Stranger yet, https to the dmz host from the internal (net) works fine, which implies that proxy arp is correctly setup. The only other rule I have for http is the one for the transparent proxy, added automatically by snf... Do I need to change the order of the rules and move that one below the one allowing/forwarding access to the dmz?

Thanks!

--- Jose Bernardo Silva <[EMAIL PROTECTED]> wrote:
> I forgot, when I launch prelude there is always the error "prelude: error opening '/etc/prelude/prelude.rules'".
>
> --- Jose Bernardo Silva <[EMAIL PROTECTED]> wrote:
> > Hi!
> >
> > I have been able to forward smtp, http and https to my DMZ webmail server. My problem now is how to access it using proxy arp. I have tried all configs I could find in www.shorewall.ent, and am always unable to access the webmail server using the domain name, only using the internal ip, when I am inside the firewall. From the outside, everything works.
> >
> > Another (probably unrelated) problem is that snort is always complaining about portscans generated by the external interface, as if it was the one attacking other hosts... I am not a big fan of snort, I like prelude better, as its logs are more understandable, but prelude here dies at the first malformed packet.
> >
> > Thanks!
> >
> > --- Florin <[EMAIL PROTECTED]> wrote:
> > > Art Mason <[EMAIL PROTECTED]> writes:
> > >
> > > > I've had hell trying to get port forwarding to work properly on my SNF 8.2-BETA box. Everything else (squid, dansguardian) simply rocks, though. Here's the dilemma:
> > > >
> > > > eth0: 192.168.1.254/24
> > > > eth1: ext.ip.addr.inet
> > > >
> > > > NAT works great, transparent squid proxying works great, but I'm trying to forward SMTP from a Postfix gateway on the DMZ and forward HTTPS from the Internet to allow outside users to securely check their e-mail from home w/o sending plaintext passwords all over the place. The setup has been working well w/ snf-7.2/ipchains, but I'd like to standardize on snf-8.2 if possible.
> > > >
> > > > Here's what syslog reports to me when I try HTTPS from the outside:
> > > >
> > > > proxy kernel: Shorewall:wan2all:DROP:IN=eth1 OUT= MAC= SRC=external test IP address DST=ext.ip.addr.inet LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=46581 DF PROTO=TCP SPT=33159 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
> > > >
> > > > Relevant rules from /etc/shorewall/rules:
> > > >
> > > > ACCEPT lan wan tcp smtp -
> > > > ACCEPT wan lan tcp smtp -
> > > > ACCEPT lan wan tcp https -
> > > > ACCEPT wan lan tcp https -
> > > > ACCEPT wan lan:192.168.1.3 tcp smtp - all
> > > > ACCEPT wan lan:192.168.1.3 tcp https - all
> > > >
> > > > And /etc/shorewall/interfaces:
> > > >
> > > > lan eth0 detect routestopped
> > > > wan eth1 detect noping
> > >
> > > hello there,
> > >
> > > I have noticed that you have two rules on https
> > >
> > > I do the same thing here and this is what I get on the firewall:
> > >
> > > [root@firewall root]# grep https /etc/shorewall/rules
> > > ACCEPT dmz wan tcp https -
> > > ACCEPT lan wan tcp https -
> > > ACCEPT wan dmz:192.168.1.3 tcp https - all
> > >
> > > > Finally, /etc/shorewall/policy:
> > > >
> > > > lan wan ACCEPT
> > > > fw wan ACCEPT
> > > > wan all DROP info
> > > > all all REJECT info
> > >
> > > I have everything on DROP ...
> > >
> > > in my case, a https connection on the external IP of the firewall will redirect me on the dmz https server. Is your server inside the lan zone?
> > >
> > > cheers,
> > > --
> > > Florin http://www.mandrakesoft.com
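The thread turns on rule order: Florin points out two overlapping https rules, and Jose asks whether the transparent-proxy REDIRECT that SNF adds has to be moved below the rule that forwards traffic to the DMZ host. The Python below is an added example, not code from the thread, from SNF or from the Shorewall project. It is a small first-match checker over a Shorewall-style rules file: it assumes the classic column layout (ACTION SOURCE DEST PROTO DEST PORT SOURCE PORT ORIGINAL DEST), models the file as a single first-match list (a simplification, since Shorewall really emits per-zone-pair filter chains plus nat-table entries), and the sample rules, zone names and the 203.0.113.10 address are constructed for the example.

```python
"""First-match shadowing checker for a Shorewall-style rules file.

Added example (not the thread's, SNF's or Shorewall's code). Assumes the
column layout ACTION SOURCE DEST PROTO DPORT [SPORT [ORIGDEST]] and treats
the whole file as one first-match list, which simplifies what Shorewall
actually generates.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for /etc/services, enough for the sample rules.
SERVICE_PORTS = {"http": 80, "www": 80, "https": 443, "smtp": 25}


@dataclass
class Rule:
    action: str
    src_zone: str
    src_host: Optional[str]
    dst_zone: str
    dst_host: Optional[str]
    proto: str                # "all" when the column is "-"
    dport: Optional[int]      # None when the rule matches every port
    orig_dest: Optional[str]  # None when the column is "-" or "all"
    lineno: int


def _split_zone(field: str) -> Tuple[str, Optional[str]]:
    """'dmz:192.168.1.3' -> ('dmz', '192.168.1.3'); 'wan' -> ('wan', None)."""
    zone, _, host = field.partition(":")
    return zone, (host or None)


def _port(field: str) -> Optional[int]:
    if field in ("-", "", "all"):
        return None
    return SERVICE_PORTS[field] if field in SERVICE_PORTS else int(field)


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (7 - len(cols))      # pad missing trailing columns
        action, src, dst, proto, dport, _sport, orig = cols[:7]
        src_zone, src_host = _split_zone(src)
        if action.upper() == "REDIRECT":
            # For REDIRECT the DEST column is the local port (e.g. 3128):
            # the packet ends up at the firewall itself.
            dst_zone, dst_host = "fw", None
        else:
            dst_zone, dst_host = _split_zone(dst)
        rules.append(Rule(action.upper(), src_zone, src_host, dst_zone, dst_host,
                          "all" if proto == "-" else proto.lower(), _port(dport),
                          None if orig in ("-", "all") else orig, lineno))
    return rules


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` would match is already matched by `earlier`."""
    if earlier.src_zone not in ("all", later.src_zone):
        return False
    if earlier.src_host is not None and earlier.src_host != later.src_host:
        return False
    # A REDIRECT grabs matching traffic whatever its original destination,
    # so only non-REDIRECT rules are narrowed by their DEST column.
    if earlier.action != "REDIRECT":
        if earlier.dst_zone not in ("all", later.dst_zone):
            return False
        if earlier.dst_host is not None and earlier.dst_host != later.dst_host:
            return False
    if earlier.proto not in ("all", later.proto):
        return False
    if earlier.dport is not None and earlier.dport != later.dport:
        return False
    if earlier.orig_dest is not None and earlier.orig_dest != later.orig_dest:
        return False
    return True


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """(earlier_line, later_line, kind) for each rule that can never fire:
    "redundant" if both take the same action, "shadowed" if they differ."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((earlier.lineno, later.lineno, kind))
                break
    return findings


# Constructed sample modelled on the rules quoted in the thread, not a copy of them.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST              PROTO  DPORT  SPORT  ORIGDEST
REDIRECT  lan     3128              tcp    http
ACCEPT    wan     dmz               tcp    https
ACCEPT    wan     dmz:192.168.1.3   tcp    https  -      all
DNAT      lan     dmz:192.168.1.3   tcp    http   -      203.0.113.10
DNAT      wan     dmz:192.168.1.3   tcp    http   -      203.0.113.10
"""

if __name__ == "__main__":
    for earlier, later, kind in find_shadowed(parse_rules(SAMPLE_RULES)):
        print(f"line {later} is {kind}: line {earlier} already matches that traffic")
```

On the constructed sample the checker reports that the host-specific https rule on line 4 is redundant (line 3 already accepts the same traffic, the situation Florin noticed) and that the lan-to-DMZ http forward on line 5 is shadowed by the proxy REDIRECT on line 2 (the ordering question Jose raises); the wan-to-DMZ forward on line 6 is untouched because the REDIRECT only applies to the lan zone. Treat the output as a review hint rather than a verdict and confirm against the generated tables with `iptables -t nat -L -n` and `iptables -L -n` on the firewall.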