Can you telnet from the lan zone to the dmz box? Are you positive
telnetd is running on the box? Does 'wan' mean you may be running
FreeS/WAN? I read in a FAQ somewhere that proxyarp and FreeS/WAN are not
entirely compatible - or more to the point - FreeS/WAN must be started
after the firewall is up. Anything sound reasonable? Have you tried
eliminating the IP specs in your rules, allowing wan to dmz and dmz to
wan without restriction while testing?
just some thoughts...
-C
On Tue, 2003-01-07 at 00:32, Trifon Anguelov wrote:
> Can someone help me with this problem:
>
> My host on the DMZ is inaccessible from the WAN on port 25. I tried to
> telnet but getting:
>
> $ telnet 66.58.99.84 25
> Trying 66.58.99.84...
> telnet: Unable to connect to remote host: No route to host
>
> My shorewall/proxyarp is:
>
> #address interface external haveroute
> 66.58.99.82 eth1 eth0 No
> 66.58.99.84 eth1 eth0 No
>
> And the routing is:
>
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 66.58.99.84     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 66.58.99.82     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
> 66.58.99.80     0.0.0.0         255.255.255.248 U     0      0        0 eth0
> 10.10.100.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 10.10.200.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         66.58.99.81     0.0.0.0         UG    0      0        0 eth0
>
> 66.58.99.81 is my ISP router. My ISP doesn't filter any traffic.
>
> Also my rules permit WAN/DMZ traffic:
>
> ACCEPT wan dmz:66.58.99.84 tcp 25 -
> ACCEPT dmz:66.58.99.84 wan tcp 25 -
>
> Policies are:
>
> #client server policy log_level
> lan lan ACCEPT info
> lan wan ACCEPT info
> fw lan ACCEPT info
> lan fw REJECT info
> wan wan ACCEPT info
> wan all DROP info
> all all REJECT info
>
>
> Thank you for your help in advance.
>
> Trifon Anguelov
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users