Thanks again for your sharp eye and speedy response. I have corrected the typos in the IP in the masq file. I am sorry to have to ask for more help, but my PCs on the local network can't reach the dmz webserver using the webserver's local or public IP address. I need to be able to do this in order to test the split DNS setup for the network. Using Ethereal on the firewall, I can see the packets going from the local PC to the dmz server. Using IPTraf on the dmz server, I can see the SYN packet hit the DMZ server but I never see an ACK packet returned. This server works flawlessly from the internet (net zone) so I don't think it's a server-side firewall or routing issue. I have copied my rules and masq files below and have attached the shorewall status report as "test." Thank you for any help you can offer.

masq file:

#INTERFACE   SUBNET              ADDRESS        PROTO   PORT(S)
eth0         192.168.202.7/32    69.17.65.22
eth0:1       192.168.202.8/32    69.17.65.161
eth0:1       192.168.0.0/29      69.17.65.161
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

rules file:

#ACTION   SOURCE    DEST                  PROTO  DEST           SOURCE   ORIGINAL         RATE   USER/
#                                                PORT           PORT(S)  DEST             LIMIT  GROUP
ACCEPT    net       dmz                   icmp   echo-request   -        -                -      -
ACCEPT    net       loc                   icmp   echo-request   -        -                -      -
ACCEPT    dmz       loc                   icmp   echo-request   -        -                -      -
ACCEPT    loc       dmz                   icmp   echo-request   -        -                -      -
# FW acts as secondary DNS and Mail server to Primary DNS at 69.17.65.22 / 192.168.202.7
REDIRECT  net       53                    tcp    domain         -        !69.17.65.22     #TCP DNS FROM NET
ACCEPT    net       fw                    tcp    domain         -                         #TCP DNS FROM NET
REDIRECT  net       53                    udp    domain         -        !69.17.65.22     #UDP DNS FROM NET
ACCEPT    net       fw                    udp    domain         -        -                #UDP DNS FROM NET
REDIRECT  loc       53                    tcp    domain         -        !192.168.202.7   #TCP DNS FROM Local Network
ACCEPT    loc       fw                    tcp    domain         -        -                #TCP DNS FROM Local Network
REDIRECT  loc       53                    udp    domain         -        !192.168.202.7   #UDP DNS FROM Local Network
ACCEPT    loc       fw                    udp    domain         -        -                #TCP DNS FROM Local Network
REDIRECT  dmz       53                    tcp    domain         -        !192.168.202.7   #TCP DNS FROM DMZ
ACCEPT    dmz       fw                    tcp    domain         -        -                #TCP DNS FROM DMZ
REDIRECT  dmz       53                    udp    domain         -        !192.168.202.7   #UDP DNS FROM DMZ
ACCEPT    dmz       fw                    udp    domain         -        -                #UDP DNS FROM
REDIRECT  net       22                    tcp    ssh            -        !69.17.65.22     #TCP DNS FROM NET
ACCEPT    net       fw                    tcp    ssh            -                         #TCP DNS FROM NET
REDIRECT  loc       22                    tcp    ssh            -        !69.17.65.22     #UDP DNS FROM NET
ACCEPT    net       fw                    tcp    ssh            -        -                #UDP DNS FROM NET
REDIRECT  loc       22                    tcp    ssh            -        !192.168.202.7   #TCP DNS FROM Local Network
ACCEPT    loc       fw                    tcp    domain         -        -                #TCP DNS FROM Local Network
#DMZ
REDIRECT  net       22                    tcp    smtp           -        !69.17.65.22
ACCEPT    net       fw                    tcp    smtp           -                         #Mail FROM Internet
REDIRECT  net       22                    tcp    imap           -        !69.17.65.22
ACCEPT    net       fw                    tcp    imap           -        -                #IMAP FROM
REDIRECT  dmz       22                    tcp    smtp           -        !192.168.202.7
ACCEPT    dmz       fw                    tcp    smtp           -                         #Mail FROM Internet
REDIRECT  dmz       22                    tcp    imap           -        !192.168.202.7
ACCEPT    dmz       fw                    tcp    imap           -        -                #IMAP FROM Internet
# Server No. 1 imap / smtp / dns / http / https / domain
DNAT      net       dmz:192.168.202.7     tcp    smtp           -        69.17.65.22      #Mail FROM Internet
DNAT      net       dmz:192.168.202.7     tcp    imap           -        69.17.65.22      #IMAP FROM Internet
DNAT      loc       dmz:192.168.202.7     tcp    smtp           -        69.17.65.22      #Mail FROM local Network
DNAT      loc       dmz:192.168.202.7     tcp    imap           -        69.17.65.22      #IMAP FROM local Network
DNAT      fw        dmz:192.168.202.7     tcp    smtp           -        69.17.65.22      #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.7  net          tcp    smtp           -        -                #Mail to the Firewall
DNAT      net       dmz:192.168.202.7     tcp    http           -        69.17.65.22      #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  net          tcp    http           -        -                #WWW FROM DMZ To Local net
# ACCEPT loc fw
# ACCEPT loc dmz
# ACCEPT dmz fw
# AllowHTTP dmz fw
# AllowHTTP fw dmz
#Internet
DNAT      loc       dmz:192.168.202.7     tcp    http           -        69.17.65.22      #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  loc          tcp    http           -        -                #WWW TO Internet
DNAT      fw        dmz:192.168.202.7     tcp    http           -        69.17.65.22      #Secure WWW FROM Internet
ACCEPT    dmz:192.168.202.7  fw           tcp    https          -        -                #Secure WWW TO Internet
#
DNAT      net       dmz:192.168.202.7     udp    domain         -        69.17.65.22      #UDP DNS FROM Internet
DNAT      net       dmz:192.168.202.7     tcp    domain         -        69.17.65.22      #TCP DNS FROM Internet
DNAT      loc       dmz:192.168.202.7     udp    domain         -        69.17.65.22      #UDP DNS FROM Local Network
DNAT      loc       dmz:192.168.202.7     tcp    domain         -        69.17.65.22      #TCP DNS FROM Local Network
DNAT      fw        dmz:192.168.202.7     udp    domain         -        69.17.65.22      #UDP DNS FROM
DNAT      fw        dmz:192.168.202.7     udp    domain         -        69.17.65.22      #UDP DNS FROM the Firewall
DNAT      fw        dmz:192.168.202.7     tcp    domain         -        69.17.65.22      #TCP DNS FROM the Firewall
ACCEPT    dmz:192.168.202.7  net          udp    domain         -        -                #UDP DNS to the Internet
ACCEPT    dmz:192.168.202.7  net          tcp    domain         -        -                #TCP DNS to the Internet
ACCEPT    loc       dmz                   tcp    ssh            -        -                #SSH to the DMZ
ACCEPT    net       fw                    tcp    ssh            -        -                #SSH to the Firewall
DNAT      net       dmz:192.168.202.8     tcp    smtp           -        69.17.65.161     #Mail FROM Internet
DNAT      net       dmz:192.168.202.8     tcp    imap           -        69.17.65.161     #IMAP FROM Internet
DNAT      loc       dmz:192.168.202.8     tcp    smtp           -        69.17.65.161     #Mail FROM local Network
DNAT      loc       dmz:192.168.202.8     tcp    imap           -        69.17.65.161     #IMAP FROM local Network
DNAT      fw        dmz:192.168.202.8     tcp    smtp           -        69.17.65.161     #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.8  net          tcp    smtp           -        -                #Mail to the Firewall
DNAT      net       dmz:192.168.202.8     tcp    http           -        69.17.65.161     #WWW FROM Internet
DNAT      net       dmz:192.168.202.8     tcp    https          -        69.17.65.161     #Secure WWW FROM Internet
DNAT      loc       dmz:192.168.202.8     tcp    https          -        69.17.65.161     #Secure WWW FROM local Network
ACCEPT    dmz:192.168.202.8  net          tcp    https          -        -                #Secure WWW TO

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Saturday, September 25, 2004 10:09 PM
> To: rioguia@speakeasy.net
> Subject: [Fwd: Re: [Shorewall-users] start error]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------- Original Message --------
> Subject: Re: [Shorewall-users] start error
> Date: Sat, 25 Sep 2004 15:08:13 -0700
> From: Tom Eastep <teastep@shorewall.net>
> To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> References: <200409251426.12076.rioguia@speakeasy.net>
>
> rioguia@speakeasy.net wrote:
> | Thank you for your kind help.
> | Your solution (for the incorrect IP addresses in my rules) allowed the
> | firewall to load and to route most of my traffic correctly. I am having a
> | difficult time resolving how to approach the final problems.
> |
> | To briefly recap my prior posts, I am setting up a firewall with two IP
> | addresses using the Shorewall guide for more than one IP address and IP
> | aliasing. My primary server in the DMZ gets DNAT / SNAT for public IP
> | address 69.17.65.22 to local address 192.168.202.7/32. My secondary server
> | in the DMZ and the PCs on the local network get DNAT / SNAT for
> | 69.17.65.161 for local addresses 192.168.202.8/32 and 192.168.0.0/24.
> |
> | I have two specific problems. First, I have a working mail server that can
> | receive email from behind the firewall but cannot deliver mail outside the
> | firewall. The mail log (attached) shows that the mail server resolves the
> | correct external address but then indicates that the connection "timed out."
> |
> | Second, none of my dmz or loc computers can use a browser to reach the
> | internet (I can browse to the local IP address of the dmz servers however).
> |
> | I have tried changing the rules and masq to do one-to-one NAT for the server
> | and have tried several DNS approaches to solve the problem (making the
> | firewall a caching firewall for the local PCs and using my ISP's DNS
> | servers for resolution) but I have had no success. Could someone take a look
> | at my shorewall status file and give me some pointers?
>
> Carefully check each entry in your /etc/shorewall/masq file -- not one
> of the three is correct.
>
> - -Tom
>
> - --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFBVeyeO/MAbZfjDLIRAsh8AJkBWaI+nDJlpLLC2dAIGBnUAQm92QCffmc1
> DOscj8Pt6/KfSitW/6ltZd4=
> =Rb0p
> -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

rioguia@speakeasy.net wrote:
> thanks again for your sharp eye and speedy response. i have corrected
> the typos in the IP in the masq file. I am sorry to have to ask for
> more help but my pc's on the local network can't reach the dmz
> webserver using the webserver's local or Public IP address.

It is not surprising that the local addresses don't work since you have
no rules permitting access from loc->dmz using those addresses; you
rather are using DNAT rules for the public IP addresses. For the
12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
with Proxy ARP, the systems in the DMZ are known universally by ONE IP
address.

What subnet mask have you configured on the servers in the DMZ?

- -Tom

- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBWshrO/MAbZfjDLIRAl1gAJ9Ve8LquB9PdPsB6mFj21/Ckb+VZACgk2l1
bpc2vrRod5HwgE70gqtLSLw=
=vFmD
-----END PGP SIGNATURE-----
Thanks for your help. The dmz and loc subnet masks are both 255.255.255.0 (192.168.202.0/24 and 192.168.0.0/24). I know you are busy but I have provided a lengthy explanation of my error for the benefit of those who come after me.

This was a stupid error. I'll review the excellent documentation again. [I'm not sure how you could have made it more clear: quoting the Shorewall Setup Guide: "Just because connections of a particular type are allowed from zone A to the firewall and are also allowed from the firewall to zone B DOES NOT mean that these connections are allowed from zone A to zone B."] In my case, traffic from the loc to the firewall is permitted and the same traffic from the dmz to the loc is permitted, but shorewall will not magically conclude that traffic from the loc to the firewall is permitted.

My error comes from misunderstanding the relationship between rules and policies. I have a policy that says loc dmz ACCEPT. I thought that this would cover the connection initiated by the loc client. I misinterpreted the guide quoted here. [The Shorewall Setup Guide: This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies defined in /etc/shorewall/policy describe which zones are allowed to establish connections with other zones. Policies established in /etc/shorewall/policy can be viewed as default policies. If no rule in /etc/shorewall/rules applies to a particular connection request then the policy from /etc/shorewall/policy is applied.] I thought by getting a SYN packet originating on the loc client to the DMZ server that the policy would apply. I will go back and reread this to figure out this relationship.

Regarding proxy ARP, I would do the proxy ARP but couldn't figure out how to do it with only two public IP addresses. For me, having only two public IPs made my setup more like a standard configuration with a single IP address, with a parallel set of rules for each IP address on eth0 and eth0:1. If proxy ARP is the way to go, I'll burn down this setup in a heartbeat and start over. I understand that a bridge can work without an IP address since it works at the frame level, but I got lost when I was trying to use the Shorewall how-tos (this is not a criticism of the excellent quality of the documentation but an observation of my inability to apply them). All the ones I could find seemed to assume that the bridge had its own public IP address (I'm sorry if this is wrong; I really did read the documentation as best I could).

I am also trying to install logwatch with the hope that I will make the problems with my configuration more clear to me.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> rioguia@speakeasy.net wrote:
>> thanks again for your sharp eye and speedy response. i have corrected
>> the typos in the IP in the masq file. I am sorry to have to ask for
>> more help but my pc's on the local network can't reach the dmz
>> webserver using the webserver's local or Public IP address.
>
> It is not surprising that the local addresses don't work since you have
> no rules permitting access from loc->dmz using those addresses; you
> rather are using DNAT rules for the public IP addresses. For the
> 12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
> with Proxy ARP, the systems in the DMZ are known universally by ONE IP
> address.
>
> What subnet mask have you configured on the servers in the DMZ?
>
> - -Tom
> - --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBWshrO/MAbZfjDLIRAl1gAJ9Ve8LquB9PdPsB6mFj21/Ckb+VZACgk2l1
> bpc2vrRod5HwgE70gqtLSLw=
> =vFmD
> -----END PGP SIGNATURE-----
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Michael Worden
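The two points made above, Tom's "no rules permitting access from loc->dmz using those addresses" and the poster's reading of the Setup Guide on rules versus policies, come down to one evaluation order: the first matching line in /etc/shorewall/rules wins, and only when nothing matches is the zone-pair policy applied. The following is an added Python model of that order written for this thread; it is not Shorewall's code, and the matching it does is a simplification (only the first seven rule columns, service names resolved from a small table, REDIRECT treated like DNAT). The rule and policy lines are trimmed from the configuration posted above; the loc->dmz rule and policy added at the end are the two fixes being illustrated, not something the poster had.

```python
from dataclasses import dataclass

# Column order of /etc/shorewall/rules as posted in this thread:
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
SERVICE_PORTS = {"http": "80", "https": "443", "smtp": "25", "imap": "143",
                 "domain": "53", "ssh": "22"}


@dataclass(frozen=True)
class Conn:
    """A new connection request as the firewall sees it."""
    src_zone: str
    dst_zone: str   # zone of the address the client dialled ("fw" for a public alias on eth0)
    dst_ip: str
    proto: str
    dport: str


def port_of(name):
    return SERVICE_PORTS.get(name, name)


def _strip(line):
    return line.split("#", 1)[0].strip()


def parse_rules(text):
    """Rules as 7-tuples; short lines are padded with '-' like Shorewall's defaults."""
    rules = []
    for line in map(_strip, text.splitlines()):
        if line:
            cols = line.split()
            cols += ["-"] * (7 - len(cols))
            rules.append(tuple(cols[:7]))
    return rules


def parse_policy(text):
    """{(source zone, dest zone): action}; 'all' is the wildcard zone."""
    return {tuple(l.split()[:2]): l.split()[2]
            for l in map(_strip, text.splitlines()) if l}


def zone_matches(spec, zone, ip):
    """'dmz' matches the zone; 'dmz:192.168.202.7' also pins the host."""
    if spec == "all":
        return True
    z, _, host = spec.partition(":")
    return z == zone and (not host or host == ip)


def rule_matches(rule, conn):
    action, src, dst, proto, dport, _sport, odest = rule
    if not zone_matches(src, conn.src_zone, None):
        return False
    if proto != "-" and proto != conn.proto:
        return False
    if dport != "-" and port_of(dport) != port_of(conn.dport):
        return False
    if action in ("DNAT", "REDIRECT"):
        # NAT rules are keyed on the address the client dialled (ORIGINAL DEST);
        # '-' means "any address of the firewall itself" (simplified here).
        return conn.dst_zone == "fw" if odest == "-" else odest == conn.dst_ip
    return zone_matches(dst, conn.dst_zone, conn.dst_ip)


def decide(rules, policy, conn):
    """First matching rule wins; with no match the zone pair's policy applies."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule[0], "rule: " + " ".join(rule)
    pair = (conn.src_zone, conn.dst_zone)
    return policy.get(pair, policy.get(("all", "all"), "DROP")), "policy %s->%s" % pair


# Trimmed from the rules posted above: the web server is reachable only through
# DNAT of its public address.  The policy lines are a constructed sample.
RULES = """
DNAT    net   dmz:192.168.202.7   tcp   http   -   69.17.65.22
DNAT    loc   dmz:192.168.202.7   tcp   http   -   69.17.65.22
ACCEPT  loc   fw                  tcp   domain
"""
POLICY = """
loc   net   ACCEPT
loc   fw    ACCEPT
dmz   net   ACCEPT
all   all   DROP
"""
PUBLIC = Conn("loc", "fw", "69.17.65.22", "tcp", "80")      # loc PC dials the public IP
PRIVATE = Conn("loc", "dmz", "192.168.202.7", "tcp", "80")  # loc PC dials the private IP


def demo():
    rules, policy = parse_rules(RULES), parse_policy(POLICY)
    via_public = decide(rules, policy, PUBLIC)[0]    # the loc DNAT rule matches
    via_private = decide(rules, policy, PRIVATE)[0]  # no rule matches, no loc->dmz policy: DROP
    # Either fix makes the private address reachable: an explicit rule, or a policy.
    with_rule = decide(rules + parse_rules("ACCEPT loc dmz:192.168.202.7 tcp http"), policy, PRIVATE)[0]
    with_policy = decide(rules, parse_policy(POLICY + "loc dmz ACCEPT\n"), PRIVATE)[0]
    return via_public, via_private, with_rule, with_policy


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `("DNAT", "DROP", "ACCEPT", "ACCEPT")`: the DNAT rule only ever sees the public address in its ORIGINAL DEST column, so a SYN to 192.168.202.7 from loc falls all the way through to the default policy, which is exactly why the SYN reached the DMZ host in the poster's capture without the firewall having accepted the connection in any rule of its own.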
Thank you Tom for your post of September 29, 2004 in response to my request for help on accessing my dmz servers from the local network using their local private IP addresses. I appreciate your kind assistance. Your suggestion allowed me to correct the problem of accessing the dmz servers from the local network using their private IP addresses.

I still have one more problem before I can begin testing my DNS views for local name resolution. The problem is this: my mail server can receive but not send email when I use my current shorewall configuration on the firewall. When my firewall is "down," I connect the dmz server directly to the network connection. When I test the firewall, I move the server back behind the firewall and restart the services after changing the /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/named.conf and /etc/resolv.conf files. Now my domain name service works fine (dig, host, etc.) and my dnsreport.com results look fine. My mail server can receive mail but can't send it (my ISP has told me that ARP caching is not an issue). I have attached my status report.
My mail logs look like this:

Oct 6 21:01:53 testy postfix/master[11041]: daemon started -- version 2.1.0
Oct 6 21:01:53 testy postfix/qmgr[11043]: 88CE5386EE1: from=<mworden@substantis.com>, size=3977, nrcpt=1 (queue active)
Oct 6 21:01:53 testy postfix/qmgr[11043]: 4A612386EE6: from=<mworden@substantis.com>, size=826, nrcpt=1 (queue active)
Oct 6 21:01:53 testy postfix/qmgr[11043]: 207A1386EE5: from=<mworden@substantis.com>, size=823, nrcpt=1 (queue active)
Oct 6 21:03:53 testy postfix/smtp[11046]: 4A612386EE6: lost connection with mx1.hotmail.com[64.4.50.99] while receiving the initial SMTP greeting
Oct 6 21:03:53 testy postfix/smtp[11045]: 88CE5386EE1: lost connection with mail.cloud9.net[168.100.1.9] while receiving the initial SMTP greeting
Oct 6 21:03:54 testy postfix/smtp[11047]: 207A1386EE5: lost connection with mx4.hotmail.com[65.54.190.179] while receiving the initial SMTP greeting

My capture on the firewall's dmz interface looks like this:

5840 Len=0 MSS=1460
0.098251 168.100.1.3 -> 192.168.202.7 TCP smtp > 33920 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.098712 192.168.202.7 -> 168.100.1.3 TCP 33920 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.104736 168.100.1.3 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.105255 192.168.202.7 -> 168.100.1.3 TCP 33920 > smtp [ACK] Seq=1 Ack=26 Win=5840 Len=0
0.127214 65.54.252.99 -> 192.168.202.7 TCP smtp > 33918 [FIN, ACK] Seq=0 Ack=0 Win=5840 Len=0
0.154419 192.168.202.7 -> 65.54.252.99 TCP 33918 > smtp [FIN, ACK] Seq=0 Ack=1 Win=5840 Len=0
0.154618 65.54.252.99 -> 192.168.202.7 TCP smtp > 33918 [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.155717 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.155893 64.4.50.239 -> 192.168.202.7 TCP smtp > 33921 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.156307 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.168724 64.4.50.239 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.169263 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [ACK] Seq=1 Ack=26 Win=5840 Len=0

My rules are as follows:

####################################################################################################
#ACTION   SOURCE    DEST                  PROTO  DEST           SOURCE   ORIGINAL         RATE   USER/
#                                                PORT           PORT(S)  DEST             LIMIT  GROUP
ACCEPT    net       dmz                   icmp   echo-request   -        -                -      -
ACCEPT    net       loc                   icmp   echo-request   -        -                -      -
ACCEPT    dmz       loc                   icmp   echo-request   -        -                -      -
ACCEPT    loc       dmz                   icmp   echo-request   -        -                -      -
# FW acts as secondary DNS and Mail server to Primary DNS at 69.17.65.22 / 192.168.202.7
REDIRECT  net       53                    tcp    domain         -        !69.17.65.22     #TCP DNS FROM NET
ACCEPT    net       fw                    tcp    domain         -                         #TCP DNS FROM NET
# REDIRECT net      53                    udp    domain         -        !69.17.65.22     #UDP DNS FROM NET
ACCEPT    net       fw                    udp    domain         -        -                #UDP DNS FROM NET
# REDIRECT loc      53                    tcp    domain         -        !192.168.202.7   #TCP DNS FROM Local Network
ACCEPT    loc       fw                    tcp    domain         -        -                #TCP DNS FROM local
# REDIRECT loc      53                    udp    domain         -        !192.168.202.7   #UDP DNS FROM Local Network
ACCEPT    loc       fw                    udp    domain         -        -                #TCP DNS FROM Local Network
REDIRECT  net       22                    tcp    ssh            -        !69.17.65.22     #TCP DNS FROM NET
ACCEPT    net       fw                    tcp    ssh            -                         #TCP DNS FROM NET
# REDIRECT loc      22                    tcp    ssh            -        !192.168.202.7   #UDP DNS FROM NET
ACCEPT    loc       fw                    tcp    ssh            -        -                #UDP DNS FROM NET
# REDIRECT net      22                    tcp    smtp           -        !69.17.65.22
ACCEPT    net       fw                    tcp    smtp           -                         #Mail FROM Internet
# REDIRECT net      143                   tcp    imap           -        !69.17.65.22
ACCEPT    net       fw                    tcp    imap           -        -                #IMAP FROM
# REDIRECT dmz      22                    tcp    smtp           -        !192.168.202.7
ACCEPT    dmz       fw                    tcp    smtp           -                         #Mail FROM Internet
# REDIRECT dmz      143                   tcp    imap           -        !192.168.202.7
ACCEPT    dmz       fw                    tcp    imap           -        -                #IMAP FROM Internet
# Server No. 1 smtp / imap
DNAT      net       dmz:192.168.202.7     tcp    smtp           -        69.17.65.22      #Mail FROM Internet
DNAT      net       dmz:192.168.202.7     tcp    imap           -        69.17.65.22      #IMAP FROM Internet
DNAT      loc       dmz:192.168.202.7     tcp    smtp           -        69.17.65.22      #Mail FROM local Network
DNAT      loc       dmz:192.168.202.7     tcp    imap           -        69.17.65.22      #IMAP FROM local Network
DNAT      loc       dmz:192.168.202.7     tcp    imap           -        69.17.65.22      #IMAP FROM local Network
ACCEPT    dmz:192.168.202.7  net          tcp    smtp           -        -                #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.7  net          tcp    imap           -        -                #Mail to the Firewall
ACCEPT    dmz:192.168.202.7  loc          tcp    smtp           -        -                #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.7  loc          tcp    imap           -        -                #Mail to the Firewall
# Server No. 1 http / https
DNAT      net       dmz:192.168.202.7     tcp    http           -        69.17.65.22      #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  net          tcp    http           -        -                #WWW FROM DMZ Internet
DNAT      loc       dmz:192.168.202.7     tcp    http           -        69.17.65.22      #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  loc          tcp    http           -        -                #WWW TO Internet
DNAT      fw        dmz:192.168.202.7     tcp    http           -        69.17.65.22      #Secure WWW FROM Internet
ACCEPT    dmz:192.168.202.7  fw           tcp    http           -        -                #Secure WWW TO Internet
# Server No. 1 DNS
DNAT      net       dmz:192.168.202.7     tcp    domain         -        69.17.65.22      #WWW FROM Internet
DNAT      net       dmz:192.168.202.7     udp    domain         -        69.17.65.22      #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  net          tcp    domain         -        -                #WWW FROM DMZ Internet
ACCEPT    dmz:192.168.202.7  net          udp    domain         -        -                #WWW FROM DMZ Internet
DNAT      loc       dmz:192.168.202.7     tcp    domain         -        69.17.65.22      #WWW FROM Internet
DNAT      loc       dmz:192.168.202.7     udp    domain         -        69.17.65.22      #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  loc          tcp    domain         -        -                #WWW TO Internet
ACCEPT    dmz:192.168.202.7  loc          tcp    domain         -        -                #WWW TO Internet
ACCEPT    dmz:192.168.202.7  loc          udp    domain         -        -                #WWW TO Internet
DNAT      fw        dmz:192.168.202.7     tcp    domain         -        69.17.65.22      #Secure WWW FROM Internet
DNAT      fw        dmz:192.168.202.7     udp    domain         -        69.17.65.22      #Secure WWW FROM Internet
ACCEPT    dmz:192.168.202.7  fw           tcp    domain         -        -                #Secure WWW TO Internet
ACCEPT    dmz:192.168.202.7  fw           udp    domain         -        -                #Secure WWW TO Internet
#SERVER NO.2
DNAT      net       dmz:192.168.202.8     tcp    smtp           -        69.17.65.161     #Mail FROM Internet
DNAT      net       dmz:192.168.202.8     tcp    imap           -        69.17.65.161     #IMAP FROM Internet
DNAT      loc       dmz:192.168.202.8     tcp    smtp           -        69.17.65.161     #Mail FROM local Network
DNAT      loc       dmz:192.168.202.8     tcp    imap           -        69.17.65.161     #IMAP FROM local Network
DNAT      fw        dmz:192.168.202.8     tcp    smtp           -        69.17.65.161     #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.8  net          tcp    smtp           -        -                #Mail to the Firewall
DNAT      net       dmz:192.168.202.8     tcp    http           -        69.17.65.161     #WWW FROM Internet
DNAT      net       dmz:192.168.202.8     tcp    https          -        69.17.65.161     #Secure WWW FROM Internet
DNAT      loc       dmz:192.168.202.8     tcp    https          -        69.17.65.161     #Secure WWW FROM local Network
ACCEPT    dmz:192.168.202.8  net          tcp    https          -        -                #Secure WWW Internet Network

> -----Original Message-----
> From: Michael Worden [mailto:mworden@substantis.com]
> Sent: Wednesday, September 29, 2004 05:35 PM
> To: 'Mailing List for Shorewall Users'
> Subject: Re: [Shorewall-users] start error]
>
> thanks for your help. the dmz and loc subnet mask are both 255.255.255.0
> (192.168.202.0/24 and 192.168.0.0/24).
> i know you are busy but i have
> provided a lengthy explanation of my error for the benefit of those who
> come after me.
>
> this was a stupid error. i'll review the excellent documentation again.
> [I'm not sure how you could have made it more clear: Quoting the Shorewall
> Setup Guide: "Just because connections of a particular type are allowed
> from zone A to the firewall and are also allowed from the firewall to zone
> B DOES NOT mean that these connections are allowed from zone A to zone B."
> ] In my case, traffic from the loc to the firewall is permitted and the
> same traffic from the dmz to the loc is permitted, but shorewall will not
> magically conclude that traffic from the loc to the firewall is permitted.
>
> my error comes from misunderstanding the relationship between rules and
> policies. i have a policy that says loc dmz ACCEPT. I
> thought that this would cover the connection initiated by the loc client.
> I misinterpreted the guide quoted here. [The Shorewall Setup Guide: This
> file is used to describe the firewall policy regarding establishment of
> connections. Connection establishment is described in terms of clients who
> initiate connections and servers who receive those connection requests.
> Policies defined in /etc/shorewall/policy describe which zones are allowed
> to establish connections with other zones. Policies established in
> /etc/shorewall/policy can be viewed as default policies. If no rule in
> /etc/shorewall/rules applies to a particular connection request then the
> policy from /etc/shorewall/policy is applied.] I thought by getting a SYN
> packet originating on the loc client to DMZ server that the policy would
> apply. i will go back and reread this to figure out this relationship.
>
> regarding proxy arp, i would do the proxy arp but couldn't figure out how
> to do it with only two public IP addresses. For me, having only two public
> IP's, made my set up more like a standard configuration with a single IP
> address with a parallel set of rules for each IP address on eth0 and
> eth0:1. if proxy arp is the way to go, i'll burn down this set up in a
> heart beat and start over. i understand that a bridge can work without an
> ip address since it works at the frame level but i got lost when i was
> trying to use the shorewall how-to's (this is not a criticism of the
> excellent quality of the documentation but an observation of my inability
> to apply them). All the ones i could find, seemed to assume that the
> bridge had its own public ip address (i'm sorry if this is wrong; i really
> did read the documentation as best i could). i am also trying to install
> logwatch with the hope that i will make the problems with my configuration
> more clear to me.
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > rioguia@speakeasy.net wrote:
> >> thanks again for your sharp eye and speedy response. i have corrected
> >> the typos in the IP in the masq file. I am sorry to have to ask for
> >> more help but my pc's on the local network can't reach the dmz
> >> webserver using the webserver's local or Public IP address.
> >
> > It is not surprising that the local addresses don't work since you have
> > no rules permitting access from loc->dmz using those addresses; you
> > rather are using DNAT rules for the public IP addresses. For the
> > 12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
> > with Proxy ARP, the systems in the DMZ are known universally by ONE IP
> > address.
> >
> > What subnet mask have you configured on the servers in the DMZ?
> >
> > - -Tom
> > - --
> > Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,     \ http://shorewall.net
> > Washington USA  \ teastep@shorewall.net
> > PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.6 (GNU/Linux)
> > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> >
> > iD8DBQFBWshrO/MAbZfjDLIRAl1gAJ9Ve8LquB9PdPsB6mFj21/Ckb+VZACgk2l1
> > bpc2vrRod5HwgE70gqtLSLw=
> > =vFmD
> > -----END PGP SIGNATURE-----
>
> --
> Michael Worden
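Two things in the message above can be checked mechanically rather than by eye: Postfix reports "lost connection ... while receiving the initial SMTP greeting", and the Ethereal capture shows that what arrived on those port-25 connections was an SSH banner (SSH-1.99-OpenSSH_3.6.1p2), with the SYN/ACK from 64.4.50.239 coming back 176 microseconds after the SYN. A real MX greets with a 220 reply and cannot answer a handshake across the Internet in under a millisecond, so both observations say the connection was answered by something on the local path rather than by the remote mail server. The following Python script is an added example written for this thread, not a Shorewall or Postfix tool; its sample input is a trimmed copy of the log and capture lines quoted above, and the one-millisecond handshake threshold is an assumption.

```python
import re

# Constructed sample input: trimmed copies of the Postfix log and the Ethereal
# capture posted above (two failed deliveries, one complete handshake).
LOG = """\
Oct 6 21:03:53 testy postfix/smtp[11046]: 4A612386EE6: lost connection with mx1.hotmail.com[64.4.50.99] while receiving the initial SMTP greeting
Oct 6 21:03:53 testy postfix/smtp[11045]: 88CE5386EE1: lost connection with mail.cloud9.net[168.100.1.9] while receiving the initial SMTP greeting
"""

CAPTURE = """\
0.104736 168.100.1.3 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.155717 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.155893 64.4.50.239 -> 192.168.202.7 TCP smtp > 33921 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.168724 64.4.50.239 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
"""

LOG_RE = re.compile(r"lost connection with (\S+)\[([\d.]+)\] while receiving the initial SMTP greeting")
PKT_RE = re.compile(r"^([\d.]+) ([\d.]+) -> ([\d.]+) (.*)$")
SYN_RE = re.compile(r"TCP (\d+) > smtp \[SYN\]")
SYNACK_RE = re.compile(r"TCP smtp > (\d+) \[SYN, ACK\]")
BANNER_RE = re.compile(r"SMTP Response: (.*)$")

LOCAL_HANDSHAKE_MS = 1.0   # assumed threshold: faster than this cannot be an Internet round trip


def failed_greetings(log):
    """Remote MX hosts Postfix gave up on before any greeting arrived: {ip: name}."""
    found = {}
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            found[m.group(2)] = m.group(1)
    return found


def classify_banner(banner):
    """An SMTP server opens with a 220 reply; any other first line means the
    socket was answered by a different service."""
    if banner.startswith("220"):
        return "smtp"
    if banner.startswith("SSH-"):
        return "ssh"
    return "unknown"


def analyse_capture(capture):
    """Per remote IP: which service answered on port 25 and, where the handshake
    is in the capture, the SYN -> SYN/ACK delay in milliseconds."""
    syn_time = {}   # (remote_ip, client_port) -> timestamp of the SYN
    result = {}
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, src, dst, rest = float(m.group(1)), m.group(2), m.group(3), m.group(4)
        s = SYN_RE.search(rest)
        if s:
            syn_time[(dst, s.group(1))] = ts
            continue
        sa = SYNACK_RE.search(rest)
        if sa and (src, sa.group(1)) in syn_time:
            delay = (ts - syn_time[(src, sa.group(1))]) * 1000
            result.setdefault(src, {})["handshake_ms"] = round(delay, 3)
            continue
        b = BANNER_RE.search(rest)
        if b:
            result.setdefault(src, {})["answered_by"] = classify_banner(b.group(1))
    return result


def findings(log, capture):
    """Plain-language list of what the two sources show."""
    out = []
    for ip, name in failed_greetings(log).items():
        out.append("log: no SMTP greeting ever arrived from %s (%s)" % (name, ip))
    for ip, info in analyse_capture(capture).items():
        if info.get("answered_by") not in (None, "smtp"):
            out.append("capture: port 25 at %s answered by an %s service" % (ip, info["answered_by"]))
        if info.get("handshake_ms", float("inf")) < LOCAL_HANDSHAKE_MS:
            out.append("capture: SYN/ACK from %s in %.3f ms, i.e. completed on the local path"
                       % (ip, info["handshake_ms"]))
    return out


if __name__ == "__main__":
    for line in findings(LOG, CAPTURE):
        print(line)
```

The check is deliberately protocol-level rather than firewall-specific: whatever the cause, an outbound port-25 flow whose first server line is not a 220 reply has not reached a mail server, and a sub-millisecond SYN/ACK was generated by a device on the local segment, so the two tests together tell a reader where to look before touching the rules file.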