Hi! I have been able to forward smtp, http and https to my DMZ webmail server. My problem now is how to access it using proxy arp. I have tried all configs I could find in www.shorewall.net, and am always unable to access the webmail server using the domain name, only using the internal IP, when I am inside the firewall. From the outside, everything works.
Another (probably unrelated) problem is that snort is always complaining about portscans generated by the external interface, as if it was the one attacking other hosts... I am not a big fan of snort, I like prelude better, as its logs are more understandable, but prelude here dies at the first malformed packet.

Thanks!

--- Florin <[EMAIL PROTECTED]> wrote:
> Art Mason <[EMAIL PROTECTED]> writes:
>
> > I've had hell trying to get port forwarding to work properly on my SNF
> > 8.2-BETA box. Everything else (squid, dansguardian) simply rocks,
> > though. Here's the dilemma:
> >
> > eth0: 192.168.1.254/24
> > eth1: ext.ip.addr.inet
> >
> > NAT works great, transparent squid proxying works great, but I'm trying
> > to forward SMTP from a Postfix gateway on the DMZ and forward HTTPS from
> > the Internet to allow outside users to securely check their e-mail from
> > home w/o sending plaintext passwords all over the place. The setup has
> > been working well w/ snf-7.2/ipchains, but I'd like to standardize on
> > snf-8.2 if possible.
> >
> > Here's what syslog reports to me when I try HTTPS from the outside:
> >
> > proxy kernel: Shorewall:wan2all:DROP:IN=eth1 OUT= MAC= SRC=external
> > test IP address DST=ext.ip.addr.inet LEN=60 TOS=0x00 PREC=0x00 TTL=64
> > ID=46581 DF PROTO=TCP SPT=33159 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
> >
> > Relevant rules from /etc/shorewall/rules:
> >
> > ACCEPT lan wan tcp smtp -
> > ACCEPT wan lan tcp smtp -
> > ACCEPT lan wan tcp https -
> > ACCEPT wan lan tcp https -
> > ACCEPT wan lan:192.168.1.3 tcp smtp - all
> > ACCEPT wan lan:192.168.1.3 tcp https - all
> >
> > And /etc/shorewall/interfaces:
> >
> > lan eth0 detect routestopped
> > wan eth1 detect noping
>
> hello there,
>
> I have noticed that you have two rules on https
>
> I do the same thing here and this is what I get on the firewall:
>
> [root@firewall root]# grep https /etc/shorewall/rules
> ACCEPT dmz wan tcp https -
> ACCEPT lan wan tcp https -
> ACCEPT wan dmz:192.168.1.3 tcp https - all
>
> > Finally, /etc/shorewall/policy:
> >
> > lan wan ACCEPT
> > fw wan ACCEPT
> > wan all DROP info
> > all all REJECT info
>
> I have everything on DROP ...
>
> in my case, a https connection on the external IP of the firewall will
> redirect me on the dmz https server. Is your server inside the lan zone ?
>
> cheers,
> --
> Florin http://www.mandrakesoft.com
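When debugging a port forward, the quickest clue is the chain name in the `Shorewall:<chain>:<action>:` log prefix: a hit in `wan2all` is the catch-all policy, so no `wan2<zone>` rule accepted the packet. The following parser is an added example, not code from this thread or from Shorewall; the sample line and its addresses are constructed, and the prefix format is assumed to be the one shown in the log line quoted above.

```python
import re

# Constructed sample modelled on the syslog line quoted in the thread; the
# addresses are from documentation ranges, not real hosts.
SAMPLE = ("Apr  1 10:00:00 proxy kernel: Shorewall:wan2all:DROP:IN=eth1 OUT= MAC= "
          "SRC=203.0.113.5 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
          "ID=46581 DF PROTO=TCP SPT=33159 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0")

# Shorewall prefixes netfilter log lines with "Shorewall:<chain>:<disposition>:";
# the rest is the kernel's key=value fields plus bare flag tokens (DF, SYN, ...).
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):(?P<rest>.*)$")


def parse_shorewall_log(line):
    """Return a dict of chain, action, flags and key=value fields, or None."""
    m = PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val            # OUT= and MAC= are kept as empty strings
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK, ... carry no value
    return rec


def summarize(rec):
    """One-line reading of a record: which chain decided, and for which flow."""
    # Chains are named <src>2<dst>; <src>2all is the catch-all policy chain,
    # so a hit there means no rule in a more specific chain matched first.
    src_zone, sep, dst_zone = rec["chain"].partition("2")
    if sep and dst_zone == "all":
        reason = f"{src_zone}->all policy (no {src_zone}2<zone> rule matched)"
    else:
        reason = f"rule in chain {rec['chain']}"
    flow = (f"{rec.get('PROTO', '?')} {rec.get('SRC', '?')}:{rec.get('SPT', '-')}"
            f" -> {rec.get('DST', '?')}:{rec.get('DPT', '-')}"
            f" in={rec.get('IN') or '-'} out={rec.get('OUT') or '-'}")
    return f"{rec['action']} by {reason}: {flow} flags={','.join(rec['flags']) or '-'}"


if __name__ == "__main__":
    print(summarize(parse_shorewall_log(SAMPLE)))
```

Run it over `grep Shorewall /var/log/messages` to see at a glance whether a dropped HTTPS SYN died in the policy chain or in a specific rule chain.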
