On Tue, 13 May 2003 12:43:54 -0700, jon yeargers <jony@lupinesystems.net>
wrote:
> Am wondering about the following entry in the "documentation index":
>
> Example 6. You wish to allow access to the SMTP server in your DMZ from
> all zones.
>
> Note: When 'all' is used as a source or destination, intra-zone traffic
> is not affected. In this example, if there were two DMZ interfaces then
> the above rule would NOT enable SMTP traffic between hosts on these
> interfaces.
>
> 1) is 'all' a default definition? Does this apply to the references to
> 'www' and 'ssh' in the manual? Or do these have to be created in the
> 'params' file?
From the DOCUMENTATION above the examples:

SOURCE - Describes the source hosts to which the rule applies.
The contents of this field must begin with the name of a zone
defined in /etc/shorewall/zones, $FW or "all".
"all" is a reserved word that means all zones.
> 2) this says 'allow access to the SMTP server in your DMZ from all
> zones' and then it says "When 'all' is used as a source or destination,
> intra-zone traffic is not affected". So does it allow access between
> zones or not?
"Intra-zone" means "within a zone" as opposed to "inter-zone" which means
between zones. The part of the above example that you omitted is intended
to clarify what is meant. Beginning with Shorewall 1.4.2, intra-zone
traffic is allowed by default (you have to add a policy or rule to prevent
it) so the restriction of "all" that you quote is now largely irrelevant.
>
> 3) I'm running a tomcat process on server 192.168.1.202 (using the std
> tomcat port 8080). In my 'rules' file I have the following entry:
>
> DNAT net loc:192.168.1.202:8080 tcp 635
>
> Is this correct? Doesn't seem to be the proper way to do this as I don't
> seem to connect from the 'net' zone. (see also #4 below)
It is a correct rule but since you haven't told us what the rule is trying
to accomplish, it is difficult to say whether it is "correct" or not.
Assuming that you have retained the default setting in shorewall.conf of
DETECT_DNAT_ADDRS=Yes then the rule as you have coded it says:

"Incoming traffic destined to TCP port 635 from the net zone addressed to
the first IP address defined for the interfaces to that zone will be
forwarded to the loc zone, IP address 192.168.1.202 and port 8080".

If you are having problems with this rule, FAQs 1a and 1b provide guidance
in troubleshooting port forwarding problems.
> 4) I can't seem to connect to my corp web server from the 'loc' zone.
> I.e. if I try to browse to 'http://lupinesystems.net' from my desktop
> (which is a server running in the 'loc' zone) I get a 404. It appears to
> work ok from the 'net' zone though. What rule am I missing?
If you have used the default policy of ACCEPT for loc->net then this isn't
a rule problem -- most likely your local system's default gateway is
misdefined or you have a DNS problem.

Remember -- NOT ALL CONNECTION PROBLEMS ARE SHOREWALL CONFIGURATION
PROBLEMS!!!
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
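The two points in the reply above (that 'all' in the SOURCE or DEST column expands to every zone but never to a same-zone pair, and how the DNAT line `DNAT net loc:192.168.1.202:8080 tcp 635` is to be read) can be modelled with a small interpreter for rules-file lines. The code below is an added example written for this page; it is not Shorewall's own parser or any part of the project. The zone list `ZONES` is constructed (a real firewall reads /etc/shorewall/zones), the firewall zone $FW is omitted for brevity, policies are not modelled, the `ACCEPT all dmz tcp 25` line is a constructed reconstruction of "Example 6" (the original post does not show the rule itself), and only IPv4 `zone:addr:port` DEST fields are handled.

```python
"""Toy interpreter for a few Shorewall 'rules' file lines (added example,
not Shorewall code).  Columns used: ACTION SOURCE DEST PROTO DEST-PORT."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zone list for the example.  A real Shorewall reads these from
# /etc/shorewall/zones; the firewall zone ($FW) is left out for brevity.
ZONES = ["net", "loc", "dmz"]


@dataclass(frozen=True)
class Rule:
    action: str
    source: str                      # zone name or "all"
    dest_zone: str                   # zone name or "all"
    proto: str
    dport: str
    dnat_addr: Optional[str] = None  # DNAT only: translated destination address
    dnat_port: Optional[str] = None  # DNAT only: translated destination port


def split_dest(dest: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'zone[:addr[:port]]'.  IPv4 only: an IPv6 literal carries its
    own colons and is deliberately not handled by this toy."""
    parts = dest.split(":")
    if len(parts) > 3:
        raise ValueError(f"unsupported DEST field: {dest!r}")
    zone = parts[0]
    addr = parts[1] if len(parts) > 1 else None
    port = parts[2] if len(parts) > 2 else None
    return zone, addr, port


def parse_rule(line: str) -> Rule:
    """Parse one ACTION SOURCE DEST PROTO DEST-PORT line of the rules file."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"need ACTION SOURCE DEST PROTO DPORT: {line!r}")
    action, source, dest, proto, dport = fields[:5]
    zone, addr, port = split_dest(dest)
    if action != "DNAT" and (addr or port):
        # Only the DNAT form with a translated addr:port is modelled here.
        raise ValueError(f"addr:port suffix only modelled for DNAT: {line!r}")
    return Rule(action, source, zone, proto, dport, addr, port)


def expand_pairs(rule: Rule, zones: List[str]) -> List[Tuple[str, str]]:
    """Zone pairs the rule applies to.  'all' stands for every zone, but a
    pair with identical source and destination (intra-zone traffic) is never
    produced: that is the restriction the documentation note describes."""
    sources = zones if rule.source == "all" else [rule.source]
    dests = zones if rule.dest_zone == "all" else [rule.dest_zone]
    return [(s, d) for s in sources for d in dests if s != d]


def describe(rule: Rule) -> str:
    """Plain-English reading of a rule, in the spirit of the reply above."""
    if rule.action == "DNAT":
        return (f"{rule.proto}/{rule.dport} arriving from zone '{rule.source}' "
                f"is forwarded into zone '{rule.dest_zone}' to "
                f"{rule.dnat_addr}:{rule.dnat_port or rule.dport}")
    return (f"{rule.action} {rule.proto}/{rule.dport} from '{rule.source}' "
            f"to '{rule.dest_zone}'")


def is_allowed(rules: List[Rule], src: str, dst: str, proto: str, port: str) -> bool:
    """True if some ACCEPT rule covers (src zone, dst zone, proto, port) after
    'all' expansion.  Policies are not modelled, so an intra-zone query falls
    through to False here even though Shorewall 1.4.2 and later allow
    intra-zone traffic by default via policy."""
    for r in rules:
        if r.action != "ACCEPT" or r.proto != proto or r.dport != port:
            continue
        if (src, dst) in expand_pairs(r, ZONES):
            return True
    return False


if __name__ == "__main__":
    # Constructed rules: a reconstruction of "Example 6" and the DNAT line
    # from the question.
    smtp = parse_rule("ACCEPT all dmz tcp 25")
    dnat = parse_rule("DNAT net loc:192.168.1.202:8080 tcp 635")
    print(expand_pairs(smtp, ZONES))          # (net,dmz) and (loc,dmz); no (dmz,dmz)
    print(describe(dnat))
    print(is_allowed([smtp], "loc", "dmz", "tcp", "25"),
          is_allowed([smtp], "dmz", "dmz", "tcp", "25"))
```

Running the module shows the asymmetry the thread is about: the 'all' rule yields the net->dmz and loc->dmz pairs but no dmz->dmz pair, so whether two hosts inside the DMZ zone can talk is decided by policy, not by this rule. The DNAT line is rendered as traffic to tcp/635 from 'net' being forwarded to 192.168.1.202:8080 in 'loc', which matches the reading given in the reply.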