This is round two since I didn't get any responses last time. I know you guys are busy, but if you could just look through what I have so that I know I set up my firewall correctly. I really appreciate it.
Thanks in advance.
I am a complete newbie to Linux and firewalling. I have only known Windows operating systems up until now, so please bear with me.
I have recently got my LAN working with LEAF, but I am now having trouble setting up my DMZ.
I have five (cable modem) static IPs: 24.227.166.194 through 24.227.166.198. My default gateway is 24.227.166.193 with a netmask of 255.255.255.248.
In this setup, 2 of my IPs won't be used.
I have the cable modem going into eth0 of a Bering-uClibc 2.1.3 machine.
I have eth1 going to a wireless router/switch which serves my LAN.
Then I have eth2 (trying to set up a DMZ) which goes to a switch which goes to a web server (24.227.166.197) {you can go there now if you want [not much to see yet], I think it is working now} and a media server {this server is down right now by choice} (24.227.166.198). Both run MS Server 2003 Enterprise Edition.
Both servers need their own port 80. I was reading Eastep's Shorewall setup for proxy ARP and was trying to duplicate that but am having trouble.
I am curious to know if you think proxy ARP is the best way to go for my setup? Safety and security? My setup is at home but I am running this for commercial use, so it has to be up and online as much as possible.
As I was writing this email I think I got proxy ARP working on my LEAF. That's the second time that's happened to me.
But if you could, check my settings to see if everything looks right (blocking and forwarding).

Here are my current settings:

In network Configuration: Interfaces File I have:

auto eth0
iface eth0 inet static
address 24.227.166.194
netmask 255.255.255.248
broadcast 24.227.166.255
gateway 24.227.166.193
up ip addr add 24.227.166.195/29 brd 24.227.166.255 dev eth0 label eth0:1
up ip addr add 24.227.166.196/29 brd 24.227.166.255 dev eth0 label eth0:2
#up ip addr add 24.227.166.197/29 brd 24.227.166.255 dev eth0 label eth0:3
#up ip addr add 24.227.166.198/29 brd 24.227.166.255 dev eth0 label eth0:4

If you notice here, I wasn't completely sure what to do, but this is how it reads right now.
Like I said before, these are my 5 static IPs. I am not trying to use *.195 and *.196. I just added them to this file in case I need them later (maybe DNAT, port forwarding) and it is interesting to watch their activity on the Weblet log.
I want to use *.197 and *.198 as my two DMZ addresses. After reading Tom Eastep's Shorewall setup guide (for multiple IP addresses) I commented out the lines because he said not to add them (proxy ARP addresses) to my interfaces file. I guess this is what he meant, however I am not sure if it was or not.


Then further down on Step 2 (Configure internal interface) I have:
auto eth1
iface eth1 inet static
address 192.168.1.254
netmask 255.255.255.0
broadcast 192.168.1.255

Then further down on Step 3 (Configure DMZ) I have:
auto eth2
iface eth2 inet static
address 192.168.2.254
netmask 255.255.255.0
broadcast 192.168.2.255


Then on Network configuration - resolv.conf I have my DNS nameservers entered (given to me by my cable modem ISP).
nameserver 24.93.40.62
nameserver 24.93.40.63

Then in Packages Configuration: Shorewall I have:

I made no changes to PARAMS file

I changed Zones file to read:
#Zone           Display         Comments
net             Net             Internet
loc             Local           Local Networks
dmz             DMZ             Demilitarized zone
#last Line

In Interfaces file it reads:
#zone           Interface       broadcast    options
net             eth0            detect       dhcp,routefilter,norfc1918
loc             eth1            detect
dmz             eth2            detect
#last Line

I made no changes to Hosts file

In Policy file it reads:
#source         dest            policy          log     limit:burst
loc             net             accept
net             all             drop            ulog

all             all             reject          ulog
#last line
 
In Rules it reads: 
#Action         source          dest    proto   dest port  source port original dest
accept          net             dmz             tcp             80
accept          loc             dmz             tcp             80      {[(Is this 
last setting safe for my LAN????????)]}


accept          fw              net             tcp             53
accept          fw              net             udp             53

accept          loc             fw              tcp             22


accept          loc             fw              icmp            8
accept          net             fw              icmp            8
accept          fw              loc             icmp            8
accept          fw              net             icmp            8
accept          fw              dmz             icmp            8


accept          loc             fw              udp             53
accept          loc             fw              tcp             80
#last line

I made no changes to MAC list file

In Masq file I didn't make any changes but it reads:
#interface      subnet                  address
eth0            eth1
#last line

In ProxyARP file I have:
#address                interface       external        have route
24.227.166.197          eth2            eth0            no
24.227.166.198          eth2            eth0            no
#last line

I have made no changes in any other files from File 10 (Stopped) to File 28 (Template)


On my dmz servers my network connections are :
ip address: 24.227.166.197 or .198
subnet mask 255.255.255.248
default gateway 24.227.166.193
dns1 24.93.40.62
dns2 24.93.40.63

Here are my current outputs from Weblet:

::Interfaces:: (Copyclipped from Weblet)
1: lo:  mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0:  mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 52:54:05:c0:26:8f brd ff:ff:ff:ff:ff:ff
    inet 24.227.166.194/29 brd 24.227.166.255 scope global eth0
    inet 24.227.166.195/29 brd 24.227.166.255 scope global secondary eth0:1
    inet 24.227.166.196/29 brd 24.227.166.255 scope global secondary eth0:2
4: eth1:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:26:62:82:20 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2:  mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:05:5d:4b:e3:6e brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2


::Routes::  (Copyclipped from Weblet)
24.227.166.198 dev eth2  scope link 
24.227.166.197 dev eth2  scope link 
24.227.166.192/29 dev eth0  proto kernel  scope link  src 24.227.166.194 
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.254 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254 
default via 24.227.166.193 dev eth0 


Kernel:Linux firewall 2.4.24 #3 Sun Feb 22 19:25:40 CET 2004 i686 unknown
  
 
Modules:
softdog                 1508   1
ip_nat_irc              2128   0 (unused)
ip_nat_ftp              2736   0 (unused)
ip_conntrack_irc        2864   1
ip_conntrack_ftp        3472   1
8139too                11624   2
mii                     2108   0 [8139too]
ne2k-pci                4044   1
8390                    5784   0 [ne2k-pci]
crc32                   2648   0 [8139too 8390]

::Installed Packages::   (Copyclipped from Weblet)
Name            Version        Description
===============-==============-==============================================
initrd          V2.1.3 uClibc- LEAF Bering initial filesystem                
root            V2.1.3 uClibc- Core LEAF Bering-uClibc package               
config          0.2            Core config and backup system package         
etc             V2.1.3 uClibc-                                               
local           V2.1.3 uClibc- LEAF Bering local package                     
modules         V2.1.3 uClibc- Define & contain your LEAF Bering modules     
iptables        1.2.9          IP packet filter administration tools for 2.4.
dhcpcd          1.3.22pl4-7 Re dhcpcd is a RFC2131 and RFC1541 compliant DHCP
keyboard        0.3            Define your keyboard settings                 
shorwall        1.4.10e        Shoreline Firewall (Shorewall)                
ulogd           1.02           The Netfilter Userspace Logging Daemon        
dnscache        1.05a          A fast & secure proxy DNS server, patched for 
dropbear        0.42           Dropbear SSH 2 server and scp client          
weblet          1.2.4 Rev 2    LEAF status via a small web server 
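One way a list reader could sanity-check the proxy ARP part of this configuration, as an added example that is not from the post or from Shorewall: the script below parses the quoted proxyarp file and checks that each proxy ARP address lies inside the external /29, is not also assigned on eth0 (the conflict the commented-out eth0:3 and eth0:4 lines would have caused), and that the broadcast given for the eth0 addresses matches the netmask (for 24.227.166.192/29 it is 24.227.166.199, not .255). Interface names and addresses are copied from the post; the dictionary layout and the function names are my own.

```python
import ipaddress

# Values below are constructed from the configuration quoted in the post.
EXT_IFACE = "eth0"
EXT_NET = ipaddress.ip_network("24.227.166.192/29")   # .193 = gateway, .199 = broadcast

# Addresses the interfaces file puts directly on eth0, mapped to the brd value written there.
FW_ADDRS = {
    "24.227.166.194": "24.227.166.255",
    "24.227.166.195": "24.227.166.255",
    "24.227.166.196": "24.227.166.255",
}

PROXYARP = """\
#address                interface       external        have route
24.227.166.197          eth2            eth0            no
24.227.166.198          eth2            eth0            no
#last line
"""


def parse_proxyarp(text):
    """Parse Shorewall 1.4 proxyarp lines into (address, interface, external, haveroute)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed proxyarp line: {raw!r}")
        haveroute = fields[3].lower() if len(fields) > 3 else "no"
        entries.append((ipaddress.ip_address(fields[0]), fields[1], fields[2], haveroute))
    return entries


def check_setup(proxyarp_text, fw_addrs, ext_net, ext_iface):
    """Return a list of problem strings; an empty list means the checks pass."""
    problems = []
    for addr, _iface, ext, _ in parse_proxyarp(proxyarp_text):
        if addr not in ext_net:
            problems.append(f"{addr}: outside external subnet {ext_net}")
        if str(addr) in fw_addrs:   # Eastep's rule: proxy ARP addresses stay off the firewall
            problems.append(f"{addr}: also assigned to {ext_iface}; a proxy ARP host must not share it")
        if ext != ext_iface:
            problems.append(f"{addr}: EXTERNAL is {ext}, expected {ext_iface}")
    for addr, brd in fw_addrs.items():
        if ipaddress.ip_address(brd) != ext_net.broadcast_address:
            problems.append(f"{addr}: broadcast {brd} should be {ext_net.broadcast_address}")
    return problems
```

Run `check_setup(PROXYARP, FW_ADDRS, EXT_NET, EXT_IFACE)` against the post's values and the only findings are the three wrong broadcast entries; re-adding .197 to the eth0 map reproduces the conflict the guide warns about.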

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html