[Shorewall-users] Portforwarding within a zone

Tom Eastep teastep@shorewall.net
Sun, 6 Jan 2002 11:13:35 -0800


On Sunday 06 January 2002 11:02 am, Chris Freeze wrote:
> I have a transparent squid proxy in the DMZ, but would like to also proxy
> outbound http traffic as well as local zone traffic.  I've tried setting
> this rule,
> ACCEPT  dmz     dmz:  tcp   http    -  all
> I've also got the policy file to allow all traffic from the DMZ to the
> zone.  Can you portforward/redirect within a zone?

I'm unclear about exactly what you are trying to do. Is it that you have
clients in your DMZ other than your proxy server? If so, you have yet another
variant on FAQ 2 (http://www.shorewall.net/FAQ.htm#faq2 and faq2a). You have
to be careful though that you don't forward the proxy server's HTTP requests
back to itself.

Try this:

a) specify 'multi' on the entry for the DMZ's interface in
/etc/shorewall/interfaces; and
b) you need to masquerade the DMZ to itself; and
c) you need to amend your rule above:

ACCEPT  dmz:!  dmz:  tcp   http    -  all

Tom Eastep    \  teastep@shorewall.net
AIM: tmeastep  \  http://www.shorewall.net
ICQ: #60745924  \  Firewalls for Linux 2.4