From: Harald Wallus (wallus_at_netlike-gmbh.de)
Date: Mon Oct 14 2002 - 02:50:53 CDT


    On Sunday, 13 October 2002 at 14:24, Michael Boettjer wrote:
    > Hi there,
    >
    > I use SuSEfirewall2 on a SuSE 7.2 gateway.
    > The firewall has 3 interfaces - one in the direction of the internet (official
    > IP), one to the inner LAN (192.168.20.x) and one to the DMZ (192.168.70.x).
    > The computer in the DMZ (webserver) has an internal IP address
    > (192.168.70.y), so I have to port-masquerade.
    > The inner-LAN clients can reach the webserver because I'm using the
    > "FW_FORWARD" parameter in the SuSEfirewall config file. One of the entries is
    > "192.168.20.0/24,192.168.70.10,tcp,80".
    >
    > All works fine.
    > But now I want to add a second server (mail) to the DMZ. I added the
    > appropriate entry to the FW_FORWARD parameter. I can ping the two servers
    > from the firewall successfully.
    This means you can ping both IPs on 192.168.70.0.
    > But from an inner-LAN client I can only reach the webserver, but not the
    > mailserver. Neither a ping works nor a telnet to the SMTP port. The
    > firewall logs regarding DENYs or similar are empty.
    If I understand it correctly: you allow ping. So you can ping your webserver
    192.168.70.10, but not your mail server 192.168.70.1?

    >
    > But why?
    > When I add the mailserver to the "FW_FORWARD_MASQ" parameter, I can reach
    > the box from the internet without problems.
    If you can reach your mail server when it's MASQ, you will masq the IP and the
    firewall
    Maybe your default router is wrong. It must be the IP of the firewall's NIC
    which belongs to the DMZ.
    Try a traceroute from your mail server into your internal network to prove
    this.

    Greetings
    Harald

    -- 
    Dr. Harald Wallus
     netlike-gmbh
     Am Listholze 78, D-30177 Hannover 
    Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95  1-90
     Email: wallus@netlike-gmbh.de  Internet: http://netlike-gmbh.de 
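An added illustration of the diagnosis in this reply, not code from the thread or from SuSEfirewall2: it parses FW_FORWARD entries in the format quoted above and shows why a correct forward rule alone does not help when the DMZ host's default gateway is not the firewall's DMZ interface. The mail server address 192.168.70.20, the firewall's DMZ address 192.168.70.254 and the gateway table are constructed assumptions.

```python
import ipaddress

# Constructed sample config: the FW_FORWARD entry quoted in the thread plus an
# assumed entry for the new mail server (192.168.70.20 is an assumption; the
# thread never gives the mail server's address).
FW_FORWARD = ("192.168.20.0/24,192.168.70.10,tcp,80 "
              "192.168.20.0/24,192.168.70.20,tcp,25")

# Assumed address of the firewall's DMZ NIC (not stated in the thread).
FIREWALL_DMZ_IP = "192.168.70.254"

# Constructed default gateways of the DMZ hosts: the webserver points at the
# firewall, the mail server at some other address, as the reply suspects.
DMZ_DEFAULT_GW = {
    "192.168.70.10": "192.168.70.254",
    "192.168.70.20": "192.168.70.1",
}


def parse_fw_forward(value):
    """Split a space-separated FW_FORWARD string into (src_net, dst_ip, proto, port)."""
    rules = []
    for entry in value.split():
        src, dst, proto, port = entry.split(",")
        rules.append((ipaddress.ip_network(src), ipaddress.ip_address(dst),
                      proto.lower(), int(port)))
    return rules


RULES = parse_fw_forward(FW_FORWARD)


def forward_allowed(rules, client, server, proto, port):
    """True if some FW_FORWARD entry permits client -> server:port over proto."""
    c, s = ipaddress.ip_address(client), ipaddress.ip_address(server)
    return any(c in src and s == dst and proto == p and port == prt
               for src, dst, p, prt in rules)


def diagnose(rules, client, server, proto, port):
    """Explain why a LAN client's connection to a DMZ host succeeds or fails.

    A missing forward rule is dropped by the firewall (visible as a DENY if
    logging is on). A wrong default gateway on the DMZ host sends the reply
    around the firewall: the SYN is forwarded, nothing comes back, and the
    firewall log stays empty, which matches the symptom in the thread.
    """
    if not forward_allowed(rules, client, server, proto, port):
        return "blocked"
    if DMZ_DEFAULT_GW.get(server) != FIREWALL_DMZ_IP:
        return "no-reply"
    return "ok"
```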
    
