Nice catch, EagleEye!  :)

Please send me the specifications for your adult beverage of choice, and
forwarding instructions!

Dan

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Charles
Steinkuehler
Sent: Monday, June 25, 2001 2:39 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Proxy ARP DMZ to Internal Forwarding


> Charles,
>
> Here's the output --- thanks again:

See comments below...

> #
> #
> # ipfilter.conf This file contains the functions that contain the firewall
> #               and ipfilter configuration. This is an example setup for
> #               IP masquerading
> #
> IPFILTER_CONF_VERSION=20010330

<snip>

> #
> # Set up forwarding
> #
> # Set up masquerading timeout values
> $IPCH -M -S 14400 0 0
> # Stop forwarding of ICMP redirects
> $IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
> # Handle masquerading denial - always valid because this controls access
> # to DMZ from inside etc.
> for PORT in $NOMASQ_DEST_BYPASS; do
> for NET in $INTERN_NET; do
> $IPCH -A forward -j MASQ -p `echoProto $PORT` \
> -s $NET -d `echoIpPort $PORT`
> done; unset NET
> done; unset PORT
> for PORT in $NOMASQ_DEST; do
> for NET in $INTERN_NET; do
> $IPCH -A forward -j REJECT -p `echoProto $PORT` \
> -s $NET -d `echoIpPort $PORT`
> done; unset NET
> done; unset PORT
> # Connect DMZ to internet
> if [ "$DMZ_SWITCH" = "YES" -o "$DMZ_SWITCH" = "Yes" \
> -o "$DMZ_SWITCH" = "yes" -o "$DMZ_SWITCH" = "PROXY" \
> -o "$DMZ_SWITCH" = "Proxy" -o "$DMZ_SWITCH" = "proxy" ]; then
> # Masquerade internal network to DMZ network
> for NET in $INTERN_NET; do
> : $IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i $DMZ_IF
> done; unset NET

Oops!  Note the colon at the start of the last $IPCH line?  Me-thinks this
is what is preventing you from talking to your DMZ, as this is the rule that
masquerades the internal network(s) to the DMZ.  Just remove the colon (line
should start with $IPCH) and re-load your firewall rules...

Welcome to the dangers of editing ipfilter.conf, especially if you're used
to vi instead of ae. ;-)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user


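The bug Charles spotted is easy to reproduce and easy to lint for. In a Bourne shell ':' is the null command: the shell still expands everything after it (so $IPCH, $NET and $DMZ_NET all look fine when you eyeball the line) and then throws the arguments away, so ipchains is never invoked for that rule. The script below is an added example, not part of the original thread or of the LEAF/LRP project's ipfilter.conf. It substitutes a logging stand-in (fake_ipch, an assumption for offline use) for /sbin/ipchains, runs one live rule and one colon-prefixed rule to show that only the first reaches the "firewall", and then greps a constructed ipfilter.conf excerpt (also an assumption) for rule lines that a stray colon has disabled, so you can catch this before reloading.

```shell
#!/bin/sh
# Added example (not from the LEAF/LRP project): why a leading ':' silently
# disables an ipchains rule in ipfilter.conf, and a check that finds such lines.

# Stand-in for /sbin/ipchains so this runs offline: it only records each call.
# (Assumption: a real ipfilter.conf sets IPCH to the ipchains binary.)
IPCH_LOG="${TMPDIR:-/tmp}/ipch_calls.$$"
fake_ipch() {
    printf '%s\n' "$*" >> "$IPCH_LOG"
}
IPCH=fake_ipch

# Run two rules in the style of the config: one live, one with the stray colon.
# ':' expands its arguments and discards them, so the MASQ rule never runs.
# Prints how many rules actually reached ipchains (expected: 1).
demo_rules() {
    : > "$IPCH_LOG"                                   # ':' used on purpose: truncate the log
    INTERN_NET=192.168.1.0/24; DMZ_NET=10.0.0.0/24; DMZ_IF=eth2   # constructed values
    $IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
    : $IPCH -A forward -j MASQ -p all -s $INTERN_NET -d $DMZ_NET -i $DMZ_IF
    wc -l < "$IPCH_LOG" | tr -d ' '
}

# Write a constructed ipfilter.conf excerpt (quoted heredoc: nothing expands).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt in the style of ipfilter.conf
$IPCH -A forward -j DENY -p icmp --icmp-type redirect -l
for NET in $INTERN_NET; do
: $IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i $DMZ_IF
done; unset NET
EOF
}

# Lint: print "lineno:text" for every $IPCH rule prefixed by ':' (optionally
# indented). Returns 1 if any such line exists, 0 if the file is clean.
find_disabled_rules() {
    grep -nE '^[[:space:]]*:[[:space:]]+\$IPCH[[:space:]]' "$1" && return 1
    return 0
}
```

Usage: source the file and run `find_disabled_rules /etc/ipfilter.conf` before `svi ipfilter reload` (or whatever reload path your LRP image uses); a non-zero exit plus the printed line numbers tells you which rules are being silently skipped. The same check is worth running on any file the firewall scripts source, since the colon is invisible in the resulting `ipchains -L` output: the rule is simply absent.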