Hello,

Hope that you are doing well.

It seems that all of the hardware and even the cabling is correct for
this Proxy ARP LRP, but I cannot get the last part to work.

I can PING from the DMZ to the local (146.9.31.x) subnet, but I cannot
go beyond that. When I try from the DMZ machine, I get a "network
unreachable" error. I also cannot PING 146.9.31.1 from the DMZ.


Here are the PING tests:

The setup is:
GATEWAY (.1)
LRP (.19)

DMZ_NET= (146.9.31.0/24)
DMZ (.29) test machine

Local Remote: a system on the 146.9.31.x subnet
Remote system: www.outstep.com <http://www.outstep.com>

Also, /var/log/messages only shows some DENYs of the external IPs
146.9.31.2, 146.9.31.3 and 146.9.31.51, which are all EXTERNAL IPs
in the network.conf.

1.) LRP -> DMZ   "YES"

2.) DMZ -> LRP   "NO"

3.) Remote -> DMZ   "NO"

4.) DMZ -> Remote   "NO"

5.) LRP -> Remote   "YES"

6.) Remote -> LRP   "YES"

7.) LRP -> Gateway   "YES"

8.) DMZ -> Local Remote

-----------------------------------------------------
My design is like this:

         INTERNET
             |    Gate (146.9.31.1)
             |    Class "C"  (146.9.31.x)
             |
             |    146.9.31.19
        ---------
        |  LRP  |
        ---------
             |    146.9.31.19
             |
             |
             |    146.9.31.29
        ---------  (gate 146.9.31.1)
        |  DMZ  |
        |Test PC|
        ---------
---------------------------------------------------

The relevant configurations are like this:

eth0_IPADDR=146.9.31.19
eth0_MASKLEN=24
eth0_BROADCAST=146.9.31.255

# Use this to set the default route if required - ONLY one to be set.
# routed or gated could be used to set this so only use if not running these.
eth0_DEFAULT_GW=146.9.31.1

# Secondary IP addresses/networks on same wire - add them here
#eth0_IP_EXTRA_ADDRS="192.168.1.193 192.168.2.1/24"
# Additional routes for this interface, if any
#   format: <PREFIX>[_<more ip route options>]
# NewTek Config for SanFrancisco note:
# This tells linux the Default GW is via this interface
# All other public IP traffic will go out the DMZ interface
# SA_TX Config note: 0.0.0.2 added to prevent martian errors
# and allow connections from the Ops net (.2 public IP) to work

eth0_ROUTES="146.9.31.1 146.9.31.2 146.9.31.3 146.9.31.11 146.9.31.12 
146.9.31.14 146.9.31.15 146.9.31.17 146.9.31.20 146.9.31.21 146.9.31.22 
146.9.31.23 146.9.31.24 146.9.31.25 146.9.31.26 146.9.31.27 146.9.31.30 
146.9.31.31 146.9.31.32 146.9.31.33 146.9.31.34 146.9.31.35 146.9.31.36 
146.9.31.39 146.9.31.40 146.9.31.43 146.9.31.44 146.9.31.45 146.9.31.46 
146.9.31.47 146.9.31.48 146.9.31.49 146.9.31.50 146.9.31.52 146.9.31.53 
146.9.31.54 146.9.31.55 146.9.31.56

146.9.31.28
146.9.31.18
146.9.31.16
146.9.31.13
146.9.31.38
146.9.31.41
146.9.31.42
146.9.31.51
"

# IP spoofing protection on this interface - YES/NO
eth0_IP_SPOOF=YES

# Kernel logging of spoofed packets on this interface - YES/NO
eth0_IP_KRNL_LOGMARTIANS=YES

# This setting affects the processing of ICMP redirects. Setting it to NO
# makes this more secure. Don't turn this off if you have two IP
# networks/subnets on the same media - YES/NO
eth0_IP_SHARED_MEDIA=NO

# Bridge this interface - YES/NO
eth0_BRIDGE=NO

# Proxy-arp from this interface, no other config required to turn on proxy ARP!
# - YES/NO
eth0_PROXY_ARP=YES

# Simple QoS/fair queueing support
# Turn on Stochastic Fair Queueing - useful on busy DDS links - YES/NO
eth0_FAIRQ=NO

# Ethernet Transmit Queue Length
# eth0_TXQLEN=100
# Complex QoS - Enable all of these + above to turn it on
#eth0_BNDWIDTH=10Mbit   # Device bandwidth
#eth0_HNDL=2            # Queue Handle - must be unique
#eth0_IABURST=100       # Interactive Burst
#eth0_IARATE=1Mbit      # Interactive Rate
#eth0_PXMTU=1514        # Physical MTU - includes Link Layer header

eth1_IPADDR=146.9.31.19
eth1_MASKLEN=24
eth1_BROADCAST=146.9.31.255
eth1_ROUTES="146.9.31.0/24"
#eth1_ROUTES="146.9.31.19"
eth1_IP_SPOOF=YES
eth1_IP_KRNL_LOGMARTIANS=YES
eth1_IP_SHARED_MEDIA=NO
eth1_BRIDGE=NO
eth1_PROXY_ARP=YES
eth1_FAIRQ=NO

<snip>

# DMZ setup
# Whether you want a DMZ or not (YES, PROXY, NO)
DMZ_SWITCH=PROXY
DMZ_IF="eth1"                   # DMZ Interface
DMZ_NET=146.9.31.0/24           # DMZ Network
#DMZ_NET=146.9.31.1             # DMZ Network

# For Proxy-Arp DMZ's only:
# These IPs are on the external net...all others in the network are assumed
# to be DMZ addresses
DMZ_EXT_ADDRS="$EXTERN_IP $eth0_ROUTES"

# Shorthands for DMZ firewall rules:
#Srvr1="146.9.31.28"            # rem1
#Srvr2="146.9.31.18"            # rem2 = mail server
Srvr1="146.9.31.29"             # rem3
#Srvr4="146.9.31.16"            # rem4
#Srvr5="146.9.31.13"            # rem5
#Srvr6="146.9.31.38"            # rem6 = ORACLE DB Server
#Srvr7="146.9.31.41"            # rem7
#Srvr8="146.9.31.42"            # rem8 = DICOM Server
#Srvr9="146.9.31.51"            # rem9

## Both of the following should be used together - ie if you turn on
## DMZ_HIGH_TCP_CONNECT - DO specify DMZ_CLOSED_DEST!

# Allows inbound connections to high tcp ports (>1023)
# You can also allow to specific machines using 1024: as the dest port range
# in DMZ_OPEN_DEST
#DMZ_HIGH_TCP_CONNECT=YES

## 3306 MySQL, 6000 X, 2049 NFS, 7100 xfs
#DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"

# Inbound services to allow to the DMZ
# <protocol>_<destination IP/network>_<destination port or range>
#DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
#               tcp_${DMZ_NET}_ssh
#               tcp_${DMZ_NET}_domain
#               icmp_${DMZ_NET}_:
#               tcp_${Srvr1}_www
#               tcp_${Srvr1}_smtp
#               tcp_${Srvr1}_imap2
#               tcp_${Srvr1}_pop-3
#               "

DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
               tcp_${DMZ_NET}_domain
               icmp_${DMZ_NET}_:
               tcp_${Srvr1}_telnet
               "

-----------------------------------------------------

Could you please tell me what statement is required to be put in so that 
my DMZ can see the rest of the Internet world?

It's almost working and is really close now.

Thanks for all of your help.
Lonnie



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
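The post's proxy-ARP DMZ stands or falls on one kernel rule: with proxy_arp on, Linux answers an ARP request it sees on an interface only when its route to the requested address leaves through a different interface. Which interface that is depends on the route table the network.conf builds, so the following added example (written for this page; it is not LEAF/LRP code and not the poster's) parses a constructed excerpt of the quoted network.conf, builds the routes it implies, and reports whether the router would answer the two ARP requests the ping tests depend on: the DMZ PC asking for the gateway on eth1, and an outside host asking for the DMZ PC on eth0. It also shows the same requests against an alternative host-route layout (eth1 as a /32 plus a /32 route per DMZ host via eth1), which is an assumption added for contrast, not something the post proposes. Other assumptions: EXTERN_IP is set equal to eth0's address because the post snips that line, and route selection is simplified to longest prefix with ties going to the earlier entry.

```python
# Model of the proxy-ARP decision a Linux router makes, applied to the post's
# addressing.  Assumptions, not kernel code: longest prefix wins, equal prefixes
# go to the route inserted first; metrics, ECMP and medium_id are ignored.
import ipaddress
import re

# Constructed excerpt of the posted network.conf, trimmed to what the model reads
# (eth0_ROUTES keeps a few of the posted hosts).  EXTERN_IP is assumed, as the
# post snips the line that sets it.
CONF = '''
EXTERN_IP=146.9.31.19
eth0_IPADDR=146.9.31.19
eth0_MASKLEN=24
eth0_DEFAULT_GW=146.9.31.1
eth0_ROUTES="146.9.31.1 146.9.31.2 146.9.31.3 146.9.31.11 146.9.31.12
146.9.31.28 146.9.31.51
"
eth1_IPADDR=146.9.31.19
eth1_MASKLEN=24
eth1_ROUTES="146.9.31.0/24"
DMZ_IF="eth1"
DMZ_NET=146.9.31.0/24
DMZ_EXT_ADDRS="$EXTERN_IP $eth0_ROUTES"
'''

def expand(value, conf):
    """$VAR expansion from earlier assignments, as sourcing the file would do."""
    return re.sub(r'\$(\w+)', lambda m: conf.get(m.group(1), ''), value)

def parse_conf(text):
    """KEY=value lines; a double-quoted value may run over several lines."""
    conf, key, buf = {}, None, []
    for line in text.splitlines():
        if key is not None:                       # inside a multi-line quote
            if line.rstrip().endswith('"'):
                buf.append(line.rstrip()[:-1])
                conf[key], key = expand(' '.join(buf), conf), None
            else:
                buf.append(line)
            continue
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        name, _, value = line.partition('=')
        if value.startswith('"') and not value.endswith('"', 1):
            key, buf = name, [value[1:]]          # quote opened, not yet closed
        else:
            conf[name] = expand(value.strip('"'), conf)
    return conf

def route(prefix, dev):
    """A bare address becomes a /32 host route, as 'ip route add A dev X' does."""
    return ipaddress.ip_network(prefix, strict=False), dev

def lookup(table, dst):
    """Longest-prefix match; among equal prefixes the earliest entry wins."""
    dst, best = ipaddress.ip_address(dst), None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best

def table_from_conf(conf, ifaces=('eth0', 'eth1')):
    """Routes the posted settings install, per interface: the connected net
    from IPADDR/MASKLEN, then each entry of <iface>_ROUTES."""
    table = []
    for dev in ifaces:
        table.append(route(f"{conf[dev + '_IPADDR']}/{conf[dev + '_MASKLEN']}", dev))
        table += [route(p, dev) for p in conf.get(dev + '_ROUTES', '').split()]
    return table

def host_route_table(conf, dmz_hosts):
    """Alternative layout (assumed, not from the post): eth0 keeps the connected
    /24, eth1 only the router's /32, and each DMZ host a /32 route via eth1."""
    table = [route(f"{conf['eth0_IPADDR']}/{conf['eth0_MASKLEN']}", 'eth0'),
             route(f"{conf['eth1_IPADDR']}/32", 'eth1')]
    return table + [route(h, conf['DMZ_IF']) for h in dmz_hosts]

def proxy_arp_replies(table, local_addrs, in_dev, target):
    """Linux proxies an ARP request seen on in_dev only if the target is not a
    local address and its route leaves by another interface (arp_fwd_proxy)."""
    if target in local_addrs:
        return False              # own address: a normal reply, not a proxied one
    hit = lookup(table, target)
    return hit is not None and hit[1] != in_dev

def classify(conf):
    """As the posted comment says: every host in DMZ_NET not listed in
    DMZ_EXT_ADDRS is taken to be a DMZ address."""
    external = set(conf['DMZ_EXT_ADDRS'].split())
    net = ipaddress.ip_network(conf['DMZ_NET'])
    return external, [str(h) for h in net.hosts() if str(h) not in external]

def report(conf, dmz_pc='146.9.31.29'):
    """For the two ARP requests the post's pings depend on: does the router
    answer under the posted table, and under the host-route table?"""
    local = [conf['eth0_IPADDR'], conf['eth1_IPADDR']]
    posted, alt = table_from_conf(conf), host_route_table(conf, [dmz_pc])
    requests = [('eth1', conf['eth0_DEFAULT_GW']),   # DMZ PC asks for the gateway
                ('eth0', dmz_pc)]                    # outside asks for the DMZ PC
    return {(dev, tgt): (proxy_arp_replies(posted, local, dev, tgt),
                         proxy_arp_replies(alt, local, dev, tgt))
            for dev, tgt in requests}
```

Calling `report(parse_conf(CONF))` returns, per request, a pair of booleans (posted table, host-route table). Under the model, the posted layout leaves 146.9.31.29 reachable only through the first-installed 146.9.31.0/24 on eth0, so an ARP request for it arriving on eth0 is not proxied, while the host-route layout makes the /32 via eth1 more specific than the /24 and the request is answered. On the LRP itself the equivalent checks are `ip route show` and `cat /proc/sys/net/ipv4/conf/eth0/proxy_arp` / `.../eth1/proxy_arp`; whatever the real table turns out to be, feed it to `lookup` and `proxy_arp_replies` rather than trusting the constructed one above.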
