[Shorewall-users] DMZ Access

Dubba Kor dubbakor at hotmail.com
Sat Aug 2 02:17:54 PDT 2003


Hi All, here is my setup:
RH: 9.0, Kernel: 2.4.20-8, Shorewall: 1.4.6a

Zones:
net Net
loc Local => 192.168.168.0/24
dmz DMZ => 10.10.10.0/24

Interfaces:
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect

Policy:
loc net ACCEPT
fw net ACCEPT
dmz net ACCEPT
net all DROP info
all all REJECT info

Proxyarp:
65.217.69.69 eth2 eth0 No
65.217.69.70 eth2 eth0 No

Rules:
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT net fw icmp 8
ACCEPT loc fw icmp 8
ACCEPT dmz fw icmp 8
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw dmz icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and

ACCEPT net dmz tcp 80 => This is the only line that I added to the original 
Three Interface files

Questions:

I am not able to open the web pages from the web servers running in the DMZ 
(10.10.10.2 and 10.10.10.3), but when I ping 65.217.69.69 or 
65.217.69.70 from the Internet, I get a reply.

How does Shorewall direct http requests from the Internet to the DMZ, with 
computers in the DMZ having IP addresses 10.10.10.2 and 10.10.10.3? How does it 
know if the request is for 65.217.69.69 or 65.217.69.70?

What is missing to reach the web servers in DMZ?

Your help is highly appreciated...thanks in advance !!
DK
