Ian Hunter
2002-Oct-16 15:05 UTC
[Shorewall-users] can't use external domain name from internal network
I'm trying to allow internal hosts (one internal subnet, no DMZ) to access web services on one internal host by referring to the external interface's real domain name. I know I ought to do this with Bind9 views; I'm trying to do one thing at a time (firewall, update bind9, etc. etc. in that order) and this way is supposed to work... :( Internal access by internal IP address works fine and external access via domain name works fine, and using tcpdump I can see the request for the external address get natted to the internal address, but it looks like the webserver is arping for the address of the requesting box instead of replying to the address it's supposed to.

specifics:

internal subnet is 192.168.1.16/28: .17 is the firewall/router, .18 is the www server (also dns & ssh)
eth1/ppp0 is the external interface, eth0 is the internal interface

(from interfaces)
#ZONE    INTERFACE    BROADCAST       OPTIONS
net      ppp0         -               noping,logunclean,blacklist
loc      eth0         192.168.1.31    multi

(from rules)
DNAT    net    loc:192.168.1.18       tcp    22
DNAT    net    loc:192.168.1.18       tcp    80
DNAT    net    loc:192.168.1.18       tcp    53
DNAT    net    loc:192.168.1.18       udp    53
ACCEPT  net    fw                     tcp    25
DNAT    loc    loc:192.168.1.18:80    tcp    80    -    66.149.18.173

(for now, sendmail is running on .17 until I move it to .18)

(from policy)
#SOURCE    DEST    POLICY    LOG LEVEL    LIMIT:BURST
fw         net     ACCEPT
fw         loc     ACCEPT
loc        net     ACCEPT
loc        fw      ACCEPT
net        all     DROP      info
all        all     REJECT    info

(yeah, yeah, I know the last line is redundant but I figure it doesn't hurt to leave it in there)

(from masq)
#INTERFACE    SUBNET    ADDRESS
ppp0          eth0

(from shorewall.conf)
FW=fw
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
ALLOWRELATED=yes
MODULESDIR=
LOGRATE=10/minute
LOGBURST=5
LOGUNCLEAN=info
LOGFILE=/var/log/messages
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=No
BLACKLIST_DISPOSITION=DROP
BLACKLIST_LOGLEVEL=
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
MULTIPORT=No
DETECT_DNAT_IPADDRS=Yes
MERGE_HOSTS=Yes
MUTEX_TIMEOUT=60
LOGNEWNOTSYN=
FORWARDPING=No
NEWNOTSYN=No

Help?
Ian Hunter
2002-Oct-16 15:39 UTC
[Shorewall-users] can't use external domain name from internal network
never mind, I was missing the :192.168.1.17 at the end of the source address in rules.

----- Original Message -----
From: "Ian Hunter" <ihunter@ix.netcom.com>
To: <shorewall-users@shorewall.net>
Sent: Wednesday, October 16, 2002 11:05 AM
Subject: [Shorewall-users] can't use external domain name from internal network

> I'm trying to allow internal hosts (one internal subnet, no DMZ) to access
> web services on one internal host by referring to the external interface's
> real domain name. I know I ought to do this with Bind9 views, I'm trying to
> do one thing at a time (firewall, update bind9, etc. etc. in that order) and
> this way is supposed to work... :(
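Added example, not part of the thread: a small simulation of why the loc-to-loc DNAT rule needs the second address after 66.149.18.173 in Shorewall's ORIGINAL DEST column (66.149.18.173:192.168.1.17, which makes the firewall also rewrite the source of the forwarded packet to its own internal address). Without that SNAT the web server sees the client's own LAN address, ARPs for it and answers directly, so the reply never passes back through the firewall's NAT and the client sees it arrive from 192.168.1.18 instead of from the public address it connected to. The firewall and server addresses come from the posts; the client address 192.168.1.20, the ephemeral port 40000 and the one-entry conntrack model are constructed for the example.

```python
"""Hairpin (loopback) NAT on the thread's topology, simulated.

Added example, not the original poster's code.  FW_INT, FW_EXT and WWW are
taken from the posts; CLIENT and CLIENT_PORT are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.16/28")
FW_INT = "192.168.1.17"      # firewall, internal side (eth0)
FW_EXT = "66.149.18.173"     # firewall, external side (ppp0)
WWW = "192.168.1.18"         # internal web server
CLIENT = "192.168.1.20"      # internal client (constructed address)
CLIENT_PORT = 40000          # constructed ephemeral port


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> Packet:
        """What a host sends back to whoever this packet claims came from."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def firewall_nat(pkt: Packet, hairpin_snat: bool) -> tuple[Packet, dict]:
    """Forward-path NAT for the 'DNAT loc loc:192.168.1.18:80 tcp 80' rule.

    Returns the translated packet plus a conntrack-style entry mapping the
    server's reply (to the translated flow) back to the reply the client
    expects.  hairpin_snat models the extra ':192.168.1.17' in ORIGINAL DEST:
    the firewall rewrites the source to its own LAN address as well.
    A real firewall may also pick a new source port; that is omitted here.
    """
    if not (pkt.dst == FW_EXT and pkt.dport == 80):
        return pkt, {}
    new_src = FW_INT if hairpin_snat else pkt.src
    translated = Packet(new_src, pkt.sport, WWW, 80)
    return translated, {translated.reply(): pkt.reply()}


def deliver_reply(reply: Packet) -> str:
    """Who receives the server's reply.

    The server ARPs for on-link destinations and sends to them directly;
    off-link traffic goes to its default gateway, the firewall.  Anything
    addressed to the firewall's own LAN address reaches the firewall too.
    """
    if reply.dst == FW_INT or ipaddress.ip_address(reply.dst) not in LAN:
        return "firewall"
    return "direct"


def simulate(hairpin_snat: bool) -> dict:
    """Run one SYN/SYN-ACK exchange through the LAN and report the outcome."""
    syn = Packet(CLIENT, CLIENT_PORT, FW_EXT, 80)   # client uses the public name
    forwarded, conntrack = firewall_nat(syn, hairpin_snat)
    server_reply = forwarded.reply()                # server answers whom it saw
    via = deliver_reply(server_reply)
    if via == "firewall":
        seen_by_client = conntrack[server_reply]    # firewall de-NATs the reply
    else:
        seen_by_client = server_reply               # reply bypassed the firewall
    return {
        "server_saw_src": forwarded.src,
        "reply_via": via,
        "client_sees": seen_by_client,
        # the client only matches a reply from the 4-tuple it opened
        "accepted": seen_by_client == syn.reply(),
    }


if __name__ == "__main__":
    for snat in (False, True):
        print("hairpin SNAT" if snat else "DNAT only   ", simulate(snat))
```

Running the block prints one line per case: with DNAT only the reply comes "direct" from 192.168.1.18:80 and is not accepted; with the hairpin SNAT the server sees 192.168.1.17 as the source, the reply goes via the firewall, and the client receives it from 66.149.18.173:80 as expected.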