As per the advice that I was given earlier today, I am hoping that this
information will be more helpful in getting to the bottom of my problem.
Please note that this configuration is slightly different than the one I posted
earlier. The difference is that I have NOT opened all internet traffic to my
DMZ. Instead I have chosen to block all of the ports in my DMZ except the ones I
need for my server. Regardless of these changes, the problem still persists.


This is my first attempt at setting up a DMZ so I am admitting now that I
probably got it all wrong. That said, I am hoping someone on the list can point
out where I have made my mistakes and point me in the right direction. Here is
what I am attempting to accomplish.

GOAL IS:
        TO ALLOW "specific" traffic from the INTERNET INTO MY DMZ
        TO ALLOW DMZ ACCESS TO THE INTERNET (BUT LOG IT)
        TO ALLOW LOC ZONE OPEN ACCESS TO DMZ AND THE INTERNET
        TO BLOCK ALL TRAFFIC FROM DMZ TO LOC ZONE and log it if it tries to
        connect to loc zone.
        TO ALLOW DNSCACHE TO WORK FOR BOTH ZONES.


NETWORK LOOKS LIKE THIS:

-----> Internet to eth0 on Bering box
-----> eth0 Bering box using shorewall
-----> eth1 loc zone
-----> eth2 dmz zone



THE PROBLEM IS:

POOR FILE TRANSFER RATE (ftp) BETWEEN LOC ZONE AND DMZ ZONE. 

I thought I had it all working until I attempted to do an ftp file transfer
between my windoz systems on the loc zone to my Linux server in the dmz zone.
My transfer rate was terrible. (45kb/s should be 1400kb/s!) But, if I connect
to a remote ftp server through my windoz box in the loc zone, or my Linux server
in the dmz zone, the transfer rate is normal. The problem only seems to affect
ftp but truthfully that is the only file transfer protocol that I use between my
Linux server in the dmz and my windows box in the loc zone so I can't say if it
affects anything else.

Please keep in mind that this is my first attempt at this and I have tried to
follow the shorewall howto for setting up three interfaces but I am pretty sure
I goofed. PLEASE HELP! I have included all the info that I think is pertinent
but if you require more please let me know and I will provide it. Thanks in
advance.

                Troy


#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             dmz             ACCEPT
dmz             net             ACCEPT          info
dmz             loc             DROP            info
#
# If you want open access to the internet from your firewall, uncomment the
# following line
#fw             net             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
# Accept DNS connections from the firewall to the network
#
ACCEPT          fw        net           tcp     53
ACCEPT          fw        net           udp     53
#
# Accept SSH connections from the local network for administration
#
ACCEPT          loc       fw            tcp     22

# DENAT to my webserver from web
DNAT            net       dmz:192.168.2.26:80  tcp 80

# DENAT to my sshserver from web
DNAT            net       dmz:192.168.2.26  tcp 22

# DENAT to my ftpserver from web
DNAT            net       dmz:192.168.2.2  tcp 21

# DENAT to my sshserver from web
DNAT            net       dmz:192.168.2.26  tcp 22

#DNAT to my SSL webmin server from web
DNAT    net       dmz:192.168.2.26:25000  tcp https -
DNAT    net       dmz:192.168.2.26:25000  tcp  25000


# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT          loc       fw            udp     53
ACCEPT          loc       fw            tcp     80
ACCEPT          loc       fw            udp     67
ACCEPT          loc       fw            udp     68

# Bering specific rules:
# allow dmz to fw udp/53 for dnscache to work
# allow dmz to fw tcp/80 for weblet to work
#
ACCEPT          dmz       fw            udp     53
ACCEPT          dmz       fw            tcp     80
ACCEPT          dmz       fw            udp     67
ACCEPT          dmz       fw            udp     68

#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


#
# Shorewall 1.3 - Masquerade file
#
# /etc/shorewall/masq
#
##############################################################################
#INTERFACE              SUBNET          ADDRESS
eth0                    eth1
eth0                    eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter,norfc1918,noping
loc     eth1            detect          routestopped
dmz     eth2            detect          routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# uname -a
Linux firewall 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i586 unknown

# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:51:c2:3f brd ff:ff:ff:ff:ff:ff
    inet 192.139.75.34/27 brd 192.139.75.63 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:51:c1:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:fc:21:01:6c brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2

# ip route show
192.139.75.32/27 dev eth0  proto kernel  scope link  src 192.139.75.34
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 192.139.75.33 dev eth0


# lsmod
Module         Pages    Used by
ip_nat_h323             2628   0 (unused)
ip_conntrack_h323       2280   1
ip_nat_irc              2384   0 (unused)
ip_nat_ftp              2960   0 (unused)
ip_conntrack_irc        3056   1
ip_conntrack_ftp        3824   1
ppp_mppe               20168   0 (unused)
ppp_async               5932   0 (unused)
ppp_generic            14920   0 [ppp_mppe ppp_async]
slhc                    4264   0 [ppp_generic]
8139too                13308   1
mii                      912   0 [8139too]
tulip                  36928   2


Shorewall-1.3.1 Chain  at firewall - Tue Oct  8 21:22:26 UTC 2002

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     ah   --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 eth0_in    ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth2_in    ah   --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0
      LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     ah   --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 1 packets, 48 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 eth0_fwd   ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   ah   --  eth1   *       0.0.0.0/0            0.0.0.0/0



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
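As an added example (not part of Troy's post and not Shorewall's own tooling), here is a small Python checker that reads a Shorewall 1.3 policy file and rules file and compares them against the five goals stated above: dmz->loc dropped and logged, dmz->net accepted and logged, loc open to dmz and net, net->dmz reaching the DMZ only through explicit rules, and a udp/53 rule from each zone to the firewall so dnscache can answer. It also reports exact duplicate rules. The sample file contents are copied from the post (comments stripped); the function names and the first-match-with-`all`-wildcard policy lookup are this example's own assumptions about how Shorewall evaluates the policy file.

```python
"""Sanity-check a Shorewall 1.3 policy/rules pair against the stated zone goals.

Constructed example: the two file bodies below are copied from the post
with comments removed so the script runs offline.
"""
from collections import Counter

POLICY_FILE = """
loc             net             ACCEPT
loc             dmz             ACCEPT
dmz             net             ACCEPT          info
dmz             loc             DROP            info
net             all             DROP            info
all             all             REJECT          info
"""

RULES_FILE = """
ACCEPT          fw        net           tcp     53
ACCEPT          fw        net           udp     53
ACCEPT          loc       fw            tcp     22
DNAT            net       dmz:192.168.2.26:80  tcp 80
DNAT            net       dmz:192.168.2.26  tcp 22
DNAT            net       dmz:192.168.2.2  tcp 21
DNAT            net       dmz:192.168.2.26  tcp 22
DNAT    net       dmz:192.168.2.26:25000  tcp https -
DNAT    net       dmz:192.168.2.26:25000  tcp  25000
ACCEPT          loc       fw            udp     53
ACCEPT          dmz       fw            udp     53
"""


def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_policy(text):
    """Return [(source, dest, POLICY, loglevel_or_None)] in file order."""
    out = []
    for f in _fields(text):
        log = f[3] if len(f) > 3 else None
        out.append((f[0], f[1], f[2].upper(), log))
    return out


def parse_rules(text):
    """Return [(ACTION, source, dest, proto, dport_or_None)] in file order.

    dest keeps any zone:address[:port] suffix so two rules are only
    'duplicates' if every column matches.
    """
    out = []
    for f in _fields(text):
        dport = f[4] if len(f) > 4 else None
        out.append((f[0].upper(), f[1], f[2], f[3].lower(), dport))
    return out


def effective_policy(policies, src, dst):
    """First matching policy line wins; 'all' is a wildcard zone (assumed semantics)."""
    for psrc, pdst, pol, log in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return pol, log
    return None, None


def check_goals(policies, rules):
    """Compare the parsed files against the poster's goals; return a list of findings."""
    findings = []
    pol, log = effective_policy(policies, "dmz", "loc")
    if pol not in ("DROP", "REJECT") or not log:
        findings.append("dmz->loc must be DROP/REJECT with a log level")
    pol, log = effective_policy(policies, "dmz", "net")
    if pol != "ACCEPT" or not log:
        findings.append("dmz->net should be ACCEPT with a log level")
    for dst in ("dmz", "net"):
        if effective_policy(policies, "loc", dst)[0] != "ACCEPT":
            findings.append(f"loc->{dst} should be ACCEPT")
    if effective_policy(policies, "net", "dmz")[0] == "ACCEPT":
        findings.append("net->dmz policy is ACCEPT; inbound should rely on explicit rules only")
    for zone in ("loc", "dmz"):
        if ("ACCEPT", zone, "fw", "udp", "53") not in rules:
            findings.append(f"no {zone}->fw udp/53 rule, dnscache will not answer {zone}")
    for rule, n in Counter(rules).items():
        if n > 1:
            findings.append("duplicate rule: " + " ".join(x or "-" for x in rule))
    return findings


if __name__ == "__main__":
    for finding in check_goals(parse_policy(POLICY_FILE), parse_rules(RULES_FILE)):
        print(finding)
```

Run against the post's files, the only finding is the repeated `DNAT net dmz:192.168.2.26 tcp 22` line; every zone-to-zone goal is already met by the policy file, which is why the ftp slowness is unlikely to be a policy problem rather than something in the path between loc and dmz.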