I've got a server proxy-arped in a DMZ. I've specified this machine's IP
address in the /etc/shorewall/proxyarp file. I've also specified that the
dmz zone be masqueraded. Therefore I would think it stands to reason that I
could cvsup the server to an external web site. But the shorewall logs show
that the outgoing packets are being rejected as follows:

<..snip..>
Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP
SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0 
Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
DST=128.31.0.28 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=112 DF PROTO=TCP SPT=65235
DPT=5999 SEQ=4035191759 ACK=0 WINDOW=65535 SYN URGP=0 
Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
DST=204.152.184.73 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=122 DF PROTO=TCP
SPT=57799 DPT=5999 SEQ=3406116159 ACK=0 WINDOW=65535 SYN URGP=0 
Mar 3 09:27:26 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
DST=64.157.15.40 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=132 DF PROTO=TCP
SPT=50499 DPT=5999 SEQ=1849546663 ACK=0 WINDOW=65535 SYN URGP=0 
Mar 3 09:27:26 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
DST=69.31.98.210 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=135 DF PROTO=TCP
SPT=55851 DPT=5999 SEQ=3129591545 ACK=0 WINDOW=65535 SYN URGP=0 
Mar 3 09:27:26 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
DST=129.250.31.140 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=138 DF PROTO=TCP
SPT=61326 DPT=5999 SEQ=217796985 ACK=0 WINDOW=65535 SYN URGP=0 
<..snip..>

The server's IP address is in the same IP address range as the external
interface's IP address. Same subnet. But for name resolution, it's being
told to reach our ISP's name server(s). I can ping www.yahoo.com
successfully. 

Here's the output after restarting Shorewall:

Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Not available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Not available
   IP range Match: Not available
   Recent Match: Not available
   Owner Match: Not available
   Ipset Match: Not available
   ROUTE Target: Not available
   Extended MARK Target: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Not available
Determining Zones...
   Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local Zone: eth1:0.0.0.0/0
   DMZ Zone: eth2:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowSubmission...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowICMPs...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowNTPbrd...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Deleting user chains...
Processing /etc/shorewall/continue ...
Processing /etc/shorewall/routestopped ...
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
   Host 216.70.250.3 connected to eth2 added to ARP on eth0
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
Enabling RFC1918 Filtering
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/ipsec...
Processing /etc/shorewall/rules...
   Rule "ACCEPT fw net tcp 53" added.
   Rule "ACCEPT fw net udp 53" added.
   Rule "ACCEPT fw loc tcp 53" added.
   Rule "ACCEPT fw loc udp 53" added.
   Rule "ACCEPT fw dmz tcp 53" added.
   Rule "ACCEPT fw dmz udp 53" added.
   Rule "ACCEPT loc fw tcp 53" added.
   Rule "ACCEPT loc fw udp 53" added.
   Rule "ACCEPT dmz fw tcp 53" added.
   Rule "ACCEPT dmz fw udp 53" added.
   Rule "ACCEPT dmz loc:192.168.1.254 tcp 53" added.
   Rule "ACCEPT dmz loc:192.168.1.254 udp 53" added.
   Rule "ACCEPT loc fw tcp 22" added.
   Rule "ACCEPT loc dmz tcp 22" added.
   Rule "ACCEPT dmz net tcp 53" added.
   Rule "ACCEPT dmz net udp 53" added.
   Rule "ACCEPT net fw icmp 8" added.
   Rule "ACCEPT loc fw icmp 8" added.
   Rule "ACCEPT dmz fw icmp 8" added.
   Rule "ACCEPT loc dmz icmp 8" added.
   Rule "ACCEPT dmz loc icmp 8" added.
   Rule "ACCEPT dmz net icmp 8" added.
   Rule "ACCEPT fw net icmp" added.
   Rule "ACCEPT fw loc icmp" added.
   Rule "ACCEPT fw dmz icmp" added.
   Rule "ACCEPT net dmz icmp 8" added.
   Rule "ACCEPT net loc icmp 8" added.
   Rule "DNAT:ULOG net loc:192.168.1.15 tcp 8080 www 216.70.250.2" added.
   Rule "DNAT net loc:192.168.1.149 tcp 52525" added.
   Rule "DNAT net loc:192.168.1.149 udp 52525" added.
   Rule "DNAT net loc:192.168.1.4 tcp smtp - 216.70.250.2" added.
   Rule "DNAT:ULOG net loc:192.168.1.2 tcp www - 216.70.250.2" added.
   Rule "DNAT:ULOG net loc:192.168.1.2 tcp 443 - 216.70.250.2" added.
   Rule "DNAT net loc:192.168.1.4 tcp 8000 www 216.70.250.2" added.
   Rule "ACCEPT loc fw udp 67,68" added.
   Rule "ACCEPT:ULOG loc fw tcp 80,8080" added.
   Rule "ACCEPT dmz net tcp 80" added.
   Rule "ACCEPT dmz net tcp smtp" added.
   Rule "ACCEPT dmz loc tcp smtp" added.
   Rule "ACCEPT fw net tcp smtp" added.
   Rule "ACCEPT fw loc:192.168.1.4 tcp smtp" added.
   Rule "ACCEPT fw net tcp time" added.
   Rule "ACCEPT fw net udp ntp" added.
   Rule "ACCEPT loc fw udp ntp" added.
   Rule "REJECT:ULOG loc net udp 1025:1031" added.
   Rule "REJECT:ULOG dmz net udp 1025:1031" added.
   Rule "ACCEPT:ULOG dmz net tcp 1024: 20" added.
   Rule "REJECT:ULOG fw net udp 1025:1031" added.
Processing Actions...
   Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Drop for Chain Drop...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "DropSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.Reject for Chain Reject...
   Rule "RejectAuth" added.
   Rule "dropBcast" added.
   Rule "AllowICMPs - - icmp" added.
   Rule "dropInvalid" added.
   Rule "RejectSMB" added.
   Rule "DropUPnP" added.
   Rule "dropNotSyn - - tcp" added.
   Rule "DropDNSrep" added.
Processing /usr/share/shorewall/action.RejectAuth for Chain RejectAuth...
   Rule "REJECT - - tcp 113" added.
Processing /usr/share/shorewall/action.AllowICMPs for Chain AllowICMPs...
   Rule "ACCEPT - - icmp fragmentation-needed" added.
   Rule "ACCEPT - - icmp time-exceeded" added.
Processing /usr/share/shorewall/action.DropSMB for Chain DropSMB...
   Rule "DROP - - udp 135" added.
   Rule "DROP - - udp 137:139" added.
   Rule "DROP - - udp 445" added.
   Rule "DROP - - tcp 135" added.
   Rule "DROP - - tcp 139" added.
   Rule "DROP - - tcp 445" added.
Processing /usr/share/shorewall/action.DropUPnP for Chain DropUPnP...
   Rule "DROP - - udp 1900" added.
Processing /usr/share/shorewall/action.DropDNSrep for Chain DropDNSrep...
   Rule "DROP - - udp - 53" added.
Processing /usr/share/shorewall/action.RejectSMB for Chain RejectSMB...
   Rule "REJECT - - udp 135" added.
   Rule "REJECT - - udp 137:139" added.
   Rule "REJECT - - udp 445" added.
   Rule "REJECT - - tcp 135" added.
   Rule "REJECT - - tcp 139" added.
   Rule "REJECT - - tcp 445" added.
Processing /etc/shorewall/policy...
   Policy REJECT for fw to net using chain all2all
   Policy REJECT for fw to loc using chain all2all
   Policy REJECT for fw to dmz using chain all2all
      Enabled SYN flood protection
   Policy DROP for net to fw using chain net2all
      Enabled SYN flood protection
   Policy DROP for net to loc using chain net2all
      Enabled SYN flood protection
   Policy DROP for net to dmz using chain net2all
   Policy REJECT for loc to fw using chain all2all
   Policy ACCEPT for loc to net using chain loc2net
   Policy REJECT for loc to dmz using chain all2all
   Policy REJECT for dmz to fw using chain all2all
   Policy REJECT for dmz to net using chain all2all
   Policy REJECT for dmz to loc using chain all2all
Masqueraded Networks and Hosts:
   To 0.0.0.0/0 (all) from 192.168.1.0/24 through eth0
   To 0.0.0.0/0 (all) from 192.168.2.0/24 through eth0
   To 0.0.0.0/0 (all) from 216.70.250.0/28 through eth0
Processing /etc/shorewall/tos...
Processing /etc/shorewall/ecn...
Setting up Traffic Control Rules...
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 1720   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 15328:15338   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 15328:15338   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 tcp 5190,5222,5298   " added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 5060,5190,5220,5297,5298,5353,5678
" added
   TC Rule "1:P 0.0.0.0/0 0.0.0.0/0 udp 16384:16403   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 25   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 22   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 tcp 21   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 icmp echo-request   " added
   TC Rule "2:P 0.0.0.0/0 0.0.0.0/0 icmp echo-reply   " added
   TC Rule "3:P 0.0.0.0/0 0.0.0.0/0 all    " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 ipp2p    " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 tcp 52525   " added
   TC Rule "4:P 0.0.0.0/0 0.0.0.0/0 udp 52525   " added
Activating Rules...
Processing /etc/shorewall/start ...
Processing /etc/shorewall/start.d/weblet_start ...
Shorewall Restarted
Processing /etc/shorewall/started ...
firewall# 

Can I masquerade a proxy-arped server in a dmz?

I've googled around and also checked the Shorewall web site to no avail...
Something tells me I am not getting the big picture of proxy-arping...

~Doug

 Doug Sampson
 Information Technology
 Dawn Sign Press
 dougs (at) dawnsign dot com
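Added example (not from the post or from Shorewall): a small log-triage script that maps the IN/OUT interfaces in the REJECT lines above to the zones named in the restart output, then checks each packet's destination port against the dmz-to-net ACCEPT rules listed there. TCP/5999 matches none of them, so it falls through to the dmz-to-net policy (REJECT via chain all2all) regardless of proxy ARP or masquerading. The HTTP log line and its 192.0.2.10 address are constructed for the demonstration.

```python
import re

# Added example, not from the original post. Interface -> zone mapping taken
# from the "Determining Hosts in Zones" part of the restart output.
ZONES = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# dmz -> net TCP rules visible in the 'Rule "ACCEPT dmz net ..." added.' lines:
# dest ports 53, 80 and smtp (25), plus "tcp 1024: 20", which accepts a dest
# port >= 1024 only when the source port is 20 (active-mode FTP data).
# Anything else falls through to the dmz->net policy: REJECT via chain all2all.
DMZ_TO_NET_TCP_PORTS = {25, 53, 80}

HEADER_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):")

# One line quoted from the post plus one constructed line (TEST-NET address).
POST_LINE = ("Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0 "
             "MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3 "
             "DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP "
             "SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0")
CONSTRUCTED_HTTP_LINE = ("Mar 3 09:30:00 firewall Shorewall:dmz2net:ACCEPT: IN=eth2 "
                         "OUT=eth0 SRC=216.70.250.3 DST=192.0.2.10 LEN=64 PROTO=TCP "
                         "SPT=40001 DPT=80 SYN URGP=0")

def parse_line(line):
    """Split a Shorewall/netfilter log line into a dict of KEY=VALUE fields."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["chain"], fields["disposition"] = m.group("chain", "disp")
    return fields

def zone_of(ifc):
    """An empty OUT= (or IN=) means the packet is to (or from) the firewall."""
    return ZONES.get(ifc, "?") if ifc else "fw"

def dmz_to_net_tcp_allowed(sport, dport):
    """Apply the dmz->net TCP ACCEPT rules from the post's rules file."""
    return dport in DMZ_TO_NET_TCP_PORTS or (dport >= 1024 and sport == 20)

def triage(line):
    """Return (src_zone, dst_zone, dport, rule_matched); rule_matched is False
    when no ACCEPT rule fits and the packet fell through to the zone policy."""
    f = parse_line(line)
    src, dst = zone_of(f["IN"]), zone_of(f["OUT"])
    matched = False
    if (src, dst) == ("dmz", "net") and f["PROTO"] == "TCP":
        matched = dmz_to_net_tcp_allowed(int(f["SPT"]), int(f["DPT"]))
    return src, dst, int(f["DPT"]), matched
```

Feeding the full log excerpt through `triage` flags every line as dmz-to-net TCP with an unmatched destination port, which is exactly what the all2all REJECT chain in the log header records.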
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/