Gerard Hickey
2003-Sep-16 05:24 UTC
[Shorewall-users] Routing between the DMZ and LOC zones
I have read through all the documentation I could find and searched the mail archives for an answer to my situation. Any help or suggestions would be appreciated. I am looking to set up a 3 interface firewall very similar to the setup that Tom describes in the documentation. Everything is pretty straightforward except for routing between the DMZ and LOC zones. I will have NFS and NIS servers in the LOC zone and those services need to be accessible from the DMZ zone. In previous testing that I have done, it seemed that any connection from the LOC zone would go through NAT when making a connection into the DMZ zone. I do want to use NAT when the LOC zone attempts to make connections to the NET zone. Any thoughts would be appreciated. Or if I have overlooked something in the documentation, pointers to the docs would also be appreciated. Thanks.

--
Gerard Hickey <hickey@kernelrom.com>
----- Original Message -----
From: "Gerard Hickey" <hickey@mail.kernelrom.com>
Sent: Tuesday, September 16, 2003 2:24 PM

> I am looking to set up a 3 interface firewall very similar to the setup
> that Tom describes in the documentation. Everything is pretty
> straightforward except for routing between the DMZ and LOC zones. I will
> have NFS and NIS servers in the LOC zone and those services need to be
> accessible from the DMZ zone. In previous testing that I have done, it
> seemed that any connection from the LOC zone would go through NAT when
> making a connection into the DMZ zone. I do want to use NAT when the LOC
> zone attempts to make connections to the NET zone.

This shouldn't be the case. You're usually natting the LAN interface, call it eth0 here, only through the outgoing interface, call it eth1 here. I.e. everything from eth0 to eth2 (being the DMZ interface here) should not get natted and therefore you shouldn't have an entry for eth2 in 'masq', but some rules to allow traffic in 'rules'. Hopefully I haven't got it wrong.

Regards,
Robert Kehl
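The layout Robert describes, written out as an added example (not code from the thread or from the Shorewall project): a script that generates a minimal three-interface configuration in the 1.4-era column format and then checks for the two mistakes that would produce Gerard's symptom. Everything concrete here is an assumption for illustration: eth0 as the LOC interface on 192.168.1.0/24, eth1 as the NET interface, eth2 as the DMZ interface on 192.168.2.0/24, one DMZ host (192.168.2.10) reaching one LOC server (192.168.1.5), and an output directory of ./shorewall-example rather than /etc/shorewall. The masq file lists only the NET interface, so LOC to DMZ traffic keeps its real source address; the DMZ to LOC holes are opened host-to-host in rules, not by policy, and only for the well-known portmapper and NFS ports, since mountd, lockd and the NIS daemons use dynamic ports unless pinned on the server.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Assumed interface mapping: eth0 = loc, eth1 = net, eth2 = dmz.
# Assumed addresses: loc 192.168.1.0/24, dmz 192.168.2.0/24.
# Writes into a scratch directory so it can be inspected without touching /etc.

OUT="${1:-./shorewall-example}"

write_config() {
    mkdir -p "$OUT"

    cat > "$OUT/zones" <<'EOF'
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local network
dmz     DMZ       Demilitarized zone
EOF

    cat > "$OUT/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect
loc     eth0        detect
dmz     eth2        detect
EOF

    # Policy opens loc -> net and loc -> dmz wholesale; dmz -> loc is left at
    # the catch-all REJECT so that only explicit rules let DMZ hosts inward.
    cat > "$OUT/policy" <<'EOF'
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
loc      dmz    ACCEPT
net      all    DROP     info
all      all    REJECT   info
EOF

    # Masquerade only what leaves through the NET interface (eth1) from the
    # LOC interface (eth0). There is deliberately no eth2 line: traffic from
    # eth0 to eth2 must not be natted.
    cat > "$OUT/masq" <<'EOF'
#INTERFACE   SUBNET   ADDRESS
eth1         eth0
EOF

    # Narrow dmz -> loc holes: one DMZ host, one LOC server, named ports only.
    # 111 (portmapper) and 2049 (NFS) are well known; mountd, lockd and the
    # NIS daemons pick dynamic ports unless pinned, so they are not guessed here.
    cat > "$OUT/rules" <<'EOF'
#ACTION  SOURCE              DEST                PROTO   DEST PORT(S)
ACCEPT   dmz:192.168.2.10    loc:192.168.1.5     tcp     111
ACCEPT   dmz:192.168.2.10    loc:192.168.1.5     udp     111
ACCEPT   dmz:192.168.2.10    loc:192.168.1.5     tcp     2049
ACCEPT   dmz:192.168.2.10    loc:192.168.1.5     udp     2049
EOF
}

# Check 1: the DMZ interface must not appear in the INTERFACE column of masq,
# otherwise loc -> dmz connections arrive with the firewall's address.
masq_excludes_dmz() {
    dmz_if=$(awk '$1 == "dmz" { print $2 }' "$OUT/interfaces")
    ! grep -v '^#' "$OUT/masq" | awk 'NF { print $1 }' | grep -qx "$dmz_if"
}

# Check 2: nothing in policy should blanket-ACCEPT dmz -> loc; those holes
# belong in rules where they can be scoped to hosts and ports.
policy_has_no_dmz_loc_accept() {
    ! grep -v '^#' "$OUT/policy" \
        | awk '$1 == "dmz" && $2 == "loc" && $3 == "ACCEPT"' \
        | grep -q .
}

write_config
masq_excludes_dmz && policy_has_no_dmz_loc_accept \
    && echo "config in $OUT: no NAT toward the DMZ, dmz->loc limited to rules"
```

Run it with no arguments to generate the files under ./shorewall-example, or pass a directory as the first argument. Adding a line such as `eth2 eth0` to the generated masq file reproduces the behaviour Gerard saw, and the first check then fails.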