Henry Standing wrote:
1. What is your DMZ setup?
Is it 3-homed:
                       __________
                      /          \
                     |  Internet  |
                      \__________/
                           |
                      _____|_____          __________
                     |           |        |          |
                     |  Firewall |--------|   DMZ    |
                     |___________|        |__________|
--> In the same server, and the rest of the services, http, smtp, ..
                           |
                      _____|________
                     |              |
                     | Internal LAN |
                     |______________|
2. Where are your internal DNS server(s) located?
in DMZ
3. How are your Subnets set up?
three PCs with Linux clients (192.168.0.10 - 192.168.0.10.11, 192.168.0.10.12), route to 192.168.0.1
On Thu, 2004-10-14 at 14:41, Raul H. Lapitzondo wrote:
I have problems connecting from my internal LAN to services (http, smtp) in the DMZ. Example: I can't send mail with my mail server, but it is possible when I connect from outside my network.
But it does not stop me connecting to other services outside my network.
Any idea?
Thanks in advance, Raul
------------------------------------------------------------------------------
This is my network scheme:
ADSL-----------DMZ-----------------SWITCH --- LAN
192.168.1.1    ETH1=192.168.1.2                192.168.0.0/24
               ETH0=192.168.0.1
               Services: smtp, http...
Log when I attempt to connect to a virtual domain in my DMZ:
-------- /var/log/messages ---------------------
SFW2-INext-DROP-ICMP IN=eth1 OUT= MAC=00:50:fc:27:26:bd:00:73:03:08:df:ec:08:00 SRC=[nnn.nnn.nnn.nnn] DST=192.168.1.2 LEN=56 TOS=0x08 PREC=0x00 TTL=64 ID=31558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.2 DST=[nnn.nnn.nnn.nnn] LEN=60 TOS=0x08 PREC=0x00 TTL=64 ID=33634 DF PROTO=TCP INCOMPLETE [8bytes] ]
------------------------------------------------
route:
------------------------------------------------
# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
------------------------------------------------
SuSEfirewall2:
----------------- /etc/sysconfig/SuSEfirewall2 ---------------------
# 1.)
# Should the Firewall run in quickmode?
FW_QUICKMODE="no"
# 2.)
FW_DEV_EXT="eth-id-00:50:fc:27:26:bd"
# 3.)
FW_DEV_INT="eth-id-00:e0:7d:9d:e3:59"
# 4.)
# Which is the interface that points to the dmz or dialup network?
FW_DEV_DMZ="eth1"
# 5.)
# Should routing between the internet, dmz and internal network be activated?
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
## Type: string
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP="53 http https imap imaps pop3 pop3s smtp"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="53 http https imap imaps pop3 pop3s smtp"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="smtp domain http https 110 143 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
# 9a.)
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
# 10.)
FW_TRUSTED_NETS="192.168.0.0/24"
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD="192.168.0.0/24,192.168.1.2"
# 14.)
FW_FORWARD_MASQ=""
# 15.)
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp,25,3128 192.168.0.0/24,0/0,tcp,110,3128 192.168.0.0/24,0/0,tcp,143,3128"
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
# 17.)
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
# 20.)
FW_ALLOW_FW_TRACEROUTE="yes"
# 21.)
FW_ALLOW_FW_SOURCEQUENCH="yes"
# 22.)
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="yes"
# 23.)
FW_ALLOW_CLASS_ROUTING="no"
# 25.)
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# 26.)
FW_REJECT="yes"
# 27.)
FW_HTB_TUNE_DEV=""
# 28.)
FW_IPv6=""
# 28a.)
FW_IPv6_REJECT_OUTGOING="yes"
# 29.)
FW_IPSEC_TRUST="no"
# 29a.)
FW_IPSEC_MARK=""
FW_LOG=""
--------------------------------------------------------------------
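A small check added here (not part of the thread or of SuSEfirewall2) that parses the FW_REDIRECT value quoted above. Each entry has the documented form source-net,destination-net,protocol,destination-port,local-port, and the check lists every LAN-originated non-HTTP service (smtp, pop3, imap) that the entries divert to port 3128, Squid's default HTTP proxy port; the port list and the assumption that 3128 is the proxy are the only things not taken from the posted config.

```python
"""Inspect SuSEfirewall2 FW_REDIRECT entries for non-HTTP ports sent to an
HTTP proxy port. Added example; not part of SuSEfirewall2 or the original post."""
import re

# Well-known TCP services that a transparent HTTP proxy cannot speak.
NON_HTTP_PORTS = {25: "smtp", 110: "pop3", 143: "imap"}

# The FW_REDIRECT value quoted in the thread, copied verbatim.
FW_REDIRECT = ("192.168.0.0/24,0/0,tcp,80,3128 192.168.0.0/24,0/0,tcp,25,3128 "
               "192.168.0.0/24,0/0,tcp,110,3128 192.168.0.0/24,0/0,tcp,143,3128")


def parse_redirects(value):
    """Split a FW_REDIRECT value into one dict per rule.

    Each whitespace-separated entry reads
    <source net>,<destination net>,<protocol>,<destination port>,<local port>.
    Only plain numeric ports are accepted here; malformed entries raise
    ValueError rather than being skipped silently.
    """
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if len(parts) != 5:
            raise ValueError("malformed FW_REDIRECT entry: %r" % entry)
        src, dst, proto, dport, lport = parts
        if not re.fullmatch(r"\d+", dport) or not re.fullmatch(r"\d+", lport):
            raise ValueError("non-numeric port in entry: %r" % entry)
        rules.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "lport": int(lport)})
    return rules


def find_non_http_redirects(rules, proxy_port=3128):
    """Return (service, dport, src) for each TCP rule that redirects a known
    non-HTTP service to proxy_port (3128 is Squid's default; an assumption)."""
    hits = []
    for r in rules:
        if (r["proto"] == "tcp" and r["lport"] == proxy_port
                and r["dport"] in NON_HTTP_PORTS):
            hits.append((NON_HTTP_PORTS[r["dport"]], r["dport"], r["src"]))
    return hits


if __name__ == "__main__":
    for service, port, src in find_non_http_redirects(parse_redirects(FW_REDIRECT)):
        print("%s: tcp/%d (%s) is redirected to the proxy port" % (src, port, service))
```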