> OK, That change seems to have removed the
> /sbin/ipchains: invalid port/service `10.72.104.96/28'  error
>
> I am getting this error now:
>
> IP filters: /sbin/ipchains: can only specify ports for icmp, tcp or udp
> Try `/sbin/ipchains -h' or '/sbin/ipchains --help' for more information.
>
> and these denys:
>
> Packet log: forward DENY eth2 PROTO=6 10.72.104.98:1559 192.168.2.1:80
> Packet log: forward DENY eth2 PROTO=6 192.168.65.12:3590 192.168.2.1:80
>
> when I type in the URL to the host in the DMZ.  I am guessing I have a
> misconfig in the network.conf that blocks traffic into the DMZ from the
> eth0_IP_EXTRA_ADDRS? (which I never figured out from the start)

Hmm...I guess that's what you get for playing guinea pig :-)  Without
any more diagnostic info, the only thing I see that might be wrong is
another section of /etc/ipfilter.conf.  Find the following section of
code (around about line 775):

<quote>
elif [ "$DMZ_SWITCH" = "PRIVATE" ]; then

        # port_forward services to a private DMZ
        walk_list DMZ_SERVER $INIT_INDEX port_forward

        # Masquerade internal network to DMZ network
        $IPCH -A forward -j MASQ -p all -s $INTERN_NET -d $DMZ_NET -i $DMZ_IF

        if [ "$DMZ_OUTBOUND_ALL" = "YES" ]; then

                # Masquerade DMZ network to world
                $IPCH -A forward -j MASQ -p all -s $DMZ_NET -d 0/0 \
                        -i $EXTERN_IF
        fi

        # Reverse masquerade port_forwarded DMZ services
        # Allows access using public IP address on internal network
        walk_list DMZ_SERVER $INIT_INDEX DMZ_reverse_masq $DMZ_OUTBOUND_ALL
fi
</quote>

You need to change the line masquerading the internal network to the DMZ
to support multiple internal networks...

Change:
        # Masquerade internal network to DMZ network
        $IPCH -A forward -j MASQ -p all -s $INTERN_NET -d $DMZ_NET -i $DMZ_IF

To:
        # Masquerade internal network(s) to DMZ network
        for NET in $INTERN_NET; do
                $IPCH -A forward -j MASQ -p all -s $NET -d $DMZ_NET -i $DMZ_IF
        done; unset NET

If this still doesn't work, please help me out by providing a bit more
in the way of diagnostics.  Post the problem(s) you're having, as well
as the contents of network.conf (either unabridged, or with only
comments removed), and the outputs of "net ipfilter list", "ip addr",
and "ip route", and I'll see if I can spot what's wrong...

Sorry for all the trouble :<

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
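Added example (not part of Charles's reply or the LEAF scripts): a small Python check that models why the single-rule form breaks once INTERN_NET holds two networks, and that matches the denied sources from the packet log against the -s networks of the rules that would actually load. INTERN_NET, DMZ_NET, DMZ_IF and the log lines below are constructed stand-ins for the poster's network.conf and logs; the parsing mirrors the way an unquoted multi-word variable is split by the shell, so the second network ends up behind -s where ipchains expects an optional port.

```python
import ipaddress
import re
import shlex

# Constructed values standing in for network.conf (assumption: two internal
# networks behind the router, one private DMZ network on eth2).
INTERN_NET = "10.72.104.96/28 192.168.65.0/24"
DMZ_NET = "192.168.2.0/24"
DMZ_IF = "eth2"
IPCH = "/sbin/ipchains"

# Constructed ipchains packet-log lines in the format quoted in the thread.
PACKET_LOG = """\
Packet log: forward DENY eth2 PROTO=6 10.72.104.98:1559 192.168.2.1:80
Packet log: forward DENY eth2 PROTO=6 192.168.65.12:3590 192.168.2.1:80
"""

LOG_RE = re.compile(r"forward DENY (\S+) PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")


def masq_rules_single(intern_net):
    """Original line: one rule with $INTERN_NET expanded unquoted, so the
    shell word-splits it and the second network lands after -s as a port."""
    cmd = f"{IPCH} -A forward -j MASQ -p all -s {intern_net} -d {DMZ_NET} -i {DMZ_IF}"
    return [shlex.split(cmd)]


def masq_rules_loop(intern_net):
    """The fix: the for-loop emits one well-formed rule per network."""
    rules = []
    for net in intern_net.split():
        cmd = f"{IPCH} -A forward -j MASQ -p all -s {net} -d {DMZ_NET} -i {DMZ_IF}"
        rules.append(shlex.split(cmd))
    return rules


def stray_tokens(rule):
    """Non-option tokens that follow an address; ipchains reads them as a
    port spec, which -p all rejects ("can only specify ports for ...")."""
    return [rule[i + 2] for i, tok in enumerate(rule)
            if tok in ("-s", "-d") and i + 2 < len(rule)
            and not rule[i + 2].startswith("-")]


def uncovered_sources(log, rules):
    """Denied sources in the log not covered by any rule that would load."""
    covered = [ipaddress.ip_network(r[r.index("-s") + 1])
               for r in rules if not stray_tokens(r)]
    return [m.group(3) for m in LOG_RE.finditer(log)
            if not any(ipaddress.ip_address(m.group(3)) in n for n in covered)]
```

With the single-rule form both logged sources come back as uncovered because the one rule never loads; with the loop form the list is empty, which is the expected state once the edit above is applied.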

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html