I am using SuSE 8.2, shorewall ver. 1.4.

I have several servers on the inside configured with static IP NAT. Everything works great from outside. I can access these servers no problem. But internal users can't get to these servers using their public IPs. It forced me to run two DNS servers, one for internal users and the other for outside users.

If somebody knows a resolution to this issue, please let me know.
On Tue, 2003-09-30 at 22:17, Alex Levit wrote:
> I am using SuSE 8.2 shorewall ver. 1.4
>
> I have several servers on the inside configured with static IP NAT
> Everything works great from outside. I can access these servers no problem.
> But internal users can't get to these servers using their public IPs.
> It forced me to run two DNS servers one for internal users and other for
> outside users.
> If somebody knows a resolution to this issue. Please let me know.
>

Running two DNS servers or using Bind 9 "views" *is* the preferred solution.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Unfortunately it is an old Solaris with bind 8.2.4 and it doesn't support 'views'.

Is there any other way?

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 7:17 AM
Subject: Re: [Shorewall-users] Static NAT question

> On Tue, 2003-09-30 at 22:17, Alex Levit wrote:
> > I am using SuSE 8.2 shorewall ver. 1.4
> >
> > I have several servers on the inside configured with static IP NAT
> > Everything works great from outside. I can access these servers no problem.
> > But internal users can't get to these servers using their public IPs.
> > It forced me to run two DNS servers one for internal users and other for
> > outside users.
> > If somebody knows a resolution to this issue. Please let me know.
> >
>
> Running two DNS servers or using Bind 9 "views" *is* the preferred
> solution.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
>
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 2003-10-01 at 07:43, Alex Levit wrote:
> Unfortunately it is an old solaris with bind 8.2.4 and it doesn't support
> 'views'
>
> Is there any other way?

See FAQ #2

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
I followed instructions in FAQ #2:
a) Set the Z->Z policy to ACCEPT.
b) Masquerade Z to itself.

I got negative results.
I have several mail servers in the loc zone configured with static NAT; the rest of the users are masqueraded.

My interfaces file:

    net     eth1    detect
    loc     eth0    10.0.0.255
    loc     ppp0

My policy file:

    loc     loc     ACCEPT
    loc     net     ACCEPT
    loc     fw      ACCEPT
    fw      net     ACCEPT
    fw      loc     ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

My masq file:

    eth0    10.0.0.0/24

My nat file:

    61.100.9.11     eth1:5  10.0.0.91   no  no
    61.100.9.7      eth1:1  10.0.0.67   no  no
    61.100.9.5      eth1:4  10.0.0.75   no  no

My rules file:

    ACCEPT:info     net     loc:10.0.0.91   tcp     80,25
    ACCEPT:info     loc     loc:10.0.0.91   tcp     80,25

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 7:49 AM
Subject: Re: [Shorewall-users] Static NAT question

> On Wed, 2003-10-01 at 07:43, Alex Levit wrote:
> > Unfortunately it is an old solaris with bind 8.2.4 and it doesn't support
> > 'views'
> >
> > Is there any other way?
>
> See FAQ #2
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Wed, 2003-10-01 at 08:19, Alex Levit wrote:
> I followed instructions in FAQ #2
> a) Set the Z->Z policy to ACCEPT.
> b) Masquerade Z to itself.

Hmmm -- my instructions are incomplete.

>
> I got negative results.
> I have several mail servers in loc zone configured with static nat, the rest
> of the users are masqueraded.
>
> My interfaces file:
> net     eth1    detect
> loc     eth0    10.0.0.255

Needs to be

    loc     eth0    10.0.0.255      routeback

> loc     ppp0
>
>
> My Policy file:
> loc     loc     ACCEPT
> loc     net     ACCEPT
> loc     fw      ACCEPT
> fw      net     ACCEPT
> fw      loc     ACCEPT
> net     all     DROP    info
> all     all     REJECT  info
>
> My masq file:
>
> eth0    10.0.0.0/24
>
> My nat file:
>
> 61.100.9.11     eth1:5  10.0.0.91   no  no
> 61.100.9.7      eth1:1  10.0.0.67   no  no
> 61.100.9.5      eth1:4  10.0.0.75   no  no
>

You need "Yes" in the ALL INTERFACES column

>
> My rules file:
>
> ACCEPT:info     net     loc:10.0.0.91   tcp     80,25
> ACCEPT:info     loc     loc:10.0.0.91   tcp     80,25

This last rule is unnecessary with your policy file.

WARNING: This setup makes all loc->loc traffic look to the server as if it came from the firewall and not from the original client system!

I personally think that this kind of setup is horrible -- but it's your system not mine.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
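The three pieces of the FAQ #2 recipe as corrected above (routeback on the loc interface, the zone masqueraded to itself, and "Yes" in the ALL INTERFACES column of each nat entry) lend themselves to a mechanical check. The script below is an added example, not Shorewall code and not from the thread: it runs over constructed copies of the tables as posted and as fixed, and assumes the Shorewall 1.4 column layouts named in its comments.

```python
# Added example (not Shorewall code, not from the thread): a checker that reads
# Shorewall 1.4-style tables and reports which of the three pieces needed for
# loc -> loc access via public NAT addresses are missing.  Column layout assumed:
# interfaces = ZONE INTERFACE BROADCAST OPTIONS; masq = INTERFACE SUBNET;
# nat = EXTERNAL INTERFACE INTERNAL "ALL INTERFACES" LOCAL.

# Constructed sample: the tables as posted, and the same tables with the fixes.
ORIGINAL = {
    "interfaces": "net eth1 detect\nloc eth0 10.0.0.255\nloc ppp0\n",
    "masq": "eth0 10.0.0.0/24\n",
    "nat": ("61.100.9.11 eth1:5 10.0.0.91 no no\n"
            "61.100.9.7  eth1:1 10.0.0.67 no no\n"
            "61.100.9.5  eth1:4 10.0.0.75 no no\n"),
}
CORRECTED = {
    "interfaces": "net eth1 detect\nloc eth0 10.0.0.255 routeback\nloc ppp0\n",
    "masq": "eth0 10.0.0.0/24\n",
    "nat": ("61.100.9.11 eth1:5 10.0.0.91 Yes no\n"
            "61.100.9.7  eth1:1 10.0.0.67 Yes no\n"
            "61.100.9.5  eth1:4 10.0.0.75 Yes no\n"),
}

def rows(table):
    """Split a Shorewall table into column lists, skipping blank and '#' lines."""
    return [ln.split() for ln in table.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def hairpin_nat_problems(cfg, zone="loc", iface="eth0"):
    """Return human-readable problems; an empty list means the recipe is complete."""
    problems = []
    # 1. routeback: packets may leave through the interface they arrived on.
    loc_rows = [r for r in rows(cfg["interfaces"]) if r[0] == zone and r[1] == iface]
    if not any(len(r) > 3 and "routeback" in r[3].split(",") for r in loc_rows):
        problems.append(f"interfaces: '{zone} {iface}' lacks the routeback option")
    # 2. masquerade the zone to itself so the server replies via the firewall
    #    (this is also why the server sees the firewall, not the client, as source).
    if not any(r[0] == iface for r in rows(cfg["masq"])):
        problems.append(f"masq: no entry masquerading {iface} to its own subnet")
    # 3. every static NAT entry must apply on ALL INTERFACES, not just eth1.
    for r in rows(cfg["nat"]):
        flag = r[3] if len(r) > 3 else "no"
        if flag.lower() != "yes":
            problems.append(f"nat: {r[0]} -> {r[2]} has ALL INTERFACES={flag}, needs Yes")
    return problems

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, hairpin_nat_problems(cfg) or ["ok"])
```

Against the posted tables the checker reports the missing routeback option and the three nat entries with ALL INTERFACES set to "no"; against the corrected tables it reports nothing.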
Thanx. Everything is working now.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 9:37 AM
Subject: Re: [Shorewall-users] Static NAT question

> On Wed, 2003-10-01 at 08:19, Alex Levit wrote:
> > I followed instructions in FAQ #2
> > a) Set the Z->Z policy to ACCEPT.
> > b) Masquerade Z to itself.
>
> Hmmm -- my instructions are incomplete.
>
> >
> > I got negative results.
> > I have several mail servers in loc zone configured with static nat, the rest
> > of the users are masqueraded.
> >
> > My interfaces file:
> > net     eth1    detect
> > loc     eth0    10.0.0.255
>
> Needs to be
>
> loc     eth0    10.0.0.255      routeback
>
> > loc     ppp0
> >
> >
> > My Policy file:
> > loc     loc     ACCEPT
> > loc     net     ACCEPT
> > loc     fw      ACCEPT
> > fw      net     ACCEPT
> > fw      loc     ACCEPT
> > net     all     DROP    info
> > all     all     REJECT  info
> >
> > My masq file:
> >
> > eth0    10.0.0.0/24
> >
> > My nat file:
> >
> > 61.100.9.11     eth1:5  10.0.0.91   no  no
> > 61.100.9.7      eth1:1  10.0.0.67   no  no
> > 61.100.9.5      eth1:4  10.0.0.75   no  no
> >
>
> You need "Yes" in the ALL INTERFACES column
>
> >
> > My rules file:
> >
> > ACCEPT:info     net     loc:10.0.0.91   tcp     80,25
> > ACCEPT:info     loc     loc:10.0.0.91   tcp     80,25
>
> This last rule is unnecessary with your policy file.
>
> WARNING: This setup makes all loc->loc traffic look to the server as if
> it came from the firewall and not from the original client system!
>
> I personally think that this kind of setup is horrible -- but it's your
> system not mine.
>
> -Tom
> --
> Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
> > On Wed, 2003-10-01 at 07:43, Alex Levit wrote:
> > > Unfortunately it is an old solaris with bind 8.2.4 and it
> > > doesn't support 'views'
> > >
> > > Is there any other way?

I run two instances of bind, which listen on different ports. More work to set up, but it's fine. And I get to isolate my internal hosts from the outside world, and I have bifurcated statistics, should I ever read them, which I usually don't.

NYZ
--
_________________________________________
Nachman Yaakov Ziskind, EA, LLM                       awacs@egps.com
Attorney and Counselor-at-Law                         http://ziskind.us
Economic Group Pension Services                       http://egps.com
Actuaries and Employee Benefit Consultants