Michael D Schleif wrote:
> Ongoing conversion of several Dachstein-CD installations has resulted
> in several challenges.  Please, ask if I have left out pertinent
> information.
>
> What am I missing?  How can we set up the following scenarios with
> Bering-uClibc/Shorewall?
>
> Shorewall zones:
>     fw
>     loc
>     dmz (proxyarp)
>
> Sixty-four (64) public IPs
>
> Typical DMZ hosts OK
>
> We cannot figure out how to do the following, which we have been doing
> quite simply with Dachstein-CD:
>
> [1] Internet -> public_IP:80 -> private_IP:80
>
>     In other words, a web server in loc appears to the Internet that
>     it resides in dmz.
It appears to the world to reside on a public address (which you chose to proxy).

> We have not been able to accomplish this when there is no host at that
> address on dmz. Should that address NOT be configured proxyarp?

Right, use DNAT in shorewall to accomplish this.


> Also, is this scenario possible if there IS a host at that address on
> dmz? In other words, if we have a SMTP host at that address on dmz, can
> we have a web server at that address, that actually resides in loc?

I believe you can have different DNAT addresses depending on the incoming port.


#ACTION SOURCE  DEST                PROTO   DEST    SOURCE  ORIGINAL
#                                           PORT    PORT    DEST
DNAT    net     dmz:ww.xx.yy.zz     tcp     smtp    -       an:yo:ld:ip
DNAT    net     dmz:aa.bb.cc.dd     tcp     http    -       an:yo:ld:ip

Remember, you should _not_ proxy arp those addresses.


> [2] Internet -> public_IP:55555 -> private_IP:555
>
> Notice the port forwarding of one port to a different port.

#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT    DEST
# The target port goes in the DEST column (zone:address:port); the public
# port goes in DEST PORT and SOURCE PORT stays "-".
DNAT    net     dmz:aa.bb.cc.dd:555     tcp     55555   -       an:yo:ld:ip

Remember, you should _not_ proxy arp those addresses.

There may or may NOT be an actual DMZ host on the public IP. It could be a dmz address forwarded to a loc address.

HTH Erich
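
The overlap Erich warns about above (an address that is both proxy-ARPed for a DMZ host and used as the ORIGINAL DEST of a DNAT rule) and the port translation in [2], as an added lint. This is example code, not from the thread or from the Shorewall project: it parses constructed proxyarp and rules fragments and flags public addresses that appear in both places, plus public address/port pairs claimed by more than one DNAT rule. The addresses (203.0.113.x, 192.168.1.80), interface names and the small service-name table are assumptions.

```python
"""Lint for the proxyarp / DNAT overlap discussed above.

Added example, not the poster's configuration: the Shorewall fragments
below are constructed, and every address and interface in them is assumed.
"""
from collections import Counter

# Constructed /etc/shorewall/proxyarp fragment (ADDRESS INTERFACE EXTERNAL HAVEROUTE).
# 203.0.113.20 is listed here AND used as a DNAT ORIGINAL DEST below: the
# overlap the thread warns about.
PROXYARP = """\
#ADDRESS        INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.10    eth2        eth0        no
203.0.113.20    eth2        eth0        no
"""

# Constructed /etc/shorewall/rules fragment:
# ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST
RULES = """\
#ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
#                                               PORT    PORT    DEST
ACCEPT  net     dmz:203.0.113.10        tcp     smtp
DNAT    net     dmz:203.0.113.30        tcp     smtp    -       203.0.113.20
DNAT    net     loc:192.168.1.80        tcp     http    -       203.0.113.20
DNAT    net     loc:192.168.1.80:555    tcp     55555   -       203.0.113.21
"""

# Assumed service-name table; Shorewall itself resolves names via /etc/services.
SERVICES = {"smtp": 25, "http": 80, "https": 443, "ssh": 22}


def _records(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def port_number(port):
    """Resolve a numeric port or one of the assumed service names to an int."""
    if port.isdigit():
        return int(port)
    if port.lower() in SERVICES:
        return SERVICES[port.lower()]
    raise ValueError(f"unknown service name {port!r}")


def parse_proxyarp(text):
    """Return the set of addresses the firewall proxy-ARPs for DMZ hosts."""
    return {fields[0] for fields in _records(text)}


def parse_dnat(text):
    """Extract DNAT rules; DEST may carry a target port as zone:addr:port (IPv4 only)."""
    rules = []
    for f in _records(text):
        if f[0].upper() != "DNAT" or len(f) < 7:
            continue
        zone, addr, *target = f[2].split(":")
        public_port = port_number(f[4])
        rules.append({
            "public_addr": f[6], "proto": f[3].lower(), "public_port": public_port,
            "dest_zone": zone, "dest_addr": addr,
            # No port in DEST means the original destination port is kept.
            "dest_port": port_number(target[0]) if target else public_port,
        })
    return rules


def forwards(rules):
    """Render each DNAT rule as the translation it performs."""
    return [f"{r['public_addr']}:{r['public_port']}/{r['proto']} -> "
            f"{r['dest_zone']}:{r['dest_addr']}:{r['dest_port']}" for r in rules]


def find_conflicts(proxyarp_text, rules_text):
    """Report public addresses that are both proxy-ARPed and DNAT targets,
    and public address/port pairs claimed by more than one DNAT rule."""
    problems = []
    proxied = parse_proxyarp(proxyarp_text)
    rules = parse_dnat(rules_text)
    # proxyarp says a DMZ host owns the address; DNAT ORIGINAL DEST says the
    # firewall rewrites traffic to it. The thread's rule: pick one per address.
    for addr in sorted(proxied & {r["public_addr"] for r in rules}):
        problems.append(f"{addr}: listed in proxyarp and used as DNAT ORIGINAL DEST")
    # Two DNAT rules on the same public address/proto/port: only the first matches.
    hits = Counter((r["public_addr"], r["proto"], r["public_port"]) for r in rules)
    for (addr, proto, port), n in sorted(hits.items()):
        if n > 1:
            problems.append(f"{addr}:{port}/{proto}: forwarded by {n} rules, only the first matches")
    return problems


if __name__ == "__main__":
    for line in forwards(parse_dnat(RULES)):
        print(line)
    for problem in find_conflicts(PROXYARP, RULES):
        print("CONFLICT:", problem)
```

Run as-is it lists the three translations (including 203.0.113.21:55555 -> 192.168.1.80:555) and reports 203.0.113.20 as the one address that is both proxy-ARPed and a DNAT target; the fix in the thread's terms is to drop that line from proxyarp and give the SMTP host its own DNAT rule, as Erich shows.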
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html