similar to: Poor Mans DMZ

I have a Smoothwall server on my network and am running three network interfaces off it. 1) local LAN 192.168.0.0 with PCs and an internal dovecot server on 192.168.0.154. 2) internet interface 3) DMZ 192.168.2.0 which has a linux web server 192.168.2.1 on which I want to install a webmail so I can access my email remotely. Originally 192.168.2.1 couldn't see the 192.168.0.0 network but with

I have a three interface network (net,loc,dmz). The internet interface (eth0) has a static IP. Windows machine in the local network (eth1) use DHCP to get IPs from the 192.168.10.0/24 netblock. The Debian machine in the DMZ (eth2) gets a fixed IP through DHCP in the 192.168.11.0/24 netblock. The DHCP server is running on the firewall machine (not ideal, I know, but that''s the way

I am trying to add a machine into my dmz. It is the first machine I''ve ever added to this dmz and fro some reason I cannot establish communication between the dmz and the machine. Here is an example of my setup: ISP router --> firewall (eth0) firewall (eth1) --> local network firewall (eth2) --> DMZ eth0 and eth2 have public IP addresses as does the machine I just added to

Hi everyone, I have a question regarding the default gateway for hosts on DMZ zone. I moved servers from parallel to the DMZ (outside the firewall, directly connected to I-net) to inside DMZ. The default gw for these servers was the DSL router(bridge) of my ISP. What should be the default gw (for the hosts inside the DMZ), when hosts are inside the DMZ now - still the DSL router (external

Hi, in a three interface firewall I have eth0, loc, 10.1.5.1/16 eth1, int, 200.41.61.228/29 eth2, dmz, 192.168.1.1/24 (un)fortunately I got a group of public ip?s to use, so here is my problem in the dmz I have 192.168.1.3 redirected from eth1 alias 200.41.61.226 (a web server, works perfect). I am trying to set up a mail server also, a different machine, so I can?t use proxyarp, as with this,

How would I use Big Brother with Shorewall and my loc and dmz zones to monitor hosts in both zones? If Big Brother''s server is on my LAN (loc) is it "safe" to forward the bb port from the dmz to the LAN? What would the security risks of this be? Common sense says that it may not be a good idea to forward stuff from the dmz to the LAN, but I''m inexperienced and unsure

My sincere apologies to all on this list. After looking for returning packets with tcpdump and not finding ANY I called our provider to confirm our IP assignment. The IP range that I was given by my boss was incorrect. After adjusting the ip assignments, everything is working perfectly. Thank you all for your time in troubleshooting this, and I hope to be able to return the favor at some

Hello all, Name is Andrew and in desperate need of some info. Setup: - Mandrake 9.1 with three interfaces (eth0 --> WAN) C-class /28 network (with tree virtual addresses which I am DNAT-ing to the DMZ) (eth1 --> LAN) A-class 10.0.0.0/8 (eth2 --> DMZ) A-class subnet 10.1.123.0/24 - Running stock Shorewall ver: shorewall-1.3.14-3.1.91mdk Dilemma: - LAN can not access the DMZ zone

Hello !! I ve just install shorewall-common and shorewall-shell I can''t defined a network using the CIDR format for my DMZ in /etc/shorewall/hosts fast eth2:172.17.0.0/16 epac eth2:172.18.0.0/16 fsa eth2:172.19.0.0/16 bu eth2:172.20.0.0/16 recto eth2:172.21.0.0/16 dmz eth1:81.91.225.224/27 I receive this error: ERROR: Invalid zone definition for

hello there, im running a 3interface inet, dmz, loc. i have some public ip addresses. one public address is the router of the provider, the second one is the linux box running shorewall. all other public interfaces are on the dmz nic with proxy-arp. now whenever i do a traceroute (the dmz boxes are windows, icmp traceroute) the very first hop gets timeout/stars, then the router of the provider

From reading the documentation, I understand that it is recommended to put servers that may be at risk in a DMZ served via proxy-arp. In this case, the local clients that are behind a NAT would have their connections to the DMZ masqueraded, yes? Is there any way around this that would still be considered secure? Just looking for advice. Thanks, A.

Hi Guys, I have been trying to configure shorewall 1) Internet Access to internal users 2) Have a DMZ that will house atleast 6 mail / web / ftp servers that will server our existing group companies outside our physical location. 3) Setup openvpn between our location and our group companies . What i have done so far is : - Created the 3 zones with the IP ranges as below. DMZ:172.16.10.x

There is such a wealth of knowledge and personal experience on this list that I'd like to get your opinions on our current situation. Currently, we have a simple tri-homed firewall with the internal network on one interface, the dmz on another, and the dirty internet on the last. Also, there is a spare interface on the box which is unused. We use CentOS and manually maintain our rule sets

Hello all, I''ve read the shorewall guides and browsed through the mailing lists, but I haven''t been able to find out if the following is possible or not using shorewall. Our provider has given us 16 IPs + 4 in a separate range for our uplink. I would like to replace that router with a Linux box running shorewall with three interfaces. I want the DMZ to be a standard, routed

Been trying to puzzle through a firewall layout here involving E-Mail. Would have thought this was a more common kind of scenario, but I haven't been able to Google me up an answer to this one. At present I have an SMTP server (Postfix) in my DMZ that is simply re-routing mail into my secure network. This is a less than optimal setup simply due to having to allow traffic from the DMZ

Hi everyone, Sorry for asking OT here, but I need your expertise :-) I am running a standard 3 I/F net, dmz, loc Shorewall 1.4.7 on a RH 9 server In the DMZ I have a web shop running with DNAT from the external address to the DMZ - this all works I want to add a develop server in the DMZ with external access so I set this up as per the live server and from internal network it works, but from

I'm dealing with an environment with AD servers in a normal working environment, all working and happy. I'm using bare Kerberos authentication for my Linux hosts to authenticate local accounts against the AD server, all well and good, I've not needed to integrate LDAP support and don't want to. But there are DMZ VLAN's with hosts exposed directly to the Internet. I'd like

Hopefully this is an easy question.... I''m using a leaf router (bearing) running shorewall. Three interfaces net, loc, and dmz. Only one computer in the dmz and its being proxy arp''d. External and internal (net and loc) can reach the dmz but the dmz cannot reach the isp''s gateway and beyond, but can reach a system adjacent to the firewall.

hello Tom >Another very likely cause is that Shorewall-shell is generating a pkttype >test to identify multicast packets. This can be unreliable and can be >avoided by setting PKTTYPE=No in shorewall.conf. After using PKTTYPE=No in shorewall.conf , my syslog is clean now. Do you mean that adding the following line in /etc/shorewall/interfaces is suffiscient? dmz eth1