Hi,
I have a bit of a problem connecting from DMZ to the outside world.
I have a DMZ with real IP numbers (not masqueraded) and the corresponding
routing setup (which is working just fine). I allow port 80 and 22 to the
DMZ, which is working great too. But...
The problem is that from a DMZ host one cannot download patches; no DMZ ->
internet connection is allowed at all and I cannot find a (safe) solution.
These are my settings:
Outside net X.Y.Z.144/28
DMZ net X.Y.Z.160/28
LAN 192.168.1.0/24
My outside I/F is X.Y.Z.146. DMZ I/F is X.Y.Z.161.

These are the relevant sections of SuSEfirewall I have configured:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0 eth2"
FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22 X.Y.Z.160/28,0/0"
That last rule should allow access to the internet, right? But it doesn't. With
a sniffer I see packets leaving the firewall and they come back to eth0,
whereafter they disappear. So probably the rule that should allow it back (I
mean the smart rule) doesn't apply or it has a bug.

If I add this bit it works, but then I open up the entire DMZ again (evil):
0/0,X.Y.Z.160/28

And since I cannot define SOURCE port numbers in FW_FORWARD, only DEST
port numbers, I see no workaround. Because obviously the destination ports are
random >1024 ports. The construct 0/0,tcp,80,X.Y.Z.160/28 is not allowed
according to the docs. Or is it...? (And besides, that is not very safe
since anyone could then spoof that source port number anyway.)
I can probably solve it by patching some things around inside the real
firewall script, but that is not why I'm writing this... I wonder how you are
_supposed_ to solve this in the proper way. Are my rules wrong, or do you all
disregard the FW_FORWARD line entirely and do it all from one of the hooks in
the FW_CUSTOMRULES file?

I searched these mail archives but a solution is not easy to find. For one,
just looking for "DMZ" obviously gives thousands of hits and, more importantly,
everyone seems to use a masqueraded DMZ anyway (as do the SuSE examples), so
that does not really apply to my situation.

Any insights?
Maarten
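As an added example (not from the post above, and not SuSEfirewall's own code), this is the kind of stateful rule set the FW_CUSTOMRULES route would carry for a non-masqueraded DMZ: DMZ hosts may open connections outward, only connection-tracked replies come back, and unsolicited inbound traffic stays limited to ports 80 and 22. The hook name in the comment is an assumption about SuSEfirewall2; the interface names and the DMZ prefix are the ones from the post.

```shell
# Added example, not the poster's configuration. Intended to live in a
# FW_CUSTOMRULES hook such as fw_custom_before_denyall (hook name assumed).
EXT_IF="eth0"
DMZ_IF="eth2"
DMZ_NET="X.Y.Z.160/28"   # placeholder prefix exactly as written in the post

# With DRY_RUN=1 (the default here) the rules are printed instead of applied,
# so the logic can be reviewed before it touches a live firewall.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit the rule set. Connection tracking, not port numbers, decides which
# inbound packets are replies: only ESTABLISHED/RELATED traffic may come back
# from the outside to the DMZ, so a spoofed source port buys nothing.
dmz_egress_rules() {
    # DMZ hosts may open new connections to the internet (e.g. to fetch patches).
    run iptables -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Replies to those connections, and only replies, are allowed back in.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unsolicited inbound traffic is still limited to the published services.
    for port in 80 22; do
        run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Anything else from the outside towards the DMZ is logged, then dropped.
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" \
        -j LOG --log-prefix "DMZ-DROP: "
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_NET" -j DROP
}

# Self-check: count the rules that admit NEW connections from the outside into
# the DMZ. It must stay at the number of published services (2), which shows
# the egress rules do not silently reopen the whole DMZ.
count_inbound_new_rules() {
    dmz_egress_rules | grep -c -- "-i $EXT_IF -o $DMZ_IF .*--state NEW"
}
```

Run with DRY_RUN=0 only once the printed rules look right; the LOG rule also gives a detection hook for anything the outside tries to push into the DMZ unsolicited.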