Shorewall users - Oct 2003 - help seeing DMZ from LOC

I have a three interface network (net,loc,dmz).

The internet interface (eth0) has a static IP.

Windows machine in the local network (eth1) use DHCP to get IPs from 
the 192.168.10.0/24 netblock.

The Debian machine in the DMZ (eth2) gets a fixed IP through DHCP in 
the 192.168.11.0/24 netblock.

The DHCP server is running on the firewall machine (not ideal, I know, 
but that''s the way it is for now).  I am also running dnsmasq on the 
firewall.

Everything works fine (LOC<->NET, LOC<->FW, DMZ<->FW,
DMZ<->NET).  I
now want to be able to set up Samba on a DMZ machine, but machines in 
the local network can''t see the DMZ''s 192.168.11.0 block.

Here are my shorewall conf files.  I''m not sure what other information 
I need to provide, so let me know if I should post my dhcpd.conf or 
dnsmasq.conf files, or anything else.

Thanks in advance,

- Colin



--interfaces--
net     eth0            xxx.xxx.xxx.xxx  routefilter,norfc1918
loc     eth1            192.168.10.255  dhcp
dmz     eth2            192.168.11.255  dhcp


--masq--
eth0                    192.168.10.0/24
eth0                    192.168.11.0/24


--routestopped--
eth1            -
eth2            -

--policy--
loc             net             ACCEPT
fw              net             ACCEPT
dmz             net             ACCEPT          ULOG
net             all             DROP            ULOG
all             all             REJECT          ULOG

--rules--
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
ACCEPT          loc             fw              tcp     53
ACCEPT          loc             fw              udp     53
ACCEPT          dmz             fw              tcp     53
ACCEPT          dmz             fw              udp     53
ACCEPT          loc             fw              tcp     22
ACCEPT          loc             dmz             tcp     22
ACCEPT:ULOG     fw              loc             tcp     22
ACCEPT:ULOG     fw              dmz             tcp     22
ACCEPT:ULOG     net             fw              tcp     22
ACCEPT          net             fw              icmp    8
ACCEPT          loc             fw              icmp    8
ACCEPT          dmz             fw              icmp    8
ACCEPT          loc             dmz             icmp    8
ACCEPT          dmz             loc             icmp    8
ACCEPT          dmz             net             icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              dmz             icmp    8
ACCEPT          dmz             loc             udp     137:139
ACCEPT          dmz             loc             tcp     137,139,445
ACCEPT          dmz             loc             udp     1024:           
137
ACCEPT          loc             dmz             udp     137:139
ACCEPT          loc             dmz             tcp     137,139,445
ACCEPT          loc             dmz             udp     1024:           
137

On Wed, 2003-10-22 at 12:27, Colin Viebrock wrote:
> Everything works fine (LOC<->NET, LOC<->FW, DMZ<->FW,
DMZ<->NET).  I
> now want to be able to set up Samba on a DMZ machine, but machines in 
> the local network can''t see the DMZ''s 192.168.11.0 block.
> 
Computers do not have eyes and there cannot "see" anything. What
exactly
doesn''t work?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

normaly you would need a wins server for this setup
(smb network spread over different subnets)

what happens if you enter the ip address of the dmz host in explorer ?!?
\\ip_here\ 

either you have a wins server in loca and point all clients and the dmz
machine to it (i think better way), or you use sambas wins support on
the dmz machine and point all local clients to that wins server.

cya

Holger Brueckner
net-labs Systemhaus GmbH

On Wed, 2003-10-22 at 21:27, Colin Viebrock wrote:
> I have a three interface network (net,loc,dmz).
> 
> The internet interface (eth0) has a static IP.
> 
> Windows machine in the local network (eth1) use DHCP to get IPs from 
> the 192.168.10.0/24 netblock.
> 
> The Debian machine in the DMZ (eth2) gets a fixed IP through DHCP in 
> the 192.168.11.0/24 netblock.
> 
> The DHCP server is running on the firewall machine (not ideal, I know, 
> but that''s the way it is for now).  I am also running dnsmasq on
the
> firewall.
> 
> Everything works fine (LOC<->NET, LOC<->FW, DMZ<->FW,
DMZ<->NET).  I
> now want to be able to set up Samba on a DMZ machine, but machines in 
> the local network can''t see the DMZ''s 192.168.11.0 block.
> 
> Here are my shorewall conf files.  I''m not sure what other
information
> I need to provide, so let me know if I should post my dhcpd.conf or 
> dnsmasq.conf files, or anything else.
> 
> Thanks in advance,
> 
> - Colin
> 
> 
> 
> --interfaces--
> net     eth0            xxx.xxx.xxx.xxx  routefilter,norfc1918
> loc     eth1            192.168.10.255  dhcp
> dmz     eth2            192.168.11.255  dhcp
> 
> 
> --masq--
> eth0                    192.168.10.0/24
> eth0                    192.168.11.0/24
> 
> 
> --routestopped--
> eth1            -
> eth2            -
> 
> --policy--
> loc             net             ACCEPT
> fw              net             ACCEPT
> dmz             net             ACCEPT          ULOG
> net             all             DROP            ULOG
> all             all             REJECT          ULOG
> 
> --rules--
> ACCEPT          fw              net             tcp     53
> ACCEPT          fw              net             udp     53
> ACCEPT          loc             fw              tcp     53
> ACCEPT          loc             fw              udp     53
> ACCEPT          dmz             fw              tcp     53
> ACCEPT          dmz             fw              udp     53
> ACCEPT          loc             fw              tcp     22
> ACCEPT          loc             dmz             tcp     22
> ACCEPT:ULOG     fw              loc             tcp     22
> ACCEPT:ULOG     fw              dmz             tcp     22
> ACCEPT:ULOG     net             fw              tcp     22
> ACCEPT          net             fw              icmp    8
> ACCEPT          loc             fw              icmp    8
> ACCEPT          dmz             fw              icmp    8
> ACCEPT          loc             dmz             icmp    8
> ACCEPT          dmz             loc             icmp    8
> ACCEPT          dmz             net             icmp    8
> ACCEPT          fw              loc             icmp    8
> ACCEPT          fw              dmz             icmp    8
> ACCEPT          dmz             loc             udp     137:139
> ACCEPT          dmz             loc             tcp     137,139,445
> ACCEPT          dmz             loc             udp     1024:           
> 137
> ACCEPT          loc             dmz             udp     137:139
> ACCEPT          loc             dmz             tcp     137,139,445
> ACCEPT          loc             dmz             udp     1024:           
> 137
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm