I have some hosts in a DMZ zone with proxyarp. In my local zone I have a host to which I DNAT.
I have discovered that I can reach the host in the local zone by attempting to connect to the fw (as expected) or ANY proxyarped host in my dmz zone (as not expected). Is this normal?

(I've just discovered that actually the dnated host answers to requests sent to any IP routed to my host!)

Relevant configuration:

/etc/shorewall/rules

    DNAT    net    loc:10.100.100.2    tcp    21
    DNAT    net    loc:10.100.100.2    udp    21

    ACCEPT  net    dmz:83.xx.xx.49     tcp    25
    ACCEPT  net    dmz:83.xx.xx.49     tcp    80

/etc/shorewall/policy

    net    dmz    DROP    info
    dmz    net    ACCEPT
    fw     dmz    ACCEPT
    dmz    fw     ACCEPT

/etc/shorewall/proxyarp

    83.xx.xx.49    eth0    eth2    no    yes

So, whether I telnet to my fw or to any IP routed to my fw, the 10.100.100.2 host answers on port 21.

Any ideas?

---
Ligiu Uiorean
IT Department - SANEX SA
ligiu.uiorean@ro.lasselsberger.com
tel. +40-740-116.117
This is because you need to include the original dest for those DNAT rules:

    DNAT    net    loc:10.100.100.2    tcp    21    -    xx.xx.xx.xx

For more info check out the docs for the rules file:
http://www.shorewall.net/Documentation.htm#Rules

Todd

Ligiu A. Uiorean wrote:
> I have some hosts in a DMZ zone with proxyarp. In my local zone I have a host to which I DNAT.
> I have discovered that I can reach the host in the local zone by attempting to connect to the fw (as expected) or ANY proxyarped host in my dmz zone (as not expected). Is this normal?
>
> (I've just discovered that actually the dnated host answers to requests sent to any IP routed to my host!)
>
> Relevant configuration:
>
> /etc/shorewall/rules
>
>     DNAT    net    loc:10.100.100.2    tcp    21
>     DNAT    net    loc:10.100.100.2    udp    21
>
>     ACCEPT  net    dmz:83.xx.xx.49     tcp    25
>     ACCEPT  net    dmz:83.xx.xx.49     tcp    80
>
> /etc/shorewall/policy
>
>     net    dmz    DROP    info
>     dmz    net    ACCEPT
>     fw     dmz    ACCEPT
>     dmz    fw     ACCEPT
>
> /etc/shorewall/proxyarp
>
>     83.xx.xx.49    eth0    eth2    no    yes
>
> So, whether I telnet to my fw or to any IP routed to my fw, the
> 10.100.100.2 host answers on port 21.
>
> Any ideas?
>
> ---
> Ligiu Uiorean
> IT Department - SANEX SA
> ligiu.uiorean@ro.lasselsberger.com
> tel. +40-740-116.117
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Todd Johnson wrote:
> This is because you need to include the original dest for those DNAT rules:
>
>     DNAT    net    loc:10.100.100.2    tcp    21    -    xx.xx.xx.xx
>
> For more info check out the docs for the rules file:
> http://www.shorewall.net/Documentation.htm#Rules

Or set DETECT_DNAT_IPADDRS=Yes in shorewall.conf

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
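As an added illustration of both replies (this is not code from the thread or from Shorewall itself), a small Python check that flags DNAT rules whose ORIGINAL DEST column is empty and models why such a rule also catches traffic addressed to the proxyarp'd DMZ host: the DNAT happens in nat PREROUTING, before the routing decision, so every packet entering from the net zone on that port is rewritten. The rules text below is constructed from the thread, and 83.xx.xx.1 is a placeholder for the firewall's own external address, which is what Todd's extra column (or Shorewall's DETECT_DNAT_IPADDRS=Yes, as Tom suggests) supplies.

```python
"""Audit Shorewall rules for DNAT entries lacking an ORIGINAL DEST: such a rule
is applied in nat PREROUTING to every packet entering from the source zone on
that port, including traffic only transiting the firewall to proxyarp'd hosts."""

# Constructed sample rules file modelled on the thread. 83.xx.xx.1 is a
# placeholder for the firewall's own external (eth0) address.
RULES = """
# ACTION  SOURCE  DEST              PROTO  DPORT  SPORT  ORIGINAL_DEST
DNAT      net     loc:10.100.100.2  tcp    21
DNAT      net     loc:10.100.100.2  udp    21     -      83.xx.xx.1
ACCEPT    net     dmz:83.xx.xx.49   tcp    25
"""
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


def parse_rules(text):
    """Split each non-comment line into the first seven rules-file columns."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        fields += ["-"] * (len(COLUMNS) - len(fields))  # absent column == any
        rules.append(dict(zip(COLUMNS, fields[:len(COLUMNS)])))
    return rules


def is_dnat(rule):
    return rule["action"].split(":")[0] in ("DNAT", "DNAT-")


def unscoped_dnat(rules):
    """DNAT rules that match no matter which address the packet was sent to."""
    return [r for r in rules if is_dnat(r) and r["origdest"] == "-"]


def prerouting_dest(rules, zone, proto, dport, dst):
    """Model nat PREROUTING: destination after the first matching DNAT rule."""
    for r in rules:
        if not is_dnat(r) or r["source"] != zone:
            continue
        if r["proto"] not in ("-", proto) or r["dport"] not in ("-", str(dport)):
            continue
        if r["origdest"] not in ("-", dst):
            continue
        return r["dest"].split(":", 1)[1]  # "zone:address" -> address
    return dst  # no DNAT hit: routed or proxyarp-forwarded as addressed


if __name__ == "__main__":
    for r in unscoped_dnat(parse_rules(RULES)):
        print("DNAT without ORIGINAL DEST:", " ".join(r[c] for c in COLUMNS))
```

Run against the sample, only the tcp/21 rule is flagged: a packet for 83.xx.xx.49 on tcp/21 comes out of PREROUTING addressed to 10.100.100.2, while the scoped udp/21 rule leaves the same packet alone.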