List added back in...comments in-line.

> ok good fix
>
> no more ipchains errors when reloading the net configs
> no more denys from the internal nets
>
> I now only get denys from the outside trying to access the DMZ.
> And I can't access the DMZ (nothing gets denied. just no response back).

Now, all you need to do is allow packets from the internet through the firewall for the services you're port-forwarding to the DMZ...more below.

> so here is my config:
> ----------------------------------------------------
> VERBOSE=YES
> MAX_LOOP=10
> IPFWDING_KERNEL=FILTER_ON
> IPALWAYSDEFRAG_KERNEL=YES
> CONFIG_HOSTNAME=YES
> CONFIG_HOSTSFILE=YES
> CONFIG_DNS=YES
> IF_AUTO="eth0 eth1 eth2 eth3"
> IF_LIST="$IF_AUTO"
> ALLIF_ACCEPT_REDIRECTS=NO
> DEF_IP_SPOOF=YES
> DEF_IP_KRNL_LOGMARTIANS=NO
> BRG_SWITCH=NO
> eth0_IPADDR=66.93.80.54
> eth0_MASKLEN=24
> eth0_BROADCAST=66.93.80.255
> eth0_DEFAULT_GW=66.93.80.1
> eth0_IP_EXTRA_ADDRS="66.93.80.148"
> ++ Do I need to use this???
> #eth0_ROUTES="1.1.1.13 2.2.2.0/24_via_1.1.1.18"

You don't need to use any of the <iface>_ROUTES variables unless your network architecture includes networks that are *NOT* directly attached to the Dachstein box, *AND* these networks are *NOT* reached via the default gateway. This setting also comes in handy if you're running a proxy-arp DMZ, which uses routing tables to split up a single subnet connected to two physical interfaces. Most users can safely leave this commented (undefined).
> eth0_IP_SPOOF=YES
> eth0_IP_KRNL_LOGMARTIANS=NO
> eth0_IP_SHARED_MEDIA=NO
> eth0_BRIDGE=NO
>
> eth1_IPADDR=192.168.65.254
> eth1_MASKLEN=24
> eth1_BROADCAST=192.168.65.255
> eth1_IP_SPOOF=YES
> eth1_IP_KRNL_LOGMARTIANS=NO
>
> eth2_IPADDR=192.168.2.254
> eth2_MASKLEN=24
> eth2_BROADCAST=192.168.2.255
> #eth2_ROUTES=
> eth2_IP_SPOOF=YES
> eth2_IP_KRNL_LOGMARTIANS=NO
>
> eth3_IPADDR=10.72.104.97
> eth3_MASKLEN=28
> eth3_BROADCAST=10.72.104.111
> eth3_IP_SPOOF=YES
> eth3_IP_KRNL_LOGMARTIANS=NO
>
> IPFILTER_SWITCH=firewall
> EXTERN_IF="eth0"
> EXTERN_DHCP=NO
> EXTERN_DYNADDR=NO
>
> EXTERN_UDP_PORT0="0/0 domain"
>
> EXTERN_TCP_PORT0="0/0 domain"
> EXTERN_TCP_PORT1="0/0 www"
> EXTERN_TCP_PORT2="0/0 25"
> EXTERN_TCP_PORT3="0/0 110"
> EXTERN_TCP_PORT4="0/0 143"
>
> INTERN_IF="eth1"
> INTERN_NET="192.168.65.0/24 10.72.104.96/28"
> INTERN_IP=192.168.65.254
> MASQ_SWITCH=YES
>
> INTERN_SMTP_SERVER=192.168.65.4
> INTERN_POP3_SERVER=192.168.65.4
> INTERN_IMAP_SERVER=192.168.65.4
>
> DMZ_SWITCH=PRIVATE
> DMZ_IF="eth2"
> DMZ_NET=192.168.2.0/24
>
> DMZ_SERVER0="tcp 66.93.80.148 www 192.168.2.1 www"
> DMZ_SERVER1="tcp 66.93.80.148 ftp 192.168.2.1 ftp"
>
> DMZ_OUTBOUND_ALL=YES

The DMZ_SERVER entries only create the port-forwarding...you still have to allow the traffic through the firewall filters. You can do this using the EXTERN_TCP_PORTS indexed list, i.e.:

# Indexed list: "SrcAddr/Mask port [ DestAddr[/DestMask] ]"
EXTERN_TCP_PORT5="0/0 www 66.93.80.148"
EXTERN_TCP_PORT6="0/0 ftp 66.93.80.148"

Note if you don't specify the optional destination address, EXTERN_IP is used by default.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
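As an added consistency check (not Dachstein's own code, nor anything from the thread above), the script below applies the rule just stated to the quoted config: each tcp DMZ_SERVERn forward needs an EXTERN_TCP_PORTn rule admitting that port to that external address. It assumes EXTERN_IP equals the eth0 address, scans indexes 0-63, and compares port names literally (so "www" in one list must be "www" in the other).

```shell
#!/bin/sh
# Added consistency check (not part of Dachstein): flag every tcp DMZ_SERVERn
# forward whose external address/port has no EXTERN_TCP_PORTn rule admitting it.
# Assumption: EXTERN_IP equals the eth0 address; indexes 0-63 are scanned;
# port names are compared literally ("www" does not match "80").

# Constructed sample taken from the config in this thread, with the allow rule
# for www added but the one for ftp still missing.
EXTERN_IP=66.93.80.54
EXTERN_TCP_PORT0="0/0 domain"
EXTERN_TCP_PORT1="0/0 www"
EXTERN_TCP_PORT2="0/0 25"
EXTERN_TCP_PORT5="0/0 www 66.93.80.148"
DMZ_SERVER0="tcp 66.93.80.148 www 192.168.2.1 www"
DMZ_SERVER1="tcp 66.93.80.148 ftp 192.168.2.1 ftp"

# tcp_allowed ADDR PORT: succeed if some EXTERN_TCP_PORTn admits PORT to ADDR.
tcp_allowed() {
  want_addr=$1; want_port=$2; j=0
  while [ "$j" -lt 64 ]; do
    eval "rule=\${EXTERN_TCP_PORT$j}"
    j=$((j + 1))
    [ -n "$rule" ] || continue
    set -- $rule                 # $1=SrcAddr/Mask $2=port $3=DestAddr[/Mask]
    dest=${3:-$EXTERN_IP}        # missing destination means EXTERN_IP
    dest=${dest%%/*}             # drop an optional /DestMask
    [ "$2" = "$want_port" ] && [ "$dest" = "$want_addr" ] && return 0
  done
  return 1
}

# check_dmz_forwards: print each tcp forward the filter would still drop;
# succeed only if every forward is reachable from outside.
check_dmz_forwards() {
  missing=0; i=0
  while [ "$i" -lt 64 ]; do
    eval "fwd=\${DMZ_SERVER$i}"
    n=$i; i=$((i + 1))
    [ -n "$fwd" ] || continue
    set -- $fwd                  # $1=proto $2=ExtAddr $3=ExtPort $4=IntAddr $5=IntPort
    [ "$1" = "tcp" ] || continue
    if ! tcp_allowed "$2" "$3"; then
      echo "DMZ_SERVER$n: no EXTERN_TCP_PORT rule for $2 port $3 (forward to $4 $5 never reached)"
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}
if check_dmz_forwards; then echo "every tcp DMZ forward is allowed through the filter"; fi
```

With the sample above it reports DMZ_SERVER1 (ftp) as unreachable, which is exactly the symptom of "no response back" described at the top of the thread; adding the EXTERN_TCP_PORT6 line makes the check pass.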
