Götz Reinicke
2002-Dec-11 13:40 UTC
[Shorewall-users] some questions concerning proxy arp and dmz
Hi,

recently I edited my shorewall (1.3.11) configuration on a RH 8++ firewall and added a dmz with one test webserver. My questions are:

a) I run one internal private DNS in the local net connected to the loc firewall interface. This DNS resolves all the DNS queries from internal hosts. How can my proxy-ARPed dmz systems use this DNS? Do I have to add a route on e.g. the webserver with the DMZ interface as gateway? Or will queries be routed through the firewall if I add a rule like ACCEPT DMZ:webserver -> loc:DNS (so which system has to know which IPs in which config *-))

b) Can/should I add a policy for net <-> DMZ and loc <-> DMZ in /etc/shorewall/policy (at http://www.shorewall.net/myfiles.htm there are no policies like that, also there are none in the default config file)

c) ... to be continued :-)

Thanks so far!

cu...
...Götz Reinicke - reinicke@linux.de
Tom Eastep
2002-Dec-11 15:10 UTC
[Shorewall-users] some questions concerning proxy arp and dmz
--On Wednesday, December 11, 2002 02:40:32 PM +0100 Götz Reinicke <goetz.reinicke@filmakademie.de> wrote:

> a)
> I run one internal privat DNS in the local net connected to the loc
> firewall interface. This DNS resolves all the DNS querys from internal
> hosts.
>
> How can my proxyarped dmz systems use this DNS? Do I have to add a route
> on e.g. the webserver with the DMZ-Interface as gateway? Or will queries
> be routed through the firewall if I add a rule like ACCEPT DMZ:webserver
> -> loc:DNS

Just add the rule.

>
> b)
> Can/should I add a policy for net <-> DMZ and loc <-> DMZ in
> /etc/shorewall/policy (at http://www.shorewall.net/myfiles.htm there are
> no policys like that, also there are no in the default config file)

There is no need to so long as the default net->all and all->all policies meet your needs. You may want to review the Shorewall Setup Guide (http://shorewall.sf.net/shorewall_setup_guide.htm) -- it has a lot of information about setting up a DMZ with Proxy ARP.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
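The rule and policy layout the two answers above describe, written out as an added example (not taken from the thread or from the Shorewall distribution). Zone names loc/dmz/net follow the Shorewall convention; the addresses 172.16.1.10 (DMZ webserver) and 192.168.1.5 (internal DNS) are constructed placeholders.

```text
# /etc/shorewall/rules  (added example; addresses are constructed)
# Only the DMZ webserver may query the internal resolver, and only on
# port 53. DNS needs both UDP and TCP (TCP for large answers and zone
# transfers), so two rules are required.
#ACTION  SOURCE            DEST                PROTO  DEST PORT(S)
ACCEPT   dmz:172.16.1.10   loc:192.168.1.5     udp    53
ACCEPT   dmz:172.16.1.10   loc:192.168.1.5     tcp    53

# /etc/shorewall/policy  (added example, default-style layout)
# No explicit net<->dmz or loc<->dmz entries are needed: net->all DROP
# already covers net->dmz, and all->all REJECT catches everything else,
# including loc<->dmz traffic that no rule above permits.
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info
```

Because the DMZ hosts are proxy-ARPed, no extra route is needed on the webserver; the firewall forwards the packets as long as a rule accepts them, and the logged REJECTs from the all->all policy show which hosts still lack a matching rule.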