Displaying 20 results from an estimated 6000 matches similar to: "NAT and DMZ"
2003 Jan 05
2
Shorewall DMZ - Proxy ARP or Static NAT
Hi All,
From the documentation I have read on Shorewall, the preferred approach
seems to be, to use Proxy ARP instead of Static NAT for hosting web servers
in the DMZ Zone. But I have also read that this could cause problems for VPN
configurations.
I essentially have multiple public IP's, which I want to map to private
addresses in the DMZ. I also intend to setup a gateway between 2
2003 Jan 13
4
DMZ hosts gateway
Hi everyone,
I have a question regarding the default gateway for hosts on DMZ zone. I moved servers from parallel to the DMZ (outside the firewall, directly connected to I-net) to inside DMZ. The default gw for these servers was the DSL router(bridge) of my ISP.
What should be the default gw (for the hosts inside the DMZ), when hosts are inside the DMZ now - still the DSL router (external
2004 Aug 22
6
LAN to DMZ zone issues.
Hello all,
Name is Andrew and in desperate need of some info.
Setup:
- Mandrake 9.1 with three interfaces
(eth0 --> WAN) C-class /28 network (with three virtual addresses which I
am DNAT-ing to the DMZ)
(eth1 --> LAN) A-class 10.0.0.0/8
(eth2 --> DMZ) A-class subnet 10.1.123.0/24
- Running stock Shorewall ver: shorewall-1.3.14-3.1.91mdk
Dilemma:
- LAN can not access the DMZ zone
2003 Jan 02
1
mail server in dmz
Hi, in a three interface firewall I have
eth0, loc, 10.1.5.1/16
eth1, int, 200.41.61.228/29
eth2, dmz, 192.168.1.1/24
(un)fortunately I got a group of public ip's to use, so here is my problem
in the dmz I have 192.168.1.3 redirected from eth1 alias 200.41.61.226 (a web server,
works perfect).
I am trying to set up a mail server also, a different machine, so I can't use proxyarp, as
with this,
2004 May 07
1
NAT & MASQ
Hello Tom,
I seem to be missing the big picture here.. can you shed some light?
I have a three interface setup loc,dmz, net
I have 4 global addresses that I want to attach to eth0 (net)
address 1 - fw address
address 2- I want to forward to a (loc)router that uses dynamic dns vpn
(gre) (Yamaha router)
address 3 - web server/Bind9 (dmz)forward port 80,443,53
address 4 - mail server (dmz)pop3,
2006 Mar 30
3
Difficulty in configuring QOS
Hi,
I'm trying to configure QOS, but I don't have success.
My files:
#/etc/shorewall/tcdevices
#INTERFACE IN-BANDWITH OUT-BANDWIDTH
eth0 256kbit 256kbit
eth1 256kbit 256kbit
eth2 256kbit 256kbit
#/etc/shorewall/tcclasses
#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
eth1
2005 Jun 18
8
getting my head around DMZ
Hello,
I have been running Shorewall for quite some time at an ISP client of
mine to protect his LAN. We have just upgraded to 2.2.4 and he now wants
to put his servers in a DMZ.
The servers have public IPs in two classes xxx.xxx.79.0 and
xxx.xxx.242.0. The public IP on the router for each class is
xxx.xxx.79.126 and xxx.xxx.242.126.
I am using masq and 192.168.1.0 on eth0 LAN
I have tried
2004 Nov 16
4
Block Windows Messenger
Hi,
I'm trying to block Windows Messenger by Shorewall 1.4.10b, but I don't have success.
If the rules below, all access are blocked
/etc/shorewall/rules
# Windows Messenger Rules
REJECT:info loc net tcp 1863
REJECT:info fw net tcp 1863
But if use the rules below, any access are allowed, why ????
/etc/shorewall/rules
# Windows
2006 Feb 15
2
Asterisk running on DMZ (no NAT) PROBLEMS- OPTION message is out of State
Hello,
Currently I've Asterisk@Home 1.5 running on DMZ. I can register SJphone
there, good audio on 8200 (webmeet me calls) and i also can dial
Zapata extensions.
When I dial sip phone extensions nothing happens if the client that
i'm calling is registered, if the client has voicemail it goes to
voicemail.
IMPORTANT:
I get this error message on my Check Point Firewall:
"sip
2003 Feb 04
1
Totally SNAT confused :)
Hi !
I have setup a complete shorewall now with DMZ, and Private zones and
masq, rules, port-forwarding etc. worx like expected.
BUT
I have a wish to use a couple of more public IP's and relate those to
internal servers on the DMZ zone and i am now so confused about it. I have
searched this archive for SNAT port allow
Setup:
3 public addresses on the WAN nic. lets call them 80.80.80.80 -
2003 Jun 20
7
NAT PAT & SNAT
Hi!
I've been searching the net for information about this topic, but I can't
find anything relevant to my problem or I don't understand the answer
completely. Please enlighten me... :-)
I'm trying to replace a Cisco PIX firewall with a Linux Shorewall box. Today
the users behind the Cisco FW is on a NAT-network and in the same network
there are a couple of
2003 Jan 22
5
Proxy arp and pptp
Hi all!
I've set up a Linux box with shorewall doing proxy arp as per http://www.shorewall.net/shorewall_setup_guide.htm#ProxyARP the 5.2 (non routed) example. Everything is working great except for one thing, and that leads me to my question: is there a conflict between proxy arp and pptp? I've set the appropriate ACCEPT rules to allow tcp port 1723 and protocol 47 to the host
2002 Nov 20
8
Proxy ARP
Hi all!
I posted earlier about the proxy arp configuration
http://shorewall.sourceforge.net/shorewall_setup_guide.htm#NonRouted,
and was probably not sufficiently knowledgeable on the subject. I've
gone through a bunch of documents on proxy arp, subnetting with proxy
arp and the documentation at shorewall, and have come up with a setup
that would be perfect for the job at hand
2003 Oct 22
2
help seeing DMZ from LOC
I have a three interface network (net,loc,dmz).
The internet interface (eth0) has a static IP.
Windows machine in the local network (eth1) use DHCP to get IPs from
the 192.168.10.0/24 netblock.
The Debian machine in the DMZ (eth2) gets a fixed IP through DHCP in
the 192.168.11.0/24 netblock.
The DHCP server is running on the firewall machine (not ideal, I know,
but that's the way
2005 May 17
1
Adaptation - Architecture Question
I have been studying Tom's configuration at:
http://www.shorewall.net/myfiles.htm -and-
http://www.shorewall.net/NAT.htm
I am using SBC as an ISP and also have 5 "real" IP addresses and because
of other issues, have to re-do my set-up. If I have a block at .120/29
assigned to me, what SBC does is give you 5 usable addresses, in my case
.121 is the SBC modem/router and
2004 Nov 01
2
dmz setup
I am trying to add a machine into my dmz. It is the first machine I've
ever added to this dmz and for some reason I cannot establish
communication between the dmz and the machine.
Here is an example of my setup:
ISP router --> firewall (eth0)
firewall (eth1) --> local network
firewall (eth2) --> DMZ
eth0 and eth2 have public IP addresses as does the machine I just added
to
2012 Mar 05
0
routing and virtual machines: how to access dmz if bridged to two networks
I am not quite sure if this issue relates to iptables, routing or Xen
virtual machines. Too many variables for my simple mind, so I'm asking
some advice :)
This is my network setup:
Internet --- eth2 + CentOS dom0 / firewall / router + eth1 (xenbr1)
--- LAN with private IPs --- separate file server and workstations
+
eth0 (xenbr0)
2005 Sep 29
0
FWD via Trunk from DMZ to LAN
2002 Dec 31
1
Big Brother with Shorewall loc dmz zones?
How would I use Big Brother with Shorewall and my loc and dmz zones to
monitor hosts in both zones?
If Big Brother's server is on my LAN (loc) is it "safe" to forward the bb
port from the dmz to the LAN? What would the security risks of this be?
Common sense says that it may not be a good idea to forward stuff from the
dmz to the LAN, but I'm inexperienced and unsure
2004 Jul 27
2
icmp traceroute from dmz behind proxy-arp - icmp code 11 ?
hello there,
im running a 3interface inet, dmz, loc. i have some public ip addresses.
one public address is the router of the provider, the second one is the
linux box running shorewall. all other public interfaces are on the dmz
nic with proxy-arp.
now whenever i do a traceroute (the dmz boxes are windows, icmp
traceroute) the very first hop gets timeout/stars, then the router of
the provider