Re: [Leaf-user] Help with a webserver on a DMZ network.
> It seems I got things working now. I can connect to the webserver using my public IP, but I can't use the public IP from the LAN. I have to use the private IP of the box on the DMZ. I can live with that.

This is how it's supposed to work... With a private port-forwarded DMZ, there's no way to get DMZ systems to use public IP's to talk to other DMZ systems without bizarre routing tricks.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Help with a webserver on a DMZ network.
> I am trying to set up a DMZ for my webserver. I have 3 NICs:
>   1 External   PUBLIC_IP
>   1 Internal   LAN 192.X.X.x
>   1 DMZ        10.0.1.1
> I am using LEAF 2.2.19 Dachstein. I'm wondering, does anyone have any DMZ config files to share to set up the webserver on the DMZ so that it is not seen on the network? I was able to connect to the webserver using the private address (10.X.X.X) from the internal LAN. I was told if the webserver is set up right that I could use the static IP address and be able to connect to the server. I have not been able to do that.
>
> # DMZ setup
> # Whether you want a DMZ or not (YES, PROXY, NO)
> DMZ_SWITCH=YES
> DMZ_IF=eth2               # DMZ Interface
> DMZ_NET=10.0.1.0/24       # DMZ Network

Hmm...make sure you're really using the Dachstein firewall scripts. The above should look like:

###
# DMZ setup (optional)
###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)

You want to set DMZ=PRIVATE...none of the other settings work unless you have more than one public IP.

[snip]

> # Inbound services to allow to the DMZ
> # __
> DMZ_OPEN_DEST= udp_${DMZ_NET}_domain tcp_${DMZ_NET}_ssh tcp_10.0.1.2_www

It looks like you want to set up dns, ssh, and www services on your DMZ system. To do this with a private DMZ, use the following:

DMZ_SERVER0=udp $EXTERN_IP domain 10.0.1.2 domain
DMZ_SERVER1=tcp $EXTERN_IP domain 10.0.1.2 domain
DMZ_SERVER2=tcp $EXTERN_IP ssh 10.0.1.2 ssh
DMZ_SERVER3=tcp $EXTERN_IP www 10.0.1.2 www

NOTE that you can change the source (or destination) port, if desired...you may want/need to do this if you also want to ssh into your firewall from the internet. You can port-forward a different port (like 221) to the web-server by using the following instead:

DMZ_SERVER2=tcp $EXTERN_IP 221 10.0.1.2 ssh

You probably also want:

DMZ_OUTBOUND_ALL=YES

to allow your DMZ system general masqueraded access to the internet, otherwise it can only respond to the services you've configured (i.e. no web-browsing or ftp downloading of software updates).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
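The DMZ_SERVERn tuples above are easy to get subtly wrong: a target address typed from the wrong segment, two entries fighting over the same public port (the ssh-to-DMZ vs. ssh-to-firewall clash that moving one side to port 221 avoids), or a udp forward for a tcp service. The following is an added example, not part of Dachstein and not Charles's code: a small POSIX sh pre-flight check that reads tuples in the "proto ext_ip ext_port dmz_ip dmz_port" form shown in the thread and reports those problems before the file is committed. The service-name table, the finding labels, and the documentation address 203.0.113.5 standing in for $EXTERN_IP are all assumptions made for illustration; the sample tuples fed to it are constructed from the ones in the reply above.

```sh
#!/bin/sh
# Added example (not Dachstein's own code): lint DMZ_SERVERn tuples of the
# form "proto ext_ip ext_port dmz_ip dmz_port" before they go into network.conf.
# Assumptions: DMZ_NET is given in CIDR form (10.0.1.0/24 as in the thread),
# and the service-name table below covers the names the thread uses.

# Service names used in the thread -> port numbers (assumed table).
port_num() {
    case $1 in
        www|http) echo 80 ;;
        ssh)      echo 22 ;;
        domain)   echo 53 ;;
        smtp)     echo 25 ;;
        *)        echo "$1" ;;      # numeric already, or unknown: left as-is
    esac
}

# True when $1 is a dotted quad with four octets in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# Dotted quad -> 32-bit integer, e.g. 10.0.1.2 -> 167772418
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET/LEN -> true when IP lies inside NET/LEN
in_net() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# lint_dmz_servers DMZ_NET < tuples   (one tuple per line, blank lines ignored)
# Prints one finding per line and returns 0 only when there are none:
#   MALFORMED    fewer than five fields, or dmz_ip is not a dotted quad
#   BAD_PROTO    protocol is not tcp or udp
#   NOT_IN_DMZ   target outside DMZ_NET: the hole would open into the LAN
#   DUP_EXT_PORT same proto/port on the public IP claimed twice; the second
#                entry shadows the first (ssh to the DMZ box vs. the firewall)
#   UDP_HTTP     udp forward of port 80; HTTP is tcp
lint_dmz_servers() {
    dmz_net=$1; seen=""; findings=0
    while read -r proto ext_ip ext_port dmz_ip dmz_port; do
        [ -z "$proto" ] && continue
        if [ -z "$dmz_port" ] || ! is_ipv4 "$dmz_ip"; then
            echo "MALFORMED: $proto $ext_ip $ext_port $dmz_ip $dmz_port"
            findings=$((findings + 1)); continue
        fi
        case $proto in
            tcp|udp) ;;
            *) echo "BAD_PROTO: $proto $ext_ip $ext_port -> $dmz_ip $dmz_port"
               findings=$((findings + 1)); continue ;;
        esac
        if ! in_net "$dmz_ip" "$dmz_net"; then
            echo "NOT_IN_DMZ: $dmz_ip is not in $dmz_net ($proto $ext_port)"
            findings=$((findings + 1))
        fi
        key="$proto/$(port_num "$ext_port")"
        case " $seen " in
            *" $key "*) echo "DUP_EXT_PORT: $key already forwarded; $dmz_ip:$dmz_port is shadowed"
                        findings=$((findings + 1)) ;;
        esac
        seen="$seen $key"
        if [ "$proto" = udp ] && [ "$(port_num "$ext_port")" = 80 ]; then
            echo "UDP_HTTP: udp/80 forwarded to $dmz_ip; web servers use tcp"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone run: the four tuples from the reply above with ssh moved to 221,
# using the documentation address 203.0.113.5 in place of $EXTERN_IP.
printf '%s\n' \
    'udp 203.0.113.5 domain 10.0.1.2 domain' \
    'tcp 203.0.113.5 domain 10.0.1.2 domain' \
    'tcp 203.0.113.5 221 10.0.1.2 ssh' \
    'tcp 203.0.113.5 www 10.0.1.2 www' \
    | lint_dmz_servers 10.0.1.0/24 && echo "DMZ_SERVER tuples look sane"
```

The check deliberately stays on the tuple level: it does not try to model what the Dachstein scripts turn these tuples into, only whether each one points at the DMZ segment, names a real protocol, and does not collide with another on the public side. Feed it the values with $EXTERN_IP already substituted, since it treats the second field as opaque.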
Re: [Leaf-user] Help with a webserver on a DMZ network.
I have tried these settings before. I can connect to the webserver from the private LAN with the 192.X.X.X address, but I cannot use my public address to connect. Thanks for the help. This is my setup:

###
# Interfaces
###
IF_AUTO=eth0 eth1 eth2      ## eth0 eth1 is fine. Just having problems with DMZ

eth2_IPADDR=192.168.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

EXTERN_IF=eth0              # External Interface

# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interface
EXTERN_DHCP=NO              # YES/NO
# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF

# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address. Set this to NO for typical ethernet setups, even if you
# are using DHCP
EXTERN_DYNADDR=NO           # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
#eval EXTERN_IP=\\${$EXTERN_IF_IPADDR:-}\
# Set EXTERN_IP to DYNAMIC if you need the rules to read the IP from the
# interface, but you aren't using DHCP (ie PPPoE and dialup users)
EXTERN_IP=PUBLIC IP

# Traffic to completely ignore...define here to prevent filling your logs
# Space separated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY=udp_207.235.84.1_route udp_207.235.84.0/24_37

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: SrcAddr/Mask type [ DestAddr[/DestMask] ]
#EXTERN_ICMP_PORT0=0/0 : 1.1.1.12

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS=0/0_80
# -or-
# Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
#EXTERN_UDP_PORT0=0/0 domain
#EXTERN_UDP_PORT1=5.6.7.8 500 1.1.1.12

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS=0/0_80
# -or-
# Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
#EXTERN_TCP_PORT0=5.6.7.8 domain 1.1.1.12
#EXTERN_TCP_PORT1=0/0 www

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS=50_5.6.7.8 51_5.6.7.8
# -or-
# Indexed list: Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]
#EXTERN_PROTO0=50 5.6.7.8/32
#EXTERN_PROTO1=51 5.6.7.8/32

###
# Internal Interface
###
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF=eth1                  # Internal Interface
INTERN_NET=192.168.1.0/24       # One (or more) Internal network(s)
INTERN_IP=192.168.1.254         # IP number of Internal Interface
                                # (to allow forwarding to external IP)
MASQ_SWITCH=YES                 # Masquerade internal network to outside
                                # world - YES/NO

# These services are not masqueraded from int to ext/DMZ, preventing access
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST=tcp_0/0_ssh
# Override for above...only the listed dest IP's can be accessed
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS=tcp_10.0.0.1_ssh

###
# Port Forwarding
###
# Remember to open appropriate holes in the firewall rules, above
# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   protocol_local-ip_local-port_remote-ip_remote-port
#INTERN_SERVERS=tcp_${EXTERN_IP}_www_192.168.2.12_www tcp_${EXTERN_IP}_smtp_192.168.1.14_smtp

# These lines use the primary external IP address...if you need to port-forward
# an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1      # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.2.12      # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1     # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1     # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1     # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1      # Internal SSH server to make available
#EXTERN_SSH_PORT=24                 # External port to use for internal SSH access
RE: [Leaf-user] Help with a webserver on a DMZ network.
I am just starting to set up a DMZ, but I have a few questions on your setup; they are noted below.

> # Set EXTERN_IP to DYNAMIC if you need the rules to read the IP from the
> # interface, but you aren't using DHCP (ie PPPoE and dialup users)
> EXTERN_IP=PUBLIC IP
            ^^
What's the purpose of this entry? From what I see in the network.conf file, the line above should take care of business:

> # External Interface IP number...the default should be fine for most folks
> #eval EXTERN_IP=\\${$EXTERN_IF_IPADDR:-}\

[snip]

> ## UDP Services open to outside world
> # Space separated list: srcip/mask_dstport
> # NOTE: bootpc port is used for dhcp client
> EXTERN_UDP_PORTS=0/0_80

And why do you have udp 80 open? Webservers use tcp.

> # TCP services open to outside world
> # Space separated list: srcip/mask_dstport
> EXTERN_TCP_PORTS=0/0_80

Good.

I don't know that much about setting up a DMZ (yet) but this is what jumps out at me as strange in the setup. I hope this is somewhat helpful.

Later
Tony
RE: [Leaf-user] Help with a webserver on a DMZ network.
It seems I got things working now. I can connect to the webserver using my public IP, but I can't use the public IP from the LAN. I have to use the private IP of the box on the DMZ. I can live with that.

> From: Tony [EMAIL PROTECTED]
> To: djoutlaw outlaw [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: RE: [Leaf-user] Help with a webserver on a DMZ network.
> Date: Mon, 31 Dec 2001 19:47:03 -0500
>
> [snip]
Re: [Leaf-user] Help with a webserver on a DMZ network.
I am sorry for the EXTERN_IP=PUBLIC IP, I was just hiding my own IP; please everyone disregard. I thought setting up LEAF would be hard but it seems to be very easy. Thanks to Charles Steinkuehler and this board I have gotten plenty of help!

> From: guitarlynn [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: djoutlaw outlaw [EMAIL PROTECTED]
> Subject: Re: [Leaf-user] Help with a webserver on a DMZ network.
> Date: Mon, 31 Dec 2001 21:50:14 -0600
>
> On Mon, 31 Dec 2001, you wrote:
> > It seems I got things working now. I can connect to the webserver using my public IP, but I can't use the public IP from the LAN. I have to use the private IP of the box on the DMZ. I can live with that.
>
> IP spoofing rules, you really want those. I thought someone had mentioned it.
>
> > > # interface, but you aren't using DHCP (ie PPPoE and dialup users)
> > > EXTERN_IP=PUBLIC IP
> >             ^^
> > What's the purpose of this entry?
>
> ppp (dial-up) and pppoe (some xDSL) require a script and adapter to get an IP as opposed to the network/modem device itself. The line is to distinguish between an adapter and a device for the IP addy.
>
> ~Lynn Avants
> --
> If linux isn't the solution, you've got the wrong problem.
Re: [Leaf-user] Help with a webserver on a DMZ network.
On 1/1/02 at 3:58 AM, djoutlaw outlaw [EMAIL PROTECTED] wrote:

> I thought setting up LEAF would be hard but it seems to be very easy. Thanks to Charles Steinkuehler and this board I have gotten plenty of help!

Just a nit: LEAF is a superproject of LRP variants, not a specific LRP-type system; currently Dachstein and Oxygen are the two main LEAF variants. The system you set up sounds like it was likely Eigerstein or Dachstein; however, Oxygen is very powerful and capable also...

--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]