Hi, All :)
I hope somebody can help me with my configuration.
Following scenario:
public Internet
|
|
|
|
| eth0 - only one official Internet Address
| which is directly connected
| to the internet leased line modem.
|
<firewall> -- eth2 -- DMZ 192.168.0.0/24 ----------
This is possible using IPMASQADM to reverse masquerade the incoming http connections (sorta like NAT on one port only). Of course you could use one of the port redirectors like rinetd, but then your apache logs would show up as having all connections from your firewall. This is obviously NOT what you want.

Before you use ipmasqadm, make sure you have normal outbound masq working. If you don't, then it will never work. The setup of this is quite simple, and I have done almost exactly this on SuSE 6.4 for a client. It was 6 months ago, and it's 4:15 am and I've just got back to my hotel after going clubbing/drinking since 10pm, so email me back if this is unclear, or you can't figure this out from the docs...

Note: You will have to download ipmasqadm I think, or maybe it comes with SuSE... not sure...

Cheers
Nix

At 11:06 AM 22/11/2000 +0100, you wrote:
public Internet
|
|
|
|
| eth0 - only one official Internet Address
| which is directly connected
| to the internet leased line modem.
|
<firewall> -- eth2 -- DMZ 192.168.0.0/24 ----------
|
| eth1 -- 192.168.30.0/24, 192.168.31.0/24 ...
|
|
<internal private networks>

I use the <firewall> to allow accessing the Internet from the internal networks.
This part is functioning well :)
Now I would like to configure a www.server with a private IP number which is reachable from the public Internet (only http should be allowed).
I can ping the www.server successfully from the firewall pc, but I'm not able to get an http connection with netscape. Also it's not possible to get a connection from the public Internet.
My SuSE firewall settings are:
FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.30.0/24 192.168.31.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_SERVICES_EXTERNAL_TCP="smtp domain nntp http"
FW_SERVICES_EXTERNAL_UDP="domain"
FW_SERVICES_DMZ_TCP="http"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_INTERNAL_TCP="smtp domain ftp http nntp"
FW_SERVICES_INTERNAL_UDP="domain"
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_FORWARD_MASQ_TCP="0/0,192.168.0.111,80"
FW_FORWARD_MASQ_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"
This is the output from
tcpdump -i eth2
when trying to connect with netscape to the www.server from the firewall.pc:
10:19:21.570488 arp who-has 192.168.0.111 tell firewall.pc (0:10:5a:49:52:7)
10:19:21.570719 arp reply 192.168.0.111 is-at 0:50:fc:22:44:12 (0:10:5a:49:52:7)
10:19:21.570750 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:21.571016 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)
10:19:24.563563 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:24.563823 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1 win 17520 (DF)
10:19:24.806624 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)
10:19:30.563561 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:30.563822 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1 win 17520 (DF)
10:19:31.368814 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
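As an added illustration (not code from anyone in this thread), here is a small Python script that reads tcpdump lines in the format quoted above and classifies each TCP handshake. The pattern in the trace (the client's SYN repeated, the server answering every time with a SYN-ACK, but never a bare ACK from the client) means the SYN-ACK is discarded before the client's TCP stack sees it, so the rules on the machine that sent the SYN are the place to look, not the web server. The sample trace is constructed from the lines in the post; hostnames such as firewall.pc.rkb-oscs are taken from it.

```python
import re

# Constructed sample: a subset of the tcpdump -i eth2 lines quoted in the post,
# one packet per line (old tcpdump 3.x flag syntax: "S" = SYN, "." = no flags).
SAMPLE_TRACE = """\
10:19:21.570488 arp who-has 192.168.0.111 tell firewall.pc (0:10:5a:49:52:7)
10:19:21.570750 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:21.571016 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)
10:19:24.563563 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
10:19:24.563823 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1 win 17520 (DF)
10:19:24.806624 192.168.0.111.http > firewall.pc.rkb-oscs: S 3200249163:3200249163(0) ack 3675399428 win 17520 (DF)
10:19:30.563561 firewall.pc.rkb-oscs > 192.168.0.111.http: S 3675399427:3675399427(0) win 32120 (DF)
"""

# "<ts> <src> > <dst>: <flags> <seq>:<seq>(<len>) [ack <n>] ..." ; ARP lines do not match.
PKT_RE = re.compile(r"^\S+ (\S+) > (\S+): ([SFRP.]+) \d+:\d+\(\d+\)( ack \d+)?")


def analyse_handshakes(trace):
    """Per (client, server) flow, count SYNs, SYN-ACKs and client ACKs, then name the failure mode."""
    flows = {}
    for line in trace.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, dst, flags, ack = m.groups()
        if "S" in flags and ack is None:
            # bare SYN: src is the initiator; a repeat means the client never saw a SYN-ACK
            c = flows.setdefault((src, dst), {"syn": 0, "synack": 0, "client_ack": 0})
            c["syn"] += 1
        elif (dst, src) in flows and "S" in flags:
            # SYN-ACK from the responder of a flow we have seen
            flows[(dst, src)]["synack"] += 1
        elif (src, dst) in flows and ack is not None:
            # any later ACK from the initiator: the handshake (at least) completed
            flows[(src, dst)]["client_ack"] += 1
    verdicts = {}
    for key, c in flows.items():
        if c["client_ack"]:
            verdicts[key] = "handshake completed"
        elif c["synack"] and c["syn"] > 1:
            verdicts[key] = "SYN-ACK dropped on the way back to the client"
        elif c["syn"] > 1:
            verdicts[key] = "server never answered the SYN"
        else:
            verdicts[key] = "inconclusive (single SYN)"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in analyse_handshakes(SAMPLE_TRACE).items():
        print(f"{flow[0]} -> {flow[1]}: {verdict}")
```

The server's stray ". 1:1(0) ack 1" packets are its replies to a SYN for a connection it already considers established, which is consistent with the same diagnosis.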
Now I would like to configure a www.server with a private IP number which is reachable from the public Internet (only http should be allowed).

If you're using a private IP number then you cannot put the www server on the DMZ. What you need is to point www.yourdomain to your public IP address, because if you use private space the requests would never get to you. On your firewall machine do a redirect rule that redirects all requests to port 80 on the firewall to port 80 on the internal www server, and put the server behind the firewall. Of course this means that you should allow connections on port 80 on your firewall.

Another way to do this without redirect rules, though it taxes the firewall machine, is to run apache on the firewall machine and allow connections to port 80. Then in your httpd.conf file (I think it is normally in /etc/httpd), just after the DocumentRoot directive, add the directive

ProxyPass / http://fully qualified name of your www server

This name should then be put in /etc/hosts with a corresponding private IP address.
participants (3)
- Fuchs Josef
- Nix
- semat