Hello,
I just want to start out by saying that this product "Shorewall" is absolutely fantastic. We have it working for our organization and are rather impressed with its functionality.

OK, on to my question. We successfully implemented Shorewall with a DMZ zone in place. Within the DMZ we are currently running a Windows NT 4.0 server that acts as our Internet proxy and email gateway. That server once used to be on our "Private" LAN, utilized specifically for file sharing, as a software repository and as a backup domain controller. But since we placed the server within the DMZ, we have been unable to access the files that exist on the hard drive. In terms of being able to access system resources on the server such as the Internet "Proxy server" on port 80, there are no problems at all. What firewall rules within Shorewall will I have to open up that will allow me to access the files on the NT server?

Or is doing something like that even suggested at all? Will that undermine security and allow a potential hacker to compromise our private LAN? Any help would be greatly appreciated.
Thanks,
James
Redhat Linux 7.2
Shorewall version 1.4.6b
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:c0:df:e7:87:c7 brd ff:ff:ff:ff:ff:ff
inet 65.115.171.251/29 brd 65.115.171.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:50:ba:ad:69:8c brd ff:ff:ff:ff:ff:ff
inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:4b:c6:f2:8a brd ff:ff:ff:ff:ff:ff
inet 192.168.5.184/24 brd 192.168.5.255 scope global eth2
ip route show
65.115.171.252 dev eth1 scope link
65.115.171.250 dev eth1 scope link
65.115.171.248/29 dev eth0 scope link
192.168.85.0/24 via 192.168.5.1 dev eth2
192.168.5.0/24 dev eth2 scope link
192.168.36.0/24 via 192.168.5.1 dev eth2
192.168.71.0/24 via 192.168.5.1 dev eth2
192.168.20.0/24 via 192.168.5.1 dev eth2
192.168.65.0/24 via 192.168.5.1 dev eth2
192.168.96.0/24 via 192.168.5.1 dev eth2
192.168.2.0/24 dev eth1 scope link
192.168.80.0/24 via 192.168.5.1 dev eth2
192.168.150.0/24 via 192.168.5.1 dev eth2
192.168.17.0/24 via 192.168.5.1 dev eth2
192.168.67.0/24 via 192.168.5.1 dev eth2
192.168.82.0/24 via 192.168.5.1 dev eth2
192.168.15.0/24 via 192.168.5.1 dev eth2
192.168.14.0/24 via 192.168.5.1 dev eth2
192.168.63.0/24 via 192.168.5.1 dev eth2
192.168.60.0/24 via 192.168.5.1 dev eth2
192.168.45.0/24 via 192.168.5.1 dev eth2
192.168.42.0/24 via 192.168.5.1 dev eth2
192.168.40.0/24 via 192.168.5.1 dev eth2
192.168.75.0/24 via 192.168.5.1 dev eth2
192.168.41.0/24 via 192.168.5.1 dev eth2
192.168.140.0/24 via 192.168.5.1 dev eth2
127.0.0.0/8 dev lo scope link
default via 65.115.171.249 dev eth0
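As an added example (not part of James's post or of Shorewall's own documentation), the following /etc/shorewall/rules fragment shows the minimal, one-directional opening that SMB file access from the private LAN to a single DMZ host needs; it assumes the usual Shorewall zone names "loc" (private LAN) and "dmz", and the NT server's DMZ address is a placeholder.

```text
#ACTION   SOURCE               DEST                    PROTO   DEST PORT(S)   SOURCE PORT(S)
#
# Only the private LAN may initiate; only this one DMZ host may be reached.
# <nt-server-ip> is a placeholder for the NT 4.0 server's address in the DMZ.
#
# NetBIOS name service (137/udp) and datagram service (138/udp)
ACCEPT    loc                  dmz:<nt-server-ip>      udp     137:138
# NetBIOS session service: NT 4.0 serves SMB file sharing over 139/tcp
ACCEPT    loc                  dmz:<nt-server-ip>      tcp     139
# 445/tcp (direct-hosted SMB) is only used by Windows 2000 and later,
# so it is deliberately left closed for an NT 4.0 host.
#
# Deliberately NO matching dmz -> loc rule: replies ride on the established
# connection, and the DMZ host must never be able to open connections into
# the private LAN. If the proxy were compromised, that missing rule is what
# keeps the attacker out of the LAN; the shares themselves remain exposed
# to anyone who controls the DMZ host.
```

Because the server now sits on a different subnet, NetBIOS broadcast name resolution will not cross the firewall; LAN clients need a WINS entry or an LMHOSTS line for the server, or must connect by IP address. Restart Shorewall after editing the file so the new rules take effect.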