Google. Ah yes... there are two
> > > > DUAL NIC cards in this box.
> > >
> > > In the WEB SERVER????
> > >
> > > -Tom
> >
> > ============================================
> >
> > I thought you meant the firewall (quantity four...two dual NICs)
> >
> > The web server does have a 2nd NIC I intended to use for a webcam... and
> > used it for temporary setup.
> >
> > By the caps...I take it this is not a good idea...
>
> I was just astonished that a web server would be configured with four
> network interfaces :-)
>
> Is that 2nd NIC still up -- and if so, what is its address and netmask?
>
> -Tom

Ouch - this was my old firewall box with a bigger disk....there are 3 (three) single NICs in it...

eth0 66.124.156.123 netmask 255.255.255.255
eth1 192.168.15.30  netmask 255.255.255.0
eth2 192.168.13.20  netmask 255.255.255.0

And it IS up...

I guess I originally built it with the .13. subnet totally behind the firewall, and the eth1 15.30 is intended for a webcam - I will have to get behind it to see if it is still plugged in, but all indications (ping and the right hub LED) indicate it is.

FWIW - Doing "ifconfig eth2 down" to take it out has no effect.
Bill.Light@kp.org wrote:
> FWIW - Doing "ifconfig eth2 down" to take it out has no effect.

Well, I think that the problem is on that box, not on your current firewall.

-Tom