> > I missed adding this section to network.conf. Uncomment and change as
> > appropriate for your desired services.
> >
> > # Private DMZ switches
> > # Services port-forwarded to the DMZ network
> > #DMZ_SERVER0="udp 1.2.3.13 domain 192.168.2.1 domain"
> > #DMZ_SERVER1="tcp 1.2.3.13 domain 192.168.2.1 domain"
> > #DMZ_SERVER2="tcp 1.2.3.13 www 192.168.2.1 www"
> > #DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
> > #DMZ_SERVER4="tcp 1.2.3.12 www 192.168.2.1 8080"
>
> And I've added:
>
> #Private DMZ switches
> #Services port-forwarded to the DMZ network
> DMZ_SERVER0="tcp 1.2.3.12 22021 192.168.2.2 21"
> DMZ_SERVER1="tcp 1.2.3.12 22022 192.168.2.2 22"
> DMZ_SERVER2="tcp 1.2.3.12 22080 192.168.2.2 80"
> DMZ_SERVER3="tcp 1.2.3.12 22180 192.168.2.2 8080"
> DMZ_SERVER4="tcp 1.2.3.12 22443 192.168.2.2 443"
>
> I do have one question about this port-forwarding though.  Would there be a
> problem caused by the fact that the external/public ip address that is
> listed (1.2.3.12) is not my actual ip address because it is dynamically
> assigned by DHCP?  Should it be changed to something like $EXTERN_IP, or
> doesn't it matter?  Either way, I'm pretty sure that isn't my only problem
> as this shouldn't affect connections from internal net to dmz right?

You need to change all the 1.2.3.12 addresses to your local IP.  Since your
IP is dynamic, using $EXTERN_IP is probably the best bet.

These settings having the wrong source IP can affect access from the
internal network.

> > If you continue to have problems, please include the output of "svi
> > network ipfilter list", as well as the information you provided this
> > time...it will help me determine if there's a problem with your
> > network.conf settings, or the new firewall scripts.
>
> I did have one more theory that may or may not be relevant.  Unlike the
> (probably) more usual setup, my dmz interface is actually eth1 and my
> internal one eth2.  This is because my dmz has network cards with bnc
> connectors, whereas everything else is 10baseT.  It is a workaround for the
> fact that I can't (don't have the right dos disks) change the irq/dma (or
> whatever it's called) on the cards to get them to detect in a different
> order.  Could this have anything to do with my problems? I'm pretty sure I
> swapped over all the eth1/2 references in network.conf to reflect this
> change though.

As long as you've got the interface settings correct in network.conf, your
internal, external, and DMZ interface can be any valid TCP/IP capable
interface...even non-ethernet (ie ppp, token-ring, &c).

> Anyway, here's the output that you asked for.

Looks like some masquerading rules for the DMZ are missing...I'll have to
crawl through the new scripts to see what I've broken.  I'll try to post a
fix or updated version today.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
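A checker for the DMZ_SERVERn entries discussed in this thread, added here as an example; it is not part of LEAF/LRP or the firewall scripts Charles maintains. It assumes the five-field format shown above (protocol, external address, external port, DMZ address, DMZ port), numeric ports, and that the caller passes the address the external interface really holds; every address and entry inside it is constructed.

```shell
#!/bin/sh
# Added example (not LEAF/LRP code): sanity-check DMZ_SERVERn entries from
# network.conf, format "proto external_ip external_port dmz_ip dmz_port".

EXTERN_IP=10.0.0.5   # constructed: the address DHCP actually handed out

# Constructed network.conf fragment. Entries written with $EXTERN_IP pick up
# the current address when the file is sourced; a hard-coded one does not.
DMZ_SERVER0="tcp 1.2.3.12 22021 192.168.2.2 21"       # stale hard-coded address
DMZ_SERVER1="tcp $EXTERN_IP 22022 192.168.2.2 22"
DMZ_SERVER2="udp $EXTERN_IP 22022 192.168.2.2 22"     # same port, other proto: fine
DMZ_SERVER3="tcp $EXTERN_IP 22022 192.168.2.2 2222"   # collides with DMZ_SERVER1
DMZ_SERVER4="tcp $EXTERN_IP 22443 192.168.2.2"        # DMZ port missing

# dmz_problems WANTED_EXTERNAL_IP: print one line per problem, nothing if clean.
dmz_problems() {
    wanted=$1
    seen=""
    i=0
    while [ "$i" -le 15 ]; do
        eval "entry=\${DMZ_SERVER$i-}"
        if [ -n "$entry" ]; then
            set -- $entry                      # split the entry into fields
            if [ "$#" -ne 5 ]; then
                echo "DMZ_SERVER$i: expected 5 fields, got $#"
            else
                proto=$1; ext_ip=$2; ext_port=$3
                case "$proto" in
                    tcp|udp) ;;
                    *) echo "DMZ_SERVER$i: unknown protocol '$proto'" ;;
                esac
                # The thread's problem: a hard-coded external address that the
                # router no longer holds once DHCP hands out a different one.
                if [ "$ext_ip" != "$wanted" ]; then
                    echo "DMZ_SERVER$i: external $ext_ip is not the interface address $wanted"
                fi
                case " $seen " in
                    *" $proto/$ext_port "*) echo "DMZ_SERVER$i: $proto port $ext_port forwarded twice" ;;
                esac
                seen="$seen $proto/$ext_port"
            fi
        fi
        i=$((i + 1))
    done
    return 0
}

dmz_problems "$EXTERN_IP"
```

Run it with the address taken from the external interface (for example `ip -4 addr show dev eth0`) after each lease change; an empty report means the forwards refer to the address the router currently has.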



Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user