Help getting DMZ+reverse-proxy working
Hi,

I have the following setup:

LAN:      192.168.0.0/24
DMZ:      10.0.0.0/24
Internet: some DSL connection, real IP.

Looks like this:

          internal (192.168.0.0/24)
                   ^
                   |
                   |
<----Internet----|FW|-->DMZ----10.0.0.0/24

I want to be able to access the webserver in the DMZ via port 443 (which works) and then reverse-proxy these requests to some internal IP on 192.168.0.0/24. That doesn't work.

Here's what I have so far:

FW_QUICKMODE="no"
FW_DEV_EXT="eth-id-00:01:03:4c:cd:c0"
FW_DEV_INT="eth-id-00:a0:24:a8:fb:a4"
FW_DEV_DMZ="eth-id-00:04:76:13:6d:e5"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,10.0.0.x,tcp,443 10.0.0.x,192.168.0.y,tcp,80"
FW_REDIRECT=""

Any ideas how to do that? Or do I need a real IP also in the DMZ?

cheers,
Rainer

--
===================================================
~ Rainer Duffner - rainer@ultra-secure.de         ~
~ Freising - Munich - Germany                     ~
~ Unix - Linux - BSD - OpenSource - Security      ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp   ~
===================================================
Hi,

Rainer Duffner wrote:
> Hi,
> I have the following setup:
> Snipsnap
> Any ideas how to do that?
man rinetd (run this in the DMZ, or some other proxy). Do not only use firewall IP packet rewriting, because this is no more security than direct access through the firewall.
> Or do I need a real IP also in the DMZ?
No.

Ahh, port 443. Btw. you need the correct certificate on the server and a proper NS record too. man pound could help too.

Dirk
> cheers,
> Rainer
--
TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
Commercial register: München HRB 113466
VAT ID: DE 180017238
Tax no.: 802/40600
Managing director: Richard Hofbauer
Commercial management: Rosa Igl
Dirk Schreiner wrote:
> Hi,
> Rainer Duffner wrote:
>> Hi,
>> I have the following setup:
>> Snipsnap
>> Any ideas how to do that?
> man rinetd (run this in the DMZ, or some other proxy)
I run Apache with proxy-pass. The fw is SuSE 9.1, the Apache is on SLES.

cheers,
Rainer
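The reverse proxy Rainer mentions, as an added example of what the DMZ-side Apache 1.3 configuration can look like. This is not his configuration: the ServerName, the certificate paths, the mod_ssl directives and the assumption that mod_ssl and mod_proxy are compiled in or loaded are mine; 10.0.0.x and 192.168.0.y are the thread's own placeholders, kept as they are.

```apache
# Added example, not the configuration from the thread.
# DMZ host (10.0.0.x): Apache 1.3 + mod_ssl + mod_proxy, terminates TLS on
# 443 and passes plain HTTP on to the internal server 192.168.0.y:80.
# ServerName and certificate paths are assumptions.
Listen 443

<VirtualHost _default_:443>
    # Must match the CN of the certificate presented to clients.
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/server.key

    # Reverse proxy only. With ProxyRequests On, an Internet-facing
    # Apache becomes an open forward proxy; Off restricts mod_proxy to
    # the ProxyPass mappings below.
    ProxyRequests Off

    # Map the whole site onto the internal server; ProxyPassReverse
    # rewrites Location headers in redirects so clients never see the
    # RFC1918 address.
    ProxyPass        / http://192.168.0.y/
    ProxyPassReverse / http://192.168.0.y/
</VirtualHost>
```

ProxyRequests Off is the line that matters for security; everything else is ordinary mod_ssl setup. The proxy still needs the packet filter to let 10.0.0.x open TCP connections to 192.168.0.y:80, and the certificate served on 443 must carry the name clients resolve to the firewall's external address, which is Dirk's certificate and DNS point.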
Hi,

Rainer Duffner wrote:
> Dirk Schreiner wrote:
>> Hi,
>> Rainer Duffner wrote:
>>> Hi,
>>> I have the following setup:
>>> Snipsnap
>>> Any ideas how to do that?
>> man rinetd (run this in the DMZ, or some other proxy)
> I run Apache with proxy-pass.
Ahh, YAAM (Yet Another Apache Module) ;-)

Please log in to the DMZ machine and send the output of

ping 192.168.0.y
tracert 192.168.0.y

and

telnet 192.168.0.y 80 [ENTER]
GET / HTTP/1.0 [ENTER]
[ENTER]

I assume you have enabled (temporarily) ping ;-) Otherwise do ping from 192.168.0.y to the DMZ. This _should_ be enabled.

Dirk
> The fw is SuSE 9.1, the Apache is on SLES.
>
> cheers,
> Rainer
Dirk Schreiner wrote:
> Hi,
> Rainer Duffner wrote:
>> Dirk Schreiner wrote:
>>> Hi,
>>> Rainer Duffner wrote:
>>>> Hi,
>>>> I have the following setup:
>>>> Snipsnap
>>>> Any ideas how to do that?
>>> man rinetd (run this in the DMZ, or some other proxy)
>> I run Apache with proxy-pass.
> Ahh, YAAM (Yet Another Apache Module) ;-)
Just standard apache-1.3.x with mod_proxy. I didn't have SLES9 with me (and FreeBSD was not an option...), otherwise I'd have used apache2.
> Please log in to the DMZ machine and send the output of
>
> ping 192.168.0.y
> tracert 192.168.0.y
>
> and
>
> telnet 192.168.0.y 80 [ENTER]
> GET / HTTP/1.0 [ENTER]
> [ENTER]
That doesn't work.

Jan 31 13:49:08 gtw kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth2 OUT=eth1 SRC=10.0.0.x DST=192.168.0.y LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2167 DF PROTO=ICMP TYPE=8 CODE=0 ID=34566 SEQ=7168

The proxy-pass directory should work - I can see the dropped packets there, too:

Jan 31 13:56:23 gtw kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth2 SRC=bla DST=10.0.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=15753 DF PROTO=TCP SPT=1771 DPT=443 WINDOW=57344 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A3D766DC400000000)
Jan 31 13:56:35 gtw kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth2 OUT=eth1 SRC=10.0.0.x DST=192.168.0.y LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=2190 DF PROTO=TCP SPT=32776 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A001123E30000000001030300)
Jan 31 13:56:38 gtw kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth2 OUT=eth1 SRC=10.0.0.x DST=192.168.0.y LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=2191 DF PROTO=TCP SPT=32776 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A0011250F0000000001030300)
> I assume you have enabled (temporarily) ping ;-) Otherwise do ping from 192.168.0.y to the DMZ. This _should_ be enabled.
Yes, this works. ping dmz->fw also works. Just no packets from dmz to intranet allowed.

How do I tell SFW2 to do that? Or will I need a custom rule for that?

The SuSEfirewall2 FAQ on sf.net contained an example for this, but with a "real" IP in the DMZ. So I was wondering if it works with 2x RFC1918...

cheers,
Rainer
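As an added example (not from the thread, and not SuSEfirewall2's own tooling): a small POSIX sh/awk filter that takes the SFW2 FORWARD-drop lines quoted above and turns them into candidate entries for FW_FORWARD, which is the question the message ends on. Assumptions, mine: FW_FORWARD takes "<source>,<destination>,<protocol>[,<port>]" and is the variable that permits plain forwarding between zones, while FW_FORWARD_MASQ only describes DNAT of connections arriving from outside, which is how the comments in /etc/sysconfig/SuSEfirewall2 read to me. The sample log lines are the thread's own, with the 10.0.0.x / 192.168.0.y placeholders kept as they are and the OPT field trimmed.

```shell
#!/bin/sh
# Added example, not code from the thread. Derive FW_FORWARD entries for
# SuSEfirewall2 from kernel log lines of forwarded packets it dropped.
#
# Assumptions (mine):
#  - the log prefix is SFW2-FWD<zone>-DROP-<reason>, as in the quoted lines;
#  - FW_FORWARD format is <source>,<destination>,<protocol>[,<port>];
#  - 10.0.0.x / 192.168.0.y are the thread's placeholders, left as-is.

# Constructed sample: the forward log lines quoted in the thread (one ICMP
# drop, one accepted 443 REVMASQ line, two identical TCP/80 drops), with
# the OPT field trimmed.
SAMPLE_LOG='Jan 31 13:49:08 gtw kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth2 OUT=eth1 SRC=10.0.0.x DST=192.168.0.y LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2167 DF PROTO=ICMP TYPE=8 CODE=0 ID=34566 SEQ=7168
Jan 31 13:56:23 gtw kernel: SFW2-FWDext-ACC-REVMASQ IN=eth0 OUT=eth2 SRC=bla DST=10.0.0.x LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=15753 DF PROTO=TCP SPT=1771 DPT=443 WINDOW=57344 RES=0x00 SYN URGP=0
Jan 31 13:56:35 gtw kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth2 OUT=eth1 SRC=10.0.0.x DST=192.168.0.y LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=2190 DF PROTO=TCP SPT=32776 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 31 13:56:38 gtw kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth2 OUT=eth1 SRC=10.0.0.x DST=192.168.0.y LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=2191 DF PROTO=TCP SPT=32776 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0'

# sfw2_forward_candidates: read log lines on stdin, keep only FORWARD
# drops (SFW2-FWD*-DROP-*), and print one unique FW_FORWARD entry per
# (src,dst,proto,dport). ICMP carries no DPT, so the port is omitted,
# which the FW_FORWARD format allows. Accepted (ACC) lines are ignored.
sfw2_forward_candidates() {
    awk '
        / SFW2-FWD[a-z]*-DROP-/ {
            src = dst = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")   src   = kv[2]
                if (kv[1] == "DST")   dst   = kv[2]
                if (kv[1] == "PROTO") proto = tolower(kv[2])
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (src == "" || dst == "" || proto == "") next
            entry = src "," dst "," proto
            if (dpt != "") entry = entry "," dpt
            if (!(entry in seen)) { seen[entry] = 1; print entry }
        }'
}

# sfw2_forward_line: render the candidates as the space-separated
# FW_FORWARD assignment to paste into /etc/sysconfig/SuSEfirewall2.
sfw2_forward_line() {
    printf 'FW_FORWARD="%s"\n' "$(sfw2_forward_candidates | tr '\n' ' ' | sed 's/ $//')"
}

# Stand-alone run: feed the constructed sample and print the assignment.
printf '%s\n' "$SAMPLE_LOG" | sfw2_forward_line
```

Only the tcp,80 entry belongs in the real configuration; the icmp entry merely reflects the temporary ping test and is not needed once the proxy path is confirmed. With that single entry the DMZ host can reach exactly one internal address on one port, which is the least the reverse proxy needs, and under the reading of the variables given above the second item in FW_FORWARD_MASQ does nothing useful and can go.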