The oddity in your report is this part:
I can ping loc machines from the DMZ after I issued ip route add 192.168.1.0 via 192.168.10.254 on the DMZ
It suggests the possibility of an error in the routing table on the DMZ host, so that it does not know that 192.168.10.254 is its default route. That omission is consistent with everything else you report. Check the DMZ host's general routing table for errors.
As to ...
If I point a browser at the external IP address I get the firewall weblet not the DMZ.
... am I right in thinking that you are doing this from the LAN (that is, from loc)? If so, it is consistent with your Shorewall rules, which DNAT port 80 ONLY from the Internet (that is, it DNATs only port-80 traffic that arrives on eth0).
If you meant, though, that you were trying this from someplace else on the Internet ... well, your setup is a bit odd, in that you both run the weblet on the firewall and try to port-forward some port-80 traffic. My reading of iptables says this should be possible, but it's just odd enough that it may not actually work (or there may be some Shorewall-specific quirk that causes it not to work when set up through Shorewall).
Shorewall stuff
Interfaces:
net eth0 detect dhcp,routefilter,norfc1918
loc eth1 detect
dmz eth2 detect
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
ACCEPT loc fw tcp 80
This is no problem. The Bering box accepts port 80 from the local network for weblet.
#Open http and mail ports on dmz
DNAT net dmz:192.168.10.1 tcp 80
If the routefilter is removed from the interfaces file - then it will forward port 80 from the net side to the dmz box. Two different destinations from two different sources for port 80. Works fine for me.
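The point both replies make about port 80 (a browser on loc reaches the weblet, while only traffic entering from net is DNATed to the DMZ host), shown as an added example that is not part of the original messages and is not Shorewall's own code. It is a simplified model of rules-file matching applied to the two port-80 rules quoted in the thread; the function names and the five-column rule form are assumptions of this sketch.

```python
# Simplified model of Shorewall rules-file matching (assumption: one rule per
# line in the form ACTION SOURCE DEST PROTO PORT; not Shorewall's real parser).
# RULES holds the two port-80 rules quoted in the thread.
RULES = """\
# allow loc to fw tcp/80 for weblet to work
ACCEPT  loc  fw                 tcp  80
#Open http and mail ports on dmz
DNAT    net  dmz:192.168.10.1   tcp  80
"""

def parse_rules(text):
    """Return a list of rule dicts, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, source, dest, proto, port = line.split()[:5]
        zone, _, host = dest.partition(":")
        rules.append({"action": action, "source": source, "dest_zone": zone,
                      "dest_host": host or None, "proto": proto,
                      "port": int(port)})
    return rules

def resolve(rules, src_zone, proto, port):
    """Where does a connection from src_zone to the firewall's address land?"""
    for r in rules:
        if (r["source"], r["proto"], r["port"]) != (src_zone, proto, port):
            continue  # rule is scoped to a different source zone or service
        if r["action"] == "DNAT":
            return f"forwarded to {r['dest_zone']}:{r['dest_host']}"
        if r["action"] == "ACCEPT" and r["dest_zone"] == "fw":
            return "handled by the firewall itself"
    return "no matching rule (zone policy applies)"

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for zone in ("loc", "net", "dmz"):
        print(f"{zone:>3} -> tcp/80: {resolve(parsed, zone, 'tcp', 80)}")
```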
