Astaro User Bulletin Board
#1  02-15-2004, 07:36 PM
Senior Member (Join Date: Mar 2002, Posts: 108)
Question about DMZ

Hi!

I recently managed to set up a DMZ with help from this forum. I have an FTP server running on the DMZ. The FTP is working like a charm from external and from the LAN.

I only have one external IP from the ISP.

The problem now is that I don't know how to set the correct rules to let the server access HTTP etc.

eth0: 192.168.0.X (LAN)
eth1: 217.***.***.*** (ISP)
eth2: 192.168.4.X (DMZ)

I don't know if the LAN settings are correct on the server.
IP: 192.168.4.1
Gateway: 192.168.0.254 (ASTARO) <<-- Is this correct?
DNS: Same as above <<-- Is this correct?

I can't seem to get the server to access the internet even though I've set up rules to allow it to.

Thanks in advance
#2  02-15-2004, 08:14 PM
AJo, Senior Member (Join Date: Mar 2002, Location: Sweden, Posts: 140)
Re: Question about DMZ

The gateway on your server should be the ASL DMZ NIC address (if the server is located on that subnet, as I assume).

DNS should be the DNS server you use, either the ASL DMZ NIC address if DNS proxy is enabled or the ISP provided address. If you provide your own DNS service then point the server to that address.
#3  02-15-2004, 08:26 PM
Senior Member (Join Date: Mar 2002, Posts: 108)
Re: Question about DMZ

Thank you!

Those seem to be the correct settings, but I still can't get the server to access anything on the outside?
#4  02-15-2004, 08:32 PM
AJo, Senior Member (Join Date: Mar 2002, Location: Sweden, Posts: 140)
Re: Question about DMZ

1. Are you MASQing or SNATing all traffic from the server? Or do you just SNAT specific services (i.e. ports)?
2. Check your filter rules. Do you allow the server to do HTTP and DNS?
3. Check the filter log to analyze the traffic.
#5  02-15-2004, 08:46 PM
Senior Member (Join Date: Mar 2002, Posts: 108)
Re: Question about DMZ

Actually, I didn't MASQ or SNAT anything. I've just added rules for letting the server access different services.

Maybe that's the problem?
#6  02-15-2004, 08:49 PM
AJo, Senior Member (Join Date: Mar 2002, Location: Sweden, Posts: 140)
Re: Question about DMZ

Yup... since no other host outside your ASL-protected environment will find the route to the server using a private address.
#7  02-15-2004, 08:52 PM
Senior Member (Join Date: Mar 2002, Posts: 108)
Re: Question about DMZ

I see.

Can you point me in the right direction as to how the NAT/MASQ should look?
#8  02-15-2004, 08:56 PM
AJo, Senior Member (Join Date: Mar 2002, Location: Sweden, Posts: 140)
Re: Question about DMZ

Choose either to MASQ or SNAT. Check the provided link below and read either the MASQ for clients part or the FTP SNAT part.

portfw

#9  02-15-2004, 09:01 PM
Senior Member (Join Date: Mar 2002, Posts: 108)
Re: Question about DMZ

Thanks,

I've read that article for setting up the MASQ/NAT for inbound access to the FTP server on the DMZ, and that works, but now the problem is the other way around: letting traffic from the server on the DMZ out.

Or am I misunderstanding your point? :)
#10  02-15-2004, 09:09 PM
AJo, Senior Member (Join Date: Mar 2002, Location: Sweden, Posts: 140)
Re: Question about DMZ

Yes, you are misunderstanding: there is no use in letting traffic in (inbound) unless you let the internal destination respond (i.e. outbound). So both parts are described there.

1. MASQ webserver ==> ASL_external_interface

or

2. SNAT webserver ===> ASL_external_interface

Some other useful links:
Initial_Setup.pdf

A_NAT_Primer.pdf
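The two choices in reply #10 (MASQ or SNAT of the DMZ server out the external interface) together with the filter and log checks in reply #4, as an added example that is not code from the thread or from Astaro: the iptables/netfilter rules that the MASQ and SNAT settings boil down to on an iptables-based firewall such as ASL. It assumes the interfaces and addresses from post #1, uses PUBLIC_IP_PLACEHOLDER for the masked ISP address, and dmz_out_rules is a hypothetical helper that prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an iptables-based firewall with the
# interfaces and addresses from post #1; PUBLIC_IP is a placeholder for the masked ISP
# address. Rules are printed, not applied, so this runs anywhere.
DMZ_SERVER=192.168.4.1
DMZ_IF=eth2
EXT_IF=eth1
PUBLIC_IP=PUBLIC_IP_PLACEHOLDER   # replace with the real address before using snat mode

# Print the rule set for mode "masq" or "snat"; pipe the output to sh on the firewall to apply.
dmz_out_rules() {
  case "$1" in
    masq)
      # MASQUERADE uses whatever address EXT_IF currently has: fine for a dynamic ISP address.
      echo "iptables -t nat -A POSTROUTING -s $DMZ_SERVER -o $EXT_IF -j MASQUERADE" ;;
    snat)
      # SNAT rewrites the source to one fixed public address.
      echo "iptables -t nat -A POSTROUTING -s $DMZ_SERVER -o $EXT_IF -j SNAT --to-source $PUBLIC_IP" ;;
    *)
      echo "usage: dmz_out_rules masq|snat" >&2
      return 1 ;;
  esac
  # Reply #4, item 2: the NAT rule does nothing if the FORWARD chain drops the packet first.
  # Allow only the services the server needs (HTTP and DNS here), nothing else out of the DMZ.
  echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_SERVER -p tcp --dport 80 -j ACCEPT"
  echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_SERVER -p udp --dport 53 -j ACCEPT"
  echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_SERVER -p tcp --dport 53 -j ACCEPT"
  # Replies come back only as part of those connections; no new connections from outside.
  echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Reply #4, item 3: log what the DMZ still cannot do, so the filter log names the missing rule.
  echo "iptables -A FORWARD -i $DMZ_IF -j LOG --log-prefix \"DMZ-DROP: \""
}

# Stand-alone use: sh this_script.sh masq   (or snat)
if [ -n "${1:-}" ]; then
  dmz_out_rules "$1"
fi
```

Replacing `-s $DMZ_SERVER` with `-s 192.168.4.0/24` applies the same rules to the whole DMZ subnet instead of the single server.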