Hi Guys,

I have been trying to configure shorewall to:

1) Provide Internet access to internal users.
2) Have a DMZ that will house at least 6 mail / web / ftp servers that will serve our existing group companies outside our physical location.
3) Set up openvpn between our location and our group companies.

What I have done so far is:

- Created the 3 zones with the IP ranges as below.
    DMZ: 172.16.10.x
    Local: 192.168.1.x
    Internet: 64.x.x.x
- Set up 1-to-1 NAT so that the public IPs are mapped to the internal DMZ IPs for mail / web / ftp access to users outside our location.
- Set up DNAT so that local users can access the servers with the public IPs.

I have to say that the documentation on the website is great and I was able to do this in just a few hours after starting.

I have one peculiar problem that I have not been able to resolve for the past 2 weeks:

- There is a mail server running on postfix (domain A) and a couple of other domains running Mdaemon (domains B, C, D, E). Whenever we send a mail from domain A to domain B (or those Mdaemon is running on), we get a connection refused error.

When I do a telnet from domain A to domain B I get the following:

    [root@mail root]# telnet domainb.com 25
    Trying 172.16.10.4...
    Connected to Domainb.com.
    Escape character is '^]'.
    220 domainb ESMTP MDaemon 6.0.4; Mon, 11 Apr 2005 20:02:32 -0400

When I try to send a mail from domain A to domain B I get the following in the log file:

    Apr 11 19:45:20 mail postfix/qmgr[25954]: EB4871F47F: from=<root@domainA.com>, size=282, nrcpt=1 (queue active)
    Apr 11 19:45:20 mail postfix/qmgr[25954]: EB4871F47F: to=<sushesh.mallya@domainB.com>, relay=none, delay=1, status=deferred (delivery temporarily suspended: connect to smtp.domainB.com[64.x.x.x]: Connection refused)

The rules that I have set related to smtp are:

    #Allow SMTP connections
    ACCEPT INET DMZ tcp smtp
    ACCEPT LOC DMZ tcp smtp
    ACCEPT fw DMZ tcp smtp
    ACCEPT DMZ INET tcp smtp

and dns:

    #DNS access to the internet
    AllowDNS INET DMZ
    AllowDNS LOC DMZ
    AllowDNS fw DMZ
    AllowDNS DMZ INET

We are however able to send mails from the domains hosted on Mdaemon to domain A.

I assume the data that I have given above would help you guys in getting an idea of what I am facing.. if not let me know what additional information is required. I am sure that you guys out there would have faced this problem or at least heard about it.. Would really appreciate it if I get some tips / pointers as to where the problem could be and how it could be resolved..

Thanks and looking forward to your reply.

Regards,
Sushesh
Sushesh wrote:
> I assume the data that I have given above would help you guys in getting
> an idea of what I am facing.. if not let me know what additional
> information is required.
>
> I am sure that you guys out there would have faced this problem or
> at least heard about it.. Would really appreciate it if I get some tips
> /pointers as to where the problem could be and how it could be
> resolved..

We need the following information:

a) Incredibly, you didn't tell us if both of the domains are handled by servers in your DMZ! We need to know that.

<soapbox>
If that is the case, then you are seeing just one of the MANY reasons that I recommend Proxy ARP over NAT when dealing with a DMZ
</soapbox>

b) If not, then we need to know where the sending and receiving MXs are located.

c) We need to see the output of "dig <receiving domain> MX" on the system hosting the <sending domain>'s server.

d) As always, we need the information requested at http://shorewall.net/support.htm#Guidelines (And your problem is a connection problem!!!)

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> We need the following information:
>
> a) Incredibly, you didn't tell us if both of the domains are handled by
> servers in your DMZ! We need to know that.
>
> <soapbox>
> If that is the case, then you are seeing just one of the MANY reasons that I
> recommend Proxy ARP over NAT when dealing with a DMZ
> </soapbox>

You can work around this particular problem by:

a) Specifying 'Yes' in the ALL INTERFACES column in /etc/shorewall/nat (you may have this already since you are NATing local traffic to the DMZ servers).

b) Set the 'routeback' option on the DMZ interface in /etc/shorewall/interfaces.

The above will route traffic between the DMZ servers through the firewall (the height of silliness, IMHO).

-Tom
Tom,

Thanks for the info.. I am however unable to send out mails even after this.. I should be able to send you the details you required sometime today.

Also I do plan to look at the proxy-arp option, as you mention this is a better option than NAT for DMZ.

Regards,
Sushesh

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
This thread brought up a question for me. I don't currently use shorewall in this type of setup, but it's something my company is starting to be interested in. Is there any sort of speed/responsiveness advantage to using proxy arp vs. doing traditional NAT?

I have a set of about 15 production servers that need to be quarantined behind a firewall. The original idea was to put them on rfc1918 addresses and use a combination of DNAT and SNAT rules to maintain the illusion of these machines being on the Internet. A simpler (seemingly) solution would be to have the firewall do proxyarp and have the machines maintain their existing IP addresses. The question was then raised as to which of these two solutions would be more robust. Common sense seems to dictate that using proxyarp would be the way to go, but I'm absolutely open to input.
Gary Buckmaster wrote:
> This thread brought up a question for me. I don't currently use
> shorewall in this type of setup, but it's something my company is
> starting to be interested in. Is there any sort of
> speed/responsiveness advantage to using proxy arp vs. doing
> traditional NAT?
>
> I have a set of about 15 production servers that need to be
> quarantined behind a firewall. The original idea was to put them on
> rfc1918 addresses and use a combination of DNAT and SNAT rules to
> maintain the illusion of these machines being on the Internet. A
> simpler (seemingly) solution would be to have the firewall do proxyarp
> and have the machines maintain their existing IP addresses. The
> question was then raised as to which of these two solutions would be
> more robust. Common sense seems to dictate that using proxyarp would
> be the way to go, but I'm absolutely open to input.

The problem with NAT of any kind for a host is that the IP address used to access the host is context-dependent. If you are "outside" of the firewall you use one address and if you are "inside" the firewall you use another address. As I say in my response to Shorewall FAQ 2, I think that hacking up the firewall configuration to allow using a single address from any context is wrong. That definitely has a performance penalty, especially when one NATted host communicates with another.

If DNS is set up such that it responds appropriately based on where the client resides (handing out the internal IP if the client is internal and handing out the external IP if the client is external) then NAT works ok. Unfortunately, many people find Bind 9 configuration only slightly less daunting than they find Sendmail configuration so most tend to want a quick (if ugly) fix.

All of these problems are avoided if one uses Proxy ARP. Each host is known by one and only one IP address, regardless of where the client is. Proxy ARPed hosts can communicate between themselves without interaction with the firewall.

I think that it is a win all the way around.

-Tom
Sushesh wrote:
> Tom,
> Thanks for the info.. I am however unable to send out mails even after
> this..

Are you seeing any message in the Shorewall log?

-Tom
Tom,

This is seen in the shorewall log:

    Apr 12 14:26:53 INPUT:REJECT:IN=eth2 OUT= SRC=172.16.10.12 DST=x.x.x.x LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34918 DF PROTO=TCP SPT=36435 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

when a mail is sent from the postfix mail server to the Mdaemon server, both housed in the DMZ.

Sushesh
Sushesh wrote:
> Tom,
> This is seen in the shorewall log:
> Apr 12 14:26:53 INPUT:REJECT:IN=eth2 OUT= SRC=172.16.10.12 DST=x.x.x.x
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34918 DF PROTO=TCP SPT=36435 DPT=25
> WINDOW=5840 RES=0x00 SYN URGP=0
> when a mail is sent from the postfix mail server to the Mdaemon server,
> both housed in the DMZ.

I need to see the full output of "shorewall status" (as an attachment, not cut and paste)

-Tom
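Tom's two-step workaround earlier in the thread (ALL INTERFACES=Yes in /etc/shorewall/nat, then routeback on the DMZ interface) and the INPUT:REJECT record Sushesh posted fit together, and the following added example, which is not from the thread or from Shorewall, parses that log record plus simplified nat/interfaces files and traces where the DMZ-to-public-IP SYN ends up after each change. The file contents, the 203.0.113.4 address standing in for the masked x.x.x.x, and the hairpin decision logic are assumptions modelled on Shorewall's documented behaviour (the 1:1 NAT external address being an alias on the firewall, so an un-NATted packet to it hits INPUT), not Shorewall's own code.

```python
import re

# Constructed inputs, not the poster's real files. The log record is the one posted in
# the thread with its masked DST replaced by a documentation address (assumption).
LOG_LINE = ("Apr 12 14:26:53 INPUT:REJECT:IN=eth2 OUT= SRC=172.16.10.12 DST=203.0.113.4"
            " LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=34918 DF PROTO=TCP SPT=36435 DPT=25"
            " WINDOW=5840 RES=0x00 SYN URGP=0")
# /etc/shorewall/nat columns: EXTERNAL INTERFACE INTERNAL ALL_INTERFACES LOCAL
NAT_BEFORE = "203.0.113.4 eth0 172.16.10.4 no  no\n"
NAT_AFTER = "203.0.113.4 eth0 172.16.10.4 yes no\n"
# /etc/shorewall/interfaces columns: ZONE INTERFACE BROADCAST OPTIONS
IFACES_BEFORE = "net eth0 detect\ndmz eth2 detect\n"
IFACES_AFTER = "net eth0 detect\ndmz eth2 detect routeback\n"

def parse_log(line):
    """Split a Shorewall/netfilter log record into chain, disposition and KEY=VALUE fields."""
    chain, disp, rest = re.search(r"(\S+):(ACCEPT|DROP|REJECT):(.*)$", line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"chain": chain, "disposition": disp, **fields}

def parse_nat(text):
    """Map EXTERNAL address -> interface its DNAT is on, INTERNAL address, ALL INTERFACES flag."""
    rules = {}
    for cols in (ln.split("#")[0].split() for ln in text.splitlines()):
        if cols:
            rules[cols[0]] = {"iface": cols[1], "internal": cols[2], "all": cols[3] == "yes"}
    return rules

def parse_interfaces(text):
    """Map each interface name to its set of OPTIONS (e.g. {'routeback'})."""
    return {cols[1]: set(cols[3].split(",")) if len(cols) > 3 else set()
            for cols in (ln.split("#")[0].split() for ln in text.splitlines()) if cols}

def trace_hairpin(log_line, nat_text, ifaces_text):
    """Return (chain the SYN ends up in, explanation) for a DMZ host contacting a
    neighbour's public address, following the two settings Tom names."""
    ev, nat, ifs = parse_log(log_line), parse_nat(nat_text), parse_interfaces(ifaces_text)
    rule = nat.get(ev["DST"])
    if rule is None:
        return "INPUT", "no 1:1 NAT entry for DST, so the packet really is for the firewall"
    if ev["IN"] != rule["iface"] and not rule["all"]:
        # DNAT only exists on the external interface; DST stays the firewall's own alias
        # address, so the SYN lands in INPUT and the policy rejects it (the log above).
        return "INPUT", "set ALL INTERFACES=Yes so DNAT also applies on " + ev["IN"]
    if "routeback" not in ifs.get(ev["IN"], set()):
        # DST is rewritten to the internal address, but the packet must leave on the
        # interface it arrived on, which Shorewall refuses without routeback.
        return "FORWARD", "add routeback to " + ev["IN"] + " in /etc/shorewall/interfaces"
    return "FORWARD", "forwarded to " + rule["internal"] + " via the firewall"
```

Running trace_hairpin with the "before" files reproduces the INPUT:REJECT seen in the log; with both changes applied the flow is forwarded back out eth2 to 172.16.10.4, which is the firewall-bounced path Tom calls silly and the Proxy ARP setup avoids entirely.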