I have been struggling with this for a while. My problem is I can't communicate with a computer attached to the DMZ. I followed the "Shorewall Setup Guide". I have four different public IP blocks: one for the net interface (/30), one for the DMZ (/28) and two for the Local interface (2 class C's). I am currently only running one computer on the DMZ; it is a web/email box. What do I need to do to be able to view my website and check e-mail on this box from the Local interface as well as from the Net side of things? Is there some documentation that I missed that tells me how to set up a computer in the DMZ zone? I know that more information will probably be needed to solve this, so tell me what you need to see.

 _
/-\ ndrew
andrew@pure-wireless.net
http://www.pure-wireless.net
Andrew Niemantsverdriet wrote:

> I have been struggling with this for a while. My problem is I can't
> communicate with a computer attached to the DMZ. I followed the
> "Shorewall Setup Guide". I have four different public IP blocks. One for
> the net interface (/30) one for the DMZ (/28) and two for the Local
> interface (2 class C's). Am currently only running one computer on the
> DMZ it is web/email box. What do I need to do to be able to view my
> website and check e-mail from this box from the Local interface as well
> as the Net side of things. Is there some documentation that I missed
> that tells me how to set up a computer in the DMZ zone? I know that more
> information will probably be needed to solve this so tell me what you
> need to see.

http://shorewall.net/support.htm catalogs the things we would like to see
under the heading "Problem Reporting Guidelines".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2004-06-24 at 10:02, Tom Eastep wrote:
> Andrew Niemantsverdriet wrote:
>
> > I have been struggling with this for a while. My problem is I can't
> > communicate with a computer attached to the DMZ. I followed the
> > "Shorewall Setup Guide". I have four different public IP blocks. One for
> > the net interface (/30) one for the DMZ (/28) and two for the Local
> > interface (2 class C's). Am currently only running one computer on the
> > DMZ it is web/email box. What do I need to do to be able to view my
> > website and check e-mail from this box from the Local interface as well
> > as the Net side of things. Is there some documentation that I missed
> > that tells me how to set up a computer in the DMZ zone? I know that more
> > information will probably be needed to solve this so tell me what you
> > need to see.
>
> http://shorewall.net/support.htm catalogs the things we would like to
> see under the heading "Problem Reporting Guidelines".
>
> -Tom

The computer in the DMZ is not / will not be running Shorewall. My actual Shorewall setup is fine (I think). As I look back on my first post, I left out an important point. If I attach a cheap Linksys router (that runs a web interface) using the same IP and netmask, I can access that web interface just fine. My question is not so much about my Shorewall setup but how to set up a computer in the DMZ, because just changing the IP and netmask does not do the job. Also, the firewall was off when I tried to communicate with the server, so that was not causing the issue. Any suggestions on what needs to be done to the actual webserver to get it to work?
Andrew Niemantsverdriet wrote:
>
> The computer in the DMZ is not / will not be running Shorewall. My
> actual Shorewall setup is fine (I think). As I look back on my first
> post I left out an important point. If I attach a cheap Linksys router
> (that runs web interface) using the same IP and netmask I can access
> that web interface just fine. My question is not so much about my
> Shorewall setup but how to set up a computer in the DMZ because just
> changing the IP and netmask does not do the job. Also the firewall was
> off when I tried to communicate with the server so that was not causing
> the issue. Any suggestions on what needs to be done to the actual
> webserver to get it to work?
>

Changing the IP address/netmask and default gateway should be all that you need to do; in addition to changing the IPv4 configuration, you may also need to change the configurations of your web and email servers if the host's IP address is hard-coded in their configurations (both my Apache and Postfix configurations contain the IP address of my web/mail server).

Do basic connectivity tests like "ping" succeed?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
> Changing the IP address/netmask and default gateway should be all that
> you need to do; in addition to changing the IPv4 configuration, you may
> also need to change the configurations of your web and email servers if
> the host's IP address is hard-coded in their configurations (both my
> Apache and Postfix configurations contain the IP address of my web/mail
> server).
>
> Do basic connectivity tests like "ping" succeed?
>

You may also have to adjust DNS (PTR and possibly A) -- incorrect DNS can cause some servers to experience startup problems.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2004-06-24 at 15:10, Tom Eastep wrote:
> Tom Eastep wrote:
> >
> > Changing the IP address/netmask and default gateway should be all that
> > you need to do; in addition to changing the IPv4 configuration, you may
> > also need to change the configurations of your web and email servers if
> > the host's IP address is hard-coded in their configurations (both my
> > Apache and Postfix configurations contain the IP address of my web/mail
> > server).
> >
> > Do basic connectivity tests like "ping" succeed?
> >
>
> You may also have to adjust DNS (PTR and possibly A) -- incorrect DNS
> can cause some servers to experience startup problems.
>
> -Tom

DNS was set up correctly when I tried (A records changed). Ping tests all fail with destination unreachable. Good point about the hard-coded IP; that would have been it had tests like ping not failed.

Just to check: the computer on the DMZ is connected via crossover to my Shorewall box; the DMZ interface on the Shorewall box has an address of, say, 192.0.0.128/29. The DMZ web/email host has an address of 192.0.0.129/29 and a gateway of 192.0.0.128. No routes or anything need to be set up on the DMZ web/email host, correct? And Shorewall should take care of all the routes that need to be there for the DMZ for me, correct? I am convinced it is some stupid operator error on my part, but I can't track it down.

 _
/-\ ndrew
andrew@pure-wireless.net
http://www.pure-wireless.net
Andrew Niemantsverdriet wrote:
> On Thu, 2004-06-24 at 15:10, Tom Eastep wrote:
>
>>Tom Eastep wrote:
>>
>>>Changing the IP address/netmask and default gateway should be all that
>>>you need to do; in addition to changing the IPv4 configuration, you may
>>>also need to change the configurations of your web and email servers if
>>>the host's IP address is hard-coded in their configurations (both my
>>>Apache and Postfix configurations contain the IP address of my web/mail
>>>server).
>>>
>>>Do basic connectivity tests like "ping" succeed?
>>>
>>
>>You may also have to adjust DNS (PTR and possibly A) -- incorrect DNS
>>can cause some servers to experience startup problems.
>>
>>-Tom
>
> DNS was set up correctly when I tried (A records changed). Ping tests all
> fail destination unreachable. Good point with the hard-coded IP that
> would have been it had tests like ping not failed.
>
> Just to check: the computer on the DMZ is connected via crossover to my
> Shorewall box, the DMZ interface on the Shorewall box has an address of
> say 192.0.0.128/29. The DMZ web/email has an address of 192.0.0.129/29
> and gateway of 192.0.0.128.

192.0.0.128 is the network address of 192.0.0.128/29 -- you can't assign it to a host (this is clearly described in the addressing section of the setup guide).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
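The addressing mistake Tom points out above, worked through as an added example (this is not code from the thread or from the Shorewall project). Given the firewall's DMZ interface address, the DMZ host's address and the gateway the host was given, it reports which of them land on the network or broadcast address of the subnet, whether host and firewall are in the same subnet, and whether the gateway is actually the firewall's own DMZ address. The addresses are the ones Andrew posted; the function names and the three-value "plan" shape are assumptions made for this illustration. It also covers the /31 and /32 cases, which the thread does not discuss, because those subnets reserve no addresses (RFC 3021) and a check that ignores them gives wrong answers on point-to-point links.

```python
"""Sanity-check a DMZ addressing plan: firewall interface, host, gateway.

Added example for the Shorewall list thread above; not from the thread or
the Shorewall project. Addresses in main() are the ones posted in the thread.
"""
import ipaddress
from typing import List, Tuple


def usable_range(cidr: str) -> Tuple[str, str]:
    """Return the first and last address a host may be given in a subnet.

    For prefixes up to /30 the first address is the network address and the
    last is the broadcast address; neither may be assigned to a host.
    A /31 (RFC 3021) and a /32 reserve nothing, so both ends are usable.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])


def check_plan(fw_iface: str, dmz_host: str, dmz_gateway: str) -> List[str]:
    """Validate one DMZ segment and return a list of problems (empty = OK).

    fw_iface    - firewall's DMZ interface, e.g. "192.0.0.129/29"
    dmz_host    - the host on that segment,  e.g. "192.0.0.130/29"
    dmz_gateway - default gateway configured on the host, e.g. "192.0.0.129"
    """
    fw = ipaddress.ip_interface(fw_iface)
    host = ipaddress.ip_interface(dmz_host)
    gw = ipaddress.ip_address(dmz_gateway)
    net = fw.network
    problems: List[str] = []

    # Host and firewall must agree on the subnet, or ARP for the gateway
    # never even happens and ping fails with "destination unreachable".
    if host.network != net:
        problems.append(
            f"host subnet {host.network} differs from firewall subnet {net}")

    # Neither end, nor the gateway, may be the network or broadcast address.
    for label, ip in (("firewall interface", fw.ip),
                      ("host", host.ip),
                      ("gateway", gw)):
        if net.prefixlen < 31 and ip == net.network_address:
            problems.append(f"{label} {ip} is the network address of {net}")
        elif net.prefixlen < 31 and ip == net.broadcast_address:
            problems.append(f"{label} {ip} is the broadcast address of {net}")
        elif ip not in net:
            problems.append(f"{label} {ip} is not inside {net}")

    # The host's default gateway has to be the firewall's address on this
    # segment; anything else points the host at a box that is not there.
    if gw != fw.ip:
        problems.append(
            f"gateway {gw} is not the firewall's DMZ address {fw.ip}")
    if host.ip == fw.ip:
        problems.append(f"host and firewall both use {host.ip}")
    return problems


def main() -> None:
    # The plan from the thread: firewall on .128, host on .129, gateway .128.
    posted = ("192.0.0.128/29", "192.0.0.129/29", "192.0.0.128")
    # One plan that is consistent: firewall on the first usable address.
    fixed = ("192.0.0.129/29", "192.0.0.130/29", "192.0.0.129")
    print("usable range in 192.0.0.128/29:", usable_range("192.0.0.128/29"))
    for name, plan in (("posted", posted), ("fixed", fixed)):
        problems = check_plan(*plan)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("   -", p)


if __name__ == "__main__":
    main()
```

Running it on the posted plan flags both the firewall interface and the gateway as the network address of 192.0.0.128/29; moving the firewall to 192.0.0.129 and the host to 192.0.0.130 (gateway 192.0.0.129) clears every check. The check is deliberately about addressing only; it says nothing about Shorewall's policy or rules, which is consistent with Tom's point that the host itself only needs a correct address, netmask and default gateway.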