This is because your firewall machine is doing NAT, which is translating
addresses going out. If anything is coming inbound (from the DMZ or the
internet), it will not pass through unless there was a previous matching
outbound request. I will use a web server implementation to help you
picture this.

There is a way to run things like a server behind the NAT, but you must
have a dedicated port on the firewall machine available. For example:

Your firewall machine: 111.222.333.444
A webserver inside the NAT: 192.168.0.100

For someone in the DMZ or internet to reach the webserver (since
192.168.xx.xx addresses are non-routable), you must set up a port
translation and direct web visitors to the 111.222.333.444 box. In the
firewall, you tell it that if it receives a conn on port 80 (www), then it
passes it through to 192.168.0.100. If you run a 2nd webserver, then it has
to be on a different port (since 80 is already translated to 192.168.0.100).

You will have a similar problem with your samba implementation. Since NAT
connections must first be outbound, you can't initiate an inbound
connection first, since the NAT box does not know where to send it. NAT is
not generally designed to go 2-way (inbound connections first). If it
did, there would be no point to a firewall.

Possible solution (theory--I have not tried this first): you could set up a
port translation to hit your firewall box at port 139. Translate that to a
system inside the NAT side, but you will only be able to browse that box.
A reason you can see the systems is that your firewall box is
broadcasting the NetBIOS names to your DMZ, but the DMZ has to initiate a
connection INBOUND to the NAT to browse a box, which can't be done unless
you set up a port translation. You will need to allow connections to port
139 from your DMZ subnet only, otherwise you expose your network.

I hope this helps and was not too confusing. The IPChains-HOWTO explains
this, in Section 5 or 7 I think.
-=>Jim Roland
"Never settle with words what you can settle with a flamethrower."
--Anonymous
On Fri, 31 Mar 2000, Oommen Thomas wrote:
> Date: Fri, 31 Mar 2000 12:24:19 -0500 (EST)
> From: Oommen Thomas <[EMAIL PROTECTED]>
> To: LENGARD Pascal OCISI <[EMAIL PROTECTED]>
> Cc: 'Linux Admin List' <[EMAIL PROTECTED]>,
>     'Linux Net List' <[EMAIL PROTECTED]>
> Subject: RE: SAMBA & Cross-subnet browsing
>
>
> Tried that too.
> Doesn't work even after allowing all tcp/udp ports between DMZ and LAN.
> I can access everything from inside.
> But from DMZ, the browse list shows up but LAN machines are not
> accessible (all in Win).
>
> Thanks
> Oommen
>
> On Fri, 31 Mar 2000, LENGARD Pascal OCISI wrote:
>
> <pascal.lengard>open wide your firewall and test again. if it still does not work then you
> <pascal.lengard>have a SAMBA problem, else you have a firewall-rule problem.
> <pascal.lengard>
> <pascal.lengard>pascal
> <pascal.lengard>
> <pascal.lengard>> -----Original Message-----
> <pascal.lengard>> From: [EMAIL PROTECTED]
> <pascal.lengard>> [mailto:[EMAIL PROTECTED]]On Behalf Of Oommen Thomas
> <pascal.lengard>> Sent: Friday, March 31, 2000 5:44 PM
> <pascal.lengard>> To: Linux Admin List; Linux Net List
> <pascal.lengard>> Subject: SAMBA & Cross-subnet browsing
> <pascal.lengard>>
> <pascal.lengard>>
> <pascal.lengard>>
> <pascal.lengard>> Hi all,
> <pascal.lengard>>
> <pascal.lengard>> We have a Linux firewall bridging a LAN and the Internet (most clients
> <pascal.lengard>> being win9x and NT).
> <pascal.lengard>> There are some machines in the DMZ too.
> <pascal.lengard>> A Linux/SAMBA server is used as the WINS server for both subnets.
> <pascal.lengard>>
> <pascal.lengard>> Each machine within the LAN can see/browse all other machines.
> <pascal.lengard>> But not the other way round.
> <pascal.lengard>> ie the machines in the DMZ can see but not browse the LAN machines.
> <pascal.lengard>>
> <pascal.lengard>> I have allowed traffic of udp/tcp ports 137-139 between DMZ
> <pascal.lengard>> and LAN, with
> <pascal.lengard>> masquerading. Isn't that enough, or do I have to do anything
> <pascal.lengard>> more on the
> <pascal.lengard>> firewall?
> <pascal.lengard>>
> <pascal.lengard>> TIA
> <pascal.lengard>> -
> <pascal.lengard>> Oommen
>
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
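As an added illustration of the NAT behaviour Jim describes above (this is example code written for this page, not code from the thread, from Samba or from ipchains), the following Python model walks through the four cases his reply makes: a LAN host going outbound gets its reply back, an unsolicited connection from the DMZ is dropped because the NAT box has no entry for it, a port translation for 139 makes exactly one LAN host reachable, and restricting that translation to the DMZ subnet keeps the same port closed to the Internet. All addresses are constructed: the public address 203.0.113.1 stands in for the thread's 111.222.333.444 (which is not a valid IPv4 address), and 10.0.1.0/24 is an assumed DMZ subnet.

```python
"""Model of a masquerading firewall with one-way NAT plus explicit port forwards.

Added example for this thread; not Samba, ipchains or the poster's configuration.
Addresses are constructed: 203.0.113.1 stands in for the thread's 111.222.333.444,
10.0.1.0/24 is an assumed DMZ subnet, 198.51.100.9 an arbitrary Internet host.
"""
import ipaddress
from dataclasses import dataclass, field

FIREWALL_PUBLIC = "203.0.113.1"                 # assumed public side of the firewall
LAN_NET = ipaddress.ip_network("192.168.0.0/24")  # the non-routable LAN from the thread
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")     # constructed DMZ subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class PortForward:
    """'If it receives a conn on <public_port>, pass it through to <internal_host>'."""
    proto: str
    public_port: int
    internal_host: str
    internal_port: int
    allowed_src: ipaddress.IPv4Network  # only this subnet may use the forward


@dataclass
class NatBox:
    public_ip: str = FIREWALL_PUBLIC
    forwards: list = field(default_factory=list)
    # (proto, translated public port) -> (lan_host, lan_port, remote_host, remote_port)
    table: dict = field(default_factory=dict)
    next_port: int = 61000

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host initiates: record a translation, rewrite the source."""
        if ipaddress.ip_address(pkt.src) not in LAN_NET:
            raise ValueError("only LAN hosts are masqueraded")
        port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Packet arriving on the public side; returns the delivered packet or None."""
        if pkt.dst != self.public_ip:
            return None
        # 1. A reply to a previous matching outbound request passes through.
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry and entry[2] == pkt.src and entry[3] == pkt.sport:
            lan_host, lan_port, _, _ = entry
            return Packet(pkt.src, pkt.sport, lan_host, lan_port, pkt.proto)
        # 2. An explicit port translation, limited to the allowed source subnet.
        for fw in self.forwards:
            if (fw.proto == pkt.proto and fw.public_port == pkt.dport
                    and ipaddress.ip_address(pkt.src) in fw.allowed_src):
                return Packet(pkt.src, pkt.sport, fw.internal_host,
                              fw.internal_port, pkt.proto)
        # 3. Unsolicited inbound: the NAT box does not know where to send it.
        return None


def scenario() -> dict:
    """Replay the cases from the reply and collect what each one yields."""
    nat = NatBox()
    results = {}
    # LAN client opens a session to a DMZ host: outbound first, so the reply returns.
    out = nat.outbound(Packet("192.168.0.50", 1025, "10.0.1.20", 139))
    reply = nat.inbound(Packet("10.0.1.20", 139, out.src, out.sport))
    results["lan_to_dmz_reply_dst"] = reply.dst if reply else None
    # DMZ host tries to open a session into the LAN first: no entry, dropped.
    results["dmz_unsolicited"] = nat.inbound(Packet("10.0.1.20", 1026, FIREWALL_PUBLIC, 139))
    # Port translation for 139 to one LAN box, allowed from the DMZ subnet only.
    nat.forwards.append(PortForward("tcp", 139, "192.168.0.100", 139, DMZ_NET))
    fwd = nat.inbound(Packet("10.0.1.20", 1027, FIREWALL_PUBLIC, 139))
    results["dmz_forwarded_dst"] = fwd.dst if fwd else None
    # The same port from the Internet stays closed because of the source restriction.
    results["internet_to_139"] = nat.inbound(Packet("198.51.100.9", 1028, FIREWALL_PUBLIC, 139))
    # Public port 139 can only point at a single internal host.
    results["hosts_behind_139"] = len({f.internal_host for f in nat.forwards
                                       if f.public_port == 139})
    return results


if __name__ == "__main__":
    for case, value in scenario().items():
        print(f"{case}: {value}")
```

The model deliberately keeps the translation table keyed on the translated public port and checks the remote endpoint on the way back, which is what makes an unsolicited DMZ packet to port 139 fall through to the forward rules rather than being mistaken for a reply. Adding a second PortForward on public port 139 would not make a second LAN host browsable; it would simply be shadowed by the first rule, matching Jim's point that a second server needs its own port.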