I am trying to set up a small web server on a DMZ and I am having trouble with connecting to the DMZ computer from my internal network. My setup is as follows:
Bering 1.2 firewall, Shorewall configured per the 3-interfaces example. The DMZ uses a stripped version of Bering 1.2. It will eventually run qmail and weblet open to the internet. My goal is to be able to host my own domain using ezipupdate, with local access to POP mail and simple web pages. I may also host some eBay photos. I plan to boot the DMZ from a CD with only data files stored on the attached IDE drive.

The firewall is working well as configured for the loc zone (eth1).

ip addr show results:

    # ip addr show
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:a0:c9:9c:a7:a7 brd ff:ff:ff:ff:ff:ff
        inet 24.210.193.xxx/21 brd 255.255.255.255 scope global eth0
    4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:a0:c9:86:30:05 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
    5: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
        link/ether 00:60:97:df:a7:7e brd ff:ff:ff:ff:ff:ff
        inet 192.168.10.254/24 brd 192.168.10.255 scope global eth2

ip route show results:

    # ip route show
    192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
    192.168.10.0/24 dev eth2  proto kernel  scope link  src 192.168.10.254
    24.210.192.0/21 dev eth0  proto kernel  scope link  src 24.210.193.xxx
    default via 24.210.192.1 dev eth0

Shorewall stuff

Interfaces:

    net   eth0   detect   dhcp,routefilter,norfc1918
    loc   eth1   detect
    dmz   eth2   detect

Policy:

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    loc       net    ACCEPT
    net       all    DROP     ULOG
    all       all    REJECT   ULOG

Rules:

    #ACTION   SOURCE   DEST               PROTO   DEST      SOURCE    ORIGINAL
    #                                             PORT      PORT(S)   DEST
    #
    # Accept DNS connections from the firewall to the network
    #
    DROP      net      fw                 tcp     67,68
    DROP      net      fw                 tcp     4662
    DROP      net      fw                 udp     4662
    ACCEPT    fw       net                tcp     53
    ACCEPT    fw       net                udp     53
    ACCEPT    dmz      net                tcp     53
    ACCEPT    dmz      net                udp     53
    #
    # Accept SSH connections from the local network for administration
    #
    ACCEPT    loc      fw                 tcp     22
    #
    # Allow Ping To And From Firewall
    #
    ACCEPT    loc      fw                 icmp    8
    ACCEPT    net      fw                 icmp    8
    ACCEPT    fw       loc                icmp    8
    ACCEPT    fw       net                icmp    8
    ACCEPT    dmz      fw                 icmp    8
    ACCEPT    loc      dmz                icmp    8
    ACCEPT    dmz      loc                icmp    8
    ACCEPT    dmz      net                icmp    8
    ACCEPT    fw       dmz                icmp    8
    #
    # Bering specific rules:
    # allow loc to fw udp/53 for dnscache to work
    # allow loc to fw tcp/80 for weblet to work
    #
    ACCEPT    loc      fw                 udp     53
    ACCEPT    loc      fw                 tcp     80
    #
    # Enable Samba ports
    ACCEPT    loc      fw                 udp     137,138
    ACCEPT    loc      fw                 tcp     139
    #
    # Open http and mail ports on dmz
    DNAT      net      dmz:192.168.10.1   tcp     80
    DNAT      net      dmz:192.168.10.1   tcp     25
    DNAT      net      dmz:192.168.10.1   udp     25

What works and what does not:

- I can ping eth2 on the firewall from the DMZ.
- I can ping loc machines from the firewall.
- I can ping the DMZ from the firewall.
- I cannot ping from loc (Win2K) to the DMZ:

    Pinging 192.168.10.1 with 32 bytes of data:
    Request timed out.
    Request timed out.

- I can ping loc machines from the DMZ after I issued

    ip route add 192.168.1.0 via 192.168.10.254

  on the DMZ.
- I cannot browse the weblet on the dmz using the internal IP 192.168.10.1.
- If I point a browser at the external IP address I get the firewall weblet, not the DMZ.

I know I am missing something simple but I can't figure out what. Any suggestions are appreciated.

Kory Krofft

-------------------------------------------------------
This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
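Added example, not part of Kory's post and not Shorewall's own code: a small Python model of how a Shorewall rules table and policy table are consulted for a new connection, fed with the policy and rules exactly as posted. It assumes the simplified semantics visible in the post (the rules file is scanned in order first; if nothing matches, the policy file is scanned in order with the zone name "all" as a wildcard), treats DNAT as a verdict label rather than implementing address translation, ignores the SOURCE PORT(S) and ORIGINAL DEST columns, and does not model routing on the DMZ host. Its purpose is to let an administrator check, before touching the firewall, which zone-to-zone flows a configuration accepts by rule, accepts by policy, or lets fall through to the catch-all policy.

```python
"""Simplified evaluator for Shorewall-style policy and rules tables (added example).

Assumptions (not Shorewall's full semantics): rules are matched first, in file
order; then the policy table is matched in file order, where 'all' matches any
zone. Ports/ICMP types are exact-match lists. DNAT is reported as a verdict.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed input: the two tables as they appear in the post, whitespace-separated.
POLICY = """
#SOURCE  DEST  POLICY  LOG-LEVEL
loc      net   ACCEPT
net      all   DROP    ULOG
all      all   REJECT  ULOG
"""

RULES = """
#ACTION  SOURCE  DEST              PROTO  DEST-PORT
DROP     net     fw                tcp    67,68
DROP     net     fw                tcp    4662
DROP     net     fw                udp    4662
ACCEPT   fw      net               tcp    53
ACCEPT   fw      net               udp    53
ACCEPT   dmz     net               tcp    53
ACCEPT   dmz     net               udp    53
ACCEPT   loc     fw                tcp    22
ACCEPT   loc     fw                icmp   8
ACCEPT   net     fw                icmp   8
ACCEPT   fw      loc               icmp   8
ACCEPT   fw      net               icmp   8
ACCEPT   dmz     fw                icmp   8
ACCEPT   loc     dmz               icmp   8
ACCEPT   dmz     loc               icmp   8
ACCEPT   dmz     net               icmp   8
ACCEPT   fw      dmz               icmp   8
ACCEPT   loc     fw                udp    53
ACCEPT   loc     fw                tcp    80
ACCEPT   loc     fw                udp    137,138
ACCEPT   loc     fw                tcp    139
DNAT     net     dmz:192.168.10.1  tcp    80
DNAT     net     dmz:192.168.10.1  tcp    25
DNAT     net     dmz:192.168.10.1  udp    25
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str                    # destination zone only ("dmz:1.2.3.4" -> "dmz")
    proto: str
    ports: FrozenSet[int]       # empty set means "any port / ICMP type"
    target: Optional[str]       # DNAT target address, if the DEST column carried one


def _table_lines(text: str) -> List[List[str]]:
    """Split a table into column lists, skipping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split())
    return rows


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for cols in _table_lines(text):
        action, src, dst, proto = cols[:4]
        ports = frozenset(int(p) for p in cols[4].split(",")) if len(cols) > 4 else frozenset()
        zone, _, addr = dst.partition(":")
        rules.append(Rule(action, src, zone, proto, ports, addr or None))
    return rules


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    # Only SOURCE, DEST and POLICY matter for the verdict; the log level is ignored here.
    return [(cols[0], cols[1], cols[2]) for cols in _table_lines(text)]


RULE_TABLE = parse_rules(RULES)
POLICY_TABLE = parse_policy(POLICY)


def evaluate(src: str, dst: str, proto: str, port: int,
             rules: List[Rule] = RULE_TABLE,
             policy: List[Tuple[str, str, str]] = POLICY_TABLE) -> Tuple[str, str]:
    """Return (verdict, reason) for a new connection from zone src to zone dst."""
    for n, r in enumerate(rules, start=1):
        if (r.src, r.dst, r.proto) == (src, dst, proto) and (not r.ports or port in r.ports):
            return r.action, f"rule {n}: {r.action} {r.src} {r.dst} {r.proto} {port}"
    for psrc, pdst, verdict in policy:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return verdict, f"policy {psrc} {pdst} {verdict}"
    return "REJECT", "no matching policy (defaulting closed)"


def report(flows):
    """Evaluate a list of (src, dst, proto, port) flows; returns one line per flow."""
    return [f"{s}->{d} {p}/{port}: {evaluate(s, d, p, port)[0]} ({evaluate(s, d, p, port)[1]})"
            for s, d, p, port in flows]


if __name__ == "__main__":
    # The flows the post tries, plus a DNAT'd one from the internet for comparison.
    for line in report([("loc", "dmz", "icmp", 8), ("loc", "dmz", "tcp", 80),
                        ("net", "dmz", "tcp", 80), ("loc", "net", "tcp", 443)]):
        print(line)
```

Running the script shows that loc to dmz ICMP echo is accepted by an explicit rule, while loc to dmz TCP 80 matches no rule and no loc/dmz policy entry, so it falls through to the "all all REJECT" line; traffic from net to the DMZ web port reaches the DNAT rule. A check like this isolates the filtering layer, so a symptom that persists when the tables say ACCEPT points at routing or the host itself rather than the firewall rules.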