--On Thursday, January 02, 2003 3:12 PM -0300 Yaron Zarfati
<yaron@ort.edu.ar> wrote:
> Hi, in a three interface firewall I have
> eth0, loc, 10.1.5.1/16
> eth1, int, 200.41.61.228/29
> eth2, dmz, 192.168.1.1/24
>
> (un)fortunately I got a group of public IPs to use, so here is my problem
> in the dmz I have 192.168.1.3 redirected from eth1 alias 200.41.61.226 (a
> web server, works perfect).
> I am trying to set up a mail server also, a different machine, so I can't
> use proxyarp, as with this, I can only accept or reject, not redirect.
What in the world are you talking about?
> the mail server internet address is 200.41.61.227, so when I put in the
> dmz, with address 192.168.1.2 I add an alias to eth1 in the firewall,
> and redirect all internet traffic to the server in the dmz, that works
> ok for incoming traffic.
> Only one little problem... mail never goes out, in fact I can't browse
> web pages also...
From where?
> I set an accept policy from dmz to net, when I make a
> nslookup in the mail server in the dmz, it resolves ok, but sendmail
> fails all the time giving "host name lookup failure". I have a cache dns
> in the firewall to use it when the mail server is in the dmz. I found a
> posting in the list, at
> http://www.shorewall.net/pipermail/shorewall-users/2002-October/003204.html
> about packets going out, but if the source ip is a private one,
> they'll never come back. What am I missing?
Maybe an entry in /etc/shorewall/masq?
> Can I make something like "source nat" or masquerade the mail server?
> I tried
> eth1:200.41.61.227 192.168.1.2/32
> in the masq file, but it's the same thing...
Before you go any further, please read the Shorewall Setup Guide
(http://www.shorewall.net/shorewall_setup_guide.htm) carefully. If I were
you, I would be using Proxy ARP but it sounds like you don't fully
understand how Proxy ARP works yet. I think that the above guide will help.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
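The thread turns on what an /etc/shorewall/masq entry actually does: it becomes an SNAT (or MASQUERADE) rule in the nat POSTROUTING chain, so a DMZ host with a private address leaves the firewall with a public source address and replies can come back. The following script is an added illustration written for this page, not code from Shorewall or from either poster. It assumes the three-column masq format (INTERFACE, SUBNET, optional ADDRESS) and that a ":dest" suffix on the INTERFACE column restricts the entry to packets headed for that destination network; the sample masq lines are constructed for the example. It translates each entry into the iptables command it would correspond to and lets you check whether a given source/destination pair would be rewritten by an entry.

```python
import ipaddress

# Constructed sample /etc/shorewall/masq contents (not the poster's real file).
# Line 1: SNAT the DMZ mail host to one public alias for all destinations.
# Line 2: the same, but the ':dest' suffix limits it to packets going TO 200.41.61.227.
# Line 3: plain masquerading of the whole local LAN behind eth1's own address.
SAMPLE_MASQ = """\
#INTERFACE            SUBNET          ADDRESS
eth1                  192.168.1.2/32  200.41.61.227
eth1:200.41.61.227    192.168.1.2/32  200.41.61.227
eth1                  10.1.0.0/16
"""


def parse_masq(text):
    """Yield one dict per non-comment masq line, validating every address field."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"masq line needs INTERFACE and SUBNET: {raw!r}")
        iface_spec, subnet = fields[0], fields[1]
        address = fields[2] if len(fields) > 2 else None
        # Assumed syntax: "eth1:200.41.61.227" = interface eth1, destination-restricted.
        iface, _, dest = iface_spec.partition(":")
        entry = {
            "interface": iface,
            "subnet": ipaddress.ip_network(subnet, strict=False),
            "dest": ipaddress.ip_network(dest, strict=False) if dest else None,
            "address": ipaddress.ip_address(address) if address else None,
        }
        yield entry


def entry_to_iptables(entry):
    """Render the nat POSTROUTING rule a masq entry corresponds to."""
    parts = ["iptables", "-t", "nat", "-A", "POSTROUTING",
             "-o", entry["interface"], "-s", str(entry["subnet"])]
    if entry["dest"] is not None:
        parts += ["-d", str(entry["dest"])]
    if entry["address"] is not None:
        # A fixed public ADDRESS means source NAT to that address...
        parts += ["-j", "SNAT", "--to-source", str(entry["address"])]
    else:
        # ...while no ADDRESS means masquerade behind the interface's own address.
        parts += ["-j", "MASQUERADE"]
    return " ".join(parts)


def masq_to_iptables(text):
    """Translate a whole masq file into a list of iptables command strings."""
    return [entry_to_iptables(e) for e in parse_masq(text)]


def matches(entry, src, dst):
    """Would a packet from src to dst, leaving via the entry's interface, be rewritten?"""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in entry["subnet"]:
        return False
    return entry["dest"] is None or dst_ip in entry["dest"]


if __name__ == "__main__":
    for rule in masq_to_iptables(SAMPLE_MASQ):
        print(rule)
    entries = list(parse_masq(SAMPLE_MASQ))
    # Mail from the DMZ host to an arbitrary internet MX: which entries apply?
    for i, e in enumerate(entries, 1):
        print(f"entry {i} rewrites 192.168.1.2 -> 1.2.3.4:", matches(e, "192.168.1.2", "1.2.3.4"))
```

Run it as-is to see the generated rules; the unrestricted entry rewrites mail to any destination, whereas the destination-restricted form only fires for packets addressed to that one host. Whether the real fix in the poster's setup is a masq entry or, as Tom suggests, Proxy ARP is a design choice the Setup Guide covers.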