Hey Tom,

I have successfully set up two servers on a DMZ practice network, woohoo :).
If I take out the proxyarp option in /etc/shorewall/interfaces, then the DMZ can ping outside IPs on the net but not any of my servers on network 66.224.62.96/27 (other than its own gateway server 66.224.62.120).

The reason I ask is to learn. I thought I would not need the proxyarp option for this to work on a routed network. And please let me know if you are tired of my questions on this, because I appreciate all your help, and Shorewall rocks.

Thanks,
Mike

[root@66-224-62-120 root]# shorewall version
1.4.6c

#ZONE    INTERFACE    BROADCAST    OPTIONS
net      eth0         detect       norfc1918,proxyarp
dmz      eth1         detect       proxyarp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

[root@66-224-62-120 root]# arp -na
? (66.224.62.97) at 00:60:49:80:24:46 [ether] on eth0
? (66.224.62.100) at 00:40:33:E3:CF:C3 [ether] on eth0
? (66.224.62.122) at 52:54:00:E8:AB:22 [ether] on eth1
? (66.224.62.121) at 00:40:CA:2E:BE:E5 [ether] on eth1
[root@66-224-62-120 root]#

[root@66-224-62-120 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:39:0B:5B
          inet addr:66.224.62.120  Bcast:66.224.62.127  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14466 errors:15 dropped:0 overruns:0 frame:0
          TX packets:3031 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4849732 (4.6 Mb)  TX bytes:816111 (796.9 Kb)
          Interrupt:10 Base address:0xb000

eth1      Link encap:Ethernet  HWaddr 00:50:BF:92:5D:75
          inet addr:66.224.62.120  Bcast:66.224.62.120  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:522 errors:0 dropped:0 overruns:0 frame:0
          TX packets:436 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:50590 (49.4 Kb)  TX bytes:476792 (465.6 Kb)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:28 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2256 (2.2 Kb)  TX bytes:2256 (2.2 Kb)
[root@66-224-62-120 root]#

[root@66-224-62-120 root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.224.62.122   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.224.62.121   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.224.62.96    0.0.0.0         255.255.255.224 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         66.224.62.97    0.0.0.0         UG    0      0        0 eth0
[root@66-224-62-120 root]#
On Tue, 2004-12-07 at 13:08 -0800, Mike Lander wrote:
> Hey Tom,
> I have successfully set up two servers on a DMZ practice network woohoo
> :).
> If I take out the proxyarp option in /etc/shorewall/interfaces
> then the DMZ can ping outside IPs on the net but not any of my servers
> on network 66.224.62.96/27 (other than its own gateway server 66.224.62.120)
>
> The reason I ask is to learn. I thought I would not need the proxyarp
> option for this to work on a routed network. And please let me know if you
> are tired of
> my questions on this, because I appreciate all your help and Shorewall
> rocks.
>

Mike,

As I mentioned in a post yesterday -- IF THE UPSTREAM ROUTER IS SENDING ARP REQUESTS FOR THE DMZ SERVER THEN YOUR SETUP IS *NOT ROUTED*. If it were routed, the upstream router would have no need for the MAC address of the DMZ server since all traffic to that server would be *ROUTED* through the firewall (i.e., traffic to the server would be sent with Destination MAC address = your firewall and Destination IP address = your DMZ server). The whole point of Proxy ARP is to make your firewall answer the ARP request for the DMZ server so that traffic for the DMZ server *WILL* be sent to the firewall's MAC.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tue, 2004-12-07 at 13:13 -0800, Tom Eastep wrote:
>
> As I mentioned in a post yesterday -- IF THE UPSTREAM ROUTER IS SENDING
> ARP REQUESTS FOR THE DMZ SERVER THEN YOUR SETUP IS *NOT ROUTED*. If it
> were routed, the upstream router would have no need for the MAC address
> of the DMZ server since all traffic to that server would be *ROUTED*
> through the firewall (i.e., traffic to the server would be sent with
> Destination MAC address = your firewall and Destination IP address =
> your DMZ server). The whole point of Proxy ARP is to make your firewall
> answer the ARP request for the DMZ server so that traffic for the DMZ
> server *WILL* be sent to the firewall's MAC.
>

Here's a picture:

Assume Firewall's IP address = a.b.c.254
Assume Server's IP address   = a.b.c.1

ROUTED:

ISP Router                                      Firewall(a.b.c.254)

ARP who-has a.b.c.254--------------------------->
             <-------------Here is a.b.c.254 (MAC of firewall)
Packet for a.b.c.1 (DST MAC = Mac of firewall) ->

Proxy ARP:

ISP Router                                      Firewall(a.b.c.254)

ARP who-has a.b.c.1----------------------------->
             <---------------Here is a.b.c.1 (MAC of firewall)
Packet for a.b.c.1 (DST MAC = Mac of firewall) ->

So you end up with the same result but the ARP exchange is different.

-Tom
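The test Tom states above (if the upstream router ARPs for the DMZ server's address, the block is not routed and the firewall has to proxy-ARP for it) can be applied mechanically to an ARP capture taken on the firewall's external interface. The script below is an added example, not code from this thread or from Shorewall. It parses tcpdump-style ARP lines (the "ARP, Request who-has X tell Y" format is an assumption about the capture tool) and groups the upstream router's requests by whether they ask for the firewall, for a DMZ host, or for some other address. The addresses are the ones from the thread; the capture text is constructed for the example.

```python
"""Apply the routed-vs-proxy-ARP test to an ARP capture from the firewall's
external interface.  Added example for this thread, not list or Shorewall code."""
import re
from ipaddress import ip_address

FIREWALL_IP = "66.224.62.120"                    # firewall external address (thread)
UPSTREAM_ROUTER = "66.224.62.97"                 # ISP router / default gateway (thread)
DMZ_HOSTS = ["66.224.62.121", "66.224.62.122"]   # proxy-ARP'd DMZ servers (thread)

# Constructed sample captures (not real tcpdump output from the thread).
# Case A: the router ARPs for the DMZ servers themselves -> the /27 is not routed.
CAPTURE_NOT_ROUTED = """\
13:40:01.110 ARP, Request who-has 66.224.62.120 tell 66.224.62.97, length 46
13:40:01.111 ARP, Reply 66.224.62.120 is-at 00:e0:4c:39:0b:5b, length 28
13:40:09.502 ARP, Request who-has 66.224.62.121 tell 66.224.62.97, length 46
13:40:14.007 ARP, Request who-has 66.224.62.100 tell 66.224.62.97, length 46
13:40:20.340 ARP, Request who-has 66.224.62.122 tell 66.224.62.97, length 46
13:40:25.900 ARP, Request who-has 66.224.62.120 tell 66.224.62.100, length 46
"""
# Case B: during this window the router only ever asks for the firewall itself.
CAPTURE_ONLY_FIREWALL = """\
13:50:01.110 ARP, Request who-has 66.224.62.120 tell 66.224.62.97, length 46
13:50:01.111 ARP, Reply 66.224.62.120 is-at 00:e0:4c:39:0b:5b, length 28
"""

ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def parse_requests(capture):
    """Return (target, sender) address pairs for every ARP request line."""
    pairs = []
    for line in capture.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            pairs.append((ip_address(m.group(1)), ip_address(m.group(2))))
    return pairs


def classify(capture, firewall_ip=FIREWALL_IP, router_ip=UPSTREAM_ROUTER,
             dmz_hosts=DMZ_HOSTS):
    """Group the upstream router's ARP targets and return the verdict.

    Only requests *sent by the upstream router* count: another host on the
    /27 asking for the firewall says nothing about how the ISP delivers
    traffic for the DMZ addresses.
    """
    fw = ip_address(firewall_ip)
    router = ip_address(router_ip)
    dmz = {ip_address(h) for h in dmz_hosts}
    asked = {"firewall": set(), "dmz": set(), "other": set()}
    for target, sender in parse_requests(capture):
        if sender != router:
            continue
        bucket = "firewall" if target == fw else "dmz" if target in dmz else "other"
        asked[bucket].add(str(target))
    if asked["dmz"]:
        # The router wants the DMZ servers' MACs, so it delivers to them
        # directly: the firewall must answer for them (proxyarp on eth0).
        verdict = "not_routed"
    else:
        # Seeing no DMZ requests is not proof of a routed block: the router
        # only ARPs for entries missing from its cache, so a longer capture
        # (or a cleared router cache) is needed before concluding anything.
        verdict = "inconclusive"
    result = {key: sorted(val) for key, val in asked.items()}
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    for name, cap in (("case A", CAPTURE_NOT_ROUTED), ("case B", CAPTURE_ONLY_FIREWALL)):
        print(name, classify(cap))
```

The "inconclusive" branch is deliberate: a short capture that shows the router asking only for the firewall's own address is consistent with both a routed block and a router that already has the DMZ entries cached, which is exactly the situation that comes up later in this thread.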
>
> As I mentioned in a post yesterday -- IF THE UPSTREAM ROUTER IS SENDING
> ARP REQUESTS FOR THE DMZ SERVER THEN YOUR SETUP IS *NOT ROUTED*. If it
> were routed, the upstream router would have no need for the MAC address
> of the DMZ server since all traffic to that server would be *ROUTED*
> through the firewall (i.e., traffic to the server would be sent with
> Destination MAC address = your firewall and Destination IP address =
> your DMZ server). The whole point of Proxy ARP is to make your firewall
> answer the ARP request for the DMZ server so that traffic for the DMZ
> server *WILL* be sent to the firewall's MAC.
> -------------(it's working now woohoo :)
> -Tom

Oh, I keep going back to the Shorewall docs thinking I have a routed network, since all traffic is routed through one IP, 66.224.62.97, as for example on my network (see below). I read that yesterday; I did not realize exactly how that worked. Also, I like to know how things work. I always got in trouble as a kid for taking things apart to see how they work! The statement below made me think I had a routed network, since everything comes through a single gateway and my ISP assigned me a /27 network. I know your blood pressure may be going up at this point. But I am one of those that always raised my hand for a good understanding. And you rock, Tom. The cool thing is now I don't have to use bind views, and internal computers can access these DMZ servers now, woohoo.

Thank you,
Mike

Quote from the Shorewall setup guides:

a. Routed - Traffic to any of your addresses will be routed through a single gateway address. This will generally only be done if your ISP has assigned you a complete subnet (/29 or larger). In this case, you will assign the gateway address as the IP address of your firewall/router's external interface.
b. Non-routed - Your ISP will send traffic to each of your addresses directly.
On Tue, 2004-12-07 at 13:33 -0800, Mike Lander wrote:
> And that my ISP assigned me a /27 network. I know your blood pressure may be
> going up at this point.
> But I am one of those that always raised my hand for a good understanding.

So sit down and watch the ARP traffic on your firewall's external interface -- you'll see what I described in my last post.

-Tom
>> As I mentioned in a post yesterday -- IF THE UPSTREAM ROUTER IS SENDING
>> ARP REQUESTS FOR THE DMZ SERVER THEN YOUR SETUP IS *NOT ROUTED*. If it
>> were routed, the upstream router would have no need for the MAC address
>> of the DMZ server since all traffic to that server would be *ROUTED*
>> through the firewall (i.e., traffic to the server would be sent with
>> Destination MAC address = your firewall and Destination IP address =
>> your DMZ server). The whole point of Proxy ARP is to make your firewall
>> answer the ARP request for the DMZ server so that traffic for the DMZ
>> server *WILL* be sent to the firewall's MAC.
>>
>
> Here's a picture:
>
> Assume Firewall's IP address = a.b.c.254
> Assume Server's IP address   = a.b.c.1
>
> ROUTED:
>
> ISP Router                                      Firewall(a.b.c.254)
>
> ARP who-has a.b.c.254--------------------------->
>              <-------------Here is a.b.c.254 (MAC of firewall)
> Packet for a.b.c.1 (DST MAC = Mac of firewall) ->
>
> Proxy ARP:
>
> ISP Router                                      Firewall(a.b.c.254)
>
> ARP who-has a.b.c.1----------------------------->
>              <---------------Here is a.b.c.1 (MAC of firewall)
> Packet for a.b.c.1 (DST MAC = Mac of firewall) ->
>
> So you end up with the same result but the ARP exchange is different.
>
> -Tom

You know, I tried watching this even before you advised it. I have not ever noticed my upstream ISP's router ask for the DMZ's MAC, everything but, though. So I ran an arp dump on eth0, and the log is attached. It arps my whole /27 but not the DMZ. Eth1 has arp requests for 66.224.62.121 and 122, the DMZ's IPs, but not eth0 arps. Is that odd to you or not? It should be, according to below????

> ISP Router                                      Firewall(a.b.c.254)
>
> ARP who-has a.b.c.1----------------------------->
>              <---------------Here is a.b.c.1 (MAC of firewall)
> Packet for a.b.c.1 (DST MAC = Mac of firewall) ->

dmz
On Tue, 2004-12-07 at 14:44 -0800, Mike Lander wrote:
> You know, I tried watching this even before you advised it. I have not ever
> noticed my upstream ISP's router ask for
> the DMZ's MAC, everything but, though. So I ran an arp dump on eth0, and the log is
> attached. It arps my whole /27 but not the DMZ.
> Eth1 has arp requests for 66.224.62.121 and 122, the DMZ's IPs, but not eth0 arps.
> Is that odd to you or not?
> It should be, according to below????

I think that the upstream router is ARPing for those addresses that are NOT in its cache.

-Tom
> On Tue, 2004-12-07 at 14:44 -0800, Mike Lander wrote:
>
>> You know, I tried watching this even before you advised it. I have not ever
>> noticed my upstream ISP's router ask for
>> the DMZ's MAC, everything but, though. So I ran an arp dump on eth0, and the log
>> is
>> attached. It arps my whole /27 but not the DMZ.
>> Eth1 has arp requests for 66.224.62.121 and 122, the DMZ's IPs, but not eth0
>> arps.
>> Is that odd to you or not?
>> It should be, according to below????
>
> I think that the upstream router is ARPing for those addresses that are
> NOT in its cache.
>
> -Tom

That makes perfect sense! Hey, it's working now; that's what matters, and I think I could set this up in my sleep now. Now to set it up on a big network at night is my next step.

Merry Christmas to your family too, Tom,
Mike

Making sure to include your dog------:<)
One more question. If you make the rule

ACCEPT net:66.224.62.100 dmz:66.224.62.121 tcp 3389

that's self explanatory, but

ACCEPT net dmz tcp 22

Will Shorewall allow both (in my case two DMZ servers) to receive ssh packets, or for that matter 3 DMZ servers??

Mike
On Tue, 2004-12-07 at 15:28 -0800, Mike Lander wrote:
> One more question. If you make the rule
>
> ACCEPT net:66.224.62.100 dmz:66.224.62.121 tcp 3389
>
> that's self explanatory, but
>
> ACCEPT net dmz tcp 22
>
> Will Shorewall allow both (in my case two DMZ servers) to receive ssh
> packets, or
> for that matter 3 DMZ servers??
>

Yes. Just like:

ACCEPT loc net tcp 22

allows you to connect to any host on the internet. There's no difference as far as Shorewall is concerned.

-Tom
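The zone-versus-host distinction in the question and answer above can be made concrete with a small rule evaluator. The script below is an added example written for this thread, not Shorewall's code: it models only the first five columns of a Shorewall rule (ACTION SOURCE DEST PROTO DEST PORT), where SOURCE and DEST are either a bare zone or zone:host, and evaluates the three rules from the exchange against constructed packets. The zone membership table, the 192.168.1.0/24 "loc" network, the 198.51.100.7 outside address and the DROP default policy are all assumptions made for the example; only the two DMZ addresses and 66.224.62.100 come from the thread.

```python
"""Toy matcher for Shorewall-style ACCEPT rules (added example, not Shorewall code).
Shows why "ACCEPT net dmz tcp 22" reaches every dmz host while
"ACCEPT net:66.224.62.100 dmz:66.224.62.121 tcp 3389" reaches exactly one."""
from ipaddress import ip_address, ip_network

# Constructed zone map (assumption): dmz holds the thread's two servers, loc is a
# made-up RFC 1918 LAN, and anything else is treated as net.
ZONE_NETS = {
    "dmz": [ip_network("66.224.62.121/32"), ip_network("66.224.62.122/32")],
    "loc": [ip_network("192.168.1.0/24")],
}
DEFAULT_POLICY = "DROP"  # assumed policy for traffic that no rule matches


def zone_of(ip):
    """Map an address to its zone with the constructed table; net is the catch-all."""
    addr = ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "net"


def parse_rule(line):
    """Parse 'ACTION SOURCE DEST PROTO DPORT'; SOURCE/DEST may be zone or zone:host."""
    action, src, dst, proto, dport = line.split()[:5]

    def endpoint(field):
        zone, _, host = field.partition(":")
        # A bare zone matches every host in that zone; zone:host narrows it.
        return zone, (ip_network(host, strict=False) if host else None)

    return {"action": action, "src": endpoint(src), "dst": endpoint(dst),
            "proto": proto.lower(), "dport": int(dport)}


def endpoint_matches(endpoint, ip):
    """True when ip lies in the endpoint's zone and, if given, its host/network."""
    zone, net = endpoint
    if zone_of(ip) != zone:
        return False
    return net is None or ip_address(ip) in net


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return the action of the first matching rule, else the default policy."""
    for rule in rules:
        if (rule["proto"] == proto.lower() and rule["dport"] == dport
                and endpoint_matches(rule["src"], src_ip)
                and endpoint_matches(rule["dst"], dst_ip)):
            return rule["action"]
    return DEFAULT_POLICY


# The rules from the thread, plus Tom's loc->net comparison.
RULES = [parse_rule(r) for r in (
    "ACCEPT net:66.224.62.100 dmz:66.224.62.121 tcp 3389",
    "ACCEPT net dmz tcp 22",
    "ACCEPT loc net tcp 22",
)]

if __name__ == "__main__":
    # Constructed packets: the outside host 198.51.100.7 and LAN host 192.168.1.5
    # are made up for the example.
    for pkt in (("66.224.62.100", "66.224.62.121", "tcp", 3389),
                ("198.51.100.7", "66.224.62.121", "tcp", 3389),
                ("198.51.100.7", "66.224.62.121", "tcp", 22),
                ("198.51.100.7", "66.224.62.122", "tcp", 22),
                ("192.168.1.5", "198.51.100.7", "tcp", 22)):
        print(pkt, "->", evaluate(RULES, *pkt))
```

Both DMZ servers accept port 22 from any net address because the second rule's endpoints are whole zones; the first rule's zone:host qualifiers confine port 3389 to the single source and destination named. A third DMZ server would match the port 22 rule as soon as it is a member of the dmz zone.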
>
>> On Tue, 2004-12-07 at 14:44 -0800, Mike Lander wrote:
>>
>>> You know, I tried watching this even before you advised it. I have not ever
>>> noticed my upstream ISP's router ask for
>>> the DMZ's MAC, everything but, though. So I ran an arp dump on eth0, and the
>>> log
>> I think that the upstream router is ARPing for those addresses that are
>> NOT in its cache.
>>
>> -Tom

If this post ever helps anyone else: after the cache was cleared, I did notice arps for the DMZ's MAC on the firewall's interface.

Mike
On Tue, 2004-12-07 at 17:15 -0800, Mike Lander wrote:
>
>
> If this post ever helps anyone else: after the cache was cleared, I did notice
> arps
> for the DMZ's MAC on the firewall's interface.

So, although you have a /27 it is not routed -- your ISP's router is trying to send directly to all 30 hosts.

-Tom
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, December 07, 2004 5:18 PM
Subject: Re: [Shorewall-users] Dmz

> On Tue, 2004-12-07 at 17:15 -0800, Mike Lander wrote:
>
>>
>>
>> If this post ever helps anyone else: after the cache was cleared, I did
>> notice
>> arps
>> for the DMZ's MAC on the firewall's interface.
>
> So, although you have a /27 it is not routed -- your ISP's router is
> trying to send directly to all 30 hosts.
>
> -Tom

Yes, I must have been hypnotized by the docs, or could not see the forest for the trees. But everything is clear now.

Thanks,
Mike
In my practice DMZ I have two interfaces, eth0 and eth1: net and dmz.

If I were to add one more interface for a local network, would I need the proxyarp option on that local interface as well, in /etc/shorewall/interfaces? Because it will be on an RFC 1918 network, I am thinking it does not need arp, that it will be routed. Is that correct or not?

Mike
On Tue, 2004-12-07 at 17:57 -0800, Mike Lander wrote:
> In my practice DMZ I have two interfaces, eth0 and eth1:
> net and dmz.
>
> If I were to add one more interface for a local network,
> would I need the proxyarp option on that local
> interface as well, in /etc/shorewall/interfaces?
> Because it will be on an RFC 1918 network
> I am thinking it does not need arp, that it will
> be routed. Is that correct or not?

That is correct.

-Tom
Btw, I waited, since it's late, to try a real DMZ move. I moved a mail server (this one in fact) and it would not work until I cleared the cache on the ISP's router. Now it's working! So your docs and advice are right on the money, Tom. So if this e-mail makes it to the list, it's worked.

Thanks,
Mike
Mike Lander wrote:
> Btw,
> I waited, since it's late, to try a real DMZ move.
> I moved a mail server (this one in fact) and it would not work until I
> cleared the cache
> on the ISP's router. Now it's working! So your docs and advice are
> right on the money, Tom.

Money? Did you say money?

FWIW, Tom doesn't get paid for this, and in this Holiday Season may I respectfully point out this URL on his site:

http://www.shorewall.net/shorewall_index.htm#Donations

> So if this e-mail makes it to the list, it's worked.

-- 
"A common mistake that people make when trying to design something completely foolproof was to underestimate the ingenuity of complete fools."
--Ford Prefect in "Mostly Harmless".