Thanks again for your sharp eye and speedy response. I have corrected the typos
in the IP in the masq file. I am sorry to have to ask for more help but my
PCs on the local network can't reach the DMZ webserver using
the webserver's local or public IP address. I need to be able to do
this in order to test the split DNS setup for the network. Using Ethereal on
the firewall, I can see the packets going from the local PC to the DMZ server.
Using IPTraf on the DMZ server, I can see the SYN packet hit the DMZ server but
I never see an ACK packet returned. This server works flawlessly from the
internet (net zone) so I don't think it's a server-side firewall or
routing issue. I have copied my rules and masq files
below and have attached the shorewall status report as "test." Thank
you for any help you can offer.
masq file:
#INTERFACE SUBNET ADDRESS PROTO PORT(S)
eth0 192.168.202.7/32 69.17.65.22
eth0:1 192.168.202.8/32 69.17.65.161
eth0:1 192.168.0.0/29 69.17.65.161
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
rules file:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net dmz icmp echo-request - - - -
ACCEPT net loc icmp echo-request - - - -
ACCEPT dmz loc icmp echo-request - - - -
ACCEPT loc dmz icmp echo-request - - - -
# FW acts as secondary DNS and Mail server to Primary DNS at 69.17.65.22 / 192.168.202.7
REDIRECT net 53 tcp domain - !69.17.65.22 #TCP DNS FROM NET
ACCEPT net fw tcp domain - #TCP DNS FROM NET
REDIRECT net 53 udp domain - !69.17.65.22 #UDP DNS FROM NET
ACCEPT net fw udp domain - - #UDP DNS FROM NET
REDIRECT loc 53 tcp domain - !192.168.202.7 #TCP DNS FROM Local Network
ACCEPT loc fw tcp domain - - #TCP DNS FROM Local Network
REDIRECT loc 53 udp domain - !192.168.202.7 #UDP DNS FROM Local Network
ACCEPT loc fw udp domain - - #UDP DNS FROM Local Network
REDIRECT dmz 53 tcp domain - !192.168.202.7 #TCP DNS FROM DMZ
ACCEPT dmz fw tcp domain - - #TCP DNS FROM DMZ
REDIRECT dmz 53 udp domain - !192.168.202.7 #UDP DNS FROM DMZ
ACCEPT dmz fw udp domain - - #UDP DNS FROM
REDIRECT net 22 tcp ssh - !69.17.65.22 #TCP DNS FROM NET
ACCEPT net fw tcp ssh - #TCP DNS FROM NET
REDIRECT loc 22 tcp ssh - !69.17.65.22 #UDP DNS FROM NET
ACCEPT net fw tcp ssh - - #UDP DNS FROM NET
REDIRECT loc 22 tcp ssh - !192.168.202.7 #TCP DNS FROM Local Network
ACCEPT loc fw tcp domain - - #TCP DNS FROM Local Network
#DMZ
REDIRECT net 22 tcp smtp - !69.17.65.22
ACCEPT net fw tcp smtp - #Mail FROM Internet
REDIRECT net 22 tcp imap - !69.17.65.22
ACCEPT net fw tcp imap - - #IMAP FROM
REDIRECT dmz 22 tcp smtp - !192.168.202.7
ACCEPT dmz fw tcp smtp - #Mail FROM Internet
REDIRECT dmz 22 tcp imap - !192.168.202.7
ACCEPT dmz fw tcp imap - - #IMAP FROM Internet
# Server No. 1 imap / smtp / dns / http / https / domain
DNAT net dmz:192.168.202.7 tcp smtp - 69.17.65.22 #Mail FROM Internet
DNAT net dmz:192.168.202.7 tcp imap - 69.17.65.22 #IMAP FROM Internet
DNAT loc dmz:192.168.202.7 tcp smtp - 69.17.65.22 #Mail FROM local Network
DNAT loc dmz:192.168.202.7 tcp imap - 69.17.65.22 #IMAP FROM local Network
DNAT fw dmz:192.168.202.7 tcp smtp - 69.17.65.22 #Mail FROM the Firewall
ACCEPT dmz:192.168.202.7 net tcp smtp - - #Mail to the Firewall
DNAT net dmz:192.168.202.7 tcp http - 69.17.65.22 #WWW FROM Internet
ACCEPT dmz:192.168.202.7 net tcp http - - #WWW FROM DMZ To Local net
# ACCEPT loc fw
# ACCEPT loc dmz
# ACCEPT dmz fw
# AllowHTTP dmz fw
# AllowHTTP fw dmz
#Internet
DNAT loc dmz:192.168.202.7 tcp http - 69.17.65.22 #WWW FROM Internet
ACCEPT dmz:192.168.202.7 loc tcp http - - #WWW TO Internet
DNAT fw dmz:192.168.202.7 tcp http - 69.17.65.22 #Secure WWW FROM Internet
ACCEPT dmz:192.168.202.7 fw tcp https - - #Secure WWW TO Internet
#
DNAT net dmz:192.168.202.7 udp domain - 69.17.65.22 #UDP DNS FROM Internet
DNAT net dmz:192.168.202.7 tcp domain - 69.17.65.22 #TCP DNS FROM Internet
DNAT loc dmz:192.168.202.7 udp domain - 69.17.65.22 #UDP DNS FROM Local Network
DNAT loc dmz:192.168.202.7 tcp domain - 69.17.65.22 #TCP DNS FROM Local Network
DNAT fw dmz:192.168.202.7 udp domain - 69.17.65.22 #UDP DNS FROM
DNAT fw dmz:192.168.202.7 udp domain - 69.17.65.22 #UDP DNS FROM the Firewall
DNAT fw dmz:192.168.202.7 tcp domain - 69.17.65.22 #TCP DNS FROM the Firewall
ACCEPT dmz:192.168.202.7 net udp domain - - #UDP DNS to the Internet
ACCEPT dmz:192.168.202.7 net tcp domain - - #TCP DNS to the Internet
ACCEPT loc dmz tcp ssh - - #SSH to the DMZ
ACCEPT net fw tcp ssh - - #SSH to the Firewall
DNAT net dmz:192.168.202.8 tcp smtp - 69.17.65.161 #Mail FROM Internet
DNAT net dmz:192.168.202.8 tcp imap - 69.17.65.161 #IMAP FROM Internet
DNAT loc dmz:192.168.202.8 tcp smtp - 69.17.65.161 #Mail FROM local Network
DNAT loc dmz:192.168.202.8 tcp imap - 69.17.65.161 #IMAP FROM local Network
DNAT fw dmz:192.168.202.8 tcp smtp - 69.17.65.161 #Mail FROM the Firewall
ACCEPT dmz:192.168.202.8 net tcp smtp - - #Mail to the Firewall
DNAT net dmz:192.168.202.8 tcp http - 69.17.65.161 #WWW FROM Internet
DNAT net dmz:192.168.202.8 tcp https - 69.17.65.161 #Secure WWW FROM Internet
DNAT loc dmz:192.168.202.8 tcp https - 69.17.65.161 #Secure WWW FROM local Network
ACCEPT dmz:192.168.202.8 net tcp https - - #Secure WWW TO
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Saturday, September 25, 2004 10:09 PM
> To: rioguia@speakeasy.net
> Subject: [Fwd: Re: [Shorewall-users] start error]
>
> - -------- Original Message --------
> Subject: Re: [Shorewall-users] start error
> Date: Sat, 25 Sep 2004 15:08:13 -0700
> From: Tom Eastep <teastep@shorewall.net>
> To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
> References: <200409251426.12076.rioguia@speakeasy.net>
>
> rioguia@speakeasy.net wrote:
> | Thank you for your kind help. Your solution (for the incorrect IP addresses
> | in my rules) allowed the firewall to load and to route most of my traffic
> | correctly. I am having a difficult time resolving how to approach the final
> | problems.
> |
> | To briefly recap my prior posts, I am setting up a firewall with two IP
> | addresses using the Shorewall guide for more than one IP address and IP
> | aliasing. My primary server in the DMZ gets DNAT / SNAT for
> | public IP address 69.17.65.22 to local address 192.168.202.7/32. My
> | secondary server in the DMZ and the PCs on the local network get DNAT /
> | SNAT for 69.17.65.161 for local addresses 192.168.202.8/32 and
> | 192.168.0.0/24.
> |
> | I have two specific problems. First, I have a working mail server that can
> | receive email from behind the firewall but cannot deliver mail outside the
> | firewall. The mail log (attached) shows that the mail server resolves the
> | correct external address but then indicates that the connection "timed out."
> |
> | Second, none of my dmz or loc computers can use a browser to reach the
> | internet (I can browse to the local IP address of the dmz servers however).
> |
> | I have tried changing the rules and masq to do one-to-one NAT for the server
> | and have tried several DNS approaches to solve the problem (making the
> | firewall a caching firewall for the local PCs and using my ISP's DNS
> | servers for resolution) but I have had no success. Could someone take a look
> | at my shorewall status file and give me some pointers?
>
> Carefully check each entry in your /etc/shorewall/masq file -- not one
> of the three is correct.
>
> - -Tom
>
>
> - --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
rioguia@speakeasy.net wrote:
> thanks again for your sharp eye and speedy response. i have corrected
> the typos in the IP in the masq file. I am sorry to have to ask for
> more help but my pc's on the local network can't reach the dmz
> webserver using the webserver's local or Public IP address.

It is not surprising that the local addresses don't work since you have
no rules permitting access from loc->dmz using those addresses; you
rather are using DNAT rules for the public IP addresses. For the
12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
with Proxy ARP, the systems in the DMZ are known universally by ONE IP
address.

What subnet mask have you configured on the servers in the DMZ?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Thanks for your help. The dmz and loc subnet masks are both 255.255.255.0
(192.168.202.0/24 and 192.168.0.0/24). I know you are busy but I have
provided a lengthy explanation of my error for the benefit of those who
come after me.

This was a stupid error. I'll review the excellent documentation again.
[I'm not sure how you could have made it more clear. Quoting the Shorewall
Setup Guide: "Just because connections of a particular type are allowed
from zone A to the firewall and are also allowed from the firewall to zone
B DOES NOT mean that these connections are allowed from zone A to zone B."]
In my case, traffic from the loc to the firewall is permitted and the
same traffic from the dmz to the loc is permitted, but Shorewall will not
magically conclude that traffic from the loc to the firewall is permitted.

My error comes from misunderstanding the relationship between rules and
policies. I have a policy that says loc dmz ACCEPT. I thought that this
would cover the connection initiated by the loc client. I misinterpreted
the guide quoted here. [The Shorewall Setup Guide: "This file is used to
describe the firewall policy regarding establishment of connections.
Connection establishment is described in terms of clients who initiate
connections and servers who receive those connection requests. Policies
defined in /etc/shorewall/policy describe which zones are allowed to
establish connections with other zones. Policies established in
/etc/shorewall/policy can be viewed as default policies. If no rule in
/etc/shorewall/rules applies to a particular connection request then the
policy from /etc/shorewall/policy is applied."] I thought by getting a SYN
packet originating on the loc client to the DMZ server that the policy
would apply. I will go back and reread this to figure out this relationship.

Regarding proxy ARP, I would do the proxy ARP but couldn't figure out how
to do it with only two public IP addresses. For me, having only two public
IPs made my setup more like a standard configuration with a single IP
address, with a parallel set of rules for each IP address on eth0 and
eth0:1. If proxy ARP is the way to go, I'll burn down this setup in a
heartbeat and start over. I understand that a bridge can work without an
IP address since it works at the frame level, but I got lost when I was
trying to use the Shorewall how-tos (this is not a criticism of the
excellent quality of the documentation but an observation of my inability
to apply them). All the ones I could find seemed to assume that the bridge
had its own public IP address (I'm sorry if this is wrong; I really did
read the documentation as best I could). I am also trying to install
logwatch with the hope that I will make the problems with my configuration
more clear to me.

> rioguia@speakeasy.net wrote:
>> thanks again for your sharp eye and speedy response. i have corrected
>> the typos in the IP in the masq file. I am sorry to have to ask for
>> more help but my pc's on the local network can't reach the dmz
>> webserver using the webserver's local or Public IP address.
>
> It is not surprising that the local addresses don't work since you have
> no rules permitting access from loc->dmz using those addresses; you
> rather are using DNAT rules for the public IP addresses. For the
> 12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
> with Proxy ARP, the systems in the DMZ are known universally by ONE IP
> address.
>
> What subnet mask have you configured on the servers in the DMZ?
>
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
> PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Michael Worden
Thank you Tom for your post of September 29, 2004 in response to my request for
help on accessing my DMZ servers from the local network using their local
private IP addresses. I appreciate your kind assistance.
Your suggestion allowed me to correct the problem of accessing the DMZ servers
from the local network using their private IP addresses. I still have one more
problem before I can begin testing my DNS views for local name resolution.
The problem is this. My mail server can receive but not send email when I use my
current shorewall configuration on the firewall. When my firewall is
"down," I connect the DMZ server directly to the network connection.
When I test the firewall, I move the server back behind the firewall and restart
the services after changing the /etc/sysconfig/network-scripts/ifcfg-eth0,
/etc/named.conf and /etc/resolv.conf files. Now my domain name service works
fine (dig, host, etc.) and my dnsreport.com results look fine. My mail server
can receive mail but can't send it (my ISP has told me that ARP caching
is not an issue). I have attached my status report.
my mail logs look like this:
Oct 6 21:01:53 testy postfix/master[11041]: daemon started -- version 2.1.0
Oct 6 21:01:53 testy postfix/qmgr[11043]: 88CE5386EE1: from=<mworden@substantis.com>, size=3977, nrcpt=1 (queue active)
Oct 6 21:01:53 testy postfix/qmgr[11043]: 4A612386EE6: from=<mworden@substantis.com>, size=826, nrcpt=1 (queue active)
Oct 6 21:01:53 testy postfix/qmgr[11043]: 207A1386EE5: from=<mworden@substantis.com>, size=823, nrcpt=1 (queue active)
Oct 6 21:03:53 testy postfix/smtp[11046]: 4A612386EE6: lost connection with mx1.hotmail.com[64.4.50.99] while receiving the initial SMTP greeting
Oct 6 21:03:53 testy postfix/smtp[11045]: 88CE5386EE1: lost connection with mail.cloud9.net[168.100.1.9] while receiving the initial SMTP greeting
Oct 6 21:03:54 testy postfix/smtp[11047]: 207A1386EE5: lost connection with mx4.hotmail.com[65.54.190.179] while receiving the initial SMTP greeting
my capture on the firewall's dmz interface looks like this:
5840 Len=0 MSS=1460
0.098251 168.100.1.3 -> 192.168.202.7 TCP smtp > 33920 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.098712 192.168.202.7 -> 168.100.1.3 TCP 33920 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.104736 168.100.1.3 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.105255 192.168.202.7 -> 168.100.1.3 TCP 33920 > smtp [ACK] Seq=1 Ack=26 Win=5840 Len=0
0.127214 65.54.252.99 -> 192.168.202.7 TCP smtp > 33918 [FIN, ACK] Seq=0 Ack=0 Win=5840 Len=0
0.154419 192.168.202.7 -> 65.54.252.99 TCP 33918 > smtp [FIN, ACK] Seq=0 Ack=1 Win=5840 Len=0
0.154618 65.54.252.99 -> 192.168.202.7 TCP smtp > 33918 [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.155717 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.155893 64.4.50.239 -> 192.168.202.7 TCP smtp > 33921 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.156307 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.168724 64.4.50.239 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.169263 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [ACK] Seq=1 Ack=26 Win=5840 Len=0
my rules are as follows:
####################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net dmz icmp echo-request - - - -
ACCEPT net loc icmp echo-request - - - -
ACCEPT dmz loc icmp echo-request - - - -
ACCEPT loc dmz icmp echo-request - - - -
# FW acts as secondary DNS and Mail server to Primary DNS at 69.17.65.22 / 192.168.202.7
REDIRECT net 53 tcp domain - !69.17.65.22 #TCP DNS FROM NET
ACCEPT net fw tcp domain - #TCP DNS FROM NET
#
REDIRECT net 53 udp domain - !69.17.65.22 #UDP DNS FROM NET
ACCEPT net fw udp domain - - #UDP DNS FROM NET
#
REDIRECT loc 53 tcp domain - !192.168.202.7 #TCP DNS FROM Local Network
ACCEPT loc fw tcp domain - - #TCP DNS FROM local
#
REDIRECT loc 53 udp domain - !192.168.202.7 #UDP DNS FROM Local Network
ACCEPT loc fw udp domain - - #TCP DNS FROM Local Network
REDIRECT net 22 tcp ssh - !69.17.65.22 #TCP DNS FROM NET
ACCEPT net fw tcp ssh - #TCP DNS FROM NET
#
REDIRECT loc 22 tcp ssh - !192.168.202.7 #UDP DNS FROM NET
ACCEPT loc fw tcp ssh - - #UDP DNS FROM NET
#
REDIRECT net 22 tcp smtp - !69.17.65.22
ACCEPT net fw tcp smtp - #Mail FROM Internet
#
REDIRECT net 143 tcp imap - !69.17.65.22
ACCEPT net fw tcp imap - - #IMAP FROM
#
REDIRECT dmz 22 tcp smtp - !192.168.202.7
ACCEPT dmz fw tcp smtp - #Mail FROM Internet
#
REDIRECT dmz 143 tcp imap - !192.168.202.7
ACCEPT dmz fw tcp imap - - #IMAP FROM Internet
# Server No. 1 smtp / imap
DNAT net dmz:192.168.202.7 tcp smtp - 69.17.65.22 #Mail FROM Internet
DNAT net dmz:192.168.202.7 tcp imap - 69.17.65.22 #IMAP FROM Internet
DNAT loc dmz:192.168.202.7 tcp smtp - 69.17.65.22 #Mail FROM local Network
DNAT loc dmz:192.168.202.7 tcp imap - 69.17.65.22 #IMAP FROM local Network
DNAT loc dmz:192.168.202.7 tcp imap - 69.17.65.22 #IMAP FROM local Network
ACCEPT dmz:192.168.202.7 net tcp smtp - - #Mail FROM the Firewall
ACCEPT dmz:192.168.202.7 net tcp imap - - #Mail to the Firewall
ACCEPT dmz:192.168.202.7 loc tcp smtp - - #Mail FROM the Firewall
ACCEPT dmz:192.168.202.7 loc tcp imap - - #Mail to the Firewall
# Server No. 1 http / https
DNAT net dmz:192.168.202.7 tcp http - 69.17.65.22 #WWW FROM Internet
ACCEPT dmz:192.168.202.7 net tcp http - - #WWW FROM DMZ Internet
DNAT loc dmz:192.168.202.7 tcp http - 69.17.65.22 #WWW FROM Internet
ACCEPT dmz:192.168.202.7 loc tcp http - - #WWW TO Internet
DNAT fw dmz:192.168.202.7 tcp http - 69.17.65.22 #Secure WWW FROM Internet
ACCEPT dmz:192.168.202.7 fw tcp http - - #Secure WWW TO Internet
# Server No. 1 DNS
DNAT net dmz:192.168.202.7 tcp domain - 69.17.65.22 #WWW FROM Internet
DNAT net dmz:192.168.202.7 udp domain - 69.17.65.22 #WWW FROM Int
ACCEPT dmz:192.168.202.7 net tcp domain - - #WWW FROM DMZ Internet
ACCEPT dmz:192.168.202.7 net udp domain - - #WWW FROM DMZ Internet
DNAT loc dmz:192.168.202.7 tcp domain - 69.17.65.22 #WWW FROM Internet
DNAT loc dmz:192.168.202.7 udp domain - 69.17.65.22 #WWW FROM Interne
ACCEPT dmz:192.168.202.7 loc tcp domain - - #WWW TO Internet
ACCEPT dmz:192.168.202.7 loc tcp domain - - #WWW TO Internet
ACCEPT dmz:192.168.202.7 loc udp domain - - #WWW TO Internet
DNAT fw dmz:192.168.202.7 tcp domain - 69.17.65.22 #Secure WWW FROM Internet
DNAT fw dmz:192.168.202.7 udp domain - 69.17.65.22 #Secure WWW FROM Internet
ACCEPT dmz:192.168.202.7 fw tcp domain - - #Secure WWW TO Internet
ACCEPT dmz:192.168.202.7 fw udp domain - - #Secure WWW TO Internet
#SERVER NO.2
DNAT net dmz:192.168.202.8 tcp smtp - 69.17.65.161 #Mail FROM Internet
DNAT net dmz:192.168.202.8 tcp imap - 69.17.65.161 #IMAP FROM Internet
DNAT loc dmz:192.168.202.8 tcp smtp - 69.17.65.161 #Mail FROM local Network
DNAT loc dmz:192.168.202.8 tcp imap - 69.17.65.161 #IMAP FROM local Network
DNAT fw dmz:192.168.202.8 tcp smtp - 69.17.65.161 #Mail FROM the Firewall
ACCEPT dmz:192.168.202.8 net tcp smtp - - #Mail to the Firewall
DNAT net dmz:192.168.202.8 tcp http - 69.17.65.161 #WWW FROM Internet
DNAT net dmz:192.168.202.8 tcp https - 69.17.65.161 #Secure WWW FROM Internet
DNAT loc dmz:192.168.202.8 tcp https - 69.17.65.161 #Secure WWW FROM local Network
ACCEPT dmz:192.168.202.8 net tcp https - - #Secure WWW Internet Network
> -----Original Message-----
> From: Michael Worden [mailto:mworden@substantis.com]
> Sent: Wednesday, September 29, 2004 05:35 PM
> To: 'Mailing List for Shorewall Users'
> Subject: Re: [Shorewall-users] start error]
>
> thanks for your help. the dmz and loc subnet mask are both 255.255.255.0
> (192.168.202.0/24 and 192.168.0.0/24). i know you are busy but i have
> provided a lengthy explanation of my error for the benefit of those who
> come after me.
>
> this was a stupid error. i'll review the excellent documentation again.
> [I'm not sure how you could have made it more clear: Quoting the Shorewall
> Setup Guide: "Just because connections of a particular type are allowed
> from zone A to the firewall and are also allowed from the firewall to zone
> B DOES NOT mean that these connections are allowed from zone A to zone B."
> ] In my case, traffic from the loc to the firewall is permitted and the
> same traffic from the dmz to the loc is permitted, but shorewall will not
> magically conclude that traffic from the loc to the firewall is permitted.
>
> my error comes from misunderstanding the relationship between rules and
> policies. i have a policy that says loc dmz ACCEPT. I
> thought that this would cover the connection initiated by the loc client.
> I misinterpreted the guide quoted here. [The Shorewall Setup Guide: This
> file is used to describe the firewall policy regarding establishment of
> connections. Connection establishment is described in terms of clients who
> initiate connections and servers who receive those connection requests.
> Policies defined in /etc/shorewall/policy describe which zones are allowed
> to establish connections with other zones. Policies established in
> /etc/shorewall/policy can be viewed as default policies. If no rule in
> /etc/shorewall/rules applies to a particular connection request then the
> policy from /etc/shorewall/policy is applied.] I thought by getting a SYN
> packet originating on the loc client to DMZ server that the policy would
> apply. i will go back and reread this to figure out this relationship.
>
> regarding proxy arp, i would do the proxy arp but couldn't figure out how
> to do it with only two public IP addresses. For me, having only two public
> IP's, made my set up more like a standard configuration with a single IP
> address with a parallel set of rules for each IP address on eth0 and
> eth0:1. if proxy arp is the way to go, i'll burn down this set up in a
> heart beat and start over. i understand that a bridge can work without an
> ip address since it works at the frame level but i got lost when i was
> trying to use the shorewall how-to's (this is not a criticism of the
> excellent quality of the documentation but an observation of my inability
> to apply them). All the ones i could find, seemed to assume that the
> bridge had its own public ip address (i'm sorry if this is wrong; i really
> did read the documentation as best i could). i am also trying to install
> logwatch with the hope that i will make the problems with my configuration
> more clear to me.
>
> >
> > rioguia@speakeasy.net wrote:
> >> thanks again for your sharp eye and speedy response. i have corrected
> >> the typos in the IP in the masq file. I am sorry to have to ask for
> >> more help but my pc's on the local network can't reach the dmz
> >> webserver using the webserver's local or Public IP address.
> >
> > It is not surprising that the local addresses don't work since you have
> > no rules permitting access from loc->dmz using those addresses; you
> > rather are using DNAT rules for the public IP addresses. For the
> > 12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
> > with Proxy ARP, the systems in the DMZ are known universally by ONE IP
> > address.
> >
> > What subnet mask have you configured on the servers in the DMZ?
> >
> > - -Tom
> > - --
> > Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline, \ http://shorewall.net
> > Washington USA \ teastep@shorewall.net
> > PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
>
>
> --
> Michael Worden
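Two points in this thread can be checked against the posted rules with a small model: the Setup Guide passage Michael quotes (a connection is decided by the matching line in /etc/shorewall/rules, and only by the zone-pair policy when no rule matches), and the SSH banner his later capture shows arriving on the mail server's port-25 connections. The script below is an added example, not code from the thread or from Shorewall; it is a simplified model of the decision (NAT rules, then filter rules, then policy) loaded with four lines copied from the posted rules file, and the zone layout and every policy except loc->dmz ACCEPT are assumptions. It shows that a loc PC connecting to the web server's private address matches no DNAT line (those are keyed on ORIGINAL DEST 69.17.65.22) and so falls to the loc->dmz policy, and that the mail server's outbound SMTP connection matches the posted `REDIRECT dmz 22 tcp smtp - !192.168.202.7` line, whose target is the firewall's port 22, consistent with the SSH banner in the capture.

```python
import ipaddress

# Zone membership, assumed from the subnets given in the thread.
ZONES = {
    "loc": ipaddress.ip_network("192.168.0.0/24"),
    "dmz": ipaddress.ip_network("192.168.202.0/24"),
}
SERVICES = {"smtp": 25, "imap": 143, "http": 80, "https": 443,
            "domain": 53, "ssh": 22}
# Assumed policies; the thread only states that loc->dmz is ACCEPT.
POLICIES = {("loc", "dmz"): "ACCEPT", ("dmz", "net"): "ACCEPT",
            ("loc", "net"): "ACCEPT"}
DEFAULT_POLICY = "DROP"  # assumption for zone pairs not listed above

# Four lines copied from the rules file posted in the thread.
# Columns: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST
RULES_TEXT = """
REDIRECT dmz 22 tcp smtp - !192.168.202.7
DNAT net dmz:192.168.202.7 tcp http - 69.17.65.22
DNAT loc dmz:192.168.202.7 tcp http - 69.17.65.22
ACCEPT dmz:192.168.202.7 net tcp smtp - -
"""
COLUMNS = ["action", "src", "dst", "proto", "dport", "sport", "origdest"]
NAT_ACTIONS = ("DNAT", "REDIRECT")


def zone_of(ip):
    """Map an address to its zone; anything outside loc/dmz is 'net'."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "net")


def parse_rules(text):
    """Split rules-file lines into column dicts, padding missing columns with '-'."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            rules.append(dict(zip(COLUMNS, (cols + ["-"] * 7)[:7])))
    return rules


def _split(col):
    """'dmz:192.168.202.7' -> ('dmz', '192.168.202.7'); 'dmz' -> ('dmz', None)."""
    zone, _, host = col.partition(":")
    return zone, host or None


def rule_matches(rule, src_ip, dst_ip, proto, dport):
    szone, shost = _split(rule["src"])
    if szone != zone_of(src_ip) or (shost and shost != src_ip):
        return False
    if rule["proto"] not in ("-", proto):
        return False
    if rule["dport"] != "-":
        if int(SERVICES.get(rule["dport"], rule["dport"])) != dport:
            return False
    if rule["action"] in NAT_ACTIONS:
        # NAT rules are keyed on the ORIGINAL DEST column ('!' negates it);
        # the DEST column holds the new address (DNAT) or firewall port (REDIRECT).
        od = rule["origdest"]
        if od == "-":
            return True
        return (dst_ip == od.lstrip("!")) != od.startswith("!")
    dzone, dhost = _split(rule["dst"])
    return dzone == zone_of(dst_ip) and (not dhost or dhost == dst_ip)


def decide(src_ip, dst_ip, proto, dport, rules=None):
    """Return (action, detail): NAT rules first, then filter rules, else policy."""
    rules = parse_rules(RULES_TEXT) if rules is None else rules
    for r in rules:
        if r["action"] in NAT_ACTIONS and rule_matches(r, src_ip, dst_ip, proto, dport):
            if r["action"] == "REDIRECT":
                return "REDIRECT", "fw port " + r["dst"]
            return "DNAT", _split(r["dst"])[1]
    for r in rules:
        if r["action"] not in NAT_ACTIONS and rule_matches(r, src_ip, dst_ip, proto, dport):
            return r["action"], "rule"
    pair = (zone_of(src_ip), zone_of(dst_ip))
    return POLICIES.get(pair, DEFAULT_POLICY), "policy %s->%s" % pair


if __name__ == "__main__":
    cases = [
        ("loc PC to web server, private address", "192.168.0.5", "192.168.202.7", "tcp", 80),
        ("loc PC to web server, public address", "192.168.0.5", "69.17.65.22", "tcp", 80),
        ("mail server to an outside MX, port 25", "192.168.202.7", "168.100.1.3", "tcp", 25),
    ]
    for label, s, d, p, port in cases:
        print("%-40s %s" % (label, decide(s, d, p, port)))
```

Swapping in other lines from the posted file (for example the `REDIRECT loc 22 tcp ssh` entries) lets the same script be used as a quick audit of which connections each NAT line captures before the config is loaded on the firewall.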