Troy Aden wrote:

> This is my first attempt at setting up a DMZ so I am
> admitting now that I probably got it all wrong. That said, I am hoping
> someone on the list can point out where I have made my mistakes and point me
> in the right direction. Here is what I am attempting to accomplish.
>
>   -----> Internet -----> eth0 Bering box using shorewall ----> eth1 loc zone
>                                                           ---> eth2 dmz zone
>
> GOAL IS:
> TO ALLOW ALL INTERNET TRAFFIC INTO MY DMZ

What do you mean? Do you mean that you want to forward every port on the
firewall into the same host on the dmz? To what host? Any particular reason?

> TO ALLOW DMZ ACCESS TO THE INTERNET (BUT TO LOG IT)

I didn't see you taking steps to log this.

> TO ALLOW LOC ZONE OPEN ACCESS TO DMZ
> TO BLOCK ALL TRAFFIC FROM DMZ TO LOC ZONE and log it if it
> tries to connect to loc zone.
> TO ALLOW DNSCACHE AND DHCPD TO WORK FOR BOTH ZONES.
>
> I thought I had it all working until I attempted to do an
> ftp file transfer between my windoz systems on the loc zone to my Linux
> server in the dmz zone. My transfer rate was terrible and FTP kept giving me
> a "cannot connect to data socket error". Even attempting an ftp transfer
> from a remote server was failing.

Ftp clients can transfer files in two modes, active or passive mode, which
determines who initiates the data connection. Which were you trying to do,
and what's the output of lsmod?

> Please keep in mind that this is my first
> attempt at this and I have tried to follow the shorewall howto for setting
> up three interfaces but I am pretty sure I goofed.

Doin' purty good so far I reckon.

> PLEASE HELP! I have
> included all the info that I think is pertinent but if you require more
> please let me know and I will provide it. Thanks in advance.
>
> Troy
>
> #
> # Shorewall 1.3 /etc/shorewall/zones

Is fine.

> # Shorewall version 1.3 - Rules File
> # /etc/shorewall/rules
> # Accept DNS connections from the firewall to the network
> #
> ACCEPT fw net tcp 53
> ACCEPT fw net udp 53

Well here you figure that it might use tcp and udp, but not below....

> #
> # Accept SSH connections from the local network for administration
> #
> ACCEPT loc fw tcp 22
>
> # DENAT all my webserver from web
> DNAT net dmz:192.168.2.25 tcp -
> DNAT net dmz:192.168.2.25 udp -

Yes I see you letting everything in. Interesting :)

> # Bering specific rules:
> # allow loc to fw udp/53 for dnscache to work
> # allow loc to fw tcp/80 for weblet to work
> #
> ACCEPT loc fw udp 53

Like here you don't have the tcp 53 entry. You never know which resolver
library will initiate the traffic and whether it will be tcp or udp. Best to
Accept both.

> ACCEPT loc fw tcp 80
> ACCEPT loc fw udp 67
> ACCEPT loc fw udp 68
>
> # Bering specific rules:
> # allow dmz to fw udp/53 for dnscache to work
> # allow dmz to fw tcp/80 for weblet to work
> #
> ACCEPT dmz fw udp 53

Here too.

> ACCEPT dmz fw tcp 80
> ACCEPT dmz fw udp 67
> ACCEPT dmz fw udp 68
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

But you don't have any rules for loc to dmz... Onto the next file...

> # Shorewall 1.3 - Masquerade file

Is fine.

> # Shorewall 1.3 -- Interfaces File

Is fine also.

> # /etc/shorewall/shorewall.conf V1.3 - Change the following variables to

Not sure. Best to hear from T.E. about this.

> # /etc/network/interfaces -- configuration file for LEAF network

That's ok afaik.

> # /etc/hosts.allow: list of hosts that are allowed to access the system.

Not an issue w/your ftp.

> /ETC/HOSTS

ok.

> /ETC/DNSCACHE/ENV/IP
>
> 192.168.1.254
> 192.168.2.254

This I wouldn't do, but rather leave dnscache thinking it only listens to the
192.168.1.0 network on eth1 and tell it that you want to allow queries from
all three networks in:

Hub:># cat /etc/dnscache/env/IPQUERY
192.168.1
192.168.2
127.0.0.1

which is what I do and it works, but that's not to say your way doesn't also.
I think using IPQUERY is more intuitive but don't understand djbdns totally.

> /ETC/DHCPD.CONF

no comment. Don't use it.

So you didn't post your shorewall policy file. That's sort of important, plus
what the right honorable long-hair RayO asked for (ip addr show, ip route show,
lsmod, etc...) :)

good luck naw,
matthew

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
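The review points in the reply above (DNS accepted on udp but not tcp, no loc-to-dmz rule at all, dmz-to-loc to be blocked and logged, dmz-to-net to be logged, and a DNAT that forwards every port to one host) can be turned into a small lint that reads a Shorewall 1.3 rules file and policy file and reports which of the stated goals the pair does not meet. The script below is an added example written for this page, not code from the mail, from Shorewall or from LEAF. It assumes the column layout visible in the posted rules (ACTION SOURCE DEST PROTO PORT), a policy layout of SOURCE DEST POLICY [LOGLEVEL], and Shorewall's first-match, top-down policy evaluation with "all" as a wildcard. The posted rules are re-typed as sample input; since the policy file was never posted, GUESSED_POLICY is a constructed guess at a typical three-interface policy, and the "fixed" pair is one constructed way of satisfying every check, not the author's configuration.

```python
"""Shorewall 1.3 rules/policy lint for the goals stated in the thread.
Added example, not from the mail. Assumed column layouts: rules are
ACTION SOURCE DEST PROTO PORT, policy is SOURCE DEST POLICY [LOGLEVEL];
policy lines match first-hit, top down, with "all" as a wildcard."""
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst proto port")
Policy = namedtuple("Policy", "src dst policy loglevel")

def _columns(text):
    """Whitespace-split columns of each line, skipping blanks and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_rules(text):
    zone = lambda f: f.split(":", 1)[0]      # "dmz:192.168.2.25" -> "dmz"
    return [Rule(f[0].upper(), zone(f[1]), zone(f[2]), f[3].lower(), f[4])
            for f in _columns(text)]

def parse_policy(text):
    return [Policy(f[0], f[1], f[2].upper(), f[3] if len(f) > 3 else None)
            for f in _columns(text)]

def effective_policy(policies, src, dst):
    for p in policies:                       # first matching line wins
        if p.src in (src, "all") and p.dst in (dst, "all"):
            return p
    return None

def check(rules, policies):
    """Return a list of findings; an empty list means nothing to flag."""
    out = []
    acc = {(r.src, r.dst, r.proto, r.port) for r in rules if r.action == "ACCEPT"}
    # 1. DNS on one transport only: the resolver may use tcp or udp
    for src, dst, proto, port in sorted(acc):
        other = "udp" if proto == "tcp" else "tcp"
        if port == "53" and (src, dst, other, "53") not in acc:
            out.append("%s->%s: %s/53 accepted but %s/53 is not" % (src, dst, proto, other))
    # 2. "loc zone open access to dmz": needs an ACCEPT rule or an ACCEPT policy
    pol = effective_policy(policies, "loc", "dmz")
    if not any(a[:2] == ("loc", "dmz") for a in acc) and not (pol and pol.policy == "ACCEPT"):
        out.append("loc->dmz: no ACCEPT rule and policy is %s" % (pol.policy if pol else "undefined"))
    # 3. "block dmz->loc and log it"
    if any(a[:2] == ("dmz", "loc") for a in acc):
        out.append("dmz->loc: an ACCEPT rule contradicts the block goal")
    pol = effective_policy(policies, "dmz", "loc")
    if pol is None or pol.policy == "ACCEPT":
        out.append("dmz->loc: not blocked by policy")
    elif pol.loglevel is None:
        out.append("dmz->loc: blocked but not logged")
    # 4. "dmz to internet, but log it"
    pol = effective_policy(policies, "dmz", "net")
    if pol and pol.policy == "ACCEPT" and pol.loglevel is None:
        out.append("dmz->net: accepted but not logged")
    # 5. PORT "-" on a DNAT forwards every port of that protocol to one host
    for r in rules:
        if r.action == "DNAT" and r.port == "-":
            out.append("%s->%s: all %s ports DNATed to one host; confirm intended" % (r.src, r.dst, r.proto))
    return out

def lint(rules_text, policy_text):
    return check(parse_rules(rules_text), parse_policy(policy_text))

# Constructed inputs: POSTED_RULES re-types the rules from the mail; the policy
# file was not posted, so GUESSED_POLICY is a typical three-interface guess.
POSTED_RULES = """
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
DNAT net dmz:192.168.2.25 tcp -
DNAT net dmz:192.168.2.25 udp -
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
ACCEPT loc fw udp 67
ACCEPT loc fw udp 68
ACCEPT dmz fw udp 53
ACCEPT dmz fw tcp 80
ACCEPT dmz fw udp 67
ACCEPT dmz fw udp 68
"""
GUESSED_POLICY = "loc net ACCEPT\ndmz net ACCEPT\nnet all DROP info\nall all REJECT info\n"

# One way to satisfy every check: add the tcp/53 twins, DNAT only the web port,
# and state the zone-to-zone goals in the policy file (drop + log dmz->loc).
FIXED_RULES = (POSTED_RULES.replace("dmz:192.168.2.25 tcp -", "dmz:192.168.2.25 tcp 80")
               .replace("DNAT net dmz:192.168.2.25 udp -\n", "")
               + "ACCEPT loc fw tcp 53\nACCEPT dmz fw tcp 53\n")
FIXED_POLICY = ("loc dmz ACCEPT\ndmz loc DROP info\ndmz net ACCEPT info\n"
                "loc net ACCEPT\nnet all DROP info\nall all REJECT info\n")

if __name__ == "__main__":
    for name, r, p in (("posted", POSTED_RULES, GUESSED_POLICY), ("fixed", FIXED_RULES, FIXED_POLICY)):
        print("%s: %s" % (name, "; ".join(lint(r, p)) or "clean"))
```

Run as-is it prints six findings for the posted rules against the guessed policy and "clean" for the fixed pair. The zone-to-zone goals are deliberately expressed in the policy file rather than as catch-all rules, which is also why the reply asks for the policy file: without it, whether loc can reach dmz at all, and whether dmz-to-loc attempts are logged, cannot be determined from the rules alone.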
