[Shorewall-users] Complex integration question

linux@craigsimon.net linux@craigsimon.net
Wed, 11 Sep 2002 10:27:46 -0700 (PDT)

Greetings everyone.

I am noodling over a issue that I would like some comments on.  I have
been running Shorewall for several months now with no issues.  My current
firewall configuration is as follows:

Eth0 – Access to my cable modem
Eth1 – My DMZ
Eth2 – My internal network
Eth3 – Wifi card and wireless network.

Currently this is running on a box running Debian (Woody) with a custom
2.4 kernel and just a few services, the main one being a DHCP server to
hand out addresses on eth1,2, and 3.  My firewall gets its external ip
address through DHCP from my ISP (ATT broadband).   The firewall is
running Shorewall 1.3.1 and I am having no problems.

Now, where I want to be, is that I want to move my email/web server into
the DMZ that I have built.  Currently it is sitting in front of the
firewall with a DHCP address as well.  I want to move it behind the
firewall, then control access using firewall rules.

So the question now is implementation.  I believe that I can use the proxy
arp functionality within Shorewall to take requests and send them to the
proper box.  Looking at my configuration a little more in depth then:

Eth0 – Internet 12.x.x.x
Eth1 – DMZ 192.168.10.x

I need to get a 12 address assigned to my web/email server sitting in the
DMZ.  So I am attempting to get the ISC DHCP relay agent to work between
these two networks.  This is where I am having my issues.  And this is
where I would like a sanity check.  I am trying to get a DHCP REQUEST from
ETH1 through ETH0, assigned from my ISP’s servers and back again.  Then I
just write my firewall rules to support the assigned address.  This works
great for me since these assignments are pretty much static (they seldom

The problem when I put a analyzer on the network is that the DHCP OFFERS
never get send back to the server in the DMZ.  I am also not seeing any
firewall messages being sent back which might indicate that I am not
running afoul of the firewall.

Any thoughts?  Or maybe other options that I have not considered yet?