From what you say here, your DMZ is *INSIDE* your protected network. This won't work, or at least this is not a DMZ.
Internal network (masqueraded): 192.168.1.0/24
DMZ (masqueraded): 192.168.10.0/24
(note that third number, ten instead of one)
How many network cards do you have on the firewall?
Three:
Internal trusted network: eth0
External untrusted network: eth1
DMZ network: eth2
If the answer is "2" :-) keep in mind that to redirect http and https to your internal network instead of the DMZ you should use different firewall.rc.config options (warning: this is *not* a safe thing to do).
*nod* That's why we set up the DMZ as a separate masqueraded network. Unencrypted connections are not allowed through to the internal network. Here's our Masq/NAT command in SuSEfirewall 4.9:

FW_MASQ_NETS="192.168.1.0/24 192.168.10.0/24"
Seeing the output from "ifconfig" and "route" commands could be useful.
Here's my changes to the addresses for the purpose of posting here:

My home machine: ee.ff.gg.hh/32
Trusted machines: aa.bb.cc.0/24
The firewall's external address: ii.jj.kk.ll
Internal: 192.168.1.0/24
DMZ: 192.168.10.0/24
Both internal/DMZ: 192.168.0.0/16

I've stripped out the inet6 addresses as well (not really necessary).

# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:A0:C9:73:40:F2
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:76705 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77455 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:A0:C9:55:21:5D
          inet addr:ii.jj.kk.ll  Bcast:ii.jj.kk.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:340933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:68411 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x3000

eth2      Link encap:Ethernet  HWaddr 00:A0:C9:86:B2:89
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1406 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
ii.jj.kk.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         ii.jj.kk.1      0.0.0.0         UG    0      0        0 eth1
If this is not enough, any messages in the logs? :-)
/var/log/httpd/access_log
/var/log/httpd/error_log
See my previous post to another user in suse-security... There doesn't appear to be anything amiss at the web server, which is why I strongly suspect the firewall.
/var/log/firewall
/var/log/messages
Does anything get written in these logs when you try to browse the page from outside your network?
/var/log/firewall:

Per my last post, here's me navigating from the first page which I see, minus the .GIF's, down through the /usr/doc link to:

http://ii.jj.kk.ll/doc/howto/en/html/3Dfx-HOWTO-1.html

Note: GIF images put out by Apache that you would normally see when navigating a directory tree are missing as well, but not if you view on the internal network!

Here's IE's error at the bottom of the error page it displays when you attempt to bring up that HTML:

Cannot find server or DNS Error
Internet Explorer

The firewall logs for the traversal all show _accepted_ packets!

Aug 10 17:31:35 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6507 ii.jj.kk.ll:80 L=48 S=0x08 I=62220 F=0x4000 T=124 SYN (#128)
Aug 10 17:31:35 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6508 ii.jj.kk.ll:80 L=48 S=0x08 I=13994 F=0x4000 T=124 SYN (#128)
Aug 10 17:31:35 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6509 ii.jj.kk.ll:80 L=48 S=0x08 I=62236 F=0x4000 T=124 SYN (#128)
Aug 10 17:31:38 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6511 ii.jj.kk.ll:80 L=48 S=0x08 I=62357 F=0x4000 T=124 SYN (#128)
Aug 10 17:31:39 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6515 ii.jj.kk.ll:80 L=48 S=0x08 I=62437 F=0x4000 T=124 SYN (#128)
Aug 10 17:31:41 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6519 ii.jj.kk.ll:80 L=48 S=0x08 I=62477 F=0x4000 T=124 SYN (#128)
Aug 10 17:31:42 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6523 ii.jj.kk.ll:80 L=48 S=0x08 I=62520 F=0x4000 T=124 SYN (#128)
Also, seeing your firewall config could be useful... :)
I've posted some of the relevant parts... Do you need me to post the whole thing?

Thanks for the help. :-)

--
Argentium G. Tiger (agtiger@kc.rr.com)
"Walkin' through Hell in a gasoline suit."
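An added example, not part of this thread or of SuSEfirewall: a small parser for the ipchains-style "Packet log:" lines quoted above, which summarises what such an excerpt does and does not show. It uses the poster's own anonymised lines as constructed sample input; the field names are my own.

```python
import re
from collections import Counter

# Kernel "Packet log:" lines in the ipchains (Linux 2.2) format quoted in the
# thread; the addresses are the poster's anonymised ee.ff.gg.hh / ii.jj.kk.ll.
SAMPLE_LOG = [
    "Aug 10 17:31:35 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6507 ii.jj.kk.ll:80 L=48 S=0x08 I=62220 F=0x4000 T=124 SYN (#128)",
    "Aug 10 17:31:35 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6508 ii.jj.kk.ll:80 L=48 S=0x08 I=13994 F=0x4000 T=124 SYN (#128)",
    "Aug 10 17:31:35 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6509 ii.jj.kk.ll:80 L=48 S=0x08 I=62236 F=0x4000 T=124 SYN (#128)",
    "Aug 10 17:31:38 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6511 ii.jj.kk.ll:80 L=48 S=0x08 I=62357 F=0x4000 T=124 SYN (#128)",
    "Aug 10 17:31:39 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6515 ii.jj.kk.ll:80 L=48 S=0x08 I=62437 F=0x4000 T=124 SYN (#128)",
    "Aug 10 17:31:41 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6519 ii.jj.kk.ll:80 L=48 S=0x08 I=62477 F=0x4000 T=124 SYN (#128)",
    "Aug 10 17:31:42 scwl-firebox kernel: Packet log: input ACCEPT eth1 PROTO=6 ee.ff.gg.hh:6523 ii.jj.kk.ll:80 L=48 S=0x08 I=62520 F=0x4000 T=124 SYN (#128)",
]

# chain action iface PROTO= src:port dst:port L= S= I= F= T= [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse_line(line):
    """Return a dict of fields for one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["syn"] = rec["syn"] is not None   # bare SYN marks a new connection attempt
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Describe what an excerpt does (and does not) show about a connection's path."""
    recs = [r for r in map(parse_line, lines) if r]
    return {
        "parsed": len(recs),
        "chains": Counter((r["chain"], r["action"]) for r in recs),
        # Every packet is a fresh SYN from a new client port: the browser keeps
        # opening connections, and nothing past the handshake's first packet was logged.
        "syn_only": bool(recs) and all(r["syn"] for r in recs),
        "attempts": len({(r["src"], r["sport"]) for r in recs}),
        # An input-chain ACCEPT only says the firewall took the packet in; it says
        # nothing about the forward chain or the reply going back out.
        "forward_seen": any(r["chain"] == "forward" for r in recs),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```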