> I am trying to setup DMZ for my webserver.
>
> I have 3 NICs 1 External PUBLIC_IP
>               1 Internal LAN  192.X.X.x
>               1 DMZ  10.0.1.1
>
>
> I am using leaf 2.2.19 Dachstein. I am wondering whether anyone has any DMZ
> config files to share to set up the webserver on the DMZ so that it is not seen
> on the network.
>
> I was able to connect to the webserver using the private address (10.X.X.X)
> from the internal LAN.   I was told that if the webserver is set up right I
> could use the static IP address and be able to connect to the server.  I
> have not been able to do that.
>
>
> # DMZ setup
> # Whether you want a DMZ or not (YES, PROXY, NO)
> DMZ_SWITCH=YES
> DMZ_IF="eth2" # DMZ Interface
> DMZ_NET=10.0.1.0/24 # DMZ Network

Hmm...make sure you're really using the Dachstein firewall scripts.  The
above should look like:

###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)

You want to set DMZ=PRIVATE...none of the other settings work unless you
have more than one public IP.

<snip>

> # Inbound services to allow to the DMZ
> # __
> DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
> tcp_${DMZ_NET}_ssh
> tcp_10.0.1.2_www"

It looks like you want to setup dns, ssh, and www services on your DMZ
system.  To do this with a private DMZ, use the following:

DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP ssh 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"

NOTE that you can change the source (or destination) port, if desired...you
may want/need to do this if you also want to ssh into your firewall from the
internet.  You can port-forward a different port (like 221) to the
web-server by using the following instead:
DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"

You probably also want:
DMZ_OUTBOUND_ALL=YES

to allow your DMZ system general masqueraded access to the internet;
otherwise it can only respond to the services you've configured (i.e. no
web browsing or FTP downloading of software updates).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
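The DMZ_SERVERn lines above are a compact "proto external-IP external-port DMZ-IP DMZ-port" notation, and the port-name/number swap in the ssh example (221 outside, ssh inside) is easy to get backwards. The script below, an added example that is not part of the original message or of the Dachstein scripts, expands those entries into explicit rules and prints them rather than applying them, so a mistake can be caught before anything is loaded. Assumptions: it emits iptables DNAT/FORWARD/MASQUERADE syntax purely for illustration (Dachstein on a 2.2 kernel generates ipchains/ipmasqadm rules itself), the external interface name `EXTERN_IF=eth0` and the address 203.0.113.10 stand in for the poster's real values, the service-name table is a constructed stand-in for /etc/services, and the DMZ membership check only handles a /24.

```shell
#!/bin/sh
# Added example (not Dachstein code): expand Dachstein-style DMZ_SERVERn and
# DMZ_OUTBOUND_ALL settings into explicit firewall rules and print them.
# iptables syntax, EXTERN_IF, the public address and the service table below
# are assumptions for illustration only.

EXTERN_IF=eth0              # assumed name of the public interface
EXTERN_IP=203.0.113.10      # RFC 5737 documentation address, stands in for PUBLIC_IP
DMZ_IF=eth2
DMZ_NET=10.0.1.0/24
DMZ_OUTBOUND_ALL=YES

# The same entries as in the reply, with ssh reached on external port 221.
DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"

# port_number NAME: map a service name to its port; numbers pass through.
# Constructed table, a stand-in for /etc/services lookups.
port_number() {
  case "$1" in
    domain)    echo 53 ;;
    ssh)       echo 22 ;;
    www|http)  echo 80 ;;
    https)     echo 443 ;;
    *[!0-9]*)  echo "unknown service: $1" >&2; return 1 ;;
    *)         echo "$1" ;;
  esac
}

# rule_for "proto ext_ip ext_port dmz_ip dmz_port": print the two rules one
# DMZ_SERVER entry corresponds to (DNAT on arrival, then allow the forward).
rule_for() {
  set -- $1
  [ $# -eq 5 ] || { echo "bad DMZ_SERVER entry (need 5 fields): $*" >&2; return 1; }
  proto=$1; ext_ip=$2; dmz_ip=$4
  ext_port=$(port_number "$3") || return 1
  dmz_port=$(port_number "$5") || return 1
  prefix=${DMZ_NET%.*/*}        # "10.0.1" for a /24; /24-only check by assumption
  case "$dmz_ip" in
    "$prefix".*) ;;
    *) echo "destination $dmz_ip is not inside DMZ $DMZ_NET" >&2; return 1 ;;
  esac
  echo "iptables -t nat -A PREROUTING -p $proto -d $ext_ip --dport $ext_port -j DNAT --to-destination $dmz_ip:$dmz_port"
  echo "iptables -A FORWARD -o $DMZ_IF -p $proto -d $dmz_ip --dport $dmz_port -j ACCEPT"
}

# dmz_server_rules: walk DMZ_SERVER0..DMZ_SERVER9 and print every rule;
# stops with a non-zero status at the first malformed entry.
dmz_server_rules() {
  i=0
  while [ $i -lt 10 ]; do
    eval "line=\$DMZ_SERVER$i"
    if [ -n "$line" ]; then
      rule_for "$line" || return 1
    fi
    i=$((i + 1))
  done
}

# dmz_outbound_rules: what DMZ_OUTBOUND_ALL=YES adds, i.e. masqueraded access
# from the whole DMZ network out of the public interface.
dmz_outbound_rules() {
  if [ "$DMZ_OUTBOUND_ALL" = YES ]; then
    echo "iptables -t nat -A POSTROUTING -s $DMZ_NET -o $EXTERN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $DMZ_IF -s $DMZ_NET -o $EXTERN_IF -j ACCEPT"
  fi
}

dmz_server_rules
dmz_outbound_rules
```

Running it prints eight DNAT/FORWARD lines for the four entries plus the two outbound lines; a DMZ_SERVER entry whose destination is not in DMZ_NET, or that names a service the table does not know, is rejected instead of silently producing a rule.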



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user