DMZ egress access problem
Hi,
I have a bit of a problem connecting from the DMZ to the outside world.

I have a DMZ with real IP numbers (not masqueraded) and the corresponding routing setup (which is working just fine). I allow ports 80 and 22 to the DMZ, which is working great too. But...

The problem is that from a DMZ host one cannot download patches; no DMZ -> internet connection is allowed at all and I cannot find a (safe) solution.
These are my settings:
Outside net X.Y.Z.144/28
DMZ net X.Y.Z.160/28
LAN 192.168.1.0/24
My outside I/F is X.Y.Z.146; the DMZ I/F is X.Y.Z.161.

These are the relevant sections of SuSEfirewall I have configured:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0 eth2"
FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22 X.Y.Z.160/28,0/0"

That last rule should allow access to the internet, right? But it doesn't. With a sniffer I see packets leaving the firewall and they come back to eth0, whereafter they disappear. So probably the rule that should allow it back (I mean the smart
Hello Maarten

Quoting maarten van den Berg:

> FW_MASQ_DEV="eth0 eth2"

Hmm, I don't think it is necessary to masquerade on eth2, and just maybe that is the culprit.

> FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22 X.Y.Z.160/28,0/0"

This syntax looks correct indeed. So remove eth2 from FW_MASQ_DEV and the forward rule from DMZ to outside, because I think the fw rules that are set up already should allow this. If this does not work, have a good look at the routing table on the fw. Also the DMZ i/f should be the default gw for the servers in the DMZ.

BB, Arjen
On Thursday 22 May 2003 10:23, you wrote:
> Hello Maarten

Hi Arjen

> Quoting maarten van den Berg:
> > FW_MASQ_DEV="eth0 eth2"
>
> Hmm, I don't think it is necessary to masquerade on eth2, and just maybe that is the culprit.

Yeah... I wondered about that too... The thing is, if I do not masquerade LAN to my DMZ, how do I allow access from LAN to my DMZ servers? Am I overlooking something?

> > FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22 X.Y.Z.160/28,0/0"
>
> This syntax looks correct indeed. So remove eth2 from FW_MASQ_DEV and the forward rule from DMZ to outside, because I think the fw rules that are set up already should allow this.

I'll try that.

> If this does not work, have a good look at the routing table on the fw.
> Also the DMZ i/f should be the default gw for the servers in the DMZ.

Yeah. It is.

Maarten
--
Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands - http://vbvb.nl
Maarten,

> Yeah... I wondered about that too... The thing is, if I do not masquerade LAN to my DMZ, how do I allow access from LAN to my DMZ servers? Am I overlooking something?

Using FW_FORWARD="<lanipnet>/<bitmask>,X.Y.Z.160/28". Though I would expect the LAN to have access to the DMZ, just like it has access to the outside, but when not masquerading, maybe this should be done explicitly. You could do masquerading, but then set the masq nets option to the internal IP range.

Ah well, if that does not seem to work, build your own from the ground up. :) There are tools to make that easy too.

Arjen
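To make the two points of this thread concrete (the DMZ egress entry only works when reply packets coming back on eth0 are accepted by a stateful return rule, and listing eth2 in FW_MASQ_DEV rewrites LAN-to-DMZ sources), here is an added illustration that is not part of the thread or of SuSEfirewall itself. It assumes the simplified FW_FORWARD syntax "src,dst[,proto[,port]]" seen in the posts, and uses constructed addresses (198.51.100.160/28 for the DMZ) in place of X.Y.Z.160/28.

```python
import ipaddress

# "0/0" is SuSEfirewall shorthand for "anywhere"; other values are normalised.
def _net(text):
    return "0.0.0.0/0" if text == "0/0" else str(ipaddress.ip_network(text, strict=False))

# Parse an FW_FORWARD value into entries (assumed syntax: src,dst[,proto[,port]]).
def parse_fw_forward(value):
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) < 2:
            raise ValueError(f"malformed FW_FORWARD entry: {item!r}")
        entries.append({
            "src": _net(parts[0]),
            "dst": _net(parts[1]),
            "proto": parts[2] if len(parts) > 2 else None,
            "port": int(parts[3]) if len(parts) > 3 else None,
        })
    return entries

# Emit iptables FORWARD rules (illustrative, not what SuSEfirewall generates):
# one stateful return rule first, then one NEW-connection accept per entry.
# Without the ESTABLISHED,RELATED rule the replies to DMZ egress traffic
# arrive on the outside interface and are dropped, the symptom described above.
def iptables_forward_rules(entries):
    rules = ["iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for e in entries:
        rule = f"iptables -A FORWARD -s {e['src']} -d {e['dst']}"
        if e["proto"]:
            rule += f" -p {e['proto']}"
        if e["port"] is not None:
            rule += f" --dport {e['port']}"
        rules.append(rule + " -m state --state NEW -j ACCEPT")
    return rules

# Flag the FW_MASQ_DEV issue: masquerading on the DMZ interface SNATs LAN
# clients to the firewall's DMZ address, so DMZ server logs and per-client
# access control no longer see the real LAN source; an explicit forward
# entry from the LAN net to the DMZ net keeps the original addresses.
def masq_warnings(masq_dev, dmz_dev, lan_net, dmz_net):
    warnings = []
    if dmz_dev in masq_dev.split():
        warnings.append(f"{dmz_dev} in FW_MASQ_DEV: {lan_net} -> {dmz_net} traffic is "
                        f'SNATed; use FW_FORWARD="{lan_net},{dmz_net}" instead')
    return warnings
```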
participants (3)
- Arjen Runsink
- Maarten J H van den Berg
- maarten van den Berg