Re: [opensuse] SuSEfirewall2: unable to connect to DMZ from behind NAT
Running bind on the firewall, it would resolve DNS requests for http://www.rowansweb.com/ coming from an internal zone to the DMZ machine.
Whereas someone outside your network would simply get pointed to your external IP, and the firewall would route it to the DMZ.
I don't think it's a DNS issue, our DNS server is running on the internal network (Windows). If I try to connect using the IP it's a no go. For some reason, however, I can connect to my ext:zone. I tried changing my dmz interface to an ext:zone but no luck. See config below.

192.168.1.0/24(masq)zone:int (eth0)-------[f/w ]----108.***.***.60 (eth2) zone:ext
[box]-----68.***.***.234(eth1) zone:dmz

For some reason my masq net cannot connect to eth1; doesn't matter if it's zone:ext or zone:dmz.

--
The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom. - Sun Tzu
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

I ran the following: tail -f /var/log/messages

Dec 1 13:16:45 linux-fw kernel: [104035.169087] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
Dec 1 13:16:45 linux-fw kernel: [104035.169151] martian source 68.164.***.234 from 192.168.1.22, on dev eth0
Dec 1 13:16:45 linux-fw kernel: [104035.169162] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00

Note 192.168.1.22 is my masq PC trying to connect to ejabberd running on my dmz 68.164.***.234. For some reason the firewall thinks my IP is a martian. I know most firewalls disallow connections from the net with a private IP. Any ideas?
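The "martian source" lines quoted above can be triaged mechanically. As an added example (not code from the thread, SuSEfirewall2 or the kernel), the Python below pulls the martian lines out of a /var/log/messages excerpt and separates the case seen here, an internal host on the int interface whose reply path the firewall cannot route, from the one most firewalls actually block, a private source address showing up on the external interface. The interface-to-zone map and the sample log lines (RFC 5737 documentation addresses standing in for the masked public IPs) are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the kernel "martian source" format quoted in the thread.
# Addresses are RFC 5737 documentation ranges standing in for the masked public IPs.
SAMPLE_LOG = """\
Dec 1 13:16:45 linux-fw kernel: [104035.169087] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
Dec 1 13:16:45 linux-fw kernel: [104035.169151] martian source 198.51.100.234 from 192.168.1.22, on dev eth0
Dec 1 13:16:45 linux-fw kernel: [104035.169162] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
Dec 1 13:17:02 linux-fw kernel: [104052.001122] martian source 198.51.100.234 from 192.168.1.22, on dev eth0
Dec 1 13:18:10 linux-fw kernel: [104120.554433] martian source 203.0.113.60 from 10.0.0.7, on dev eth2
"""

MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# Assumed zone layout taken from the thread: eth0 carries the int zone
# 192.168.1.0/24, eth2 the ext zone. Interfaces not listed have no expected source net.
EXPECTED_SRC = {"eth0": ipaddress.ip_network("192.168.1.0/24")}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_martians(text):
    """Extract (dst, src, dev) from every 'martian source' line; 'll header' lines are skipped."""
    return [m.group("dst", "src", "dev") for m in map(MARTIAN_RE.search, text.splitlines()) if m]


def classify(dst, src, dev, expected=EXPECTED_SRC):
    """Tell a misrouted legitimate packet apart from one carrying a forged private source."""
    src_ip = ipaddress.ip_address(src)
    net = expected.get(dev)
    if net is not None and src_ip in net:
        # Correct source network for this interface: the reverse-path check failed
        # because the kernel has no route back to src via dev for this dst, i.e. a
        # routing / rp_filter problem on the firewall itself, not hostile traffic.
        return "misrouted-internal"
    if any(src_ip in n for n in RFC1918):
        # A private source on an interface that should never carry one (e.g. ext).
        return "spoofed-private"
    return "unexpected"


def summarize(text):
    """Count martian events per (category, src, dev) so repeating offenders stand out."""
    return Counter((classify(dst, src, dev), src, dev) for dst, src, dev in parse_martians(text))


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

Run against the real log, the "misrouted-internal" bucket points at the firewall's own routing for the DMZ address, while "spoofed-private" is the bucket worth alerting on.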
On 12/1/2009 1:22 PM, Rowan R. wrote:
192.168.1.0/24(masq)zone:int (eth0)-------[f/w ]----108.***.***.60 (eth2) zone:ext
[box]-----68.***.***.234(eth1) zone:dmz

for some reason my masq net cannot connect to eth1, doesn't matter if it's zone:ext or zone:dmz

I ran the following

Dec 1 13:16:45 linux-fw kernel: [104035.169151] martian source 68.164.***.234 from 192.168.1.22, on dev eth0
Dec 1 13:16:45 linux-fw kernel: [104035.169162] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
I remember seeing a bug report somewhere about the martian source message with regard to SuSE firewall. One solution was to set a flag to turn off the messages, but this seemed like a bandaid, as an outbound connection should never show martian source. This nonsense is why I run shorewall instead of SuSE firewall.
Participants (2): John Andersen, Rowan R.