From: Tom E. <te...@sh...> - 2006-08-27 03:08:54
Jason Flatt wrote:
> On Saturday 26 August 2006 17:45, Tom Eastep wrote:
>> Jason Flatt wrote:
>>> 2) People from net cannot access dmz (I did test this with a PC outside
>>> of the network). It started working when I created a net->dmz ACCEPT
>>> policy, but, based on the instructions, I don't think I should have to do
>>> that.
>> Folks -- I can't emphasize enough. I need to know what destination IP
>> address, protocol and port is being accessed from the net to the dmz.
>> "People from the net cannot access dmz" is completely useless as a
>> problem description. If that is the level at which you yourself are
>> thinking about your problem, then you will never solve it! You have to
>> get down to the details.
>>
>> -Tom
>
> I'm sorry. I guess I thought it was obvious, but you're absolutely correct. I
> cannot assume that the correct information would be inferred from the dump
> file. I will try to recite all I can remember (which should be most, if not
> all), as I am no longer on site.
>
> There are two domain names: caringnurses.com and caringnurses.net
> There is one static IP address: 208.57.199.83 (The public IP for the company.)
>
> The internal network is set to use a class C of 192.168.144.0/24
>
> There is a server (the dmz) at 192.168.120.26 (originally 192.168.144.26, but
> changed for the firewall, based on the document) handling HTTP on port 80.
>
> There is another server (in loc) at 192.168.144.22 handling FTP on port 21 and
> HTTPS on port 443.
>
> There is another server (also in loc) at 192.168.144.151 handling FTP on port
> 2188 and HTTP on port 8088.
>
> Webmin is set up on the firewall at HTTP port 8696.
>
> There is a Windows Domain Controller handling DNS on port 53 for the internal
> network. Currently I have a firewall rule set to allow all DNS traffic, but I
> suspect I will limit it to outbound only once the dust settles.
>
> I generally allow both TCP and UDP for any port I open up.
>
> So, for the tests from the outside, I simply had my wife try to access
> http://www.caringnurses.com/, and she couldn't until I created the policy to
> allow net to dmz (which I think I removed before I sent the dump file).

You didn't.

> I know one does not preclude the other, but with the problems I was having
> getting out of the network, I didn't expect inbound to work.
>
> I think that's it. Did I leave anything out?
>

So www.caringnurses.com is now working -- what is the current state of the firewall?

All of the internal systems (including the web server) *do* have the Shorewall box configured as their default gateway, right?

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
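As an added illustration of the point Tom is making (this is not part of the thread and not Shorewall's own documentation), here is how the one fact the thread does establish, HTTP on TCP port 80 to the DMZ host 192.168.120.26, maps onto Shorewall's configuration, beside the overbroad net->dmz ACCEPT policy that Jason reports having added. The column layout assumed is that of the Shorewall 3.x /etc/shorewall/policy and /etc/shorewall/rules files (ACTION SOURCE DEST PROTO DEST PORT); the zone names net, loc and dmz are the ones used in the thread.

```text
# /etc/shorewall/policy (constructed fragment)
#
# Weak setting: a zone-wide ACCEPT policy exposes every port on every
# DMZ host to the Internet, not just the web server.
#SOURCE  DEST  POLICY  LOG LEVEL
#net     dmz   ACCEPT

# Corrected: the policy stays closed and logs what it drops, so a
# failing connection shows up in the log with its destination IP,
# protocol and port (exactly the details asked for above).
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info

# /etc/shorewall/rules (constructed fragment)
#
# One narrow exception: forward TCP/80 arriving on the firewall's
# public side to the DMZ web server. HTTP is TCP only, so no UDP rule
# is needed for this port.
#ACTION  SOURCE  DEST                PROTO  DEST PORT(S)
DNAT     net     dmz:192.168.120.26  tcp    80
```

With the policy left at DROP with a log level, a connection that is still refused leaves a line in the kernel log naming the source, destination, protocol and port, which is the problem description Tom is asking for; with a blanket ACCEPT policy in place, nothing is logged and nothing is learned.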