Thanks for enlightening me. Even after 2-3 years of using *nix systems, I learn new things every day.
I've added the outgoing rule for port 5999 and cvsup'ing now works.

~D

> -----Original Message-----
> From: Tom Eastep [mailto:[EMAIL PROTECTED]
> Sent: Friday, March 03, 2006 05:45 PM
> To: Doug Sampson
> Cc: '[email protected]'
> Subject: Re: [leaf-user] proxy arp
>
>
> Doug Sampson wrote:
> > I've got a server proxy-arped in a DMZ. I've specified this machine's IP
> > address in the /etc/shorewall/proxyarp file. I've also specified that the
> > dmz zone be masqueraded.
>
> Why in the world would you masquerade a system that has a public IP
> address?????
>
> > There I would think it stands to reason that I
> > could cvsup the server to an external web site
>
> Why does that stand to reason? Neither Proxy ARP nor Masquerading has
> anything to do with allowing or disallowing connections.
>
> > Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0
> > MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3
> > DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP
> > SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0
>
> These packets are for TCP port 5999.
>
> > Processing /etc/shorewall/rules...
> > Rule "ACCEPT fw net tcp 53" added.
> > Rule "ACCEPT fw net udp 53" added.
> > Rule "ACCEPT fw loc tcp 53" added.
> > Rule "ACCEPT fw loc udp 53" added.
> > Rule "ACCEPT fw dmz tcp 53" added.
> > Rule "ACCEPT fw dmz udp 53" added.
> > Rule "ACCEPT loc fw tcp 53" added.
> > Rule "ACCEPT loc fw udp 53" added.
> > Rule "ACCEPT dmz fw tcp 53" added.
> > Rule "ACCEPT dmz fw udp 53" added.
> > Rule "ACCEPT dmz loc:192.168.1.254 tcp 53" added.
> > Rule "ACCEPT dmz loc:192.168.1.254 udp 53" added.
> > Rule "ACCEPT loc fw tcp 22" added.
> > Rule "ACCEPT loc dmz tcp 22" added.
> > Rule "ACCEPT dmz net tcp 53" added.
> > Rule "ACCEPT dmz net udp 53" added.
> > Rule "ACCEPT net fw icmp 8" added.
> > Rule "ACCEPT loc fw icmp 8" added.
> > Rule "ACCEPT dmz fw icmp 8" added.
> > Rule "ACCEPT loc dmz icmp 8" added.
> > Rule "ACCEPT dmz loc icmp 8" added.
> > Rule "ACCEPT dmz net icmp 8" added.
> > Rule "ACCEPT fw net icmp" added.
> > Rule "ACCEPT fw loc icmp" added.
> > Rule "ACCEPT fw dmz icmp" added.
> > Rule "ACCEPT net dmz icmp 8" added.
> > Rule "ACCEPT net loc icmp 8" added.
> > Rule "DNAT:ULOG net loc:192.168.1.15 tcp 8080 www 216.70.250.2" added.
> > Rule "DNAT net loc:192.168.1.149 tcp 52525" added.
> > Rule "DNAT net loc:192.168.1.149 udp 52525" added.
> > Rule "DNAT net loc:192.168.1.4 tcp smtp - 216.70.250.2" added.
> > Rule "DNAT:ULOG net loc:192.168.1.2 tcp www - 216.70.250.2" added.
> > Rule "DNAT:ULOG net loc:192.168.1.2 tcp 443 - 216.70.250.2" added.
> > Rule "DNAT net loc:192.168.1.4 tcp 8000 www 216.70.250.2" added.
> > Rule "ACCEPT loc fw udp 67,68" added.
> > Rule "ACCEPT:ULOG loc fw tcp 80,8080" added.
> > Rule "ACCEPT dmz net tcp 80" added.
> > Rule "ACCEPT dmz net tcp smtp" added.
> > Rule "ACCEPT dmz loc tcp smtp" added.
> > Rule "ACCEPT fw net tcp smtp" added.
> > Rule "ACCEPT fw loc:192.168.1.4 tcp smtp" added.
> > Rule "ACCEPT fw net tcp time" added.
> > Rule "ACCEPT fw net udp ntp" added.
> > Rule "ACCEPT loc fw udp ntp" added.
> > Rule "REJECT:ULOG loc net udp 1025:1031" added.
> > Rule "REJECT:ULOG dmz net udp 1025:1031" added.
> > Rule "ACCEPT:ULOG dmz net tcp 1024: 20" added.
> > Rule "REJECT:ULOG fw net udp 1025:1031" added.
>
> There was no rule for port 5999.
>
> > Processing /etc/shorewall/policy...
> > Policy REJECT for fw to net using chain all2all
> > Policy REJECT for fw to loc using chain all2all
> > Policy REJECT for fw to dmz using chain all2all
> > Enabled SYN flood protection
> > Policy DROP for net to fw using chain net2all
> > Enabled SYN flood protection
> > Policy DROP for net to loc using chain net2all
> > Enabled SYN flood protection
> > Policy DROP for net to dmz using chain net2all
> > Policy REJECT for loc to fw using chain all2all
> > Policy ACCEPT for loc to net using chain loc2net
> > Policy REJECT for loc to dmz using chain all2all
> > Policy REJECT for dmz to fw using chain all2all
> > Policy REJECT for dmz to net using chain all2all
>
> And the policy for dmz->net is reject.
>
> > Policy REJECT for dmz to loc using chain all2all
> >
> > Can I masquerade a proxy-arped server in a dmz?
>
> Yes -- but it's a stupid thing to do. And as I've pointed out, your
> problem has nothing to do with Proxy ARP.
>
> -Tom
> --
> Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,      \ http://shorewall.net
> Washington USA   \ [EMAIL PROTECTED]
> PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
>

------------------------------------------------------------------------
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
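An added illustration of the point Tom makes in the thread (it is not code from the thread or from Shorewall itself): a new connection is decided by the first matching entry in /etc/shorewall/rules, and only when no rule matches does the /etc/shorewall/policy entry for the zone pair apply. The script below replays the logged SYN against the posted dmz->net rules and policy, first without and then with the "ACCEPT dmz net tcp 5999" entry Doug added. Assumptions, marked in the code: the interface-to-zone mapping (eth2=dmz and eth0=net follow from the log line, eth1=loc is a guess), standard port numbers for the service names "smtp" and "www", and a deliberately simplified matcher that looks only at zones, protocol and ports (no host qualifiers, DNAT, or connection tracking).

```python
"""
Model of Shorewall's rules-then-policy decision for a new connection.
Added example, not Shorewall's own code; it models only zone, protocol
and port matching.
"""
import re

# ASSUMPTION: interface-to-zone mapping. IN=eth2/OUT=eth0 in the logged
# packet plus the dmz->net rejection imply eth2=dmz and eth0=net;
# eth1=loc is a guess.
ZONE_OF_IFACE = {"eth0": "net", "eth1": "loc", "eth2": "dmz"}

# Zone-pair policies transcribed from the posted policy output.
POLICY = {
    ("fw", "net"): "REJECT", ("fw", "loc"): "REJECT", ("fw", "dmz"): "REJECT",
    ("net", "fw"): "DROP", ("net", "loc"): "DROP", ("net", "dmz"): "DROP",
    ("loc", "fw"): "REJECT", ("loc", "net"): "ACCEPT", ("loc", "dmz"): "REJECT",
    ("dmz", "fw"): "REJECT", ("dmz", "net"): "REJECT", ("dmz", "loc"): "REJECT",
}

# The posted dmz->net rules, in rules-file column order:
# ACTION SOURCE DEST PROTO DEST-PORT(S) [SOURCE-PORT(S)]
RULES_BEFORE = [
    "ACCEPT dmz net tcp 53",
    "ACCEPT dmz net udp 53",
    "ACCEPT dmz net icmp 8",
    "ACCEPT dmz net tcp 80",
    "ACCEPT dmz net tcp smtp",
    "REJECT:ULOG dmz net udp 1025:1031",
    "ACCEPT:ULOG dmz net tcp 1024: 20",
]
# The same list plus the entry Doug reports adding for cvsup.
RULES_AFTER = RULES_BEFORE + ["ACCEPT dmz net tcp 5999"]

# ASSUMPTION: standard /etc/services values for the names used in the rules.
SERVICE_PORTS = {"smtp": 25, "www": 80}

# The rejected SYN quoted in the thread.
LOG_LINE = ("Mar 3 09:27:25 firewall Shorewall:all2all:REJECT: IN=eth2 OUT=eth0 "
            "MAC=00:50:04:62:d8:52:00:50:04:83:e0:47:08:00 SRC=216.70.250.3 "
            "DST=130.94.149.166 LEN=64 TOS=00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP "
            "SPT=50830 DPT=5999 SEQ=1850567826 ACK=0 WINDOW=65535 SYN URGP=0")


def _port(name):
    """Resolve a service name or numeric string to a port number."""
    return SERVICE_PORTS[name] if name in SERVICE_PORTS else int(name)


def port_spec_matches(spec, port):
    """Port column: '-' (any), a number or service name, 'lo:hi' / 'lo:' / ':hi'
    ranges, or a comma-separated list of those."""
    if spec == "-":
        return True
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":", 1)
            if (_port(lo) if lo else 1) <= port <= (_port(hi) if hi else 65535):
                return True
        elif _port(item) == port:
            return True
    return False


def parse_rule(text):
    """Split one rules-file line into its columns (zone-level only)."""
    cols = text.split()
    return {
        "action": cols[0].split(":")[0],  # drop a log suffix such as ACCEPT:ULOG
        "src": cols[1].split(":")[0],     # zone only; host qualifiers not modelled
        "dst": cols[2].split(":")[0],
        "proto": cols[3] if len(cols) > 3 else "-",
        "dport": cols[4] if len(cols) > 4 else "-",
        "sport": cols[5] if len(cols) > 5 else "-",
    }


def decide(log_line, rules):
    """Return (action, reason) for the new connection described by a
    Shorewall/netfilter log line: first matching rule, else zone policy."""
    fields = dict(re.findall(r"(\w+)=(\S*)", log_line))
    src_zone = ZONE_OF_IFACE[fields["IN"]]
    dst_zone = ZONE_OF_IFACE[fields["OUT"]] if fields.get("OUT") else "fw"
    proto = fields["PROTO"].lower()
    sport = int(fields.get("SPT") or 0)
    dport = int(fields.get("DPT") or fields.get("TYPE") or 0)  # TYPE= for ICMP
    for text in rules:
        r = parse_rule(text)
        if (r["src"], r["dst"]) != (src_zone, dst_zone) or r["proto"] not in ("-", proto):
            continue
        if port_spec_matches(r["dport"], dport) and port_spec_matches(r["sport"], sport):
            return r["action"], f'rule "{text}"'
    return POLICY[(src_zone, dst_zone)], f"policy {src_zone}->{dst_zone}"


if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, *decide(LOG_LINE, rules))
```

Note the "ACCEPT:ULOG dmz net tcp 1024: 20" entry: its destination-port range does cover 5999, but its source-port column restricts it to packets from port 20 (active-mode FTP data), so it never matches the logged SYN from port 50830. That is why the packet falls through to the dmz->net REJECT policy and shows up in the all2all chain, exactly as Tom reads the log.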
