Hi,

That did the trick!

Thanks, Robert

>> I have been using DS cd 1.02 since it came out and I have had no problems.
>> Today I endeavored to put in a webserver on a private DMZ. It is obvious
>> that I am now exceeding my knowledge of this subject. My private net still
>> works but I can't get the DMZ to go. I think that the new card is working
>> as it blinks when I ping but who knows... I am sure that I have something
>> wrong as I get denied www packets in the output log but I don't know where
>> I went wrong. I have included everything I can think of including the
>> output of a debug script I wrote a while back. I really didn't think that
>> *I* would need it. I have one static IP so I am using a PRIVATE DMZ. In
>> short I have made these changes to /etc/network.conf.
>
> It looks like everything is pretty much configured correctly. Your problem
> seems to be that packets headed for your DMZ webserver (192.168.2.1) are
> routed out eth0, not eth2, and are being denied by the generic outbound
> garbage filter. I almost didn't spot the reason, but it's pretty obvious
> once found:
>
>> eth2_IPADDR=192.164.2.254
>
> That should be *168*, not *164*. This is why your setup is acting odd, and
> why the DMZ system seems disconnected from the world (because it is!).
>
> The only other thing I noticed is you're opening the www port twice:
>
>> # Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
>> #EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
>> EXTERN_TCP_PORT1="0/0 www"
>> EXTERN_TCP_PORT0="0/0 www"
>
> The PORT0 and PORT1 definitions are identical...no real harm here (it just
> creates duplicate allow rules), but you really only need PORT0 defined...
>
> NOTE: You should be able to see the machines in the DMZ network from your
> internal network, but it doesn't work the other way around...the internal
> network is masqueraded to the DMZ network, just like the internal network
> gets masqueraded to the internet. You can make outgoing connections from
> the internal net, but connections inbound from either the internet at large
> or from the DMZ network are not allowed by default. You can also access any
> port-forwarded public services using the public IP, very handy if you're
> running a web server and want to access it by domain name...access other
> services using the 192.168.2.xx IP address...
>
> Hope you get going!
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
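As an added example (not from the thread and not LEAF's own code), a small checker that reads a network.conf-style fragment and flags both problems Charles found: the DMZ host 192.168.2.1 not lying on any configured interface subnet (so it falls to the default route out eth0) and the repeated EXTERN_TCP_PORT entry. It assumes a /24 netmask on every interface, which the thread does not show, and uses a constructed fragment modelled on the quoted lines.

```python
import ipaddress, re

# Constructed network.conf fragment modelled on the lines quoted in the thread
# (the 192.164 typo and the duplicated www entry); not the poster's real file.
SAMPLE_CONF = """
eth0_IPADDR=5.6.7.8
eth1_IPADDR=192.168.1.254
eth2_IPADDR=192.164.2.254
# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
#EXTERN_TCP_PORT0="5.6.7.8 domain 1.1.1.12"
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT0="0/0 www"
"""

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)=("?)(.*?)\2\s*$')  # KEY=value / KEY="value"

def parse_conf(text):
    """Return {KEY: value} in file order, skipping blank and commented lines."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(3)
    return conf

def find_duplicate_ports(conf, prefix="EXTERN_TCP_PORT"):
    """Indexed port entries whose 'SrcAddr/Mask port [Dest]' spec repeats an earlier one."""
    seen, dups = {}, []
    for key, value in conf.items():
        if key.startswith(prefix):
            spec = " ".join(value.split())  # normalise whitespace before comparing
            if spec in seen:
                dups.append((seen[spec], key, spec))
            else:
                seen[spec] = key
    return dups

def interface_for(conf, host, prefixlen=24):
    """Name of the ethN whose attached subnet contains host, or None (default route).
    prefixlen is an assumption: the thread does not show the interface netmasks."""
    target = ipaddress.ip_address(host)
    for key, value in conf.items():
        if key.endswith("_IPADDR"):
            net = ipaddress.ip_interface(f"{value}/{prefixlen}").network
            if target in net:
                return key[: -len("_IPADDR")]
    return None
```

With the typo in place, `interface_for(conf, "192.168.2.1")` returns None; after correcting eth2_IPADDR to 192.168.2.254 it returns "eth2".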