I can't figure out what you mean by "i can ping dmz<->fw<->loc but not dmz<->loc" in what you wrote below. So I cannot answer that part of your question.
Most likely when you changed the DMZ addressing away from the default, you created a mismatch between the actual interfaces/networks and one of the Shorewall settings, but offhand I don't know which one ... you can check this through Bering's "Shorewall" menu choice.
It is possible to have both the LAN and the DMZ on the same IP-address network ... I do it here, for example, though I don't use Bering ... you just have to get the routing table and firewall rulesets right. For competent security, you want the LAN and the DMZ to be separate *physical* networks (in practice, separate Ethernets, usually), but that's a separate issue from IP-address networks.
As I said last time, unless someone else can spot the problem from the fragmentary info you sent, you'll need to provide proper diagnostics, as described in the SR FAQ, to get targeted help.
At 06:15 PM 12/17/2003 +0100, and hansen wrote:
Hi Again
>>Hello Group
>>
>>I have some problems in my connection to and from DMZ
>>and LOC
>>all other than LOC <-> DMZ works
>>I'm using shorewall 1.4.8 with the three interfaces
>>config examples
>>not only "ping" but also ssh can't connect
>>I imagine it's a small detail i missed
>>but hell i can't find it,
>
>The ping failures you report, namely --
>
>>ping dmz -> loc failure "network unreachable"
>>ping dmz <- loc failure "ctrl+c 100% loss"
>
>-- usually indicate a problem with some routing table. But since you
>didn't include a listing of either routing table ("ip route show" for the
>LEAF router; who knows for the DMZ host) in the "some stuff" you provided,
>that's only a guess.
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.100
128.142.112.0/20 dev eth0 proto kernel scope link src 128.142.121.254
default via 128.142.112.1 dev eth0
>If I read this "stuff" right, you changed the network numbering of your DMZ
>in /etc/network/interfaces away from the default. But perhaps you did not
>change the corresponding entries in /etc/network.conf?
I don't have a /etc/network.conf?? This is the default /etc/interfaces. As I understand it, I can't have the DMZ on the same network as the LOC; here it is 192.168.1.x for both the DMZ and LOC??
auto eth1
iface eth1 inet static
    address 192.168.1.254
    masklen 24
    broadcast 192.168.1.255

auto eth2
iface eth2 inet static
    address 192.168.1.100
    masklen 24
    broadcast 192.168.1.255
>Finally, you *might* have a configuration problem on the DMZ host you are
>testing from.
If I can ping dmz<->fw<->loc but not dmz<->loc, then my DMZ host net config is OK, right??
-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
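A check for the two things this thread turns on, the LAN and DMZ stanzas sharing one IP network and the posted interfaces file disagreeing with what the kernel actually routes, written as an added example (not from the list thread, Bering or Shorewall): it parses the "ip route show" output and the /etc/network/interfaces stanzas quoted above and reports both problems. Bering's "masklen" keyword is handled alongside Debian's "netmask".

```python
import ipaddress
# Routing table and interface stanzas as posted in the thread above (broadcast lines omitted).
IP_ROUTE_SHOW = """\
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
192.168.10.0/24 dev eth2 proto kernel scope link src 192.168.10.100
128.142.112.0/20 dev eth0 proto kernel scope link src 128.142.121.254
default via 128.142.112.1 dev eth0
"""
ETC_NETWORK_INTERFACES = """\
iface eth1 inet static
address 192.168.1.254
masklen 24
iface eth2 inet static
address 192.168.1.100
masklen 24
"""

def parse_routes(text):
    """Map each device to the address/prefix of its connected route ('... src <addr>')."""
    live = {}
    for f in (line.split() for line in text.splitlines()):
        if "src" in f:  # connected route: '<net> dev <if> ... scope link src <addr>'
            prefix = f[0].split("/")[1]
            live[f[f.index("dev") + 1]] = ipaddress.ip_interface(f"{f[f.index('src') + 1]}/{prefix}")
    return live

def parse_interfaces(text):
    """Map each 'iface ... inet static' stanza to its configured address/prefix."""
    stanzas, cur = {}, None
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "iface":
            cur = stanzas.setdefault(f[1], {"mask": "24"})  # Bering writes 'masklen', Debian 'netmask'
        elif f and cur is not None and f[0] == "address":
            cur["address"] = f[1]
        elif f and cur is not None and f[0] in ("masklen", "netmask"):
            cur["mask"] = f[1]
    return {k: ipaddress.ip_interface(f"{v['address']}/{v['mask']}") for k, v in stanzas.items() if "address" in v}

def find_problems(live, configured):
    """Report configured networks that overlap and config/kernel address disagreements."""
    problems = []
    names = sorted(configured)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if configured[a].network.overlaps(configured[b].network):
                problems.append(f"overlap: {a} {configured[a].network} and {b} {configured[b].network}")
    for name, conf in configured.items():
        if (kern := live.get(name)) is None or kern.ip != conf.ip:
            problems.append(f"mismatch: {name} configured {conf.ip}, kernel has {kern.ip if kern else 'no route'}")
    return problems
```

Run against the posted data it flags eth1 and eth2 both on 192.168.1.0/24 and eth2 configured 192.168.1.100 while the kernel routes 192.168.10.100, which is exactly the kind of interface/network mismatch the reply above suspects.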