Hi List, dear Tom,

I try to set up some SSL servers in a DMZ. I also need my provider's DNS to handle their resolving, so I decided to use the proxy-arp feature of Shorewall.

For testing all IPs are internal but should be replaced later...

As I'm only connected with one interface I created

  eth0    192.168.100.130
  eth0:1  192.168.100.132
  eth0:2  192.168.100.133

/shorewall/interfaces
  #ZONE   INTERFACE   BROADCAST        OPTIONS
  ext     eth0        255.255.255.0
  ext     eth1        255.255.255.0
  dmz     eth2        255.255.255.0
  elan    eth3        255.255.255.0
  lan     eth4        255.255.255.0
  dblan   eth5        255.255.255.0

/shorewall/proxyarp
  #ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
  192.168.100.132   eth2        eth0       no          yes
  192.168.100.133   eth2        eth0       no          yes
  192.168.100.134   eth2        eth0       no          yes

/shorewall/rules
  #accept http/s traffic to the DMZ
  ACCEPT   ext   dmz:192.168.100.132   tcp   http
  ACCEPT   ext   dmz:192.168.100.132   tcp   https
  ACCEPT   ext   dmz:192.168.100.133   tcp   http
  ACCEPT   ext   dmz:192.168.100.133   tcp   https

tcpdump -eth2 when pointing a browser to https://192.168.100.132:

  Mar 7 18:38:25 clara kernel: Shorewall:all2all:DROP:IN=eth0 OUT= MAC=00:e0:81:30:a5:ce:00:30:84:78:8e:49:08:00 SRC=192.168.100.1 DST=192.168.100.132 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=49351 DF PROTO=TCP SPT=1507 DPT=443 WINDOW=32767 RES=0x00 SYN URGP=0

What's wrong? What am I missing?

thanx in advance
mat

___
for info: no NAT, but

/shorewall/masq
  #INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)   IPSEC
  eth0         eth3
  eth0         eth4
  eth0         eth5
On Tuesday 07 March 2006 10:56, Mathias Diehl wrote:
> Hi List, dear Tom,
>
> I try to set up some SSL servers in a DMZ. I also need my provider's DNS to
> handle their resolving, so I decided to use the proxy-arp feature of Shorewall.
>
> For testing all IPs are internal but should be replaced later...
>
> As I'm only connected with one interface I created
>
> eth0    192.168.100.130
> eth0:1  192.168.100.132
> eth0:2  192.168.100.133

If you are going to use Proxy ARP, you do NOT add the Proxy ARPed addresses to the firewall's external interface.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
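An added example, not code from the thread or from Shorewall, to make Tom's point checkable. The logged packet has IN=eth0 but an empty OUT=, which is what a netfilter log line looks like when the packet is being delivered to the firewall itself (INPUT path) instead of being routed (FORWARD path); that is exactly what happens once 192.168.100.132 is configured as a local address on eth0, so the ext-to-dmz rules never get a chance to match. The script parses that log line into its fields and then cross-checks the posted proxyarp file against `ip -4 -o addr show` output for the same overlap. The proxyarp contents and the log line are taken from the original post; the two `ip addr` outputs are constructed for the broken and the fixed state and are assumptions.

```python
"""Added example for this thread (not Shorewall code, not from the list).

1. parse_shorewall_log(): split a Shorewall/netfilter log line into fields.
   IN= set and OUT= empty means the packet was on the INPUT path (delivered
   to the firewall itself), not FORWARD (routed towards the DMZ).
2. find_locally_assigned_proxyarp(): cross-check /etc/shorewall/proxyarp
   against the addresses configured on the firewall's own interfaces.
   Any hit is the misconfiguration Tom describes: a proxy-ARPed address
   must not also be a local address of the firewall.
"""
import re
from typing import Dict, List

# The log line from the original post (only the garbled "OUT= MAC=" repaired).
LOG_LINE = (
    "Mar 7 18:38:25 clara kernel: Shorewall:all2all:DROP:IN=eth0 OUT= "
    "MAC=00:e0:81:30:a5:ce:00:30:84:78:8e:49:08:00 SRC=192.168.100.1 "
    "DST=192.168.100.132 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=49351 DF "
    "PROTO=TCP SPT=1507 DPT=443 WINDOW=32767 RES=0x00 SYN URGP=0"
)

# /etc/shorewall/proxyarp exactly as posted.
PROXYARP_FILE = """\
#ADDRESS          INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
192.168.100.132   eth2       eth0      no         yes
192.168.100.133   eth2       eth0      no         yes
192.168.100.134   eth2       eth0      no         yes
"""

# Constructed (assumed) `ip -4 -o addr show` output for the state in the
# original post: aliases eth0:1 and eth0:2 carry two proxy-ARPed addresses.
IP_ADDR_BROKEN = """\
2: eth0    inet 192.168.100.130/24 brd 192.168.100.255 scope global eth0
2: eth0    inet 192.168.100.132/24 brd 192.168.100.255 scope global secondary eth0:1
2: eth0    inet 192.168.100.133/24 brd 192.168.100.255 scope global secondary eth0:2
"""

# Constructed (assumed) output after following Tom's advice: only the primary stays.
IP_ADDR_FIXED = """\
2: eth0    inet 192.168.100.130/24 brd 192.168.100.255 scope global eth0
"""


def parse_shorewall_log(line: str) -> Dict[str, str]:
    """Return chain, action, the key=value fields and the inferred hook."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    # Flags such as DF and SYN carry no '=', so they are skipped on purpose.
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields[key] = value
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and not out_if:
        fields["path"] = "INPUT"      # destined for the firewall itself
    elif in_if and out_if:
        fields["path"] = "FORWARD"    # routed between two interfaces
    else:
        fields["path"] = "OUTPUT"     # generated by the firewall
    return fields


def parse_proxyarp(text: str) -> List[Dict[str, str]]:
    """Parse the ADDRESS/INTERFACE/EXTERNAL columns of a proxyarp file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed proxyarp line: {raw!r}")
        entries.append({"address": cols[0], "interface": cols[1], "external": cols[2]})
    return entries


def parse_ip_addr(text: str) -> Dict[str, List[str]]:
    """Map interface name -> IPv4 addresses from `ip -4 -o addr show` output."""
    addrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def find_locally_assigned_proxyarp(proxyarp_text: str, ip_addr_text: str) -> List[str]:
    """Report proxy-ARPed addresses that are also configured on the firewall."""
    local = parse_ip_addr(ip_addr_text)
    problems = []
    for entry in parse_proxyarp(proxyarp_text):
        for ifname, addresses in local.items():
            if entry["address"] in addresses:
                problems.append(
                    f"{entry['address']} is proxy-ARPed via {entry['external']} "
                    f"for {entry['interface']} but is also assigned to {ifname}; "
                    "packets for it go to INPUT, not FORWARD"
                )
    return problems


if __name__ == "__main__":
    log = parse_shorewall_log(LOG_LINE)
    print(f"{log['chain']}/{log['action']}: IN={log['IN']!r} OUT={log['OUT']!r} -> {log['path']}")
    for problem in find_locally_assigned_proxyarp(PROXYARP_FILE, IP_ADDR_BROKEN):
        print("BROKEN:", problem)
    print("FIXED:", find_locally_assigned_proxyarp(PROXYARP_FILE, IP_ADDR_FIXED) or "no overlap")
```

Run it against the real files with `python3 check.py` after replacing the constructed strings with `open('/etc/shorewall/proxyarp').read()` and the output of `ip -4 -o addr show`; the check deliberately looks at every firewall interface, not only the one named in the EXTERNAL column, because the kernel delivers locally to any address it owns.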
Hmmmm.... thanx for the hint - but now tcpdump remains quiet :-(

Seems to be better, as the syslog does not complain, but I'm actually still not there...

Could you please (once more) point me in the right direction? Where should I find packets on my firewall when connecting to 192.168.100.132:80 (proxyarped host)...

Thanx in advance
Mat

-----Original Message-----
From: Tom Eastep
Sent: Tuesday, 7 March 2006 20:02
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] proxy arp with multiple IP's

> If you are going to use Proxy ARP, you do NOT add the Proxy ARPed addresses
> to the firewall's external interface.
On Tuesday 07 March 2006 12:18, Mathias Diehl wrote:
> Sorry---- just a small typo...
>
> I apologize!

It's working now?

-Tom
Sorry---- just a small typo...

I apologize!
On Tuesday 07 March 2006 12:44, Mathias Diehl wrote:
> Hi Tom,
>
> yes - it's working.
>
> But I would like to ask / discuss an issue in this context.
>
> My setup is based on Xen. I passed the NICs of dom0 to a domU running
> Shorewall. Because of that all of my hosts have a MAC like FF:FE....
>
> Will this be a problem when using the proxyarp in production?

No -- I use proxy ARP with Xen in production. See http://www.shorewall.net/XenMyWay.html.

> Following this question - how would you as a real specialist handle a setup
> with several hosts on a DMZ? Do you think NAT will be better? Or does this
> cause other problems when thinking about DNS, etc...

I always prefer to use Proxy ARP to manage a DMZ.

-Tom
Hi Tom,

yes - it's working.

But I would like to ask / discuss an issue in this context.

My setup is based on Xen. I passed the NICs of dom0 to a domU running Shorewall. Because of that all of my hosts have a MAC like FF:FE....

Will this be a problem when using the proxyarp in production?

Following this question - how would you as a real specialist handle a setup with several hosts on a DMZ? Do you think NAT will be better? Or does this cause other problems when thinking about DNS, etc...

thanx in advance
mat

-----Original Message-----
From: Tom Eastep
Sent: Tuesday, 7 March 2006 21:11
To: shorewall-users@lists.sourceforge.net
Subject: Re: AW: [Shorewall-users] proxy arp with multiple IP's [solved]

> It's working now?
On Tuesday, 7 March 2006 21:44, Mathias Diehl wrote:
> Hi Tom,
>
> yes - it's working.
>
> But I would like to ask / discuss an issue in this context.
>
> My setup is based on Xen. I passed the NICs of dom0 to a domU running
> Shorewall. Because of that all of my hosts have a MAC like FF:FE....
>
> Will this be a problem when using the proxyarp in production?

Not if you make sure that every vif has its own MAC. MACs are layer 2, so they won't pass a router, therefore they will never cause an issue on the net side of your FW. All happens just behind in the DMZ, so no problems to expect.

> Following this question - how would you as a real specialist handle a setup
> with several hosts on a DMZ? Do you think NAT will be better? Or does this
> cause other problems when thinking about DNS, etc...

I don't see any relation to DNS issues if you just have enough public IPs. But a bridging approach would probably be better in such a scenario, because it avoids trouble with stale ARP caches of your upstream router.

Even if I'm not Tom..

HTH,
Alex
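An added example, not from the thread and not Shorewall or kernel code, showing at layer 2 what Tom's proxy ARP setup and Alex's stale-cache remark are about. The firewall's proxy_arp on eth0 answers an ARP request for a DMZ host's address with eth0's own MAC, so the upstream side sends that host's frames to the firewall, which routes them out eth2; if the upstream router still caches an older MAC for that address, an ARP announcement (gratuitous ARP) is the usual way to refresh it. The two MACs are read from the MAC= field of the logged packet in the original post (destination first, then source); the proxied addresses are those in the posted proxyarp file. Everything is built and decoded in memory, nothing is sent on a real interface.

```python
"""Added example for this thread (not Shorewall code, not from the list).

Models the proxy_arp behaviour of the firewall's external interface in pure
Python: an ARP request for a proxied DMZ address is answered with eth0's own
MAC, every other ARP frame is ignored.  arp_announcement() builds the
gratuitous ARP (RFC 5227 announcement, sender IP == target IP) that refreshes
a stale cache upstream.  Frames are only built and parsed, never transmitted.
"""
import ipaddress
import struct
from typing import Dict, Optional, Set

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# From the MAC= field of the logged SYN: destination (firewall eth0), then source.
FW_EXT_MAC = "00:e0:81:30:a5:ce"
UPSTREAM_MAC = "00:30:84:78:8e:49"
UPSTREAM_IP = "192.168.100.1"          # SRC= of the logged packet
PROXIED: Set[str] = {"192.168.100.132", "192.168.100.133", "192.168.100.134"}  # proxyarp file


def mac_to_bytes(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str, dst_mac: str) -> bytes:
    """Ethernet II header (14 bytes) + ARP body (28 bytes) for IPv4 over Ethernet."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> Dict[str, object]:
    """Decode an Ethernet+ARP frame; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def proxy_arp_responder(frame: bytes, proxied: Set[str], own_mac: str) -> Optional[bytes]:
    """What proxy_arp does on eth0: claim a proxied IP with our own MAC, else stay silent."""
    req = parse_arp_frame(frame)
    if req["op"] != ARP_REQUEST or req["target_ip"] not in proxied:
        return None
    # Unicast reply back to the asker, stating that target_ip lives at own_mac.
    return build_arp_frame(ARP_REPLY, own_mac, req["target_ip"],
                           req["sender_mac"], req["sender_ip"], dst_mac=req["sender_mac"])


def arp_announcement(ip: str, mac: str) -> bytes:
    """Gratuitous ARP to refresh stale caches: broadcast request with sender IP == target IP."""
    return build_arp_frame(ARP_REQUEST, mac, ip, ZERO_MAC, ip, dst_mac=BROADCAST_MAC)


if __name__ == "__main__":
    request = build_arp_frame(ARP_REQUEST, UPSTREAM_MAC, UPSTREAM_IP,
                              ZERO_MAC, "192.168.100.132", dst_mac=BROADCAST_MAC)
    reply = proxy_arp_responder(request, PROXIED, FW_EXT_MAC)
    print("who-has 192.168.100.132 ->", parse_arp_frame(reply))
    print("announce ->", parse_arp_frame(arp_announcement("192.168.100.132", FW_EXT_MAC)))
```

The responder only ever answers for addresses in the proxied set, which is the property to verify on a real firewall too: `cat /proc/sys/net/ipv4/conf/eth0/proxy_arp` should be 1 and `ip route show dev eth2` should list host routes for the proxied addresses, so that the kernel answers for exactly those and nothing else.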