> I am trying to set up a DMZ for my webserver.
>
> I have 3 NICs:
> 1 External PUBLIC_IP
> 1 Internal LAN 192.X.X.x
> 1 DMZ 10.0.1.1
>
> I am using leaf 2.2.19 Dachstein. I am wondering whether anyone has any DMZ
> config files to share to set up the webserver on the DMZ so that it is not
> seen on the network.
>
> I was able to connect to the webserver using the private address (10.X.X.X)
> from the internal LAN. I was told that if the webserver is set up right I
> could use the static IP address and be able to connect to the server. I
> have not been able to do that.
>
> # DMZ setup
> # Whether you want a DMZ or not (YES, PROXY, NO)
> DMZ_SWITCH=YES
> DMZ_IF="eth2"          # DMZ Interface
> DMZ_NET=10.0.1.0/24    # DMZ Network
Hmm...make sure you're really using the Dachstein firewall scripts. The above
should look like:

###############################################################################
# DMZ setup (optional)
###############################################################################
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)

You want to set DMZ=PRIVATE...none of the other settings work unless you have
more than one public IP.

<snip>

> # Inbound services to allow to the DMZ
> # __
> DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
>   tcp_${DMZ_NET}_ssh
>   tcp_10.0.1.2_www

It looks like you want to set up dns, ssh, and www services on your DMZ
system. To do this with a private DMZ, use the following:

DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP ssh 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"

NOTE that you can change the source (or destination) port, if desired...you
may want/need to do this if you also want to ssh into your firewall from the
internet. You can port-forward a different port (like 221) to the web-server
by using the following instead:

DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"

You probably also want:

DMZ_OUTBOUND_ALL=YES

to allow your DMZ system general masqueraded access to the internet;
otherwise it can only respond to the services you've configured (i.e. no
web-browsing or ftp downloading of software updates).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
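As an added example, not part of the thread above and not code from the Dachstein scripts: a small POSIX shell script that parses entries in the DMZ_SERVERn layout Charles describes ("proto public_ip public_port dmz_ip dmz_port"), resolves the service names used in the thread (domain, ssh, www) to port numbers, accepts a numeric public port such as 221, refuses any target address that does not lie inside DMZ_NET (so a typo cannot forward an internet port straight onto the 192.x LAN), and prints the 2.2-kernel `ipmasqadm portfw` command each entry corresponds to. It prints rather than executes, so it can be run anywhere. The public address 198.51.100.1 is a constructed stand-in for $EXTERN_IP, and that the LEAF scripts emit exactly this ipmasqadm form for a PRIVATE DMZ is an assumption made for illustration.

```shell
#!/bin/sh
# Added example, not from the leaf-user thread or the Dachstein scripts.
# Parses DMZ_SERVERn-style entries, validates them, and prints the ipmasqadm
# portfw command each one corresponds to (assumed form, for illustration).

EXTERN_IP=198.51.100.1     # constructed stand-in for the firewall's public IP
DMZ_NET=10.0.1.0/24        # DMZ network from the original post

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change
# does not leak into the caller. Returns 1 on anything but four octets.
ip2int() (
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_net IP CIDR: succeeds when IP lies inside CIDR (e.g. 10.0.1.0/24).
in_net() {
  nn=${2%/*}; nb=${2#*/}
  nm=$(( (4294967295 << (32 - nb)) & 4294967295 ))   # prefix mask
  ip=$(ip2int "$1") || return 1
  n=$(ip2int "$nn") || return 1
  [ $(( ip & nm )) -eq $(( n & nm )) ]
}

# Service name -> port number for the names the thread uses; numeric
# ports (like the 221 in Charles' example) pass through unchanged.
svc_port() {
  case $1 in
    domain)        echo 53 ;;
    ssh)           echo 22 ;;
    www|http)      echo 80 ;;
    '' | *[!0-9]*) return 1 ;;   # empty or unknown service name
    *)             echo "$1" ;;
  esac
}

# dmz_rule "proto pub_ip pub_port dmz_ip dmz_port" DMZ_NET
# Prints the forwarding command, or an error on stderr and returns 1.
dmz_rule() {
  set -- $1 "$2"                       # split the entry into its five fields
  [ $# -eq 6 ] || { echo "malformed entry (need 5 fields)" >&2; return 1; }
  proto=$1 pub=$2 pubport=$3 dmz=$4 dmzport=$5
  case $proto in
    tcp|udp) ;;
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac
  pubport=$(svc_port "$pubport") || { echo "unknown public port: $3" >&2; return 1; }
  dmzport=$(svc_port "$dmzport") || { echo "unknown DMZ port: $5" >&2; return 1; }
  # The security check: never forward to a host outside the DMZ network.
  in_net "$dmz" "$6" || { echo "refusing $dmz: not inside $6" >&2; return 1; }
  echo "ipmasqadm portfw -a -P $proto -L $pub $pubport -R $dmz $dmzport"
}

# Constructed entries: the four from the reply, the port-221 ssh variant,
# and one deliberate mistake that points at the internal LAN.
while read -r entry; do
  dmz_rule "$entry" "$DMZ_NET" || echo "skipped: $entry" >&2
done <<EOF
udp $EXTERN_IP domain 10.0.1.2 domain
tcp $EXTERN_IP domain 10.0.1.2 domain
tcp $EXTERN_IP ssh 10.0.1.2 ssh
tcp $EXTERN_IP www 10.0.1.2 www
tcp $EXTERN_IP 221 10.0.1.2 ssh
tcp $EXTERN_IP www 192.168.1.10 www
EOF
```

The last constructed entry is rejected because 192.168.1.10 is outside 10.0.1.0/24; that is the check worth keeping in mind whenever a DMZ_SERVERn line is edited by hand, since a forwarding rule to the wrong network silently exposes an internal host.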