On Oct. 30, 2017 2:58 PM, Simon Hobson <li...@thehobsons.co.uk> wrote:

Rommel Rodriguez Toirac <romme...@nauta.cu> wrote:

>  I know it is hard to believe, but I have no access from the Internet or to the Internet from my job. All my network is in a private range of 172.16.x.x IPs.
>  Any computer out of this range will access my network. For example the municipal network of X is in subnetwork 172.16.123.0/26, the municipal network for Y is in subnetwork 172.16.123.64/26 and so on.
>  Is it possible to use the Shorewall firewall with this, just with private IPs? No access from or to public IPs.

Yes, Shorewall doesn't care - it just follows the rules you set.

>  My network is in 192.168.41.0/24, the DMZ is in 192.168.14.0/24, the IP of the outside interface is 172.16.120.1, the router IP is 172.6.120.254 and all the networks that are going to access my services are between the 172.16.121.0/26 and 172.16.123.64/26 subnetworks.
>  I configured a DMZ using Shorewall and it will serve just PCs that are using private IPs but in different subnetworks. I have bind with views for DNS. When PCs that are outside my network (192.164.41.0/24) try to access some services using a name or alias the communication is unsuccessful, but if they try using the IP the communication is successful.

OK, so it works by IP, but not by name? Almost certainly a DNS issue.

This comes back to: how do devices outside of your network get to resolve your DNS entries? Put simply, without the right delegations this will NOT work.

For any device in the municipal network to be able to reach your servers by name, whatever DNS resolver they are using must know how to resolve your names. That means that there must be the right delegations in place such that each resolver involved can learn that to resolve names in gtm.onat.gob.cu they must contact your DNS server.
Unless all devices (across the whole network) are restricted to using some ISP provided DNS resolver, then there must be delegation down from the root servers (which there isn't). If everything is restricted to "internal" resolvers, then it's sufficient for there to be a delegation from there - but there's no way I can test if this is the case.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Of course the DNS servers (Windows 2008) of my municipal networks have a way to know how to communicate with my DNS server (bind9); in those servers I configured the Forwarder option pointing to 172.16.120.1, the IP of the Shorewall external interface.
I made a test.
I configured all access from my municipal networks to services in my network using the Shorewall external IP and it works, including the ones that could be a problem like web access for the virtual domains and Jabber for the SRV records. I mean, usually to access the Jabber server I used jabber.gtm.onat.gob.cu as server in the client and for the JID rom...@jabber.gtm.onat.gob.cu. Now I use 172.16.120.1 as server and rommel@172.16.120.1 and it works.
In the case of web access I use a proxy to do it. I use proxy.gtm.onat.gob.cu in the web browser to access the national web; now I use 172.16.120.1 as proxy and it works, I mean when browsing to www.gtm.onat.gob.cu the access is successful and when browsing to antivirus.gtm.onat.gob.cu it is successful too.
In spite of the fact that using 172.16.120.1 (the external IP of the Shorewall system) to access the services in my network from other subnetworks is now working, I wish to know how I can use names or aliases and not IP numbers.
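A worked check of the point Simon raises, added here as an example and not code from either poster. When a municipal Windows DNS server forwards a query to 172.16.120.1, bind sees the query coming from that server's own 172.16.12x address, not from 192.168.41.0/24, so the view that carries the gtm.onat.gob.cu zone must admit those source addresses, and Shorewall must accept port 53 from them. The script below models bind's view selection (match-clients, first match wins) for two hypothetical view layouts and emits matching Shorewall rules lines. The subnets and the zone name come from the thread; the view names, the "net" zone name, the assumption that every /26 between 172.16.121.0/26 and 172.16.123.64/26 is a municipal network, and the assumption that bind runs on the firewall host itself are mine.

```python
"""Which bind9 view answers a forwarded query, and which Shorewall rules admit it.

Constructed example. Subnets and zone name are from the mailing-list thread;
the view layouts, zone name "net" and the $FW placement of bind are assumptions.
"""
import ipaddress

# Addresses quoted in the thread.
LAN = ipaddress.ip_network("192.168.41.0/24")
DMZ = ipaddress.ip_network("192.168.14.0/24")
FIREWALL_EXTERNAL = ipaddress.ip_address("172.16.120.1")
ZONE = "gtm.onat.gob.cu"

# The thread places the municipal networks between 172.16.121.0/26 and
# 172.16.123.64/26. Assuming every /26 in that range is one of them, the
# smallest set of covering prefixes is what belongs in the ACL.
REMOTE_SUBNETS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("172.16.121.0"),
    ipaddress.ip_address("172.16.123.127")))


def acl_matches(acl, source):
    """bind ACL semantics: the first element that matches decides; a leading
    '!' negates that element; 'any' matches everything, 'none' nothing."""
    src = ipaddress.ip_address(source)
    for element in acl:
        negate = element.startswith("!")
        element = element.lstrip("!").strip()
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        else:
            hit = src in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate
    return False


def select_view(views, source):
    """bind evaluates views in file order; the first view whose match-clients
    ACL admits the query source answers it. Returns (name, zones) or (None, ())."""
    for name, match_clients, zones in views:
        if acl_matches(match_clients, source):
            return name, zones
    return None, ()


def answers(views, source, qname):
    """True if the view chosen for this source carries a zone covering qname."""
    view, zones = select_view(views, source)
    if view is None:
        return False
    q = qname.rstrip(".").lower()
    return any(q == z or q.endswith("." + z) for z in zones)


# Hypothetical layout 1: only LAN/DMZ sources see the zone data. A query
# forwarded by a municipal Windows DNS server arrives from its own address,
# lands in "external" and gets no answer for gtm.onat.gob.cu names.
VIEWS_LAN_ONLY = [
    ("internal", [str(LAN), str(DMZ), "127.0.0.1"], [ZONE]),
    ("external", ["any"], []),
]

# Hypothetical layout 2: the municipal subnets are admitted to the view that
# serves the zone, so forwarded queries are answered.
VIEWS_FIXED = [
    ("internal", [str(LAN), str(DMZ), "127.0.0.1"]
                 + [str(n) for n in REMOTE_SUBNETS], [ZONE]),
    ("external", ["any"], []),
]


def shorewall_rules(dns_target="$FW"):
    """Shorewall rules(5) lines admitting DNS (tcp+udp 53, via the stock DNS
    macro) from the municipal subnets. Assumes bind runs on the firewall host
    and that the remote side is in a zone called "net"; a bind server inside
    the DMZ would need a DNAT rule instead."""
    return [f"DNS(ACCEPT)\tnet:{n}\t{dns_target}" for n in REMOTE_SUBNETS]


if __name__ == "__main__":
    forwarder = "172.16.121.5"   # constructed: a municipal Windows DNS server
    name = "jabber." + ZONE
    for label, views in (("lan-only", VIEWS_LAN_ONLY), ("fixed", VIEWS_FIXED)):
        view, _ = select_view(views, forwarder)
        print(f"{label:8s} view={view:9s} answers {name}: {answers(views, forwarder, name)}")
    print("\n".join(shorewall_rules()))
```

To apply the check to a real server, the source address to test is the one the forwarding Windows DNS server uses, which `rndc querylog` on the bind host will show; the view it selects must be the one that loads the zone.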


