Hello,

I have been running Shorewall for quite some time at an ISP client of mine to protect his LAN. We have just upgraded to 2.2.4 and he now wants to put his servers in a DMZ.

The servers have public IPs in two classes xxx.xxx.79.0 and xxx.xxx.242.0. The public IP on the router for each class is xxx.xxx.79.126 and xxx.xxx.242.126.

I am using masq and 192.168.1.0 on eth0 LAN.

I have tried following the setup guide example with proxy arp but have a routing problem.

My question: are there other howtos out there with examples of a similar setup?

Cheers

Tony
> Hello,
>
> I have been running Shorewall for quite some time at an ISP client of
> mine to protect his LAN. We have just upgraded to 2.2.4 and he now wants
> to put his servers in a DMZ.
>
> The servers have public IPs in two classes xxx.xxx.79.0 and
> xxx.xxx.242.0. The public IP on the router for each class is
> xxx.xxx.79.126 and xxx.xxx.242.126.
>
> I am using masq and 192.168.1.0 on eth0 LAN
>
> I have tried following the setup guide example with proxy arp but have a
> routing problem.
>
> My question: are there other howtos out there with examples of a similar
> setup?
>
> Cheers
>
> Tony

Tony:

You're a little short on details here.
What problems with routing do you have?
Can you post the output of shorewall status?

Jerry
On Saturday 18 June 2005 at 07:38 -0500, Jerry Vonau wrote:

> You're a little short on details here.
> What problems with routing do you have?
> Can you post the output of shorewall status.

It is full of real live IP numbers. Is it safe to post the status output to a public mailing list?

I just want to know if there is another howto for DMZ; often reading a couple helps set off the déclic.

Tony
> On Saturday 18 June 2005 at 07:38 -0500, Jerry Vonau wrote:
>
> > You're a little short on details here.
> > What problems with routing do you have?
> > Can you post the output of shorewall status.
>
> It is full of real live IP numbers. Is it safe to post the status output
> to a public mailing list?
>
> I just want to know if there is another howto for DMZ often reading a
> couple helps set off the declic
>
> Tony
>

1. You could send it to me off list if you like. Or at least the output of "ip route show".

2. I have a couple of different examples in my head that need to make it to paper. There is almost always more than one way to do something with linux ;-)

Jerry
2005/6/18, tony <tony@tgds.net>:

> On Saturday 18 June 2005 at 07:38 -0500, Jerry Vonau wrote:
>
> > You're a little short on details here.
> > What problems with routing do you have?
> > Can you post the output of shorewall status.
>
> It is full of real live IP numbers. Is it safe to post the status output
> to a public mailing list?
>
> I just want to know if there is another howto for DMZ often reading a
> couple helps set off the declic
>
> Tony
>

"As a general matter, please do not edit the diagnostic information in an attempt to conceal your IP address, netmask, nameserver addresses, domain name, etc. These aren't secrets, and concealing them often misleads us (and 80% of the time, a hacker could derive them anyway from information contained in the SMTP headers of your post)."

http://www.shorewall.net/support.htm#Guidelines
On Saturday 18 June 2005 at 16:06 -0400, Cristian Rodriguez wrote:

> > It is full of real live IP numbers. Is it safe to post the status output
> > to a public mailing list?
>
> "As a general matter, please do not edit the diagnostic information in
> an attempt to conceal your IP address, netmask, nameserver addresses,
> domain name, etc. These aren't secrets, and concealing them often
> misleads us (and 80% of the time, a hacker could derive them anyway
> from information contained in the SMTP headers of your post)."

=:-D LOL

I am connected through tele2 aDSL (Google thinks I'm in Sweden when I'm really in France...) and using my Rackspace mail server through a ssh tunnel from home!

No, my client has lots of unprotected servers (patched but not firewalled) in his IP blocks. I would have to ask his permission to post the file and we are Saturday (late)...

How do I route between eth1 NET and eth2 DMZ is my question. eth0 LAN and eth1 is cool; I've been doing that kind of iptables firewall for years. This is my first time with a DMZ and fixed IP (I used masq up till now).

Cheers and thanks for your patience

Tony
tony wrote:

> Hello,
>
> I have been running Shorewall for quite some time at an ISP client of
> mine to protect his LAN. We have just upgraded to 2.2.4 and he now wants
> to put his servers in a DMZ.
> ...
> I have tried following the setup guide example with proxy arp but have a
> routing problem.
>
> My question: are there other howtos out there with examples of a similar
> setup?

The previous thread might be instructive for you. In short, if you have a range of publicly-accessible IPs, it shouldn't be necessary to use proxy arp - just use routing.

--
Paul <http://paulgear.webhop.net>
--
Did you know? Using accepted quoting conventions makes your email easier to understand. Learn how at <http://www.netmeister.org/news/learn2quote.html>.
> On Saturday 18 June 2005 at 16:06 -0400, Cristian Rodriguez wrote:
>
> > > It is full of real live IP numbers. Is it safe to post the status output
> > > to a public mailing list?
> >
> > "As a general matter, please do not edit the diagnostic information in
> > an attempt to conceal your IP address, netmask, nameserver addresses,
> > domain name, etc. These aren't secrets, and concealing them often
> > misleads us (and 80% of the time, a hacker could derive them anyway
> > from information contained in the SMTP headers of your post)."
>
> =:-D LOL
>
> I am connected through tele2 aDSL (Google thinks I'm in Sweden when I'm
> really in France...) and using my Rackspace mail server through a ssh
> tunnel from home!
>
> No my client has lots of unprotected servers (patched but not
> firewalled) in his IP blocks. I would have to ask his permission to post
> the file and we are Saturday (late)...
>
> How do I route between eth1 NET and eth2 DMZ is my question. eth0 LAN
> and eth1 is cool I've been doing that kind of iptable firewall for
> years. This is my first time with a DMZ and fixed IP (I used masq up
> till now).
>
> Cheers and thanks for your patience
>
> Tony

Well... that would depend on what you're using for IP addresses/netmasks on the 2 interfaces involved. There are a few variables that need to be answered before I can point you in the right direction.

Is the dmz interface using the same IP address as the net one, or is it a private one?
Do you have a network route on the dmz interface, the net one, or both?

In general, I prefer to use the same IP address on both interfaces. You have to add host routes for the proxy-arped IP addresses; in shorewall that can be done with the proxyarp file or with the proxyarp option in the interfaces file.
I suggest that you re-read:
http://www.shorewall.net/shorewall_setup_guide.htm

--- quote ---
Non-routed

If you have the above situation but it is non-routed, you can configure your network exactly as described above with one additional twist; simply specify the proxyarp option on all three firewall interfaces in the /etc/shorewall/interfaces file.
--------

Since you're non-routed (you have an ISP router that acts as the gateway for the /24), I would set a network route for the dmz, a host route for your gateway, and use the proxyarp option in the interfaces file for the net and dmz zones.

Hope it helps

Jerry
On Sunday 19 June 2005 at 06:51 +1000, Paul Gear wrote:

> The previous thread might be instructive for you. In short, if you have
> a range of publicly-accessible IPs, it shouldn't be necessary to use
> proxy arp - just use routing.

Thanks, that is what I was thinking.

On Saturday 18 June 2005 at 16:29 -0500, Jerry Vonau wrote:

> Since you're non-routed, (you have an isp router that acts as the gateway for
> the /24)
> I would set a network route for the dmz, a host route for your gateway, and
> use the
> proxyarp option in the interfaces file for the net and dmz zones.

That was what I tried.

With these two ideas I shall progress, thanks again

Tony
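As an added worked example (not from this thread and not the Shorewall project's own sample files), here is the Shorewall 2.2 configuration that Jerry's two messages describe for Tony's layout: the LAN stays masqueraded, the DMZ servers keep their public addresses, and proxy ARP plus per-server host routes carry traffic between eth1 (net) and eth2 (dmz). The xxx.xxx prefixes are the thread's own masked values; the firewall's own address, the two DMZ server addresses and the open ports are assumptions.

```conf
# /etc/shorewall/zones   (ZONE  DISPLAY  COMMENTS)
net     Net     ISP router side, eth1
loc     Local   private LAN 192.168.1.0/24, eth0 (masqueraded as before)
dmz     DMZ     public servers from the xxx.xxx.79.0/24 and xxx.xxx.242.0/24 blocks, eth2

# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# proxyarp on eth2 lets the firewall answer the DMZ servers' ARP requests for
# their ISP gateways (xxx.xxx.79.126 / xxx.xxx.242.126), which live behind eth1.
loc     eth0    detect  routefilter
net     eth1    detect  routefilter,norfc1918
dmz     eth2    detect  proxyarp

# /etc/shorewall/masq   (INTERFACE  SUBNET  ADDRESS): unchanged from the LAN-only setup
eth1    192.168.1.0/24

# /etc/shorewall/proxyarp   (ADDRESS  INTERFACE  EXTERNAL  HAVEROUTE)
# One line per DMZ server. With HAVEROUTE=No Shorewall adds a /32 host route
# for the address on eth2 and publishes it via ARP on eth1, so only the listed
# servers are pulled behind the firewall; the client's other, unfirewalled
# hosts in the same /24 blocks stay reachable through eth1 as before.
# Assumed server addresses (placeholders):
xxx.xxx.79.10   eth2    eth1    No
xxx.xxx.242.10  eth2    eth1    No

# /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG LEVEL)
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Assumed services; open only what each DMZ host actually serves.
ACCEPT  net     dmz:xxx.xxx.79.10       tcp     80,443
ACCEPT  net     dmz:xxx.xxx.242.10      tcp     25

# /etc/shorewall/init   (shell extension script Shorewall runs at start, before the ruleset)
# Assumed: eth1 is configured as xxx.xxx.79.1/24 (placeholder), which already gives
# the xxx.xxx.79.0/24 route and the default route via xxx.xxx.79.126. The second
# block's router sits on the same wire, so eth1 also needs an on-link route for it:
ip route replace xxx.xxx.242.0/24 dev eth1
```

After `shorewall start`, `ip route show` should list the two /32 host routes on eth2 and both /24 network routes on eth1, and `cat /proc/sys/net/ipv4/conf/eth2/proxy_arp` should print 1.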