Re: [Leaf-user] Help with a webserver on a DMZ network.

2002-01-02 Thread Charles Steinkuehler

> It seems I got things working now
> I can connect to the webserver using my public IP
> I can't use the public IP from the LAN. I have to use the private IP of the
> box on the DMZ. I can live with that.

This is how it's supposed to work...

With a "private" port-forwarded DMZ, there's no way to get DMZ systems to
use public IP's to talk to other DMZ systems without bizarre routing tricks.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread David Douthitt

On 1/1/02 at 3:58 AM, djoutlaw outlaw <[EMAIL PROTECTED]> wrote:

> I thought setting up LEAF would be hard but it seems to
> be very easy.
> 
> Thanks to Charles Steinkuehler and this board I have
> gotten plenty of help!

Just a nit: LEAF is a superproject of LRP variants, not a specific LRP
type system; currently Dachstein and Oxygen are the two main LEAF
variants.  The system you set up sounds like it was likely Eigerstein
or Dachstein; however, Oxygen is very powerful and capable also...
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]




Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw

I am sorry for the EXTERN_IP=PUBLIC IP; I was just hiding my own IP.
Please, everyone, disregard.

I thought setting up LEAF would be hard but it seems to be very easy.

Thanks to Charles Steinkuehler and this board I have gotten plenty of help!



>From: guitarlynn <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "djoutlaw outlaw" <[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] Help with a webserver on a DMZ network.
>Date: Mon, 31 Dec 2001 21:50:14 -0600
>
>On Mon, 31 Dec 2001, you wrote:
> > It seems I got things working now
> > I can connect to the webserver using my public IP
> > I can't use the public IP from the LAN. I have to use the private IP of
> > the box on the DMZ. I can live with that.
>
>IP spoofing rules: you really want those. I thought someone had
>mentioned it.
>
> > > > # interface, but you aren't using DHCP (ie PPPoE and dialup users)
> > > > EXTERN_IP=PUBLIC IP
> > > >   ^^
> > >
> > >What's the purpose of this entry?
>
>ppp (dial-up) and pppoe (some xDSL) require a script and "adapter" to
>get an IP as opposed to the network/modem device itself. The line is
>to distinguish between an adapter and a device for the IP addy.
>
>~Lynn Avants
>
>
>--
>If linux isn't the solution, you've got the wrong problem.






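Charles's point above (a private, port-forwarded DMZ cannot be reached through the public IP from the inside) and Lynn's reminder about the IP spoofing rules both come down to what the firewall does with a packet depending on which NIC it arrived on. The following is an added example, not code from the thread or from LEAF/Dachstein: a toy Python model of the three-NIC box. Only the 192.168.2.12 web server, the 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ and the eth0/eth1/eth2 layout come from the thread; the public address 203.0.113.10 (a TEST-NET-3 documentation address) and the client addresses are assumed, standing in for the poster's hidden IP. The model assumes the port forward is applied only to packets arriving on the external interface, which is the usual reason a LAN client aiming at the public IP ends up at the firewall itself; `hairpin=True` shows the extra translation a firewall would have to do for that to work.

```python
"""Toy model of a port-forwarded ("PRIVATE") DMZ behind a three-NIC LEAF box.

Constructed for illustration; not code from the thread or from Dachstein.
Assumptions: eth0 = internet (EXTERN_IP), eth1 = LAN 192.168.1.0/24,
eth2 = DMZ 192.168.2.0/24, the web server at 192.168.2.12, and a public
address taken from the TEST-NET-3 documentation range.
"""
from ipaddress import ip_address, ip_network

EXTERN_IP = ip_address("203.0.113.10")          # assumed public address
IF_NETS = {
    "eth1": ip_network("192.168.1.0/24"),       # internal LAN
    "eth2": ip_network("192.168.2.0/24"),       # DMZ_NET
}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# DMZ_SERVERn="tcp ${EXTERN_IP} www 192.168.2.12 www", as a lookup table
FORWARDS = {("tcp", EXTERN_IP, 80): (ip_address("192.168.2.12"), 80)}


def spoofed(in_if, src):
    """The IP spoofing rules: is this source impossible for the NIC it came in on?"""
    src = ip_address(src)
    if in_if == "eth0":
        # From the internet we must never see our own address or a private one.
        return src == EXTERN_IP or any(src in net for net in RFC1918)
    # On an internal NIC the source has to belong to that NIC's own network,
    # so a DMZ host cannot pretend to be a LAN client (or the other way round).
    return src not in IF_NETS[in_if]


def deliver(in_if, src, proto, dst, dport, hairpin=False):
    """Where does the packet end up?

    Returns 'ip:port' of the host that receives it, 'firewall:port' if the
    firewall itself does, or None if it is dropped.

    Without hairpin the port forward is only applied to packets arriving on
    eth0, so a LAN client aiming at EXTERN_IP reaches the firewall, not the
    DMZ server.  With hairpin=True the same translation is also applied to
    packets from the inside NICs (a real firewall must then also make sure the
    server's reply comes back through that same translation).
    """
    src, dst = ip_address(src), ip_address(dst)
    if spoofed(in_if, src):
        return None
    fwd = FORWARDS.get((proto, dst, dport))
    if fwd and (in_if == "eth0" or hairpin):
        return f"{fwd[0]}:{fwd[1]}"
    if dst == EXTERN_IP:
        return f"firewall:{dport}"
    # Ordinary routing between the attached networks: the private-IP path
    # that the poster found does work from the LAN.
    if in_if != "eth0" and any(dst in net for net in IF_NETS.values()):
        return f"{dst}:{dport}"
    return None


if __name__ == "__main__":
    print(deliver("eth0", "198.51.100.7", "tcp", "203.0.113.10", 80))  # 192.168.2.12:80
    print(deliver("eth1", "192.168.1.5", "tcp", "203.0.113.10", 80))   # firewall:80
    print(deliver("eth1", "192.168.1.5", "tcp", "192.168.2.12", 80))   # 192.168.2.12:80
    print(deliver("eth1", "192.168.1.5", "tcp", "203.0.113.10", 80, hairpin=True))  # 192.168.2.12:80
    print(deliver("eth0", "192.168.2.12", "tcp", "203.0.113.10", 80))  # None (spoofed)
```

The second and third calls are exactly the two cases the poster reports: the public IP from the LAN lands on the firewall, the private IP reaches the server. The last call is what the spoofing rules buy you: a packet from the internet claiming to come from the DMZ host never gets as far as the port forward.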



RE: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw

It seems I got things working now
I can connect to the webserver using my public IP
I can't use the public IP from the LAN. I have to use the private IP of the
box on the DMZ. I can live with that.


>From: "Tony" <[EMAIL PROTECTED]>
>To: "djoutlaw outlaw" <[EMAIL PROTECTED]>,   
><[EMAIL PROTECTED]>
>Subject: RE: [Leaf-user] Help with a webserver on a DMZ network.
>Date: Mon, 31 Dec 2001 19:47:03 -0500
>
>I am just starting to set up a DMZ, but I have a few questions on your
>setup; they are noted below
>
> >
> >
> > # Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from 
>the
> > # interface, but you aren't using DHCP (ie PPPoE and dialup users)
> > EXTERN_IP=PUBLIC IP
> >   ^^
>
>What's the purpose of this entry?  From what I see in the network.conf 
>file,
>the line above
>should take care of business:
># External Interface IP number...the default should be fine for most folks
>#eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
>
>
>[snip]
> >
> > ## UDP Services open to outside world
> > # Space separated list: srcip/mask_dstport
> > # NOTE: bootpc port is used for dhcp client
> > EXTERN_UDP_PORTS="0/0_80"
> >
>
>And why do you have udp 80 open?  Webservers use tcp.
>
> >
> > # TCP services open to outside world
> > # Space separated list: srcip/mask_dstport
> > EXTERN_TCP_PORTS="0/0_80"
> >
>
>Good
>
>
>I don't know that much about setting up a DMZ (yet) but this is what jumps
>out at me as strange in the setup.  I hope this is somewhat helpful.
>
>Later
>
>Tony
>
>









RE: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw

I really don't have any use for UDP; I just left it open, just playing around
with it. I worked on it ALL day yesterday and got nothing.
STUPID ME never thought to change the DMZ system gateway to the IP of eth2!!
Saw this in one of the other threads; changed to the right default gateway,
and the DMZ system can now see the internet.
This is halfway there.  I am still having trouble with the webserver that is
on the DMZ system.





>From: "Tony" <[EMAIL PROTECTED]>
>To: "djoutlaw outlaw" <[EMAIL PROTECTED]>,   
><[EMAIL PROTECTED]>
>Subject: RE: [Leaf-user] Help with a webserver on a DMZ network.
>Date: Mon, 31 Dec 2001 19:47:03 -0500
>
>I am just starting to set up a DMZ, but I have a few questions on your
>setup; they are noted below
>
> >
> >
> > # Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from 
>the
> > # interface, but you aren't using DHCP (ie PPPoE and dialup users)
> > EXTERN_IP=PUBLIC IP
> >   ^^
>
>What's the purpose of this entry?  From what I see in the network.conf 
>file,
>the line above
>should take care of business:
># External Interface IP number...the default should be fine for most folks
>#eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"
>
>
>[snip]
> >
> > ## UDP Services open to outside world
> > # Space separated list: srcip/mask_dstport
> > # NOTE: bootpc port is used for dhcp client
> > EXTERN_UDP_PORTS="0/0_80"
> >
>
>And why do you have udp 80 open?  Webservers use tcp.
>
> >
> > # TCP services open to outside world
> > # Space separated list: srcip/mask_dstport
> > EXTERN_TCP_PORTS="0/0_80"
> >
>
>Good
>
>
>I don't know that much about setting up a DMZ (yet) but this is what jumps
>out at me as strange in the setup.  I hope this is somewhat helpful.
>
>Later
>
>Tony
>
>









RE: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread Tony

I am just starting to set up a DMZ, but I have a few questions on your setup;
they are noted below

>
>
> # Set EXTERN_IP to "DYNAMIC" if you need the rules to read the IP from the
> # interface, but you aren't using DHCP (ie PPPoE and dialup users)
> EXTERN_IP=PUBLIC IP
>   ^^

What's the purpose of this entry?  From what I see in the network.conf file,
the line above
should take care of business:
# External Interface IP number...the default should be fine for most folks
#eval EXTERN_IP=\"\${"$EXTERN_IF"_IPADDR:-""}\"


[snip]
>
> ## UDP Services open to outside world
> # Space separated list: srcip/mask_dstport
> # NOTE: bootpc port is used for dhcp client
> EXTERN_UDP_PORTS="0/0_80"
>

And why do you have udp 80 open?  Webservers use tcp.

>
> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> EXTERN_TCP_PORTS="0/0_80"
>

Good


I don't know that much about setting up a DMZ (yet) but this is what jumps
out at me as strange in the setup.  I hope this is somewhat helpful.

Later

Tony






Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw
ternal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access

###
# DMZ setup (optional)
###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
DMZ_SWITCH=PRIVATE
DMZ_IF="eth2"
DMZ_NET=192.168.2.0/24




# Inbound services to allow to the DMZ
# __
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_domain
icmp_${DMZ_NET}_:
udp_192.168.2.12_www
tcp_${DMZ_NET}_www
tcp_192.168.2.12_www"

# PRIVATE DMZ switches
###
# Services port-forwarded to the DMZ network
# Indexed list: "Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
DMZ_SERVER0="udp ${EXTERN_IP} domain 192.168.2.12 domain"
DMZ_SERVER1="tcp ${EXTERN_IP} domain 192.168.2.12 domain"
DMZ_SERVER2="tcp ${EXTERN_IP} 80 192.168.2.12 80"   # was a second DMZ_SERVER1; in sh the repeat silently replaced the DNS entry above
#DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
DMZ_SERVER4="tcp ${EXTERN_IP} www 192.168.2.12 www"

# Allow all outbound traffic from DMZ (YES)
# or just traffic from port-forwarded servers (NO)
DMZ_OUTBOUND_ALL=YES






>From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
>To: "djoutlaw outlaw" <[EMAIL PROTECTED]>,
><[EMAIL PROTECTED]>
>Subject: Re: [Leaf-user] Help with a webserver on a DMZ network.
>Date: Mon, 31 Dec 2001 10:24:20 -0600
>
> > I am trying to setup DMZ for my webserver.
> >
> > I have 3 NICs 1 External PUBLIC_IP
> >   1 Internal LAN  192.X.X.x
> >   1 DMZ  10.0.1.1
> >
> >
> > I am using leaf 2.2.19 Dachstein. I'm wondering, does anyone have any DMZ
> > config files to share to set up the webserver on the DMZ so that it is not
> > seen on the network.
> >
> > I was able to connect to the webserver using the private address (10.X.X.X)
> > from the internal LAN.  I was told if the webserver is set up right that I
> > could use the static IP address and be able to connect to the server.  I
> > have not been able to do that.
> >
> >
> > # DMZ setup
> > # Whether you want a DMZ or not (YES, PROXY, NO)
> > DMZ_SWITCH=YES
> > DMZ_IF="eth2" # DMZ Interface
> > DMZ_NET=10.0.1.0/24 # DMZ Network
>
>Hmm...make sure you're really using the Dachstein firewall scripts.  The
>above should look like:
>
>
>###
># DMZ setup (optional)
>
>###
># Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
>
>You want to set DMZ=PRIVATE...none of the other settings work unless you
>have more than one public IP.
>
>
>
> > # Inbound services to allow to the DMZ
> > # __
> > DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
> > tcp_${DMZ_NET}_ssh
> > tcp_10.0.1.2_www
>
>It looks like you want to setup dns, ssh, and www services on your DMZ
>system.  To do this with a private DMZ, use the following:
>
>DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
>DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
>DMZ_SERVER2="tcp $EXTERN_IP ssh 10.0.1.2 ssh"
>DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"
>
>NOTE that you can change the source (or destination) port, if desired...you
>may want/need to do this if you also want to ssh into your firewall from 
>the
>internet.  You can port-forward a different port (like 221) to the
>web-server by using the following instead:
>DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"
>
>You probably also want:
>DMZ_OUTBOUND_ALL=YES
>
>To allow your DMZ system general masqueraded access to the internet,
>otherwise it can only respond to the services you've configured (ie no
>web-browsing or ftp downloading software updates).
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>









Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread Charles Steinkuehler

> I am trying to setup DMZ for my webserver.
>
> I have 3 NICs 1 External PUBLIC_IP
>   1 Internal LAN  192.X.X.x
>   1 DMZ  10.0.1.1
>
>
> I am using leaf 2.2.19 Dachstein. I'm wondering, does anyone have any DMZ
> config files to share to set up the webserver on the DMZ so that it is not
> seen on the network.
>
> I was able to connect to the webserver using the private address (10.X.X.X)
> from the internal LAN.  I was told if the webserver is set up right that I
> could use the static IP address and be able to connect to the server.  I
> have not been able to do that.
>
>
> # DMZ setup
> # Whether you want a DMZ or not (YES, PROXY, NO)
> DMZ_SWITCH=YES
> DMZ_IF="eth2" # DMZ Interface
> DMZ_NET=10.0.1.0/24 # DMZ Network

Hmm...make sure you're really using the Dachstein firewall scripts.  The
above should look like:


###
# DMZ setup (optional)

###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)

You want to set DMZ=PRIVATE...none of the other settings work unless you
have more than one public IP.



> # Inbound services to allow to the DMZ
> # __
> DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
> tcp_${DMZ_NET}_ssh
> tcp_10.0.1.2_www

It looks like you want to setup dns, ssh, and www services on your DMZ
system.  To do this with a private DMZ, use the following:

DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP ssh 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"

NOTE that you can change the source (or destination) port, if desired...you
may want/need to do this if you also want to ssh into your firewall from the
internet.  You can port-forward a different port (like 221) to the
web-server by using the following instead:
DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"

You probably also want:
DMZ_OUTBOUND_ALL=YES

To allow your DMZ system general masqueraded access to the internet,
otherwise it can only respond to the services you've configured (ie no
web-browsing or ftp downloading software updates).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



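The DMZ_SERVERn and EXTERN_*_PORTS lines discussed in this thread are plain shell assignments, so nothing in the config itself warns about the things the replies point at: Tony's question about port 80 open over UDP, and the DMZ_SERVER1 index that the poster's config earlier in the thread assigned twice (in sh the second assignment silently wins). The following is an added example, not code from the thread or from LEAF/Dachstein: a small Python linter for that fragment of network.conf, run over the entries as posted and over the dns/ssh/www entries Charles suggests above. It assumes the firewall script reads DMZ_SERVER0, DMZ_SERVER1, ... in order and stops at the first one that is unset, so a gap in the numbering hides every later entry; treat that as an assumption about the script, not a documented fact. The service-name table is a constructed subset of /etc/services so the check runs without the real file.

```python
"""Lint the DMZ port-forward fragment of a Dachstein-style network.conf.

Added example, not part of LEAF/Dachstein.  Assumption: the firewall script
walks DMZ_SERVER0, DMZ_SERVER1, ... and stops at the first index that is not
set, so a gap hides every later entry.  SERVICE_PORTS is a constructed subset
of /etc/services so the check runs without the real file.
"""
import re
from ipaddress import ip_address, ip_network

SERVICE_PORTS = {"domain": 53, "ssh": 22, "smtp": 25, "www": 80, "http": 80}
TCP_ONLY = {22, 25, 80}        # none of these services answer on UDP

# DMZ_SERVERn="Protocol LocalIP LocalPort RemoteIP [ RemotePort ]"
SERVER_RE = re.compile(r'^DMZ_SERVER(\d+)="(\w+) (\S+) (\S+) (\S+)(?: (\S+))?"')
# EXTERN_TCP_PORTS / EXTERN_UDP_PORTS: space separated "srcip/mask_dstport"
PORTS_RE = re.compile(r'^EXTERN_(TCP|UDP)_PORTS="([^"]*)"')


def port_number(token):
    """'www' -> 80, '221' -> 221; an unknown service name is returned unchanged."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token, token)


def lint(conf_text, dmz_net="192.168.2.0/24"):
    """Return (code, message) findings for the DMZ lines of conf_text."""
    dmz = ip_network(dmz_net)
    findings, seen_index, seen_forward = [], set(), {}
    for raw in conf_text.splitlines():
        line = raw.strip()                      # commented-out lines never match
        m = SERVER_RE.match(line)
        if m:
            idx, proto, local_ip, local_port, remote_ip, remote_port = m.groups()
            idx = int(idx)
            if idx in seen_index:
                findings.append(("DUP_INDEX",
                    f"DMZ_SERVER{idx} is assigned twice; sh keeps only the last value"))
            seen_index.add(idx)
            lport = port_number(local_port)
            rport = port_number(remote_port or local_port)   # RemotePort defaults to LocalPort
            if proto == "udp" and lport in TCP_ONLY:
                findings.append(("UDP_TCP_SERVICE",
                    f"DMZ_SERVER{idx} forwards {local_port}/udp but that service is TCP"))
            try:
                in_dmz = ip_address(remote_ip) in dmz
            except ValueError:
                in_dmz = False
            if not in_dmz:
                findings.append(("TARGET_NOT_IN_DMZ",
                    f"DMZ_SERVER{idx} targets {remote_ip}:{rport}, which is not in {dmz}"))
            key = (proto, local_ip, lport)      # same public socket forwarded twice?
            if key in seen_forward:
                findings.append(("DUP_FORWARD",
                    f"DMZ_SERVER{idx} repeats DMZ_SERVER{seen_forward[key]} ({proto} {local_ip} {lport})"))
            else:
                seen_forward[key] = idx
            continue
        m = PORTS_RE.match(line)
        if m:
            proto, spec = m.groups()
            for item in spec.split():
                src, _, dport = item.partition("_")
                if proto == "UDP" and port_number(dport) in TCP_ONLY:
                    findings.append(("UDP_TCP_SERVICE",
                        f"EXTERN_UDP_PORTS opens {dport}/udp from {src}; web servers use TCP"))
    if seen_index:
        missing = sorted(set(range(max(seen_index))) - seen_index)
        if missing:
            findings.append(("INDEX_GAP",
                f"DMZ_SERVER{missing[0]} is unset; entries after it are never read"))
    return findings


# The DMZ lines as posted earlier in this thread, EXTERN_*_PORTS included.
POSTED = '''
DMZ_SERVER0="udp ${EXTERN_IP} domain 192.168.2.12 domain"
DMZ_SERVER1="tcp ${EXTERN_IP} domain 192.168.2.12 domain"
DMZ_SERVER1="tcp ${EXTERN_IP} 80 192.168.2.12 80"
#DMZ_SERVER3="tcp 1.2.3.13 smtp 192.168.2.1 smtp"
DMZ_SERVER4="tcp ${EXTERN_IP} www 192.168.2.12 www"
EXTERN_UDP_PORTS="0/0_80"
EXTERN_TCP_PORTS="0/0_80"
'''

# Charles's suggested entries for the 10.0.1.0/24 DMZ, with ssh moved to port 221.
SUGGESTED = '''
DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"
'''

if __name__ == "__main__":
    for code, msg in lint(POSTED):
        print(code, msg)
    print("suggested config:", lint(SUGGESTED, "10.0.1.0/24"))
```

On the posted config this reports the duplicate DMZ_SERVER1, the gap at DMZ_SERVER2, the www entry that repeats the port-80 entry, and the 0/0_80 UDP opening; Charles's four suggested entries come back clean.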



[Leaf-user] Help with a webserver on a DMZ network.

2001-12-28 Thread djoutlaw outlaw

I am trying to setup DMZ for my webserver.

I have 3 NICs 1 External PUBLIC_IP
  1 Internal LAN  192.X.X.x
  1 DMZ  10.0.1.1


I am using leaf 2.2.19 Dachstein. I'm wondering, does anyone have any DMZ
config files to share to set up the webserver on the DMZ so that it is not
seen on the network.

I was able to connect to the webserver using the private address (10.X.X.X)
from the internal LAN.  I was told if the webserver is set up right that I
could use the static IP address and be able to connect to the server.  I
have not been able to do that.


# DMZ setup
# Whether you want a DMZ or not (YES, PROXY, NO)
DMZ_SWITCH=YES
DMZ_IF="eth2"   # DMZ Interface
DMZ_NET=10.0.1.0/24 # DMZ Network

# For Proxy-Arp DMZ's only:
# These IP's are on the external net...all others in the network are assumed
# to be DMZ addresses
DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $eth0_IPADDR"

DMZ_SRC=PUBLIC_IP

# Inbound services to allow to the DMZ
# __
DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
tcp_${DMZ_NET}_ssh
tcp_10.0.1.2_www



Thanks to all!




