Doug Sampson wrote:

> I've got a server proxy-arped in a DMZ. I've specified this machine's IP
> address in the /etc/shorewall/proxyarp file. I've also specified that the
> dmz zone be masqueraded.

Why in the world would you masquerade a system that has a public IP address?????

> There I would think it stands to reason that I
> could cvsup the server to an external web site

Why does that stand to reason? Neither Proxy ARP nor Masquerading has anything to do with allowing or disallowing connections.

> Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
> MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
> DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP
> SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0

These packets are for TCP port 5999.

> Processing /etc/shorewall/rules...
> Rule "ACCEPT fw net tcp 53" added.
> Rule "ACCEPT fw net udp 53" added.
> Rule "ACCEPT fw loc tcp 53" added.
> Rule "ACCEPT fw loc udp 53" added.
> Rule "ACCEPT fw dmz tcp 53" added.
> Rule "ACCEPT fw dmz udp 53" added.
> Rule "ACCEPT loc fw tcp 53" added.
> Rule "ACCEPT loc fw udp 53" added.
> Rule "ACCEPT dmz fw tcp 53" added.
> Rule "ACCEPT dmz fw udp 53" added.
> Rule "ACCEPT dmz loc:192.168.1.254 tcp 53" added.
> Rule "ACCEPT dmz loc:192.168.1.254 udp 53" added.
> Rule "ACCEPT loc fw tcp 22" added.
> Rule "ACCEPT loc dmz tcp 22" added.
> Rule "ACCEPT dmz net tcp 53" added.
> Rule "ACCEPT dmz net udp 53" added.
> Rule "ACCEPT net fw icmp 8" added.
> Rule "ACCEPT loc fw icmp 8" added.
> Rule "ACCEPT dmz fw icmp 8" added.
> Rule "ACCEPT loc dmz icmp 8" added.
> Rule "ACCEPT dmz loc icmp 8" added.
> Rule "ACCEPT dmz net icmp 8" added.
> Rule "ACCEPT fw net icmp" added.
> Rule "ACCEPT fw loc icmp" added.
> Rule "ACCEPT fw dmz icmp" added.
> Rule "ACCEPT net dmz icmp 8" added.
> Rule "ACCEPT net loc icmp 8" added.
> Rule "DNAT:ULOG net loc:192.168.1.15 tcp 8080 www 216.70.250.2" added.
> Rule "DNAT net loc:192.168.1.149 tcp 52525" added.
> Rule "DNAT net loc:192.168.1.149 udp 52525" added.
> Rule "DNAT net loc:192.168.1.4 tcp smtp - 216.70.250.2" added.
> Rule "DNAT:ULOG net loc:192.168.1.2 tcp www - 216.70.250.2" added.
> Rule "DNAT:ULOG net loc:192.168.1.2 tcp 443 - 216.70.250.2" added.
> Rule "DNAT net loc:192.168.1.4 tcp 8000 www 216.70.250.2" added.
> Rule "ACCEPT loc fw udp 67,68" added.
> Rule "ACCEPT:ULOG loc fw tcp 80,8080" added.
> Rule "ACCEPT dmz net tcp 80" added.
> Rule "ACCEPT dmz net tcp smtp" added.
> Rule "ACCEPT dmz loc tcp smtp" added.
> Rule "ACCEPT fw net tcp smtp" added.
> Rule "ACCEPT fw loc:192.168.1.4 tcp smtp" added.
> Rule "ACCEPT fw net tcp time" added.
> Rule "ACCEPT fw net udp ntp" added.
> Rule "ACCEPT loc fw udp ntp" added.
> Rule "REJECT:ULOG loc net udp 1025:1031" added.
> Rule "REJECT:ULOG dmz net udp 1025:1031" added.
> Rule "ACCEPT:ULOG dmz net tcp 1024: 20" added.
> Rule "REJECT:ULOG fw net udp 1025:1031" added.

There was no rule for port 5999.

> Processing /etc/shorewall/policy...
> Policy REJECT for fw to net using chain all2all
> Policy REJECT for fw to loc using chain all2all
> Policy REJECT for fw to dmz using chain all2all
> Enabled SYN flood protection
> Policy DROP for net to fw using chain net2all
> Enabled SYN flood protection
> Policy DROP for net to loc using chain net2all
> Enabled SYN flood protection
> Policy DROP for net to dmz using chain net2all
> Policy REJECT for loc to fw using chain all2all
> Policy ACCEPT for loc to net using chain loc2net
> Policy REJECT for loc to dmz using chain all2all
> Policy REJECT for dmz to fw using chain all2all
> Policy REJECT for dmz to net using chain all2all

And the policy for dmz->net is reject.

> Policy REJECT for dmz to loc using chain all2all
>
> Can I masquerade a proxy-arped server in a dmz?

Yes -- but it's a stupid thing to do. And as I've pointed out, your problem has nothing to do with Proxy ARP.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
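The point of the reply above is the order in which Shorewall decides a packet's fate: the first matching entry in /etc/shorewall/rules wins, and a packet that matches nothing falls through to the policy for its zone pair. The following Python is an added example written for this page; it is not code from the post and not Shorewall's own implementation, only a simplified model of that dispatch order. It assumes an interface-to-zone mapping (eth0=net, eth1=loc, eth2=dmz, which the post never states), a small hand-written service table instead of /etc/services, a DROP fallback for zone pairs not listed, and a rule set reduced to the dmz-sourced entries quoted in the post. Fed the quoted log line, it reports that no rule matches and the dmz->net REJECT policy applies, and shows that the "1024: 20" rule only accepts the connection when the source port is 20.

```python
"""Simplified model of Shorewall's dispatch order (constructed example, not
Shorewall's own code): first matching rule wins, else the zone-pair policy."""
import re

# Assumption: which interface belongs to which zone (the post does not say;
# the log line shows IN=eth2 OUT=eth0 for the dmz -> net packet).
IFACE_ZONE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# Tiny service table so the example runs without /etc/services (constructed).
SERVICES = {"www": 80, "smtp": 25, "time": 37, "ntp": 123}

# Rules quoted in the post with dmz as source, in Shorewall's column order:
# ACTION SOURCE DEST PROTO DEST_PORT(S) [SOURCE_PORT(S)]
RULES_TEXT = """
ACCEPT      dmz  fw                 tcp   53
ACCEPT      dmz  loc:192.168.1.254  tcp   53
ACCEPT      dmz  net                tcp   53
ACCEPT      dmz  net                udp   53
ACCEPT      dmz  net                icmp  8
ACCEPT      dmz  net                tcp   80
ACCEPT      dmz  net                tcp   smtp
REJECT:ULOG dmz  net                udp   1025:1031
ACCEPT:ULOG dmz  net                tcp   1024:  20
"""

# Policies quoted in the post; the DROP fallback for an unlisted pair is mine.
POLICIES = {("dmz", "net"): "REJECT", ("dmz", "fw"): "REJECT",
            ("dmz", "loc"): "REJECT", ("loc", "net"): "ACCEPT"}

# The rejected packet from the post, copied as a constructed input.
LOG_LINE = ("Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0 "
            "MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3 "
            "DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP "
            "SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0")


def port_matcher(spec):
    """Predicate for a Shorewall port column: '-', '53', '80,8080',
    '1025:1031', '1024:' (open-ended) or a service name from SERVICES."""
    if spec == "-":
        return lambda port: True
    ranges = []
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        lo = int(SERVICES.get(lo, lo)) if lo else 0
        hi = int(SERVICES.get(hi, hi)) if hi else (65535 if sep else lo)
        ranges.append((lo, hi))
    return lambda port: any(lo <= port <= hi for lo, hi in ranges)


def parse_rules(text):
    """Parse the rules file into dicts; zone columns may carry ':host'."""
    rules = []
    for line in text.strip().splitlines():
        cols = line.split()
        src_zone, _, src_host = cols[1].partition(":")
        dst_zone, _, dst_host = cols[2].partition(":")
        rules.append({
            "text": " ".join(cols),
            "action": cols[0].split(":")[0],   # drop the :ULOG log-level suffix
            "src_zone": src_zone, "src_host": src_host,
            "dst_zone": dst_zone, "dst_host": dst_host,
            "proto": cols[3].lower(),
            "dport": port_matcher(cols[4] if len(cols) > 4 else "-"),
            "sport": port_matcher(cols[5] if len(cols) > 5 else "-"),
        })
    return rules


def parse_log(line):
    """Pull zones, addresses, protocol and ports out of a netfilter log line."""
    kv = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    proto = kv.get("PROTO", "").lower()
    # For ICMP the DEST_PORT column holds the ICMP type, so read TYPE instead.
    dport = kv.get("TYPE") if proto == "icmp" else kv.get("DPT")
    return {"src_zone": IFACE_ZONE.get(kv.get("IN", ""), "fw"),
            "dst_zone": IFACE_ZONE.get(kv.get("OUT", ""), "fw"),
            "src": kv.get("SRC", ""), "dst": kv.get("DST", ""), "proto": proto,
            "sport": int(kv.get("SPT", 0)), "dport": int(dport or 0)}


def dispatch(packet, rules, policies):
    """Return (action, reason): the first matching rule, else the policy."""
    for r in rules:
        if (r["src_zone"] == packet["src_zone"]
                and r["dst_zone"] == packet["dst_zone"]
                and r["proto"] in (packet["proto"], "all")
                and r["src_host"] in ("", packet["src"])
                and r["dst_host"] in ("", packet["dst"])
                and r["dport"](packet["dport"])
                and r["sport"](packet["sport"])):
            return r["action"], "rule: " + r["text"]
    pair = (packet["src_zone"], packet["dst_zone"])
    return policies.get(pair, "DROP"), "policy %s->%s" % pair


def explain(log_line=LOG_LINE, rules_text=RULES_TEXT):
    return dispatch(parse_log(log_line), parse_rules(rules_text), POLICIES)


if __name__ == "__main__":
    print(*explain())                                   # REJECT policy dmz->net
    # One explicit rule for the port is what lets the same packet through.
    print(*explain(rules_text=RULES_TEXT + "ACCEPT dmz net tcp 5999\n"))
```

Run it as-is and the quoted packet ends in the dmz->net policy, which is exactly what the "all2all:REJECT" prefix in the log line records; append a single "ACCEPT dmz net tcp 5999" line and the same packet is accepted by that rule. Proxy ARP and masquerading never enter the decision, which is the reply's point.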
