Hello all,

Name is Andrew and in desperate need of some info.

Setup:

- Mandrake 9.1 with three interfaces
  (eth0 --> WAN) C-class /28 network (with three virtual addresses which I am DNAT-ing to the DMZ)
  (eth1 --> LAN) A-class 10.0.0.0/8
  (eth2 --> DMZ) A-class subnet 10.1.123.0/24
- Running stock Shorewall ver: shorewall-1.3.14-3.1.91mdk

Dilemma:

- LAN cannot access the DMZ zone without using FAQ-2. (On Shorewall startup I get a warning with the following: "Warning: SNAT will occur on all connections to this server and port - rule "DNAT lan dmz....")
- If I miss the trailing local gateway (10.0.0.254) on the rule:
  "DNAT lan dmz:10.1.123.1 tcp http - x.x.x.136:10.0.0.254"
  Rule "DNAT lan dmz:10.1.123.1 tcp http - 216.126.78.136:10.0.0.254";
  I get a constant loop from LAN to DMZ on all protocols.
- The IIS server is connected to the DMZ interface; all of the connections initiated to the server seem to come from 10.0.0.254 in the access log files. If I disable the DNAT rules all the logs are valid and the proper external client IP addresses are displayed.
- Tried updating Shorewall to shorewall-1.4.8-2.2.92mdk, in which case the LAN cannot access the DMZ at all.

Feedback is greatly appreciated.

Thanks.
Andrew Nady.
Andrew Nady wrote:
| Hello all,
|
| Name is Andrew and in desperate need of some info.
|
| Setup:
|
| - Mandrake 9.1 with three interfaces
| (eth0 --> WAN) C-class /28 network (with three virtual addresses which I
| am DNAT-ing to the DMZ)
| (eth1 --> LAN) A-class 10.0.0.0/8
| (eth2 --> DMZ) A-class subnet 10.1.123.0/24
|

Fix your subnetting -- your DMZ is a subnetwork of your LAN.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
| | - Mandrake 9.1 with three interfaces
| | (eth0 --> WAN) C-class /28 network (with three virtual addresses which I
| | am DNAT-ing to the DMZ)
| | (eth1 --> LAN) A-class 10.0.0.0/8
| | (eth2 --> DMZ) A-class subnet 10.1.123.0/24
| |
|
| Fix your subnetting -- your DMZ is a subnetwork of your LAN.

Or change /etc/shorewall/interfaces to include option proxyarp for the eth1 entry. It should work ok :-)

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Thank you for the info gents,

If I understand it right, I cannot have the LAN with 255.0.0.0 mask, in this case.
As with the ProxyARP, I need to get more familiar, have not a clue what it does.

Andrew.

On Sun, 2004-08-22 at 18:02, Tuomo Soini wrote:
> Or change /etc/shorewall/interfaces to include option proxyarp for eth1
> entry. It should work ok :-)
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Andrew Nady wrote:
| Thank you for the info gents,
| If I understand it right, I cannot have the LAN with 255.0.0.0 mask, in
| this case.
| As with the ProxyARP, I need to get more familiar, have not a clue what
| it does.
|

I suggest that you start with the Shorewall Setup Guide (http://shorewall.net/shorewall_setup_guide.htm). It contains the information you need to understand what was wrong with your current config and why proxy ARP could work around your unwise choice of subnetworks.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
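An added example, not from this thread and not Shorewall's own code, that models the two points made above: Tom's objection that 10.1.123.0/24 sits inside 10.0.0.0/8, so a LAN host with a /8 mask treats the DMZ server as on-link and ARPs for it instead of sending to the gateway, and Tuomo's workaround of answering those ARP requests from the firewall with the proxyarp option on eth1. The addresses 10.0.0.254 and 10.1.123.1 come from Andrew's post; the LAN workstation 10.0.0.17, the remote host 198.51.100.7 and the WAN block 192.0.2.128/28 are constructed stand-ins.

```python
"""Model of the subnet clash in this thread: why a LAN host with a /8 mask
never hands DMZ traffic to the firewall, and what proxy ARP on eth1 changes.

Added example, not from the shorewall-users thread or from Shorewall itself.
Addresses 10.0.0.254 and 10.1.123.1 come from the original post; the LAN
workstation 10.0.0.17, the remote address 198.51.100.7 and the WAN block
192.0.2.128/28 are constructed stand-ins.
"""
import ipaddress
from itertools import combinations

# Subnets per interface as posted (WAN block constructed).
INTERFACES = {
    "eth0": ipaddress.ip_network("192.0.2.128/28"),  # WAN (constructed)
    "eth1": ipaddress.ip_network("10.0.0.0/8"),       # LAN, as posted
    "eth2": ipaddress.ip_network("10.1.123.0/24"),    # DMZ, as posted
}

LAN_HOST = ipaddress.ip_interface("10.0.0.17/8")         # constructed, original /8 mask
LAN_HOST_FIXED = ipaddress.ip_interface("10.0.0.17/24")  # constructed, after re-subnetting
FW_LAN_ADDR = ipaddress.ip_address("10.0.0.254")         # firewall on eth1, as posted
DMZ_SERVER = ipaddress.ip_address("10.1.123.1")          # IIS host on eth2, as posted
REMOTE = ipaddress.ip_address("198.51.100.7")            # constructed Internet host


def find_overlaps(ifaces):
    """Interface pairs whose subnets overlap: Tom's 'fix your subnetting'."""
    return [(a, b) for a, b in combinations(sorted(ifaces), 2)
            if ifaces[a].overlaps(ifaces[b])]


def next_hop(host, dst):
    """How a host forwards a packet: ARP for dst directly when dst falls
    inside the host's own subnet, otherwise send it to the default gateway."""
    return "arp" if dst in host.network else "gateway"


def arp_reply(segment_hosts, dst, routed_elsewhere, proxyarp=False):
    """Who answers an ARP request for dst on the eth1 segment.

    segment_hosts    addresses physically attached to eth1
    routed_elsewhere subnets the firewall reaches through other interfaces
    proxyarp         the 'proxyarp' option on the eth1 line of
                     /etc/shorewall/interfaces, as Tuomo suggested
    """
    if dst in segment_hosts:
        return "host"          # the real owner answers
    if proxyarp and any(dst in net for net in routed_elsewhere):
        return "firewall"      # firewall answers with its own MAC and forwards
    return None                # nobody answers: packets for the DMZ are lost


def lan_to_dmz_works(host, proxyarp=False):
    """Can host reach DMZ_SERVER, either via the gateway or via proxy ARP?"""
    if next_hop(host, DMZ_SERVER) == "gateway":
        return True
    return arp_reply({host.ip, FW_LAN_ADDR}, DMZ_SERVER,
                     [INTERFACES["eth2"]], proxyarp) == "firewall"


if __name__ == "__main__":
    print("overlapping interfaces:", find_overlaps(INTERFACES))
    print("LAN /8 host reaches DMZ:", lan_to_dmz_works(LAN_HOST))
    print("... with proxyarp on eth1:", lan_to_dmz_works(LAN_HOST, proxyarp=True))
    print("LAN /24 host reaches DMZ:", lan_to_dmz_works(LAN_HOST_FIXED))
```

The model deliberately ignores the firewall's own routing and the DNAT/SNAT rules from the first post; it only shows the on-link decision that the overlapping masks break. Running `find_overlaps` over an interface plan before deploying it is the cheap check that would have flagged this layout, and proxy ARP is shown as what it is here, a workaround that makes the firewall answer for addresses it does not own rather than a fix for the addressing.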
Thank you, once again.

Problem resolved. Re-arranged the network on the DMZ side and LAN.

One other question: Is ProxyARP the best way of setting up a DMZ zone with the 2.4 kernel?

~Andrew.

On Sun, 2004-08-22 at 21:26, Tom Eastep wrote:
> I suggest that you start with the Shorewall Setup Guide
> (http://shorewall.net/shorewall_setup_guide.htm). It contains the
> information you need to understand what was wrong with your current
> config and why proxy ARP could work around your unwise choice of
> subnetworks.
Andrew Nady wrote:
| Thank you, once again.
| Problem resolved. Re-arranged the network on the DMZ side and LAN.
|
| One other question: Is ProxyARP the best way of setting up a DMZ zone
| with the 2.4 kernel?
|

In my opinion, if you have multiple public IP addresses then in almost all cases the best way to run a DMZ is to use Proxy ARP, regardless of which kernel version you use.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key