After getting some help on multiple internal interfaces from the list last week, I set off to implement 2 internal + one DMZ interface on an LRP box.

The internal networks are 192.168.1.0/24 and 192.168.2.0/24 and are listed in the internal network definition as 192.168.0.0/16 (the internal interface and IP address are bogus/unchanged as suggested). This works well. I added the DMZ network as 172.20.0.0/16 and, network.conf reference in hand, set

  DMZ_SWITCH=PRIVATE
  DMZ_IF="eth3"
  DMZ_NET=172.20.0.0/16
  DMZ_OUTBOUND_ALL=YES

and set some DMZ_SERVERn definitions. I didn't set any other DMZ variables as they seemed to relate to DMZ_SWITCH=YES. All interfaces are set properly active at boot and the internal networks work fine. However, from the DMZ network, I cannot even ping the outside world. I can ping eth0 and eth3 by IP address from the DMZ and also a router on the external subnet which is my next hop to the internet. But nothing further. Being able to ping the router suggests that it is a firewall rule that is stopping other traffic going out (?). After checking and rechecking, I'm at a loss to understand what's going on. From what I can see, despite TCP and UDP ports being open for a variety of services, and those services then being listed in DMZ_SERVERn form, the outside world cannot see the DMZ network either. But maybe that's just because outgoing traffic from the DMZ is blocked. Any ideas what is going on here? I started to read through the ipchains stuff but didn't get far in trying to work out which rules might be responsible.

Some questions:

- does the DMZ network have to fall inside the internal, um, 'supernetwork' for the firewall rules to work? ie: should I make my DMZ network 192.168.3.0/16. I should have tried this but ran out of time.

- when specifying a DMZ_SERVERn with the extended port-forward definition, should the definition be in double quotes? Seemed like it wouldn't need to be.

- I added rules to log traffic from eth0 routed to the two internal networks. These were of the form:

  ipchains -I output -s ! 172.20.0.0/16 -d 192.168.1.0/24
  ipchains -I output -s ! 172.20.0.0/16 -d 192.168.2.0/24

  and were whacked in via the IP Filter/Firewall Rules (ACLs) section of lrcfg after it says "# Output stuff". After reloading the ipfilters there was no sign of these rules in the output chain (ipchains -nvL output --exact). Sorry for the newbie question, but are there good and bad places to put these rules in that file? '-I' should place them at the beginning of the chain regardless? Do rules with no target not get listed when you say ipchains -L output?

- Is it possible to use Jacques Nilo's dnscache package to supply names to the two internal networks and the DMZ? What address should I supply for the "LRP box internal IP" in this case? The LRP box also provides tinydns to the outside world so I guess I can't use 0.0.0.0 for dnscache.

- and finally, when testing connectivity from an internal network to the DMZ, should it be possible to ping machines in the DMZ network by IP address (172.20.0.1 for example)? I think this should be possible (providing the default gateway is set on the pinging machine and DMZ server to point at the LRP box).

Sorry for the big grab bag of questions. Any help much appreciated.

Matt

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
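Two of the questions above can be checked offline before touching the box: whether the DMZ prefix overlaps the internal "supernetwork" (and whether a candidate like 192.168.3.0/16 is even a valid network, since it has host bits set and collapses to 192.168.0.0/16), and exactly which source/destination pairs an ipchains rule of the form `-s ! 172.20.0.0/16 -d 192.168.1.0/24` would match. The following is an added example written for this edit, not code from the original post or from the LRP project. It only understands the `-s`/`-d` part of an ipchains rule (with `!` negation) and ignores every other option; the packet addresses it tests are constructed sample values.

```python
import ipaddress
import shlex

# Constructed from the values in the post above.
INTERNAL_NETS = ["192.168.1.0/24", "192.168.2.0/24"]
INTERNAL_SUPERNET = "192.168.0.0/16"
DMZ_NET = "172.20.0.0/16"


def check_net(spec):
    """Parse a CIDR spec; report when host bits are set (e.g. 192.168.3.0/16).

    Returns (network, problem_or_None). The network returned for a bad spec is
    the prefix the kernel would actually use once the host bits are masked off.
    """
    try:
        return ipaddress.ip_network(spec, strict=True), None
    except ValueError:
        net = ipaddress.ip_network(spec, strict=False)
        return net, f"{spec} has host bits set; it is really {net}"


def audit(dmz_spec, supernet_spec, internal_specs):
    """Sanity-check the DMZ vs internal network definitions; return findings."""
    findings = []
    dmz, prob = check_net(dmz_spec)
    if prob:
        findings.append(prob)
    supernet, prob = check_net(supernet_spec)
    if prob:
        findings.append(prob)
    for spec in internal_specs:
        net, prob = check_net(spec)
        if prob:
            findings.append(prob)
        if not net.subnet_of(supernet):
            findings.append(f"{spec} is not inside internal supernet {supernet}")
    # A DMZ that overlaps the internal range means any rule keyed on the
    # internal net (masquerading, accept-from-inside) also fires for DMZ hosts.
    if dmz.overlaps(supernet):
        findings.append(f"DMZ {dmz} overlaps internal {supernet}")
    return findings


def parse_rule(rule):
    """Extract the -s / -d matches (with optional '!') from an ipchains command.

    Hypothetical minimal parser: all other options (-I, chain name, -l, -j ...)
    are skipped, so only address matching is modelled.
    """
    toks = shlex.split(rule)
    spec = {}
    i = 0
    while i < len(toks):
        if toks[i] in ("-s", "-d"):
            key = toks[i]
            i += 1
            negate = toks[i] == "!"
            if negate:
                i += 1
            spec[key] = (negate, ipaddress.ip_network(toks[i], strict=False))
        i += 1
    return spec


def rule_matches(spec, src, dst):
    """True if a packet src->dst satisfies every -s/-d clause of the rule."""
    for key, addr in (("-s", src), ("-d", dst)):
        if key in spec:
            negate, net = spec[key]
            in_net = ipaddress.ip_address(addr) in net
            # With '!', the clause matches exactly when the address is NOT in net.
            if in_net == negate:
                return False
    return True


if __name__ == "__main__":
    for line in audit("192.168.3.0/16", INTERNAL_SUPERNET, INTERNAL_NETS):
        print("finding:", line)
    rule = parse_rule("ipchains -I output -s ! 172.20.0.0/16 -d 192.168.1.0/24")
    # Constructed sample flows: external -> internal, internal -> internal, DMZ -> internal.
    for src, dst in [("203.0.113.5", "192.168.1.10"),
                     ("192.168.2.7", "192.168.1.10"),
                     ("172.20.0.5", "192.168.1.10")]:
        print(src, "->", dst, "matches" if rule_matches(rule, src, dst) else "no match")
```

The second flow is the caveat worth knowing before trusting the log: because the source is negated rather than bound to the external interface, the rule matches traffic from 192.168.2.0/24 to 192.168.1.0/24 just as well as traffic arriving on eth0, so an `-i eth0` clause (not modelled here) is what actually restricts it to the outside world.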
