Re: [Leaf-user] Help with a webserver on a DMZ network.

2002-01-02 Thread Charles Steinkuehler

 It seems I got things working now
 I can connect to the webserver using my public IP
 I can't use the public IP from the LAN. I have to use the private IP of the
 box on the DMZ. I can live with that.

This is how it's supposed to work...

With a private port-forwarded DMZ, there's no way to get DMZ systems to
use public IP's to talk to other DMZ systems without bizarre routing tricks.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread Charles Steinkuehler

 I am trying to setup DMZ for my webserver.

 I have 3 NICs 1 External PUBLIC_IP
   1 Internal LAN  192.X.X.x
   1 DMZ  10.0.1.1


 I am using leaf 2.2.19 Dachstein. I am wondering, does anyone have any DMZ
 config files to share to set up the webserver on the DMZ so that it is not seen
 on the network.

 I was able to connect to the webserver using the private address (10.X.X.X)
 from the internal LAN.   I was told if the webserver is set up right that I
 could use the static IP address and be able to connect to the server.  I
 have not been able to do that.


 # DMZ setup
 # Whether you want a DMZ or not (YES, PROXY, NO)
 DMZ_SWITCH=YES
 DMZ_IF=eth2 # DMZ Interface
 DMZ_NET=10.0.1.0/24 # DMZ Network

Hmm...make sure you're really using the Dachstein firewall scripts.  The
above should look like:


###
# DMZ setup (optional)
###
# Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)

You want to set DMZ=PRIVATE...none of the other settings work unless you
have more than one public IP.

snip

 # Inbound services to allow to the DMZ
 # __
 DMZ_OPEN_DEST="udp_${DMZ_NET}_domain tcp_${DMZ_NET}_ssh tcp_10.0.1.2_www"

It looks like you want to set up dns, ssh, and www services on your DMZ
system.  To do this with a private DMZ, use the following:

DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER1="tcp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER2="tcp $EXTERN_IP ssh 10.0.1.2 ssh"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"

NOTE that you can change the source (or destination) port, if desired...you
may want/need to do this if you also want to ssh into your firewall from the
internet.  You can port-forward a different port (like 221) to the
web-server by using the following instead:
DMZ_SERVER2="tcp $EXTERN_IP 221 10.0.1.2 ssh"

You probably also want:
DMZ_OUTBOUND_ALL=YES

To allow your DMZ system general masqueraded access to the internet,
otherwise it can only respond to the services you've configured (ie no
web-browsing or ftp downloading of software updates).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw

I have tried these settings before, I can connect to the webserver from the
private LAN with the 192.X.X.X address, but I can not use my public address
to connect.

Thanks for the help.

This is my setup

###
# Interfaces
###

IF_AUTO="eth0 eth1 eth2"

##eth0 eth1 is fine.  Just having problems with DMZ


eth2_IPADDR=192.168.2.254
eth2_MASKLEN=24
eth2_BROADCAST=+
eth2_IP_SPOOF=YES
eth2_IP_KRNL_LOGMARTIANS=YES
eth2_IP_SHARED_MEDIA=NO
eth2_BRIDGE=NO
eth2_PROXY_ARP=NO
eth2_FAIRQ=NO

EXTERN_IF=eth0      # External Interface

# Added for DHCP support
# Setting this to YES causes the dhcp client to try to configure the
# interfaces listed in IF_DHCP, and causes EXTERN_IP to be read directly
# from the interfaceB
EXTERN_DHCP=NO  # YES/NO

# The interface(s) to configure via dhcp
IF_DHCP=$EXTERN_IF

# If YES, your firewall filters use 0/0 for your IP address, instead of your
# actual IP address.  Set this to NO for typical ethernet setups, even if you
# are using DHCP
EXTERN_DYNADDR=NO   # YES/NO
# - or -
# External Interface IP number...the default should be fine for most folks
#eval EXTERN_IP=\\${$EXTERN_IF_IPADDR:-}\

# Set EXTERN_IP to DYNAMIC if you need the rules to read the IP from the
# interface, but you aren't using DHCP (ie PPPoE and dialup users)
EXTERN_IP=PUBLIC IP

# Traffic to completely ignore...define here to prevent filling your logs
# Space separated list: protocol_srcip[/mask][_dstport]
#SILENT_DENY=udp_207.235.84.1_route udp_207.235.84.0/24_37

# Extra rule scripts added by Charles Steinkuehler to more easily support
# non-standard extensions of the pre-configured ipchains rules
IPCH_IN=/etc/ipchains.input
IPCH_FWD=/etc/ipchains.forward
IPCH_OUT=/etc/ipchains.output

# ICMP types to open
# Indexed list: SrcAddr/Mask type [ DestAddr[/DestMask] ]
#EXTERN_ICMP_PORT0=0/0 : 1.1.1.12

## UDP Services open to outside world
# Space separated list: srcip/mask_dstport
# NOTE: bootpc port is used for dhcp client
EXTERN_UDP_PORTS=0/0_80

# -or-
# Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
#EXTERN_UDP_PORT0=0/0 domain
#EXTERN_UDP_PORT1=5.6.7.8 500 1.1.1.12

# TCP services open to outside world
# Space separated list: srcip/mask_dstport
EXTERN_TCP_PORTS=0/0_80

# -or-
# Indexed list: SrcAddr/Mask port [ DestAddr[/DestMask] ]
#EXTERN_TCP_PORT0=5.6.7.8 domain 1.1.1.12
#EXTERN_TCP_PORT1=0/0 www

# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
#EXTERN_PORTS=50_5.6.7.8 51_5.6.7.8

# -or-
# Indexed list: Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]
#EXTERN_PROTO0=50 5.6.7.8/32
#EXTERN_PROTO1=51 5.6.7.8/32

###
# Internal Interface
###
# Comment 3 settings below for no internal network (DMZ only configuration)
INTERN_IF=eth1      # Internal Interface
INTERN_NET=192.168.1.0/24   # One (or more) Internal network(s)
INTERN_IP=192.168.1.254 # IP number of Internal Interface
# (to allow forwarding to external IP)
MASQ_SWITCH=YES # Masquerade internal network to outside
# world - YES/NO

# These services are not masqueraded from int to ext/DMZ, preventing access
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST=tcp_0/0_ssh

# Override for above...only the listed dest IP's can be accessed
# Space separated list: proto_destIP/mask_port
#NOMASQ_DEST_BYPASS=tcp_10.0.0.1_ssh

###
# Port Forwarding
###
# Remember to open appropriate holes in the firewall rules, above

# Uncomment following for port-forwarded internal services.
# The following is an example of what should be put here.
# Tuples are as follows:
#   protocol_local-ip_local-port_remote-ip_remote-port
#INTERN_SERVERS="tcp_${EXTERN_IP}_www_192.168.2.12_www tcp_${EXTERN_IP}_smtp_192.168.1.14_smtp"


# These lines use the primary external IP address...if you need to
# port-forward an aliased IP address, use the INTERN_SERVERS setting above
#INTERN_FTP_SERVER=192.168.1.1  # Internal FTP server to make available
INTERN_WWW_SERVER=192.168.2.12  # Internal WWW server to make available
#INTERN_SMTP_SERVER=192.168.1.1 # Internal SMTP server to make available
#INTERN_POP3_SERVER=192.168.1.1 # Internal POP3 server to make available
#INTERN_IMAP_SERVER=192.168.1.1 # Internal IMAP server to make available
#INTERN_SSH_SERVER=192.168.1.1  # Internal SSH server to make available
#EXTERN_SSH_PORT=24 # External port to use for internal SSH access


RE: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread Tony

I am just starting to setup a DMZ, but I have a few questions on your setup,
they are noted below



 # Set EXTERN_IP to DYNAMIC if you need the rules to read the IP from the
 # interface, but you aren't using DHCP (ie PPPoE and dialup users)
 EXTERN_IP=PUBLIC IP
   ^^

What's the purpose of this entry?  From what I see in the network.conf file,
the line above
should take care of business:
# External Interface IP number...the default should be fine for most folks
#eval EXTERN_IP=\\${$EXTERN_IF_IPADDR:-}\


[snip]

 ## UDP Services open to outside world
 # Space separated list: srcip/mask_dstport
 # NOTE: bootpc port is used for dhcp client
 EXTERN_UDP_PORTS=0/0_80


And why do you have udp 80 open?  Webservers use tcp.


 # TCP services open to outside world
 # Space separated list: srcip/mask_dstport
 EXTERN_TCP_PORTS=0/0_80


Good


I don't know that much about setting up a DMZ (yet) but this is what jumps
out at me as strange in the setup.  I hope this is somewhat helpful.

Later

Tony

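A small checker for the points raised in this thread (Charles' advice that a single public IP needs DMZ=PRIVATE and the "proto ext_ip ext_port dmz_ip dmz_port" shape of the DMZ_SERVERn tuples, plus Tony's observation that udp 80 does nothing for a web server), written here as an added example; it is not code from any list post or from Dachstein itself. It assumes the variable names used in the thread, runs over a constructed network.conf excerpt, and uses a deliberately simplified parser that does not expand $EXTERN_IP or evaluate the eval lines.

```python
import ipaddress
import re

# Constructed network.conf excerpt modelled on the settings quoted in this thread;
# it repeats two of the mistakes discussed (udp 80 open, a DMZ host on the LAN net).
SAMPLE_CONF = """\
DMZ=PRIVATE
DMZ_NET="10.0.1.0/24"           # DMZ Network
DMZ_SERVER0="udp $EXTERN_IP domain 10.0.1.2 domain"
DMZ_SERVER3="tcp $EXTERN_IP www 10.0.1.2 www"
DMZ_SERVER4="tcp $EXTERN_IP www 192.168.2.12 www"
EXTERN_UDP_PORTS="0/0_80"
EXTERN_TCP_PORTS="0/0_80"
DMZ_OUTBOUND_ALL=NO
"""

WEB_PORTS = {"80", "www", "http"}


def parse_conf(text):
    """Return {NAME: value} for NAME=value lines; trailing comments and quotes dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)=(.*)", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf


def check_dmz(conf):
    """Return the list of findings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("DMZ", "NO") != "PRIVATE":          # one public IP => private DMZ
        findings.append("DMZ should be PRIVATE when only one public IP is available")
    dmz_net = conf.get("DMZ_NET")
    net = ipaddress.ip_network(dmz_net, strict=False) if dmz_net else None
    servers = [k for k in conf if re.fullmatch(r"DMZ_SERVER\d+", k)]
    for key in sorted(servers, key=lambda k: int(k[len("DMZ_SERVER"):])):
        fields = conf[key].split()                  # proto ext_ip ext_port dmz_ip dmz_port
        if len(fields) != 5:
            findings.append(f"{key}: expected 'proto ext_ip ext_port dmz_ip dmz_port'")
            continue
        dmz_ip = fields[3]
        if net and ipaddress.ip_address(dmz_ip) not in net:
            findings.append(f"{key}: {dmz_ip} is not inside DMZ_NET {dmz_net}")
    for entry in conf.get("EXTERN_UDP_PORTS", "").split():   # srcip/mask_dstport
        if entry.rsplit("_", 1)[-1] in WEB_PORTS:
            findings.append(f"EXTERN_UDP_PORTS opens udp {entry}: web servers use tcp")
    if conf.get("DMZ_OUTBOUND_ALL", "NO") != "YES":
        findings.append("DMZ_OUTBOUND_ALL=NO: DMZ host can only answer, not fetch updates")
    return findings
```

Run `check_dmz(parse_conf(open("network.conf").read()))` against a real file; on the constructed excerpt it flags the 192.168.2.12 host, the udp 80 hole and the disabled outbound masquerading.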





RE: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw

It seems I got things working now
I can connect to the webserver using my public IP
I can't use the public IP from the LAN. I have to use the private IP of the
box on the DMZ. I can live with that.







Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread djoutlaw outlaw

I am sorry for the EXTERN_IP=PUBLIC IP, I was just hiding my own IP.
Please everyone disregard.

I thought setting up LEAF would be hard but it seems to be very easy.

Thanks to Charles Steinkuehler and this board I have gotten plenty of help!



From: guitarlynn [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: djoutlaw outlaw [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Help with a webserver on a DMZ network.
Date: Mon, 31 Dec 2001 21:50:14 -0600

On Mon, 31 Dec 2001, you wrote:
  It seems I got things working now
  I can connect to the webserver using my public IP
  I can't use the public IP from the LAN. I have to use the private IP of the
  box on the DMZ. I can live with that.

IP spoofing rules: you really want those. I thought someone had mentioned
it.

# interface, but you aren't using DHCP (ie PPPoE and dialup users)
EXTERN_IP=PUBLIC IP
  ^^
  
  What's the purpose of this entry?

ppp (dial-up) and pppoe (some xDSL) require a script and adapter to
get an ip as opposed to the network/modem device itself. The line is
to distinguish between an adapter and a device for the ip addy.

~Lynn Avants


--
If linux isn't the solution, you've got the wrong problem.









Re: [Leaf-user] Help with a webserver on a DMZ network.

2001-12-31 Thread David Douthitt

On 1/1/02 at 3:58 AM, djoutlaw outlaw [EMAIL PROTECTED] wrote:

 I thought settting up LEAF would be hard but it seems to
 be very easy.
 
 Thanks to Charles Steinkuehler and this board I have
 gotten plenty of help!

Just a nit: LEAF is a superproject of LRP variants, not a specific LRP
type system; currently Dachstein and Oxygen are the two main LEAF
variants.  The system you set up sounds like it was likely Eigerstein
or Dachstein; however, Oxygen is very powerful and capable also...
--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]
