> - could you please confirm that the DMZ network must be part of the
> defined 'internal' network.

The DMZ network does NOT need to have any particular relationship to the internal network. The fact that when you put the DMZ 'inside' your internal network space, the DMZ is able to access the internet (and isn't able to otherwise) indicates the outbound masquerade rules are not getting generated for the DMZ. This is either a result of a misconfigured setting in network.conf, or a very large bug in the scripts.

> - in a DMZ_SERVERn entry, should the extended port forward definition be
> in double quotes? Or is this irrelevant?
>
> DMZ_SERVER0=tcp_150.101.234.2_www_192.168.2.10_www
> DMZ_SERVER1="udp_150.101.234.2_www_192.168.2.10_www"

Actually, both of the above are equivalent, and both are wrong. The underscores should be spaces, and since the spaces are part of the variable setting, you need double quotes:

DMZ_SERVER0="tcp 150.101.234.2 www 192.168.2.10 www"
DMZ_SERVER1="udp 150.101.234.2 www 192.168.2.10 www"

> - if the DMZ is working, there should be some extra rules in the
> ipchains list. Could one of you please provide one example rule that is
> private-DMZ specific so that I can check that this is working. To date,
> switching on (or off) the DMZ and then /etc/init.d/network restart seems
> to have no effect on ipchains definitions (as reported in an email
> yesterday).

The best place to check is the forward rules. There is normally a single masquerade rule hooking your internal network to the internet. With a private DMZ, you also have a rule masquerading the DMZ network to the internet, the internal network to the DMZ network, and several individual masquerade rules for the port-forwarded services of the DMZ, allowing them to be accessed via the public IP from the internal network. If switching the DMZ on and off does not cause dramatic changes to the forward rule chain, something basic is wrong.

> - and finally (and sorry for the newbie question) when accessing
> services in the DMZ from the local network(s), should the actual IP
> address of the server on the DMZ network or the external IP address of
> the LRP box be used?

When everything is set up correctly, you should be able to access the services using the public IP.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
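The DMZ_SERVERn mistake discussed above (underscores instead of spaces, and spaces without double quotes) is easy to catch before the firewall scripts ever run. The following is an added example, written for this page; it is not part of the original message and not code from the LEAF/LRP network scripts. It assumes only what the reply states: a DMZ_SERVERn value is five space-separated fields, "proto public_ip public_port dmz_ip dmz_port", with proto being tcp or udp. Service names such as "www" are accepted by shape only and are not resolved against /etc/services (an assumption, so this runs offline), and no ipchains rules are generated or executed; the checker just validates the entry and, for a raw network.conf-style line, shows whether the shell assignment itself even succeeds.

```shell
#!/bin/sh
# Added example for this page; not part of the original reply or of the
# LEAF/LRP scripts.  Validates DMZ_SERVERn entries of the form
#   "proto public_ip public_port dmz_ip dmz_port"
# and demonstrates why an unquoted value with spaces never gets assigned.

# True if $1 is a dotted-quad IPv4 address with each octet 0-255.
is_ipv4() {
    _rest=$1.
    _n=0
    while [ -n "$_rest" ]; do
        _o=${_rest%%.*}
        _rest=${_rest#*.}
        case $_o in ''|*[!0-9]*) return 1;; esac
        [ "$_o" -le 255 ] 2>/dev/null || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# True if $1 is a numeric port 1-65535 or looks like a service name
# (letters, digits, '-').  Names are NOT looked up in /etc/services here
# (assumption, so the check works offline); an underscore is rejected.
is_port() {
    case $1 in
        '') return 1;;
        *[!0-9]*) case $1 in *[!a-zA-Z0-9-]*) return 1;; *) return 0;; esac;;
        *) [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null;;
    esac
}

# Validate one DMZ_SERVERn value.  Prints the normalised entry and returns
# 0 on success; prints the reason on stderr and returns 1 otherwise.
check_dmz_server() {
    _entry=$1
    # Unquoted on purpose: splitting the value into fields is the point.
    set -- $_entry
    if [ $# -eq 1 ]; then
        case $1 in
            *_*) echo "error: fields are separated by spaces, not underscores, so the value needs double quotes: '$_entry'" >&2
                 return 1;;
        esac
    fi
    if [ $# -ne 5 ]; then
        echo "error: expected 5 fields (proto public_ip public_port dmz_ip dmz_port), got $#: '$_entry'" >&2
        return 1
    fi
    case $1 in tcp|udp) ;; *) echo "error: protocol must be tcp or udp: '$1'" >&2; return 1;; esac
    is_ipv4 "$2" || { echo "error: bad public IP '$2'" >&2; return 1; }
    is_port "$3" || { echo "error: bad public port '$3'" >&2; return 1; }
    is_ipv4 "$4" || { echo "error: bad DMZ IP '$4'" >&2; return 1; }
    is_port "$5" || { echo "error: bad DMZ port '$5'" >&2; return 1; }
    printf '%s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Evaluate one network.conf-style assignment line in a subshell, then
# validate the resulting DMZ_SERVER0.  With unquoted spaces the shell
# treats the line as a command named after the second word, so the
# assignment never happens and the line is rejected on that basis alone.
check_conf_line() {
    ( eval "$1" 2>/dev/null || exit 1
      [ -n "$DMZ_SERVER0" ] || { echo "error: DMZ_SERVER0 is empty" >&2; exit 1; }
      check_dmz_server "$DMZ_SERVER0" )
}

# Constructed sample lines: the two from the question, the unquoted
# spaces variant, and the corrected form from the reply.
for line in \
    'DMZ_SERVER0=tcp_150.101.234.2_www_192.168.2.10_www' \
    'DMZ_SERVER0="udp_150.101.234.2_www_192.168.2.10_www"' \
    'DMZ_SERVER0=tcp 150.101.234.2 www 192.168.2.10 www' \
    'DMZ_SERVER0="tcp 150.101.234.2 www 192.168.2.10 www"'
do
    if check_conf_line "$line" >/dev/null 2>&1; then
        echo "OK:  $line"
    else
        echo "BAD: $line"
    fi
done
```

Only the last sample line passes; the first two fail on the underscores, and the third fails because without quotes the shell never assigns DMZ_SERVER0 at all, which is the same reason the real network.conf would silently produce no port-forward rules for that entry.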
