With an FTP server in dmz, using Proxy ARP to appear as a public IP, would the (broad form) rules file entry be:

    ACCEPT net dmz tcp ftp - <public FTP IP>

...or should this be different, or is a more specific form required?

Similarly, to reach the FTP server from loc, would I also need:

    ACCEPT loc dmz tcp ftp - <public FTP IP>

Thanks.

Ron
On Thu, 1 Aug 2002, Ron Shannon wrote:

> With an FTP server in dmz, using Proxy ARP to appear as a public IP, would
> the (broad form) rules file entry be:
>
>     ACCEPT net dmz tcp ftp - <public FTP IP>
>
> ...or should this be different, or is a more specific form required?
>
> Similarly, to reach the FTP server from loc, would I also need:
>
>     ACCEPT loc dmz tcp ftp - <public FTP IP>

    ACCEPT loc dmz:<public FTP IP> tcp ftp

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> On Thu, 1 Aug 2002, Ron Shannon wrote:
>
> > With an FTP server in dmz, using Proxy ARP to appear as a public IP, would
> > the (broad form) rules file entry be:
> >
> >     ACCEPT net dmz tcp ftp - <public FTP IP>
> >
> > ...or should this be different, or is a more specific form required?
> >
> > Similarly, to reach the FTP server from loc, would I also need:
> >
> >     ACCEPT loc dmz tcp ftp - <public FTP IP>
>
>     ACCEPT loc dmz:<public FTP IP> tcp ftp

Is this because using the interface designation alone (dmz) for the DEST would imply only the dmz's private IP network address and not adequately reference the ARP'ed server? Presumably, I would also need the colon (:) form for the first rule (net --> dmz:pub IP ....) as well...?
On Thu, 1 Aug 2002, Ron Shannon wrote:

> > -----Original Message-----
> > On Thu, 1 Aug 2002, Ron Shannon wrote:
> >
> > > With an FTP server in dmz, using Proxy ARP to appear as a public IP, would
> > > the (broad form) rules file entry be:
> > >
> > >     ACCEPT net dmz tcp ftp - <public FTP IP>
> > >
> > > ...or should this be different, or is a more specific form required?
> > >
> > > Similarly, to reach the FTP server from loc, would I also need:
> > >
> > >     ACCEPT loc dmz tcp ftp - <public FTP IP>
> >
> >     ACCEPT loc dmz:<public FTP IP> tcp ftp
>
> Is this because using the interface designation alone (dmz) for the DEST
> would imply only the dmz's private IP network address and not adequately
> reference the ARP'ed server?

What private IP network address? If you are using Proxy ARP, you are dealing with ONLY PUBLIC ADDRESSES.

> Presumably, I would also need the colon (:)
> form for the first rule (net --> dmz:pub IP ....) as well...?

There is only one form of rule for when you are doing proxy ARP and it is the rule that I gave you.

-Tom
> > Is this because using the interface designation alone (dmz)
> > for the DEST would imply only the dmz's private IP network address and
> > not adequately reference the ARP'ed server?
>
> What private IP network address? If you are using Proxy ARP, you are
> dealing with ONLY PUBLIC ADDRESSES.
>
> > Presumably, I would also need the colon (:)
> > form for the first rule (net --> dmz:pub IP ....) as well...?
>
> There is only one form of rule for when you are doing proxy
> ARP and it is the rule that I gave you.
>
> -Tom

I was just referring to the 192.168.2.1 address on your DMZ interface which, I do understand, is irrelevant to the Proxy ARP scheme.

Your rules file doesn't seem to show rules with the DEST:<address> form you gave me for any net-->dmz or loc-->dmz traffic intended for the server. That's what confused me.

Ron
On Thu, 1 Aug 2002, Ron Shannon wrote:

> > > Is this because using the interface designation alone (dmz)
> > > for the DEST would imply only the dmz's private IP network address and
> > > not adequately reference the ARP'ed server?
> >
> > What private IP network address? If you are using Proxy ARP, you are
> > dealing with ONLY PUBLIC ADDRESSES.
> >
> > > Presumably, I would also need the colon (:)
> > > form for the first rule (net --> dmz:pub IP ....) as well...?
> >
> > There is only one form of rule for when you are doing proxy
> > ARP and it is the rule that I gave you.
> >
> > -Tom
>
> I was just referring to the 192.168.2.1 address on your DMZ interface which, I do understand, is irrelevant to the Proxy ARP scheme.
>
> Your rules file doesn't seem to show rules with the DEST:<address> form
> you gave me for any net-->dmz or loc-->dmz traffic intended for the
> server. That's what confused me.

That's because my DMZ only has one system -- if I had two, I'd probably include those specifications.

-Tom
On Thu, 1 Aug 2002, Tom Eastep wrote:

> That's because my DMZ only has one system -- if I had two, I'd probably
> include those specifications.

Again, please refer to the new Setup Guide....

-Tom
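As an added illustration (not from the original thread and not the Shorewall project's own documentation), here is how the two rules Tom gives look in a Shorewall 1.3-era rules file, next to the proxyarp entry that makes the firewall answer ARP for the DMZ host's public address. The addresses and interface names are assumptions: 192.0.2.10 is the FTP server's public address, eth0 the Internet interface and eth2 the DMZ interface; the net, loc and dmz zones are assumed to be defined already in the zones and interfaces files. The last column of the poster's original form is ORIGINAL DEST, which is only meaningful for DNAT and REDIRECT rules; Proxy ARP does no NAT, so the server is selected in the DEST column as dmz:<address> instead.

```conf
# /etc/shorewall/proxyarp   (assumed addresses and interface names)
# HAVEROUTE=No tells Shorewall to add the host route for 192.0.2.10 via eth2 itself
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
192.0.2.10      eth2        eth0        No

# /etc/shorewall/rules
#ACTION  SOURCE   DEST             PROTO   DEST PORT(S)   SOURCE PORT(S)   ORIGINAL DEST
# FTP control channel from the Internet to the Proxy ARP'd server (public address, no NAT)
ACCEPT   net      dmz:192.0.2.10   tcp     21
# The same server reached from the local network
ACCEPT   loc      dmz:192.0.2.10   tcp     21
```

Port 21 is written as a number rather than the service name ftp only so the rule does not depend on /etc/services; either form works. FTP data connections (active and passive) are tracked by the kernel's ip_conntrack_ftp helper, which Shorewall releases of that era loaded through /etc/shorewall/modules, so no extra rule for port 20 or for passive port ranges is needed. After shorewall restart, iptables -L net2dmz -n should list the ACCEPT for 192.0.2.10 tcp dpt:21; if the server is not reachable from the Internet, check that the upstream router's ARP cache now maps 192.0.2.10 to the firewall's eth0 MAC address.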
Hi Everyone:

I went to install Shorewall on a network today and found the network had two segments on it (10.1.2.x and 10.1.1.x) with the firewall at 10.1.1.1. The Shorewall box has two NICs (one public and the 10.1.1.1 private). Shorewall will be replacing a WinProxy/NT4 box that keeps blue screening once a day.

Is there anything special that needs to be done in the Shorewall configuration to accept both IP ranges/segments to browse out to the Internet?

Any advice on the setup would be greatly appreciated.

Thanks,

Michael Bush
Digital Minds International
E-Mail: MikeB@DigitalMinds.net
Web: http://www.DigitalMinds.net
Tel: (615) 661-7900
Fax: (615) 661-7949