I have just installed ASL 3.216 on my firewall server. Before ASL I used Smoothwall. After reading the manual and this forum several times, I'm still confused. No packets are allowed to my DMZ net (with my servers). :-\ Furthermore I want to drop traffic from the DMZ_net to my LAN_net (ain't this how a DMZ connection works?)
My router redirects all traffic to the firewall server - it worked just fine with Smoothwall.
What do I do wrong???
I'm using the DHCP server on my LAN_net - the net with my workstations. Everything works, except NAT (right name?)
Dunno if you know this but rules are processed in order and processing stops once a rule is matched... So this:
DMZ_net Any Any Allow
DMZ_net Any LAN_net Drop
will allow ALL traffic from your DMZ net... Even to your LAN. (First rule always allows so no further rules are processed). Likewise these:
Any Any Any Drop
Any Any DMZ_net Allow
will drop everything else (including traffic to the DMZ)
Anyways... The default action if nothing else is specified is to drop packets (so you don't really need the "Any Any Any Drop" unless you want to log dropped packets). And also I would definitely consider changing "Any Any DMZ_net Allow" to "Any HTTP DMZ_Host Allow" (and then creating the rules for the other services you require). I know that when you use NAT it's not required but it is definitely safer [:)]
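The first-match behaviour described above, as an added example (not from the thread or from Astaro): a small evaluator over the poster's network objects that shows the misordered rule set allowing DMZ-to-LAN traffic, the reordered set dropping it, and a check for rules that can never match because an earlier rule is at least as broad. Network objects and addresses are the ones given in the thread; the sample source/destination hosts are constructed.

```python
import ipaddress

# Network objects from the thread; "Any" is a wildcard that matches every address.
NETS = {
    "DMZ_net": ipaddress.ip_network("10.0.2.0/24"),
    "LAN_net": ipaddress.ip_network("10.0.1.0/24"),
    "Any": None,
}

def matches(obj, addr):
    """True if network object `obj` contains `addr` (Any matches everything)."""
    net = NETS[obj]
    return net is None or ipaddress.ip_address(addr) in net

def decide(rules, src, dst):
    """First-match evaluation: walk rules in order and stop at the first hit.
    A rule is (from_obj, service, to_obj, action). Packets matching nothing
    fall through to the implicit default Drop described in the answer."""
    for frm, service, to, action in rules:
        if matches(frm, src) and matches(to, dst):
            return action, (frm, service, to, action)
    return "Drop", None

def covers(outer, inner):
    """True if every address in `inner` is also in `outer`."""
    o, i = NETS[outer], NETS[inner]
    return o is None or (i is not None and i.subnet_of(o))

def shadowed(rules):
    """Indexes of rules that can never fire: an earlier rule already covers
    their source, destination and service (service Any covers any service)."""
    hits = []
    for j, (f2, s2, t2, _) in enumerate(rules):
        for f1, s1, t1, _ in rules[:j]:
            if covers(f1, f2) and covers(t1, t2) and s1 in ("Any", s2):
                hits.append(j)
                break
    return hits

# Order from the original question: the broad Allow shadows the Drop.
MISORDERED = [
    ("DMZ_net", "Any", "Any", "Allow"),
    ("DMZ_net", "Any", "LAN_net", "Drop"),
    ("Any", "Any", "Any", "Drop"),
    ("Any", "Any", "DMZ_net", "Allow"),
]
# Specific Drop before the broad Allow; Allow-to-DMZ before the final Drop.
REORDERED = [
    ("DMZ_net", "Any", "LAN_net", "Drop"),
    ("DMZ_net", "Any", "Any", "Allow"),
    ("Any", "Any", "DMZ_net", "Allow"),
    ("Any", "Any", "Any", "Drop"),
]
```

`decide(MISORDERED, "10.0.2.10", "10.0.1.50")` returns Allow from the first rule, while the same packet against `REORDERED` is dropped, and `shadowed(MISORDERED)` flags both the DMZ-to-LAN Drop and the Allow-to-DMZ rule as dead.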
1... No.
From (Client) / Service / To (Server) / Action
1 LAN_net Any Any Allow
2 DMZ_net Any LAN_net Drop
3 DMZ_net Any Any Allow
4 Any Any DMZ_net Allow
5 Any Any Any Drop
There's still no access from the outside to my DMZ-net.
How do I set this up? I know I will have to create a new DNAT/SNAT rule, but then what?
How do I allow traffic to my webserver (RH-Server) with these definitions?
Definitions (IP / Subnet mask):
DMZ_net 10.0.2.0 255.255.255.0
DMZ_nic (eth2) 10.0.2.1 255.255.255.255
Extern_nic (eth1) 10.0.0.2 255.255.255.255
LAN_net 10.0.1.0 255.255.255.0
LAN_nic (eth0) 10.0.1.1 255.255.255.255
RH-Server 10.0.2.10 255.255.255.255
Win2k-Server 10.0.2.20 255.255.255.255
Can you please tell me which services you would like to access on those 2 servers? Do you have separate external IPs from which your servers will be accessible from Internet?
Did you configure NAT on your router which is before Astaro?
any to ExternalIP service WhatYouWish change destination to 10.0.x.y
Then you should also take care that everything that goes out has a valid IP, e.g. your outgoing packets should have the destination IP of your NAT at the router box, so that your router can translate the IP back.
So, step by step, this is how the addresses of an IP packet would look:
- at client on web: dest: 1.2.3.4 port 80, src: 5.6.7.8 port 1234
- when your router makes NAT: dest: 10.0.0.2 port 80, src: 5.6.7.8 port 1234
- when Astaro makes NAT: dest: 10.0.2.10 port 80, src: 5.6.7.8 port 1234
- when server replies: dest: 5.6.7.8 port 1234, src: 10.0.2.10 port 80
- after Astaro translates it back: dest: 5.6.7.8 port 1234, src: 10.0.0.2 port 80
- after router translates it: dest: 5.6.7.8 port 1234, src: 1.2.3.4 port 80
I hope this can help you understand what should happen, so you can make sure that this really happens.
Matjaz
P.S. Was your Smoothwall working on the same configuration of router? If so, then you only need to add one more NAT translation which translates the src IP of your server in your DMZ.