I set up one Bering 1.2 router with Proxyarp. I don't recall needing to add the IP addresses to the external interface. I just had to specify them in the proxyarp file. For the interface addressing I believe I followed Tom Eastep's recommendations. The client I built this for is dragging its feet on implementation so I can't get to it right now to send you the config, but I'll ask them to put it up this afternoon so I can take a look.
From what I can tell, Proxyarp is what you want.

- Bob Coffman

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 9:59 AM
To: [EMAIL PROTECTED]
Subject: [leaf-user] Bering-uClibc 2.1.3 ProxyARP and DMZ settings again

This is round two since I didn't get any responses last time. I know you guys are busy but if you could just look through what I have so that I know I set up my firewall correctly. I really appreciate it. Thanks in advance.

I am a complete newbie to Linux and firewalling. I have only known Windows operating systems up until now, so bear with me please. I have recently got my LAN working with LEAF but I am now having trouble setting up my DMZ.

I have five (cable modem) static IPs: 24.227.166.194 thru 24.227.166.198. My default gateway is 24.227.166.193 with a netmask of 255.255.255.248. In this setup, 2 of my IPs won't be used. I have the cable modem going into eth0 of the Bering-uClibc 2.1.3 machine. I have eth1 going to a wireless router/switch which serves my LAN. Then I have eth2 (trying to set up a DMZ) which goes to a switch which goes to a web server (24.227.166.197) {you can go there now if you want [not much to see yet], I think it is working now} and a media server {this server is down right now by choice} (24.227.166.198). Both run MS Server 2003 Enterprise Edition. Both servers need their own port 80.

I was reading Eastep's Shorewall setup for proxy ARP and was trying to duplicate that but am having trouble. I am curious to know if you think Proxy ARP is the best way to go for my setup? Safety and security? My setup is at home but I am running this for commercial use, so it has to be up and online as much as possible.

As I was writing this email I think I got proxy ARP working on my LEAF. That's the second time that's happened to me. But if you could, check my settings to see if everything looks right (blocking and forwarding).
Here are my current settings:

In Network Configuration: Interfaces file I have:

    auto eth0
    iface eth0 inet static
        address 24.227.166.194
        netmask 255.255.255.248
        broadcast 24.227.166.255
        gateway 24.227.166.193
        up ip addr add 24.227.166.195/29 brd 24.227.166.255 dev eth0 label eth0:1
        up ip addr add 24.227.166.196/29 brd 24.227.166.255 dev eth0 label eth0:2
        #up ip addr add 24.227.166.197/29 brd 24.227.166.255 dev eth0 label eth0:3
        #up ip addr add 24.227.166.198/29 brd 24.227.166.255 dev eth0 label eth0:4

If you notice here, I wasn't completely sure what to do, but this is how it reads right now. Like I said before these are my 5 static IPs. I am not trying to use *.195 and *.196. I just added them to this file in case I need them later (maybe DNAT, port forwarding) and it is interesting to watch their activity on the weblet log. I want to use *.197 and *.198 as my two DMZ addresses. After reading Tom Eastep's Shorewall setup guide (for multiple IP addresses) I remarked the lines because he said not to add them (proxy ARP addresses) to my interfaces file. I guess this is what he meant, however I am not sure if it was or not.

Then further down on Step 2 (Configure internal interface) I have:

    auto eth1
    iface eth1 inet static
        address 192.168.1.254
        netmask 255.255.255.0
        broadcast 192.168.1.255

Then further down on Step 3 (Configure DMZ) I have:

    auto eth2
    iface eth2 inet static
        address 192.168.2.254
        netmask 255.255.255.0
        broadcast 192.168.2.255

Then on Network Configuration - resolv.conf I have my DNS nameservers entered (given to me by my cable modem ISP):
    nameserver 24.93.40.62
    nameserver 24.93.40.63

Then in Packages Configuration: Shorewall I have:

I made no changes to the PARAMS file.

I changed the Zones file to read:

    #Zone  Display  Comments
    net    Net      Internet
    loc    Local    Local Networks
    dmz    DMZ      Demilitarized zone
    #last line

In the Interfaces file it reads:

    #zone  Interface  broadcast  options
    net    eth0       detect     dhcp,routefilter,norfc1918
    loc    eth1       detect
    dmz    eth2       detect
    #last line

I made no changes to the Hosts file.

In the Policy file it reads:

    #source  dest  policy  log   limit:burst
    loc      net   accept
    net      all   drop    ulog
    all      all   reject  ulog
    #last line

In Rules it reads:

    #Action  source  dest  proto  dest port  source port  original dest
    accept   net     dmz   tcp    80
    accept   loc     dmz   tcp    80        {[(Is this last setting safe for my LAN????????)]}
    accept   fw      net   tcp    53
    accept   fw      net   udp    53
    accept   loc     fw    tcp    22
    accept   loc     fw    icmp   8
    accept   net     fw    icmp   8
    accept   fw      loc   icmp   8
    accept   fw      net   icmp   8
    accept   fw      dmz   icmp   8
    accept   loc     fw    udp    53
    accept   loc     fw    tcp    80
    #last line

I made no changes to the MAC list file.

In the Masq file I didn't make any changes but it reads:

    #interface  subnet  address
    eth0        eth1
    #last line

In the ProxyARP file I have:

    #address        interface  external  haveroute
    24.227.166.197  eth2       eth0      no
    24.227.166.198  eth2       eth0      no
    #last line

I have made no changes in any other files from File 10 (Stopped) to File 28 (Template).

On my DMZ servers my network connections are:

    ip address:      24.227.166.197 or .198
    subnet mask:     255.255.255.248
    default gateway: 24.227.166.193
    dns1:            24.93.40.62
    dns2:            24.93.40.63

Here are my current outputs from Weblet:

::Interfaces:: (Copyclipped from Weblet)

    1: lo: mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
    2: dummy0: mtu 1500 qdisc noop
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 52:54:05:c0:26:8f brd ff:ff:ff:ff:ff:ff
        inet 24.227.166.194/29 brd 24.227.166.255 scope global eth0
        inet 24.227.166.195/29 brd 24.227.166.255 scope global secondary eth0:1
        inet 24.227.166.196/29 brd 24.227.166.255 scope global secondary eth0:2
    4: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:c0:26:62:82:20 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
    5: eth2: mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:05:5d:4b:e3:6e brd ff:ff:ff:ff:ff:ff
        inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2

::Routes:: (Copyclipped from Weblet)

    24.227.166.198 dev eth2 scope link
    24.227.166.197 dev eth2 scope link
    24.227.166.192/29 dev eth0 proto kernel scope link src 24.227.166.194
    192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.254
    192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
    default via 24.227.166.193 dev eth0

Kernel: Linux firewall 2.4.24 #3 Sun Feb 22 19:25:40 CET 2004 i686 unknown

Modules:

    Module            Size   Used by
    softdog           1508   1
    ip_nat_irc        2128   0 (unused)
    ip_nat_ftp        2736   0 (unused)
    ip_conntrack_irc  2864   1
    ip_conntrack_ftp  3472   1
    8139too           11624  2
    mii               2108   0 [8139too]
    ne2k-pci          4044   1
    8390              5784   0 [ne2k-pci]
    crc32             2648   0 [8139too 8390]

::Installed Packages:: (Copyclipped from Weblet)

    Name      Version          Description
    ========  ===============  =============================================
    initrd    V2.1.3 uClibc-   LEAF Bering initial filesystem
    root      V2.1.3 uClibc-   Core LEAF Bering-uClibc package
    config    0.2              Core config and backup system package
    etc       V2.1.3 uClibc-
    local     V2.1.3 uClibc-   LEAF Bering local package
    modules   V2.1.3 uClibc-   Define & contain your LEAF Bering modules
    iptables  1.2.9            IP packet filter administration tools for 2.4.
    dhcpcd    1.3.22pl4-7 Re   dhcpcd is a RFC2131 and RFC1541 compliant DHCP
    keyboard  0.3              Define your keyboard settings
    shorwall  1.4.10e          Shoreline Firewall (Shorewall)
    ulogd     1.02             The Netfilter Userspace Logging Daemon
    dnscache  1.05a            A fast & secure proxy DNS server, patched for
    dropbear  0.42             Dropbear SSH 2 server and scp client
    weblet    1.2.4 Rev 2      LEAF status via a small web server

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
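The policy and rules tables posted above, run through a small evaluator added here (it is not code from the list, from Shorewall, or from either poster): it applies Shorewall's order of evaluation, rules first in file order and then the first matching policy line, and reports which probes each zone pair accepts, which answers the question about the loc -> dmz tcp 80 rule and shows what the DMZ hosts can reach. The zone names and the rules/policy text are taken from the message; the probe set is derived from the ports the rules mention.

```python
# Policy and rules tables constructed from the text quoted in the thread (header comments dropped).
POLICY = """\
loc net accept
net all drop ulog
all all reject ulog
"""
RULES = """\
accept net dmz tcp 80
accept loc dmz tcp 80
accept fw net tcp 53
accept fw net udp 53
accept loc fw tcp 22
accept loc fw icmp 8
accept net fw icmp 8
accept fw loc icmp 8
accept fw net icmp 8
accept fw dmz icmp 8
accept loc fw udp 53
accept loc fw tcp 80
"""
ZONES = ("fw", "net", "loc", "dmz")

def parse(text):
    """Split a Shorewall table into whitespace-separated fields, skipping comments and blanks."""
    return [ln.split() for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def zone_match(pattern, zone):
    return pattern in ("all", zone)

def evaluate(src, dst, proto, port, rules=RULES, policy=POLICY):
    """Action applied to a NEW connection src->dst: rules are tried first in file order,
    then the first policy line whose SOURCE and DEST match ('all' is a wildcard)."""
    for action, rsrc, rdst, rproto, rport in (f[:5] for f in parse(rules)):
        if (zone_match(rsrc, src) and zone_match(rdst, dst)
                and rproto == proto and rport == str(port)):
            return action
    for psrc, pdst, paction in (f[:3] for f in parse(policy)):
        if zone_match(psrc, src) and zone_match(pdst, dst):
            return paction
    return "reject"  # not reached while a catch-all 'all all' policy line exists

def exposure(rules=RULES, policy=POLICY):
    """Map each (src, dst) zone pair to the 'proto/port' probes from the rules file it accepts."""
    probes = sorted({(f[3], f[4]) for f in parse(rules)})
    return {(s, d): [f"{p}/{n}" for p, n in probes
                     if evaluate(s, d, p, n, rules, policy) == "accept"]
            for s in ZONES for d in ZONES if s != d}
```

With the files as posted, dmz -> loc gets no accept at all (the LAN is not reachable from the DMZ), but dmz -> net is also caught by the all/all reject policy, so the DMZ servers cannot initiate connections of their own, including DNS lookups to the nameservers they are configured with.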
