SuSEfirewall2 - problems with DMZ
Hi there,
I use SuSEfirewall2 on a SuSE 7.2 gateway. The firewall has 3 interfaces: one towards the internet (official IP), one to the inner LAN (192.168.20.x) and one to the DMZ (192.168.70.x). The computer in the DMZ (webserver) has an internal IP address (192.168.70.y), so I have to port-masquerade. The inner-LAN clients can reach the webserver because I'm using the "FW_FORWARD" parameter in the SuSEfirewall config file. One of the entries is "192.168.20.0/24,192.168.70.10,tcp,80". All works fine. But now I want to add a second server (mail) to the DMZ. I added the appropriate entry to the FW_FORWARD parameter. I can ping the two servers from the firewall successfully. But from an inner-LAN client I can only reach the webserver, not the mailserver. Neither a ping works, nor a telnet to the SMTP port. The firewall logs relating to DENYs or similar are empty. But why? When I add the mailserver to the "FW_FORWARD_MASQ" parameter, I can reach the box from the internet without problems.
Thanks in advance for help.
Michael
* Michael Boettjer; <michael@boettjer.org> on 13 Oct, 2002 wrote:
But why? When i add the Mailserver to the "FW_FORWARD_MASQ"-Parameter, i can reach the Box from the internet without problems.
My understanding of the parameter FW_FORWARD is that the computer you are FORWARDING to has to have a valid IP. So if you are using a private IP range then you have to use the FW_FORWARD_MASQ parameter, which is for this purpose. HTH
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Sunday, 13 October 2002 14:24, Michael Boettjer wrote:
Hi there,
I use SuSEfirewall2 on a SuSE 7.2 gateway. The firewall has 3 interfaces: one towards the internet (official IP), one to the inner LAN (192.168.20.x) and one to the DMZ (192.168.70.x). The computer in the DMZ (webserver) has an internal IP address (192.168.70.y), so I have to port-masquerade. The inner-LAN clients can reach the webserver because I'm using the "FW_FORWARD" parameter in the SuSEfirewall config file. One of the entries is "192.168.20.0/24,192.168.70.10,tcp,80".
All works fine. But now I want to add a second server (mail) to the DMZ. I added the appropriate entry to the FW_FORWARD parameter. I can ping the two servers from the firewall successfully.
This means you can reach both IPs on 192.168.70.0.
But from an inner-LAN client I can only reach the webserver, not the mailserver. Neither a ping works, nor a telnet to the SMTP port. The firewall logs relating to DENYs or similar are empty.
If I understand it correctly: you allow ping. So you can ping your webserver 192.168.70.10, but not your mail server 192.168.70.1?
But why? When i add the Mailserver to the "FW_FORWARD_MASQ"-Parameter, i can reach the Box from the internet without problems.
If you can reach your mail server when it's MASQed, you will masq the IP and the firewall
Maybe your default router is wrong. It must be the IP of the firewall's NIC which belongs to the DMZ. Try a traceroute from your mail server into your internal network to prove this.
Greetings
Harald
--
Dr. Harald Wallus
netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23
Fax: +49(0)511 90 95 1-90
Email: wallus@netlike-gmbh.de
Internet: http://netlike-gmbh.de
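As an added example (not from the thread and not SuSEfirewall2's own scripts), here is a POSIX sh script that expands FW_FORWARD and FW_FORWARD_MASQ entries into the iptables rules they stand for, and checks whether a given LAN-to-DMZ flow is covered by any FW_FORWARD entry. It assumes the entry syntax I recall from the SuSEfirewall2 config comments (FW_FORWARD: src_net,dst_net[,proto[,dport]]; FW_FORWARD_MASQ: src_net,dst_ip,proto,dport[,redirect_port]); verify that against the comments in your own config file. The config strings, the client address 192.168.20.5 and the mail server address 192.168.70.20 are constructed for the example. The rules it prints are a simplified rendering of what SuSEfirewall2 generates, not a copy of its output. The point it makes: an entry ending in tcp,80 covers TCP to port 80 only, so ping (ICMP) or SMTP from the inner LAN needs its own entry; and no entry helps if the DMZ host's default route does not point back at the firewall's DMZ interface, which only the traceroute suggested above can tell you.

```shell
#!/bin/sh
# Added example (not from the thread, not SuSEfirewall2's own code):
# expand FW_FORWARD / FW_FORWARD_MASQ entries into the iptables rules
# they stand for and check whether a given LAN->DMZ flow is covered.
# Entry syntax assumed from the SuSEfirewall2 config comments:
#   FW_FORWARD:      src_net,dst_net[,proto[,dport]]
#   FW_FORWARD_MASQ: src_net,dst_ip,proto,dport[,redirect_port]
# All addresses are constructed; 192.168.70.20 for the mail server is assumed.
FW_FORWARD="192.168.20.0/24,192.168.70.10,tcp,80 192.168.20.0/24,192.168.70.20,tcp,25"
FW_FORWARD_MASQ="0/0,192.168.70.20,tcp,25"

# dotted quad -> integer (0..4294967295)
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET : succeeds if ADDR lies in NET (a.b.c.d[/len]; "0/0" = any)
in_net() {
    net=${2%/*}
    case $2 in
        */*) len=${2#*/} ;;
        *)   len=32 ;;
    esac
    [ "$len" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the FORWARD rules one FW_FORWARD list implies (plus the reply rule).
fw_forward_rules() {
    for entry in $1; do
        old_ifs=$IFS
        IFS=,
        set -- $entry
        IFS=$old_ifs
        src=$1
        dst=$2
        proto=${3:-all}
        port=$4
        rule="iptables -A FORWARD -s $src -d $dst -p $proto"
        [ -n "$port" ] && rule="$rule --dport $port"
        echo "$rule -j ACCEPT"
        # without a reply path the TCP handshake never completes
        echo "iptables -A FORWARD -s $dst -d $src -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
}

# Print the DNAT + FORWARD rules one FW_FORWARD_MASQ list implies.
fw_forward_masq_rules() {
    for entry in $1; do
        old_ifs=$IFS
        IFS=,
        set -- $entry
        IFS=$old_ifs
        src=$1
        dst=$2
        proto=$3
        port=$4
        rport=${5:-$4}
        echo "iptables -t nat -A PREROUTING -s $src -p $proto --dport $port -j DNAT --to-destination $dst:$rport"
        echo "iptables -A FORWARD -s $src -d $dst -p $proto --dport $rport -j ACCEPT"
    done
}

# flow_allowed SRC DST PROTO [PORT] : succeeds if some FW_FORWARD entry covers it.
# PORT is omitted for protocols without ports (icmp).
flow_allowed() {
    f_src=$1
    f_dst=$2
    f_proto=$3
    f_port=$4
    for entry in $FW_FORWARD; do
        old_ifs=$IFS
        IFS=,
        set -- $entry
        IFS=$old_ifs
        in_net "$f_src" "$1" || continue
        in_net "$f_dst" "$2" || continue
        [ "${3:-all}" = all ] || [ "$3" = "$f_proto" ] || continue
        [ -z "$4" ] || [ "$4" = "$f_port" ] || continue
        return 0
    done
    return 1
}

# Stand-alone run: show the rules, then the three probes from the thread.
fw_forward_rules "$FW_FORWARD"
fw_forward_masq_rules "$FW_FORWARD_MASQ"
for probe in "192.168.20.5 192.168.70.10 tcp 80" \
             "192.168.20.5 192.168.70.20 tcp 25" \
             "192.168.20.5 192.168.70.20 icmp"; do
    if flow_allowed $probe; then echo "covered:     $probe"; else echo "NOT covered: $probe"; fi
done
```

Running it shows the LAN ping to the mail server is not covered by a tcp,25 entry, which is the expected result of the config, not a routing fault; a covered flow that still fails points at the DMZ host's default route, as the reply above suggests.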
participants (3)
- Harald Wallus
- Michael Boettjer
- Togan Muftuoglu