Scott Bussinger
2004-Dec-23 18:13 UTC
Reflecting internal connections to public IP back into network?
I've got a Shorewall firewall setup that's similar to the standard 3 interface configuration (net,loc,dmz). Several ports are forwarded from the internet to computers in the dmz. I'd like to have any connections to that same public IP address from either loc or dmz to be treated exactly as if they were coming in from the internet itself.

There's some documentation for this on the website, but the problem is there's a bit too much documentation and it's conflicting. Could someone please explain to me the best way to accomplish what I want and the difference between these 3 methods?

1) The "Three Interface Firewall" quick-start guide recommends this rule:

   DNAT loc dmz:10.10.11.2 tcp 80 - <external IP>

2) FAQ Question 2 recommends the more complicated:

   In /etc/shorewall/interfaces:
   loc eth1 detect routeback

   In /etc/shorewall/masq:
   eth1:192.168.1.5 eth1 192.168.1.254 tcp www

   In /etc/shorewall/rules:
   DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69

3) The Shorewall 2.x reference adds a few more possibilities but I _think_ they're just variations on those already listed.

So could someone please help me understand what all of that means (like what exactly does "routeback" do and is it necessary or not)? I'd really like to eliminate the necessity of having to list specific rules for each port and of having the public IP address specifically listed in the rules. I'll be adding a second internet connection and it would complicate the rules immensely. All I'd really like is to treat any connection to any public IP address the same whether it comes from the net, loc, or dmz zones.

Thanks for the help! Happy Holidays!
Tom Eastep
2004-Dec-23 20:15 UTC
Re: Reflecting internal connections to public IP back into network?
On Thu, 2004-12-23 at 10:13 -0800, Scott Bussinger wrote:

> 1) The "Three Interface Firewall" quick-start guide recommends this rule:
>
> DNAT loc dmz:10.10.11.2 tcp 80 - <external IP>

That provides access from the 'loc' zone.

> 2) FAQ Question 2 recommends the more complicated:
>
> In /etc/shorewall/interfaces:
> loc eth1 detect routeback
> In /etc/shorewall/masq:
> eth1:192.168.1.5 eth1 192.168.1.254 tcp www
> In /etc/shorewall/rules:
> DNAT loc loc:192.168.1.5 tcp www - 130.151.100.69

That provides access from the 'dmz' zone (but of course you will have to replace 'loc' with 'dmz').

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2004-Dec-23 20:54 UTC
Re: Reflecting internal connections to public IP back into network?
On Thu, 2004-12-23 at 10:13 -0800, Scott Bussinger wrote:

> So could someone please help me understand what all of that means (like what
> exactly does "routeback" do and is it necessary or not)?

Why don't you consult the documentation (http://shorewall.net/Documentation.htm#Interfaces) and read about what it does? If you do that, you will conclude that it is necessary to be able to use public IP addresses from the DMZ to connect to other DMZ servers. Note that such traffic always appears to the server receiving it to originate on the firewall and not on the client system which sent it. This is just one of the reasons that I prefer to use DNS to handle this type of setup rather than using a ridiculous IP-based solution.

> I'd really like to
> eliminate the necessity of having to list specific rules for each port and
> of having the public IP address specifically listed in the rules.

Then don't. You can use PROTO 'any' and don't specify any ports.

> I'll be
> adding a second internet connection and it would complicate the rules
> immensely. All I'd really like is to treat any connection to any public IP
> address the same whether they are from the net, loc, or dmz zones.
>

Sorry -- no way to do that.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
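Putting the two replies together as one complete configuration, in Shorewall 2.x column layout. This is an added worked example, not code from the thread or from the Shorewall documentation. The DMZ host 10.10.11.2 and the zone names come from the original question; the interface names eth0/eth1/eth2, the firewall's own dmz address 10.10.11.254 and the public address 203.0.113.10 are assumptions you would replace with your own values.

```text
# /etc/shorewall/interfaces
# routeback on the dmz interface allows the firewall to forward a packet back
# out the same interface it came in on. A dmz -> dmz hairpin connection needs
# it; loc -> dmz does not, because the reply leaves on a different interface.
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect
loc     eth1       detect
dmz     eth2       detect     routeback

# /etc/shorewall/masq
# Hairpin SNAT, the same shape as FAQ 2: connections from the dmz network (eth2)
# to the DMZ server 10.10.11.2 get the firewall's dmz address (10.10.11.254,
# assumed) as source. Without this the server would answer the client directly,
# bypassing the firewall's NAT table, and the connection would fail. This is why
# the server sees the firewall, not the real client, as the source.
#INTERFACE        SUBNET  ADDRESS
eth2:10.10.11.2   eth2    10.10.11.254
# Ordinary masquerading of the internal networks to the internet.
eth0              eth1
eth0              eth2

# /etc/shorewall/rules
# 203.0.113.10 is an assumed public address; put your real external IP here.
# From the internet only the published port is forwarded. For the internal
# zones PROTO "all" with empty port columns forwards every port in one rule,
# so there is no per-port list, but the public address still has to appear in
# ORIGINAL DEST on each rule.
#ACTION  SOURCE  DEST             PROTO  DEST     SOURCE   ORIGINAL
#                                        PORT(S)  PORT(S)  DEST
DNAT     net     dmz:10.10.11.2   tcp    80       -        203.0.113.10
DNAT     loc     dmz:10.10.11.2   all    -        -        203.0.113.10
DNAT     dmz     dmz:10.10.11.2   all    -        -        203.0.113.10
```

Two caveats a practitioner should keep in mind. First, the `all` rules mean that from loc and dmz every connection to 203.0.113.10 lands on the DMZ server, so nothing on the firewall itself (its SSH daemon, for instance) is reachable through the public address from inside any more; restrict the PROTO/port columns if that matters. Second, with the hairpin SNAT in place the server's logs and any IP-based access control see 10.10.11.254 for every internal client, which is the loss of client identity Tom refers to, and the reason a split-horizon DNS view that resolves the public name to 10.10.11.2 for internal clients is usually the cleaner fix.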