Hi,
Since many days now i try to configure ASL with :
- a lan "local" on eth0 192.168.1.0/24, no gateway - fw_ip_local is 192.168.1.140
- a dsl 512/128 "internet" on eth1 with static IP X.X.X.X, no gateway
- a dmz "dmz" on eth2 192.168.0.0/24, no gateway, fw_ip_dmz is 192.168.0.140
I've configure this in definition :
client_dmz : with services : http, https, ftp, dns, imap, pop3, smtp, ssh;
serveur_dmz : with the reverse services with all the same config : name (ie serveur_http), protocol (ie tcp), port S (ie 80),
port D (ie 1024:65535);
I do not change the default routing table.
I've masquerade local_network>internet and dmz_network>internet and create some DNAT for all services ( http, https, ftp, dns, imap, pop3, smtp, ssh) with this config :
ANY, satic_internet_adress, service, source (no change), destination ip_dmz_server, no d-port change.
I've create this rules of filtering :
1 - local_network, {netbios}, any, drop
2 - local_network, any, any, allow
3 - dmz_network, any, any, allow
4 - any, { client_dmz }, ip_dmz_server, allow
5 - ip_dmz_server, {serveur_dmz}, any, allow
6 - ip_dmz_server, {ping}, any, allow
7 - ip_dmz_server, {traceroute}, any, allow
I've activate ICMP forward and ICMP for firewall.
My problems are :
- the eth1, "internet", have some trouble to be UP all time without any reason (i do not have this problem with my router),
- i cannot access to Internet from lan without configuring a standard proxy (stations are configured with a good ip and fw_ip_local for gateway), make a ping or traceroute from any station;
- i cannot access to Internet from dmz (i've configure my servers with a good IP, and the fw_ip_dmz adress for gateway) route and irconfig are well;
- i can access to web, imap & ssh servers in dmz, but i cannot send mail (POP and SMTP won't work), syncronise DNS servers, make a ping or a traceroute from the server,...
What's wrong in my ASL configuration ? Perhaps I do not understand well the rules ?
Thanks in advance,
Loic
This thread was automatically locked due to age.
