Howdy

I have a MNF8.2 with 3 interfaces: WAN, DMZ, LAN. There is a web server on the DMZ listening on 192.168.1.2:80

The A record for this web site is 196.31.xx.xx, which is the Firewall's external interface IP, so I have this forwarding rule:

ACCEPT:info wan dmz:192.168.1.2 tcp http 196.31.xx.xx

This works fine from the outside, but a problem occurs from the inside. The firewall is running Squid in transparent caching mode, so when a user attempts to browse to the site, Squid tries to connect to the 196.31.xx.xx interface, unsuccessfully, so I add this rule:

ACCEPT:info fw dmz:192.168.1.2 tcp http 196.31.xx.xx

This doesn't work, so I try:

ACCEPT:info fw:172.16.1.1 dmz:192.168.1.2 tcp http 196.31.xx.xx

Where 172.16.1.1 is the firewall's internal interface. This doesn't work either: Squid tries to connect, but eventually just times out. Here's what gets logged:

Sep 8 11:36:59 napalm kernel: Shorewall:fw2dmz:ACCEPT:IN= OUT=eth2 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=46007 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

eth2 is the DMZ interface. I see SRC=192.168.1.1, so I modify the rule to:

ACCEPT:info fw:192.168.1.1 dmz:192.168.1.2 tcp http 196.31.xx.xx

This makes no difference. To get around this problem, I have to 'fake' the A record for the web server, pointing it directly to 192.168.1.2. This is not ideal though :(

Any help would be much appreciated.

Regards
--
Marko
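An added example, not part of Marko's post: a small parser for the Shorewall kernel log format quoted above, with a filter that pulls out the firewall-originated SYNs toward the DMZ web server (the connections Squid opens in this scenario). The second sample line, the wan2dmz chain name and the 10.0.0.5 client address are constructed for illustration.

```python
# Added example (not from the original post): parser for the Shorewall/netfilter
# kernel log format shown in the message, plus a filter that picks out
# firewall-originated SYNs toward a DMZ host (the hairpin case being debugged).
import re
from typing import Dict, List, Optional

# Constructed sample: line 1 is modelled on the log line quoted in the post,
# line 2 is an assumed wan->dmz hit from an external client (10.0.0.5 is made up).
SAMPLE_LOG = """\
Sep 8 11:36:59 napalm kernel: Shorewall:fw2dmz:ACCEPT:IN= OUT=eth2 SRC=192.168.1.1 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=46007 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 8 11:37:02 napalm kernel: Shorewall:wan2dmz:ACCEPT:IN=eth0 OUT=eth2 SRC=10.0.0.5 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# "Shorewall:<chain>:<action>:" followed by the netfilter KEY=VALUE fields
PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the Shorewall chain/action plus every KEY=VALUE field; TCP flag
    tokens without '=' (SYN, ACK, ...) are joined under 'flags'."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    flags = []
    for tok in m.group("rest").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            rec[k] = v  # 'IN=' yields "": packet generated by the firewall itself
        else:
            flags.append(tok)
    rec["flags"] = " ".join(flags)
    return rec

def fw_originated_syns(log: str, dmz_iface: str, dmz_host: str) -> List[Dict[str, str]]:
    """Entries that left the firewall itself (empty IN) for dmz_host via
    dmz_iface with SYN set, i.e. the firewall-to-DMZ connection attempts."""
    out = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec.get("IN") == "" and rec.get("OUT") == dmz_iface
                and rec.get("DST") == dmz_host and "SYN" in rec["flags"].split()):
            out.append(rec)
    return out

if __name__ == "__main__":
    for rec in fw_originated_syns(SAMPLE_LOG, "eth2", "192.168.1.2"):
        print(rec["chain"], rec["SRC"], "->", rec["DST"] + ":" + rec["DPT"])
```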
