Rommel Rodriguez Toirac <romme...@nauta.cu> wrote:

> I know it is hard to believe, but I have no access from the Internet or to the Internet 
> from my job. All my network is in a private range of 172.16.x.x IPs.
> Any computer out of this range will access my network. For example, the 
> municipal network of X is in subnetwork 172.16.123.0/26, the municipal network 
> for Y is in subnetwork 172.16.123.64/26, and so on.
> Is it possible to use the Shorewall firewall with this, just with private IPs? No 
> access from or to public IPs.

Yes, Shorewall doesn't care - it just follows the rules you set.

> My network is in 192.168.41.0/24, the DMZ is in 192.168.14.0/24, the IP of 
> the outside interface is 172.16.120.1, the router IP is 172.6.120.254, and all 
> the networks that are going to access my services are between the 
> 172.16.121.0/26 and 172.16.123.64/26 subnetworks.
> I configured a DMZ using Shorewall, and it will serve just PCs that are using 
> private IPs but in different subnetworks. I have BIND with views for DNS. 
> When PCs that are out of my network (192.164.41.0/24) try to access some 
> services using a name or alias, the communication is unsuccessful, but if they 
> try using the IP, the communication is successful.

OK, so it works by IP, but not by name? Almost certainly a DNS issue.

This comes back to: how do devices outside of your network get to resolve your 
DNS entries? Put simply, without the right delegations this will NOT work.

For any device in the municipal network to be able to reach your servers by 
name, whatever DNS resolver they are using must know how to resolve your names. 
That means that there must be the right delegations in place such that each 
resolver involved can learn that to resolve names in gtm.onat.gob.cu they must 
contact your DNS server.
Unless all devices (across the whole network) are restricted to using some ISP 
provided DNS resolver, then there must be delegation down from the root servers 
(which there isn't). If everything is restricted to "internal" resolvers, then 
it's sufficient for there to be a delegation from there - but there's no way I 
can test if this is the case.
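As an added illustration of the point made in this reply (not configuration from the thread's author), the following BIND sketch shows the two pieces that both have to exist: a split-horizon setup on the poster's own server, and a delegation in the parent zone that points outside resolvers at it. It assumes the names live under gtm.onat.gob.cu (named above), that the parent zone is onat.gob.cu and is operated by someone else, that the authoritative server is reached from the municipal subnets at the outside interface address 172.16.120.1 (forwarded by Shorewall to a DMZ host), and that 192.168.14.53, ns1.gtm.onat.gob.cu and the zone file paths are constructed placeholders. The municipal ACL is an approximation of the "172.16.121.0/26 to 172.16.123.64/26" range given in the question.

```conf
// named.conf excerpt: added example, not the thread's own configuration.
// Addresses marked "assumed" are placeholders, not values from the thread.

acl "lan"       { 192.168.41.0/24; };                 // internal LAN (from the thread)
acl "dmz"       { 192.168.14.0/24; };                 // DMZ (from the thread)
acl "municipal" {                                     // assumed: covers 172.16.121.0 - 172.16.123.127
    172.16.121.0/24;
    172.16.122.0/24;
    172.16.123.0/25;
};

// View 1: clients inside the LAN/DMZ get DMZ (192.168.14.x) addresses and recursion.
view "internal" {
    match-clients { "lan"; "dmz"; localhost; };
    recursion yes;
    zone "gtm.onat.gob.cu" {
        type master;
        file "zones/gtm.onat.gob.cu.internal";       // assumed path; records point at 192.168.14.x
    };
};

// View 2: clients in the municipal subnets get the outside (NATted) address
// and no recursion, so this server is only authoritative for them.
view "external" {
    match-clients { "municipal"; };
    recursion no;
    zone "gtm.onat.gob.cu" {
        type master;
        file "zones/gtm.onat.gob.cu.external";       // assumed path; records point at 172.16.120.1
    };
};

// The part the poster cannot configure themselves: the PARENT zone
// (assumed to be onat.gob.cu, run by whoever operates the wider network)
// must carry a delegation plus glue, otherwise no outside resolver will
// ever ask this server. Expressed as zone-file records it is:
//
//   gtm              IN  NS  ns1.gtm.onat.gob.cu.      ; delegation
//   ns1.gtm          IN  A   172.16.120.1              ; glue, reachable address
//
// Without these two records the resolvers used by the municipal PCs will
// return NXDOMAIN (or time out) for every name under gtm.onat.gob.cu,
// which is exactly the "works by IP, fails by name" symptom described.
```

A quick way to tell which side is broken, run from a PC in one of the municipal subnets: `dig NS gtm.onat.gob.cu` against the resolver that PC actually uses. If it returns the NS record and glue, the delegation exists and the problem is on the server or firewall side (the "external" view not matching the client's source address, or Shorewall not passing UDP/TCP 53 to the DMZ host); if it returns NXDOMAIN or nothing, the parent-zone delegation is missing and no amount of local BIND configuration will fix it. `dig +trace gtm.onat.gob.cu` shows at which level the chain stops.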


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
