Hello,

I have started to play around with a shorewall 3.2.4 setup on a debian box (2.6 kernel). The problem I am having is letting machines behind the firewall connect to the domain, share files etc. The domain controllers and rest of the LAN are not behind the firewall; the firewall's net interface connects to the same switch they do. The firewall obviously has its own switch off its second interface.

I tried Accepting SMBBI, even accepting net to local machines' IP on all ports. Doesn't work. All machines behind the firewall can browse the internet and ping IPs of the non-firewalled machines. I am using proxy arp, not sure, but I think that has something to do with it. All machines are using public IPs.

Any help you can provide would be greatly appreciated as I kinda hit a wall on this.

Thank You.

Aaron Werley
awerley@nni.com

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Aaron Werley wrote:
> Any help you can provide would be greatly
> appreciated as I kinda hit a wall on this.

I would not be at all surprised if this won't work over proxy ARP. Within a single IP network, MS networking relies heavily on broadcasts which won't pass through your firewall.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Nov 17, 2006 at 06:12:38PM -0800, Tom Eastep wrote:
> Aaron Werley wrote:
> > Any help you can provide would be greatly
> > appreciated as I kinda hit a wall on this.
>
> I would not be at all surprised if this won't work over proxy ARP.
> Within a single IP network, MS networking relies heavily on broadcasts
> which won't pass through your firewall.

If this is the problem (and it seems likely to me too), it can usually be solved by ensuring that *every* client is configured to use a WINS server. If you have a domain controller, it must be used as the WINS server (if it's a samba server, it must have "wins support = yes" and every other samba server must have "wins support = no" and "wins server = w.x.y.z"). There must not be any clients which are not configured to use the WINS server - this is an all-or-nothing change.

All name lookups will then be performed by directly contacting this server, instead of using broadcasts. It's not the only source of broadcasts in Windows, but it's the only one you need to get file and printer sharing to work.

If you can get this working, you've mastered one of the stupidest and buggiest parts of SMB. Do not expect any of the Windows clients to behave in a sensible way here; none of the versions yet released have done so, even when using only Microsoft software. Don't forget to reboot them after every change, even if it doesn't tell you to.

This feature of SMB is only *slightly* less retarded than the broadcast system, but it does cross firewalls and routers.
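The "all-or-nothing" WINS rule in the reply above is easy to get wrong across a handful of Samba hosts, so here is an added example (not from the thread or from Samba) that checks a set of smb.conf [global] sections for it: exactly one host has "wins support = yes", every other host has "wins server" pointing at that address, and no host sets both. The hostnames, address 192.0.2.10 and config contents are constructed.

```python
"""Validate the all-or-nothing WINS setup across several smb.conf files.
Example code for this thread; hosts, address and configs are constructed."""
import re
from typing import Dict, List

# Constructed sample: [global] sections keyed by hostname.
SAMPLE_CONFIGS: Dict[str, str] = {
    "dc1": "[global]\n  workgroup = EXAMPLE\n  wins support = yes\n",
    "fs1": "[global]\n  workgroup = EXAMPLE\n  wins support = no\n"
           "  wins server = 192.0.2.10\n",
    # Wrong: a second WINS server that also points at the first one.
    "fs2": "[global]\n  wins support = yes\n  wins server = 192.0.2.10\n",
    # Wrong: a client still relying on broadcasts (no WINS settings).
    "ws1": "[global]\n  workgroup = EXAMPLE\n",
}
WINS_SERVER_ADDR = "192.0.2.10"  # constructed address of the intended WINS server

_PARAM = re.compile(r"^([a-z ]+?)\s*=\s*(.+?)$", re.IGNORECASE)

def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [global] section, keys lower-cased."""
    params, in_global = {}, False
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in ";#":          # blank or comment line
            continue
        if s.startswith("["):              # section header
            in_global = s.lower() == "[global]"
            continue
        m = _PARAM.match(s)
        if in_global and m:
            params[m.group(1).lower()] = m.group(2)
    return params

def check_wins(configs: Dict[str, str], wins_addr: str) -> List[str]:
    """Return one finding per violation of the all-or-nothing WINS rule."""
    findings, servers = [], []
    for host, text in configs.items():
        p = parse_global(text)
        if p.get("wins support", "no").lower() in ("yes", "true", "1"):
            servers.append(host)
            if "wins server" in p:
                findings.append(f"{host}: WINS server must not also set 'wins server'")
        elif p.get("wins server") != wins_addr:
            findings.append(f"{host}: must set 'wins support = no' and 'wins server = {wins_addr}'")
    if len(servers) != 1:
        findings.append(f"expected exactly one WINS server, found {len(servers)}: {sorted(servers)}")
    return findings

if __name__ == "__main__":
    for finding in check_wins(SAMPLE_CONFIGS, WINS_SERVER_ADDR):
        print(finding)
```

An empty result means every host either is the single WINS server or points at it; any finding names a host that would still fall back to broadcasts, which the firewall will not pass.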