[Shorewall-users] Portforwarding within a zone

Chris Freeze cfreeze@alumni.clemson.edu
Sun, 06 Jan 2002 14:13:28 -0600 (CST)

On 06-Jan-2002 Tom Eastep wrote:

> I'm unclear about exactly what you are trying to do. Is it that you have http
> clients in your DMZ other than your proxy server? If so, you have yet another
> variant on FAQ 2 (http://www.shorewall.net/FAQ.htm#faq2 and faq2a). You have
> to be careful though that you don't forward the proxy server's HTTP requests
> back to itself.

I have a transparent proxy sitting in my dmz zone.  I want the local and dmz
zones to use this proxy transparently.  My problem has been in trying to get
each zone to use it.

> a) specify 'multi' on the entry for the DMZ's interface in
> /etc/shorewall/interfaces; and
> b) you need to masquerade the DMZ to itself; and
> c) You need to amend your rule above:
> ACCEPT  dmz:!  dmz:  tcp   http    -  all

I've made your modifications as suggested and I'm still not getting anything to
go through.  Nothing in the logs being rejected so I think it's still looping
somewhere.  This box also serves as a webserver.  I've got the rules for being
a webserver above the ones for it being a proxy.  I've also put settings in
Netscape's advanced settings to use the box as a proxy (avoiding the transparent
issue) and things work fine without the above rule.  With it, I still have the
same problem.

Chris Freeze           Email: cfreeze@alumni.clemson.edu
                         Web: http://www.cfreeze.com
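The looping caveat from the quoted reply, as an added illustration that is not part of the thread or of Shorewall itself: a small model of a rule that sends all HTTP leaving the DMZ to the proxy, run once with and once without the proxy's own address excluded as a source. Addresses, the `Rule` class and `trace()` are constructed for this example.

```python
"""Model of the same-zone HTTP forwarding rule from the thread (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: a DMZ subnet, the transparent proxy inside it, a DMZ
# client, and a web server out on the Internet.
DMZ = ipaddress.ip_network("192.0.2.0/24")
PROXY = ipaddress.ip_address("192.0.2.10")
CLIENT = ipaddress.ip_address("192.0.2.20")
WEB = ipaddress.ip_address("198.51.100.7")


@dataclass(frozen=True)
class Rule:
    """Forward HTTP from DMZ hosts to `target`, optionally exempting one source.

    exclude_src=None models the rule without the 'dmz:!<proxy>' exclusion;
    exclude_src=PROXY models the amended rule Tom suggests.
    """
    target: ipaddress.IPv4Address
    exclude_src: Optional[ipaddress.IPv4Address] = None

    def matches(self, src: ipaddress.IPv4Address, dport: int) -> bool:
        return src in DMZ and dport == 80 and src != self.exclude_src


def trace(src, dst, dport: int, rule: Rule, max_hops: int = 5):
    """Follow one request through the rule and return the destinations visited.

    When a packet lands on the proxy, the proxy re-issues the request toward
    the original destination using its own address as source, so that second
    request is evaluated against the same rule. Returns None if the request
    keeps being captured (a forwarding loop) instead of reaching `dst`.
    """
    path = []
    cur_src, cur_dst = src, dst
    for _ in range(max_hops):
        if rule.matches(cur_src, dport):
            cur_dst = rule.target          # DNAT/redirect to the proxy
        path.append(cur_dst)
        if cur_dst != rule.target:
            return path                    # reached the real server
        cur_src, cur_dst = rule.target, dst   # proxy fetches on the client's behalf
    return None                            # never escaped the DMZ: loop


def loops(rule: Rule) -> bool:
    """True if a DMZ client's request to WEB never gets out under `rule`."""
    return trace(CLIENT, WEB, 80, rule) is None
```

Without the exclusion the proxy's own fetch is captured and sent back to the proxy every hop; with `dmz:!<proxy>` the path is client to proxy to web server.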