> I am trying to setup DMZ for my webserver.
>
> I have 3 NICs 1 External PUBLIC_IP
> 1 Internal LAN 192.X.X.x
> 1 DMZ 10.0.1.1
>
>
> I am using leaf 2.2.19 Dachstein. I wondering does anyone have any DMZ
> config files to share to setup the webserver on DMZ so that it is not seen
> on the network.
>
> I was able to connect to the webserverusing the private address(10.X.X.X)
> from the internal LAN. I was told if the webserver is setup right that I
> could use the static IP address and be able to connect to the server. I
> have not been able to do that.
>
>
> # DMZ setup
> # Whether you want a DMZ or not (YES, PROXY, NO)
> DMZ_SWITCH=YES
> DMZ_IF="eth2" # DMZ Interface
> DMZ_NET=10.0.1.0/24 # DMZ Network
Hmm...make sure you're really using the Dachstein firewall scripts. The
above should look like:
############################################################################
###
# DMZ setup (optional)
############################################################################
###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
You want to set DMZ=PRIVATE...none of the other settings work unless you
have more than one public IP.
<snip>
> # Inbound services to allow to the DMZ
> # __
> DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
> tcp_${DMZ_NET}_ssh
> tcp_10.0.1.2_www
It looks like you want to setup dns, ssh, and www services on your DMZ
system. To do this with a private DMZ, use the following:
DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP ssh 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"
NOTE that you can change the source (or destination) port, if desired...you
may want/need to do this if you also want to ssh into your firewall from the
internet. You can port-forward a different port (like 221) to the
web-server by using the following instead:
DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"
You probably also want:
DMZ_OUTBOUND_ALL=YES
To allow your DMZ system generall masqueraded access to the internet,
otherwise it can only respond to the services you've configured (ie no
web-browsing or ftp downloading software updates).
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user