Hi Craig,

> Hi folks,
> Yippee!!! That solved it!!! Thank you Eric, KP, and Brett.
>
Great.

>
> One final question, if I may. Rather than having my wireless router
> "hanging out there as the proverbial low hanging fruit", I'd like to
> "protect" it just like my internal LAN.
>
> Which shorewall config settings of the LAN do I need to duplicate for the
> DMZ to achieve this???
>
By looking at the start of the mail, the policy you set is:
/etc/shorewall/policy - DMZ > NET > ACCEPT

This means that all other traffic is blocked, like firewall - dmz, dmz -
firewall, net - dmz, lan - dmz, dmz - lan. But this says nothing about your
wireless security. If you want to secure your wireless connection, you need
to run WPA(2) on your wireless router.

>
> Thank you all for your continued help! :-)
>
>
> Craig
>
Eric

>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Spakman
>  Sent: Saturday, December 23, 2006 1:02 PM
> To: Craig Caughlin
> Cc: leaf-user@lists.sourceforge.net
> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>
>
> Hi Craig,
>
>
>>
>> Wow, thanks everyone. :-)
>>
>>
>>
>> I like kp's idea of creating a separate subnet for the DMZ (e.g:
>> 192.168.2.0).
>>
>>
>>
>> Do I do that all through dnsmasq.conf?...or are there changes I need to
>>  make to shorewall as well?
>>
> You have to make them in /etc/network/interfaces:
>
> auto eth1
> iface eth1 inet static
>     address 192.168.1.254
>     netmask 255.255.255.0
>     broadcast 192.168.1.255
>
> auto eth2
> iface eth2 inet static
>     address 192.168.2.254
>     netmask 255.255.255.0
>     broadcast 192.168.2.255
>
>
> And if you want to have dhcp on both networks you have to do something
> like this in dnsmasq.conf:
>
> dhcp-range=192.168.1.1,192.168.1.199,12h
> dhcp-range=192.168.2.1,192.168.2.199,12h
>
> In shorewall it's important in the above case to have both
>
> loc eth1 detect dhcp
>
> and
>
> dmz eth2 detect dhcp
>
> in the shorewall/interfaces file.
>
> Eric
>
>
>> Thank you,
>> Craig
>>
>>
>>
>> -----Original Message-----
>> From: Eric Spakman [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, December 23, 2006 11:24 AM
>> To: Craig Caughlin
>> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>>
>>
>>
>> Hi Craig,
>>
>>
>>
>>> Unfortunately, no. :-(
>>>
>>>
>>>
>>> I've even tried changing cables to be sure it wasn't a simple problem
>>>  like that (even though they're brand new cables).
>>>
>>> Suggestions?
>>>
>>>
>>>
>> A few things to check:
>> Do you have an ip connection at all? Try to give the system a fixed
>> ip address and run ping. If that works, enable dhcp on that system again
>> and look if dhcp traffic isn't blocked. This can be done with
>> 'shorewall hits', but it's better to use tcpdump to 'sniff' the traffic.
>>
>>> Thank you,
>>> Craig
>>>
>>>
>>>
>> Eric
>>
>>
>>
>>> -----Original Message-----
>>> From: Eric Spakman [mailto:[EMAIL PROTECTED]
>>> Sent: Saturday, December 23, 2006 11:07 AM
>>> To: Craig Caughlin
>>> Cc: leaf-user@lists.sourceforge.net
>>> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>>>
>>>
>>>
>>> Hi Craig,
>>>
>>>
>>>
>>>> Hi Eric,
>>>> The only thing I have done to get things up and running is:
>>>>
>>>>
>>>>
>>>> I've uncommented "dhcp-range=192.168.1.1,192.168.1.199,12h" in the
>>>> /etc/dnsmasq.conf file. Do I need to do something different?
>>>>
>>>>
>>>>
>>> No, that's enough to serve dhcp addresses.
>>>
>>>
>>>
>>>> Also, should I add another interface in /etc/dhcpc/config ? I see
>>>> at the bottom it says, # Add other interfaces here *) ;;
>>>>
>>>>
>>>>
>>>> Should I add eth2? What does the syntax look like?:
>>>>
>>>>
>>>>
>>>> # Add other interfaces here
>>>> *)
>>>> eth2 ;;
>>>>
>>>>
>>>> Is that right (and/or do I even need to worry about it?)?
>>>>
>>>>
>>>>
>>> This is the configuration of dhcpcd, the dhcp client. You don't need
>>> to worry about that.
>>>
>>>> Thank you! :-)
>>>>
>>>>
>>>>
>>> Is it working now in the dmz?
>>>
>>>
>>>
>>>> Craig
>>>>
>>>>
>>>>
>>> Eric
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Eric Spakman [mailto:[EMAIL PROTECTED]
>>>> Sent: Saturday, December 23, 2006 10:35 AM
>>>> To: Craig Caughlin
>>>> Cc: leaf-user@lists.sourceforge.net
>>>> Subject: Re: [leaf-user] No DHCP address to the DMZ :-(
>>>>
>>>>
>>>>
>>>> Hi Craig,
>>>>
>>>>
>>>>
>>>>> Hi folks,
>>>>> Happy Holidays. :-)
>>>>>
>>>>>
>>>>>
>>>> Happy Holidays to you ;-)
>>>>
>>>>
>>>>
>>>>> I'm using the new, Bering uClibc 3.0, and my LAN connections
>>>>> to/from the web, etc. work great.
>>>>>
>>>>> Now, I'm trying to set up a wireless router in my DMZ, and it's not
>>>>> getting a dynamic IP address (I have confirmed this by connecting a
>>>>> laptop via crossover cable directly to the DMZ NIC). Here's my
>>>>> scenario:
>>>>>
>>>>>
>>>>> 1. I'm using the new, Bering uClibc 3.0
>>>>> 2. ip addr show displays:
>>>>>
>>>>>
>>>>>
>>>>> eth0:  mtu 1500 qdisc pfifo_fast qlen 1000
>>>>>     link/ether 00:02:e3:1d:e2:a5 brd ff:ff:ff:ff:ff:ff
>>>>>     inet 67.164.217.61/23 brd 255.255.255.255 scope global eth0
>>>>>
>>>>> eth1:  mtu 1500 qdisc pfifo_fast qlen 1000
>>>>>     link/ether 00:02:e3:23:c1:1f brd ff:ff:ff:ff:ff:ff
>>>>>     inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
>>>>>
>>>>> eth2:  mtu 1500 qdisc pfifo_fast qlen 1000
>>>>>     link/ether 00:02:e3:22:a0:51 brd ff:ff:ff:ff:ff:ff
>>>>>     inet 192.168.1.100/24 brd 192.168.1.255 scope global eth2
>>>>>
>>>>>
>>>>>
>>>>> 3. I uncommented the DMZ section of /etc/network/interfaces
>>>>> 4. I have the following changes to Shorewall:
>>>>>
>>>>>
>>>>>
>>>>> /etc/shorewall/zones - Uncommented the DMZ line
>>>>> /etc/shorewall/policy - DMZ > NET > ACCEPT
>>>>> /etc/shorewall/rules - DNS/ACCEPT dmz > fw, Ping/ACCEPT dmz > fw,
>>>>> and ACCEPT fw dmz > icmp
>>>>> /etc/shorewall/interfaces - dmz eth2 detect dhcp
>>>>> /etc/shorewall/masq - Unchanged
>>>>> /etc/shorewall/routestopped - Unchanged
>>>>>
>>>>>
>>
>>
>> -----------------------------------------------------------------------
>> --
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to share
>> your opinions on IT & business topics through brief surveys - and earn
>> cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVD
>> EV
>> ------------------------------------------------------------------------
>>  leaf-user mailing list: leaf-user@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/leaf-user
>> Support Request -- http://leaf-project.org/
>>
>>
>>
>
>
>
>
>
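
An added example, not part of the original thread and not Shorewall's own code: a first-match reading of a policy file that lists the effective policy for every zone pair, which is how to check what a single ACCEPT entry leaves blocked. Only the dmz-to-net ACCEPT entry comes from the thread; the other policy lines, the zone list and the function names are constructed assumptions.

```python
# Added example: first-match evaluation of a Shorewall-style policy file.
# SAMPLE_POLICY is constructed; only "dmz net ACCEPT" is taken from the thread.
# Entries in /etc/shorewall/rules are exceptions checked before the policy
# and are not modelled here.
from itertools import product

SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY  LOG
loc      net   ACCEPT
dmz      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

ZONES = ["fw", "net", "loc", "dmz"]  # zone names assumed for this example


def parse_policy(text):
    """Return [(source, dest, policy), ...] in file order, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def decide(entries, src, dst):
    """Policy applied to a new connection src -> dst that no rule matched."""
    for e_src, e_dst, policy in entries:
        if e_src in (src, "all") and e_dst in (dst, "all"):
            return policy  # first matching entry wins
    return None  # nothing matched: the file has no catch-all entry


def matrix(entries, zones=ZONES):
    """Map every inter-zone pair to its effective policy (same-zone pairs omitted)."""
    return {(s, d): decide(entries, s, d)
            for s, d in product(zones, repeat=2) if s != d}


if __name__ == "__main__":
    for (s, d), p in matrix(parse_policy(SAMPLE_POLICY)).items():
        print(f"{s:>4} -> {d:<4} {p}")
```

A `None` in the output means the file has no catch-all entry for that pair, so the "everything else is blocked" reading depends on the final `all all` line being present.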


