I forgot, when I launch prelude there is always the
error "prelude: error opening
'/etc/prelude/prelude.rules'".

 --- Jose Bernardo Silva <[EMAIL PROTECTED]> wrote:
> Hi!
> I have been able to forward smtp, http and https to my
> DMZ webmail server. My problem now is how to access it
> using proxy arp. I have tried all configs I could find
> in www.shorewall.ent, and am always unable to access
> the webmail server using the domain name, only using
> the internal ip, when I am inside the firewall. From
> the outside, everything works.
> 
> Another (probably unrelated) problem is that snort is
> always complaining about portscans generated by the
> external interface, as if it was the one attacking
> other hosts... I am not a big fan of snort, I like
> prelude better, as its logs are more understandable,
> but prelude here dies at the first malformed packet.
> 
> Thanks!
> 
>  --- Florin <[EMAIL PROTECTED]> wrote:
> > Art Mason <[EMAIL PROTECTED]> writes:
> > 
> > > I've had hell trying to get port forwarding to work properly on my SNF
> > > 8.2-BETA box.  Everything else (squid, dansguardian) simply rocks,
> > > though.  Here's the dilemma:
> > >
> > > eth0: 192.168.1.254/24
> > > eth1: ext.ip.addr.inet
> > >
> > > NAT works great, transparent squid proxying works great, but I'm trying
> > > to forward SMTP from a Postfix gateway on the DMZ and forward HTTPS from
> > > the Internet to allow outside users to securely check their e-mail from
> > > home w/o sending plaintext passwords all over the place.  The setup has
> > > been working well w/ snf-7.2/ipchains, but I'd like to standardize on
> > > snf-8.2 if possible.  Here's what syslog reports to me when I try HTTPS
> > > from the outside:
> > > 
> > > proxy kernel: Shorewall:wan2all:DROP:IN=eth1 OUT= MAC=  SRC=external
> > > test IP address DST=ext.ip.addr.inet LEN=60 TOS=0x00 PREC=0x00 TTL=64
> > > ID=46581 DF PROTO=TCP SPT=33159 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
> > > 
> > > Relevant rules from /etc/shorewall/rules:
> > > 
> > > ACCEPT  lan     wan     tcp     smtp    -
> > > ACCEPT  wan     lan     tcp     smtp    -
> > > ACCEPT  lan     wan     tcp     https   -
> > > ACCEPT  wan     lan     tcp     https   -
> > > ACCEPT  wan     lan:192.168.1.3 tcp     smtp    -       all
> > > ACCEPT  wan     lan:192.168.1.3 tcp     https   -       all
> > > 
> > > And /etc/shorewall/interfaces:
> > > 
> > > lan       eth0    detect  routestopped
> > > wan       eth1    detect  noping
> > 
> > hello there,
> > 
> > I have noticed that you have two rules on https
> > 
> > 
> > I do the same thing here and this is what I get on the
> > firewall:
> >
> > [root@firewall root]# grep https /etc/shorewall/rules
> > ACCEPT  dmz     wan     tcp     https   -
> > ACCEPT  lan     wan     tcp     https   -
> > ACCEPT  wan     dmz:192.168.1.3       tcp     https   -       all
> > 
> > > Finally, /etc/shorewall/policy:
> > > 
> > > lan       wan     ACCEPT
> > > fw      wan     ACCEPT
> > > wan       all     DROP    info
> > > all       all     REJECT  info
> > 
> > I have everything on DROP ...
> > 
> > in my case, a https connexion on the external IP of the firewall will
> > redirect me on the dmz https server. Is your server inside the lan zone?
> > 
> > cheers,
> > -- 
> > Florin                      http://www.mandrakesoft.com 
> 