From: <ri...@sp...> - 2004-10-07 01:34:29
Thank you, Tom, for your post of September 29, 2004 in response to my request for help on accessing my DMZ servers from the local network using their local private IP addresses. I appreciate your kind assistance. Your suggestion allowed me to correct the problem of accessing the DMZ servers from the local network using their private IP addresses. I still have one more problem before I can begin testing my DNS views for local name resolution.

The problem is this: my mail server can receive but not send email when I use my current Shorewall configuration on the firewall. When my firewall is "down," I connect the DMZ server directly to the network connection. When I test the firewall, I move the server back behind the firewall and restart the services after changing the /etc/sysconfig/network-scripts/ifcfg-eth0, /etc/named.conf and /etc/resolv.conf files. Now my domain name service works fine (dig, host, etc.) and my dnsreport.com results look fine. My mail server can receive mail but can't send it (my ISP has told me that ARP caching is not an issue). I have attached my status report.
My mail logs look like this:

Oct 6 21:01:53 testy postfix/master[11041]: daemon started -- version 2.1.0
Oct 6 21:01:53 testy postfix/qmgr[11043]: 88CE5386EE1: from=<mworden@substantis.com>, size=3977, nrcpt=1 (queue active)
Oct 6 21:01:53 testy postfix/qmgr[11043]: 4A612386EE6: from=<mworden@substantis.com>, size=826, nrcpt=1 (queue active)
Oct 6 21:01:53 testy postfix/qmgr[11043]: 207A1386EE5: from=<mworden@substantis.com>, size=823, nrcpt=1 (queue active)
Oct 6 21:03:53 testy postfix/smtp[11046]: 4A612386EE6: lost connection with mx1.hotmail.com[64.4.50.99] while receiving the initial SMTP greeting
Oct 6 21:03:53 testy postfix/smtp[11045]: 88CE5386EE1: lost connection with mail.cloud9.net[168.100.1.9] while receiving the initial SMTP greeting
Oct 6 21:03:54 testy postfix/smtp[11047]: 207A1386EE5: lost connection with mx4.hotmail.com[65.54.190.179] while receiving the initial SMTP greeting

My capture on the firewall's dmz interface looks like this:

5840 Len=0 MSS=1460
0.098251 168.100.1.3 -> 192.168.202.7 TCP smtp > 33920 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.098712 192.168.202.7 -> 168.100.1.3 TCP 33920 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.104736 168.100.1.3 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.105255 192.168.202.7 -> 168.100.1.3 TCP 33920 > smtp [ACK] Seq=1 Ack=26 Win=5840 Len=0
0.127214 65.54.252.99 -> 192.168.202.7 TCP smtp > 33918 [FIN, ACK] Seq=0 Ack=0 Win=5840 Len=0
0.154419 192.168.202.7 -> 65.54.252.99 TCP 33918 > smtp [FIN, ACK] Seq=0 Ack=1 Win=5840 Len=0
0.154618 65.54.252.99 -> 192.168.202.7 TCP smtp > 33918 [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.155717 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
0.155893 64.4.50.239 -> 192.168.202.7 TCP smtp > 33921 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
0.156307 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
0.168724 64.4.50.239 -> 192.168.202.7 SMTP Response: SSH-1.99-OpenSSH_3.6.1p2
0.169263 192.168.202.7 -> 64.4.50.239 TCP 33921 > smtp [ACK] Seq=1 Ack=26 Win=5840 Len=0

My rules are as follows:

####################################################################################################
#ACTION   SOURCE             DEST               PROTO  DEST          SOURCE   ORIGINAL        RATE   USER/
#                                                      PORT          PORT(S)  DEST            LIMIT  GROUP
ACCEPT    net                dmz                icmp   echo-request  -        -               -      -
ACCEPT    net                loc                icmp   echo-request  -        -               -      -
ACCEPT    dmz                loc                icmp   echo-request  -        -               -      -
ACCEPT    loc                dmz                icmp   echo-request  -        -               -      -
# FW acts as secondary DNS and Mail server to Primary DNS at 69.17.65.22 / 192.168.202.7
REDIRECT  net                53                 tcp    domain        -        !69.17.65.22    #TCP DNS FROM NET
ACCEPT    net                fw                 tcp    domain        -        #TCP DNS FROM NET
#
REDIRECT  net                53                 udp    domain        -        !69.17.65.22    #UDP DNS FROM NET
ACCEPT    net                fw                 udp    domain        -        -               #UDP DNS FROM NET
#
REDIRECT  loc                53                 tcp    domain        -        !192.168.202.7  #TCP DNS FROM Local Network
ACCEPT    loc                fw                 tcp    domain        -        -               #TCP DNS FROM local
#
REDIRECT  loc                53                 udp    domain        -        !192.168.202.7  #UDP DNS FROM Local Network
ACCEPT    loc                fw                 udp    domain        -        -               #TCP DNS FROM Local Network
REDIRECT  net                22                 tcp    ssh           -        !69.17.65.22    #TCP DNS FROM NET
ACCEPT    net                fw                 tcp    ssh           -        #TCP DNS FROM NET
#
REDIRECT  loc                22                 tcp    ssh           -        !192.168.202.7  #UDP DNS FROM NET
ACCEPT    loc                fw                 tcp    ssh           -        -               #UDP DNS FROM NET
#
REDIRECT  net                22                 tcp    smtp          -        !69.17.65.22
ACCEPT    net                fw                 tcp    smtp          -        #Mail FROM Internet
#
REDIRECT  net                143                tcp    imap          -        !69.17.65.22
ACCEPT    net                fw                 tcp    imap          -        -               #IMAP FROM
#
REDIRECT  dmz                22                 tcp    smtp          -        !192.168.202.7
ACCEPT    dmz                fw                 tcp    smtp          -        #Mail FROM Internet
#
REDIRECT  dmz                143                tcp    imap          -        !192.168.202.7
ACCEPT    dmz                fw                 tcp    imap          -        -               #IMAP FROM Internet
# Server No. 1 smtp / imap
DNAT      net                dmz:192.168.202.7  tcp    smtp          -        69.17.65.22     #Mail FROM Internet
DNAT      net                dmz:192.168.202.7  tcp    imap          -        69.17.65.22     #IMAP FROM Internet
DNAT      loc                dmz:192.168.202.7  tcp    smtp          -        69.17.65.22     #Mail FROM local Network
DNAT      loc                dmz:192.168.202.7  tcp    imap          -        69.17.65.22     #IMAP FROM local Network
DNAT      loc                dmz:192.168.202.7  tcp    imap          -        69.17.65.22     #IMAP FROM local Network
ACCEPT    dmz:192.168.202.7  net                tcp    smtp          -        -               #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.7  net                tcp    imap          -        -               #Mail to the Firewall
ACCEPT    dmz:192.168.202.7  loc                tcp    smtp          -        -               #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.7  loc                tcp    imap          -        -               #Mail to the Firewall
# Server No. 1 http / https
DNAT      net                dmz:192.168.202.7  tcp    http          -        69.17.65.22     #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  net                tcp    http          -        -               #WWW FROM DMZ Internet
DNAT      loc                dmz:192.168.202.7  tcp    http          -        69.17.65.22     #WWW FROM Internet
ACCEPT    dmz:192.168.202.7  loc                tcp    http          -        -               #WWW TO Internet
DNAT      fw                 dmz:192.168.202.7  tcp    http          -        69.17.65.22     #Secure WWW FROM Internet
ACCEPT    dmz:192.168.202.7  fw                 tcp    http          -        -               #Secure WWW TO Internet
# Server No. 1 DNS
DNAT      net                dmz:192.168.202.7  tcp    domain        -        69.17.65.22     #WWW FROM Internet
DNAT      net                dmz:192.168.202.7  udp    domain        -        69.17.65.22     #WWW FROM Int
ACCEPT    dmz:192.168.202.7  net                tcp    domain        -        -               #WWW FROM DMZ Internet
ACCEPT    dmz:192.168.202.7  net                udp    domain        -        -               #WWW FROM DMZ Internet
DNAT      loc                dmz:192.168.202.7  tcp    domain        -        69.17.65.22     #WWW FROM Internet
DNAT      loc                dmz:192.168.202.7  udp    domain        -        69.17.65.22     #WWW FROM Interne
ACCEPT    dmz:192.168.202.7  loc                tcp    domain        -        -               #WWW TO Internet
ACCEPT    dmz:192.168.202.7  loc                tcp    domain        -        -               #WWW TO Internet
ACCEPT    dmz:192.168.202.7  loc                udp    domain        -        -               #WWW TO Internet
DNAT      fw                 dmz:192.168.202.7  tcp    domain        -        69.17.65.22     #Secure WWW FROM Internet
DNAT      fw                 dmz:192.168.202.7  udp    domain        -        69.17.65.22     #Secure WWW FROM Internet
ACCEPT    dmz:192.168.202.7  fw                 tcp    domain        -        -               #Secure WWW TO Internet
ACCEPT    dmz:192.168.202.7  fw                 udp    domain        -        -               #Secure WWW TO Internet
#SERVER NO.2
DNAT      net                dmz:192.168.202.8  tcp    smtp          -        69.17.65.161    #Mail FROM Internet
DNAT      net                dmz:192.168.202.8  tcp    imap          -        69.17.65.161    #IMAP FROM Internet
DNAT      loc                dmz:192.168.202.8  tcp    smtp          -        69.17.65.161    #Mail FROM local Network
DNAT      loc                dmz:192.168.202.8  tcp    imap          -        69.17.65.161    #IMAP FROM local Network
DNAT      fw                 dmz:192.168.202.8  tcp    smtp          -        69.17.65.161    #Mail FROM the Firewall
ACCEPT    dmz:192.168.202.8  net                tcp    smtp          -        -               #Mail to the Firewall
DNAT      net                dmz:192.168.202.8  tcp    http          -        69.17.65.161    #WWW FROM Internet
DNAT      net                dmz:192.168.202.8  tcp    https         -        69.17.65.161    #Secure WWW FROM Internet
DNAT      loc                dmz:192.168.202.8  tcp    https         -        69.17.65.161    #Secure WWW FROM local Network
ACCEPT    dmz:192.168.202.8  net                tcp    https         -        -               #Secure WWW Internet Network

-----Original Message-----
> From: Michael Worden [mailto:mw...@su...]
> Sent: Wednesday, September 29, 2004 05:35 PM
> To: 'Mailing List for Shorewall Users'
> Subject: Re: [Shorewall-users] start error]
>
> Thanks for your help.
> The dmz and loc subnet masks are both 255.255.255.0
> (192.168.202.0/24 and 192.168.0.0/24). I know you are busy, but I have
> provided a lengthy explanation of my error for the benefit of those who
> come after me.
>
> This was a stupid error. I'll review the excellent documentation again.
> [I'm not sure how you could have made it more clear. Quoting the Shorewall
> Setup Guide: "Just because connections of a particular type are allowed
> from zone A to the firewall and are also allowed from the firewall to zone
> B DOES NOT mean that these connections are allowed from zone A to zone B."]
> In my case, traffic from the loc to the firewall is permitted and the
> same traffic from the dmz to the loc is permitted, but Shorewall will not
> magically conclude that traffic from the loc to the firewall is permitted.
>
> My error comes from misunderstanding the relationship between rules and
> policies. I have a policy that says "loc dmz ACCEPT". I thought that this
> would cover the connection initiated by the loc client. I misinterpreted
> the guide quoted here. [The Shorewall Setup Guide: "This file is used to
> describe the firewall policy regarding establishment of connections.
> Connection establishment is described in terms of clients who initiate
> connections and servers who receive those connection requests. Policies
> defined in /etc/shorewall/policy describe which zones are allowed to
> establish connections with other zones. Policies established in
> /etc/shorewall/policy can be viewed as default policies. If no rule in
> /etc/shorewall/rules applies to a particular connection request then the
> policy from /etc/shorewall/policy is applied."] I thought that by getting a
> SYN packet originating on the loc client to the DMZ server the policy would
> apply. I will go back and reread this to figure out this relationship.
>
> Regarding proxy ARP, I would do the proxy ARP but couldn't figure out how
> to do it with only two public IP addresses. For me, having only two public
> IPs made my setup more like a standard configuration with a single IP
> address, with a parallel set of rules for each IP address on eth0 and
> eth0:1. If proxy ARP is the way to go, I'll burn down this setup in a
> heartbeat and start over. I understand that a bridge can work without an
> IP address since it works at the frame level, but I got lost when I was
> trying to use the Shorewall how-tos (this is not a criticism of the
> excellent quality of the documentation but an observation of my inability
> to apply them). All the ones I could find seemed to assume that the
> bridge had its own public IP address (I'm sorry if this is wrong; I really
> did read the documentation as best I could). I am also trying to install
> logwatch with the hope that I will make the problems with my configuration
> more clear to me.
>
> > ri...@sp... wrote:
> >> Thanks again for your sharp eye and speedy response. I have corrected
> >> the typos in the IP in the masq file. I am sorry to have to ask for
> >> more help, but my PCs on the local network can't reach the dmz
> >> webserver using the webserver's local or public IP address.
> >
> > It is not surprising that the local addresses don't work since you have
> > no rules permitting access from loc->dmz using those addresses; you
> > rather are using DNAT rules for the public IP addresses. For the
> > 12,945th time, this is why I prefer Proxy ARP for a DMZ rather than NAT;
> > with Proxy ARP, the systems in the DMZ are known universally by ONE IP
> > address.
> >
> > What subnet mask have you configured on the servers in the DMZ?
> >
> > -Tom
> > --
> > Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> > Shoreline,         \ http://shorewall.net
> > Washington USA      \ te...@sh...
> > PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> >
> > _______________________________________________
> > Shorewall-users mailing list
> > Post: Sho...@li...
> > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > Support: http://www.shorewall.net/support.htm
> > FAQ: http://www.shorewall.net/FAQ.htm
>
> --
> Michael Worden
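A check a practitioner would run over rules like those posted above, as an added example that is not part of this post or of Shorewall: it parses rule lines in the Shorewall 2.x column order used above (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST), reports REDIRECT rules whose firewall-side port (the DEST column) is not the port of the service named in DEST PORT, and reports rules that appear twice. The SERVICES map and the trimmed sample rule set are constructed from the rules posted; a REDIRECT of that kind hands connections for one service to a daemon speaking another protocol, which is how an SMTP client comes to read an SSH banner where it expects a 220 greeting.

```python
"""Lint Shorewall 2.x rules for REDIRECTs to the wrong local port and for
duplicated rules.  Added example, not part of the post or of Shorewall.
SAMPLE_RULES is a constructed subset of the rules posted in the thread."""
from collections import Counter

# Service name -> port for the names used in the DEST PORT column
# (constructed; a real install resolves these through /etc/services).
SERVICES = {"ssh": 22, "smtp": 25, "domain": 53, "http": 80, "imap": 143, "https": 443}

# Column order: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
SAMPLE_RULES = """\
# FW acts as secondary DNS and Mail server
REDIRECT  net   53                  tcp  domain  -  !69.17.65.22
REDIRECT  dmz   22                  tcp  smtp    -  !192.168.202.7
REDIRECT  dmz   143                 tcp  imap    -  !192.168.202.7
DNAT      loc   dmz:192.168.202.7   tcp  imap    -  69.17.65.22
DNAT      loc   dmz:192.168.202.7   tcp  imap    -  69.17.65.22
"""

def parse_rules(text):
    """Yield (lineno, fields) for each rule line; trailing comments are dropped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()

def redirect_mismatches(text):
    """REDIRECT rules whose firewall-side port (DEST column) differs from the
    port of the service in DEST PORT.  Returns [(lineno, service, port), ...]."""
    findings = []
    for lineno, f in parse_rules(text):
        if len(f) < 5 or f[0] != "REDIRECT" or not f[2].isdigit():
            continue
        expected = SERVICES.get(f[4])
        if expected is not None and int(f[2]) != expected:
            findings.append((lineno, f[4], int(f[2])))
    return findings

def duplicate_rules(text):
    """Rules whose columns appear more than once (comments ignored)."""
    counts = Counter(tuple(f) for _, f in parse_rules(text))
    return [list(f) for f, n in counts.items() if n > 1]

if __name__ == "__main__":
    for lineno, svc, port in redirect_mismatches(SAMPLE_RULES):
        print(f"line {lineno}: {svc} traffic redirected to firewall port {port}")
    for dup in duplicate_rules(SAMPLE_RULES):
        print("duplicate rule:", " ".join(dup))
```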