Protect from internal is on; if that blocks the internal requests, you may
need to build a route between the two internal IP blocks as well:
xxx
The redirects are where you are passing the requests from the real IP to the
fake DMZ IP.
Regards,
Jon
----- Original Message -----
From:
Hi Gang !
Given the following scenario...Firewall running SuSE 7.3 / SuSEfirewall2 with 3 NICs:
                ************
                * Internet *
                ************
                      |
                 eth0 | "Real" IP address
                      |
   ******************          ******************
   *    Firewall    *---eth1---* DMZ - www/mail *
   ******************          ******************
           |
          eth2
           |
      **********
      * switch *
      **********
           |
  ***********************
  * Internal Machine(s) *
  ***********************
If AA.aaa.aaa.aaa is a private IP on eth1 and BB.bbb.bbb.bbb is a private IP on eth2 (to feed the rest of the network):
How are the questions in /etc/rc.config.d/firewall2.rc.config answered to get to the DMZ computer?? This is what I have (and I get dropped in the firewall without seeing the DMZ)... I know I have NOT yet turned on mail, because I want to see www services running first.....
    FWD_DEV_EXT="eth0"
    FWD_DEV_INT="eth2"
    FWD_DEV_DMZ="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASW_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="BB.bb.bbb.0/24"
    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_SERVICES="yes"
    FW_SERVICES_EXT_TCP="www"
    FW_SERVICES_EXT_UDP="www"
    FW_SERVICES_EXT_IP="www"
    FW_SERVICES_DMZ_TCP="domain www"
    FW_SERVICES_DMZ_UDP="www"
    FW_SERVICES_DMZ_IP="www"
    FW_SERVICES_INT_TCP="www"
    FW_SERVICES_INT_UDP="www"
    FW_SERVICES_INT_IP="www"
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    FW_SERVICE_AUTODETECT="yes"
    FW_SERVICE_DNS="no"
    FW_SERVICE_DHCLIENT="no"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SQUID="no"
    FW_SERVICE_SAMBA="no"
    FW_FORWARD=""        ??   -or-   FW_FORWARD="0/0,AA.aaa.aaa.aaa,tcp,80"   ??
    FW_FORWARD_MASQ="0/0,AA.aaa.aaa.aaa,tcp,80"
    FW_REDIRECT=""       ??   -or-   FW_REDIRECT="0/0,AA.aaa.aaa.aaa,tcp,80"   ??
The "-or-" is my guessing..... no combination seems to work; any help appreciated. What am I missing?? I always get dropped in the "firewall" box and never get to the web server.
The SuSEfirewall2 examples given by Marc do not seem to address the setup I am attempting... Is my inherent design bad?
- Bill
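As an added example (my own, not Jon's or Bill's configuration and not SuSEfirewall2's own code): a small POSIX sh function that takes one FW_FORWARD_MASQ entry in the "source,destination,protocol,port" form Bill uses and prints the two iptables rules such an entry amounts to, a DNAT on the external interface plus a FORWARD accept into the DMZ, and rejects entries that are not four well-formed fields. Interface names (in the FW_DEV_* spelling) and the sample DMZ address are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread. The interface names below are
# assumed; the DMZ address used at the bottom is constructed for the demo.
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"

# forward_masq_rules "src_net,dmz_ip,proto,port"
# Prints (does not run) the iptables commands the entry boils down to:
#   1. a nat-table DNAT on the external interface, so packets addressed to
#      the firewall's real IP are rewritten to the private DMZ address;
#   2. a FORWARD rule that admits exactly that traffic into the DMZ.
# Plain FW_FORWARD supplies only rule 2; without the DNAT nothing on the
# Internet can address a private DMZ IP, so the web server is never reached.
forward_masq_rules() {
    entry=$1
    # Split the entry on commas into the positional parameters.
    oldifs=$IFS
    IFS=,
    set -- $entry
    IFS=$oldifs
    if [ "$#" -ne 4 ]; then
        echo "forward_masq_rules: need src,dst,proto,port, got '$entry'" >&2
        return 1
    fi
    src=$1 dst=$2 proto=$3 port=$4
    case $proto in
        tcp|udp) ;;
        *) echo "forward_masq_rules: proto must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "forward_masq_rules: bad port '$port'" >&2; return 1 ;;
    esac
    echo "iptables -t nat -A PREROUTING -i $FW_DEV_EXT -s $src -p $proto --dport $port -j DNAT --to-destination $dst:$port"
    echo "iptables -A FORWARD -i $FW_DEV_EXT -o $FW_DEV_DMZ -s $src -d $dst -p $proto --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample: the web entry from the thread with a made-up DMZ IP.
forward_masq_rules "0/0,192.168.1.10,tcp,80"
```

The reply path still relies on FW_ROUTE="yes" and on the DMZ host routing back through the firewall, which is the piece Jon's note about routes between the internal blocks is getting at.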