[plug] DMZ with IPCop

Quintin Lette quintin at arach.net.au
Wed Feb 19 17:19:54 WST 2003


Have you pinholed port 53? Are you running a primary or secondary DNS server
with zones, or just a caching DNS server? If you are only running caching, then
it's probably better to put the DNS server on the internal network (your web server
doesn't really need it).


Quintin


On Wednesday 19 February 2003 21:54, Daniel Pearson wrote:
> Nathan, I have seen that and read about it -- but I'm not sure if I need to
> use that? It's almost as if the DNS requests are just timing out, even for
> just the internal requests it's doing (e.g. doing ping gateway from a
> workstation -- it'll look at the DMZ to resolve gateway to 192.168.100.1,
> but the request times out).
>
> Cheers,
> Daniel
>
> ----- Original Message -----
> From: "Nathan D" <natdan at pobox.com>
> To: "Plug List" <plug at plug.linux.org.au>
> Sent: Wednesday, February 19, 2003 9:40 PM
> Subject: Re: [plug] DMZ with IPCop
>
> > At 09:10 PM 19/02/2003 +0800, Daniel Pearson wrote:
> > >Has anyone had experience with running a DMZ with IPCop? I'm running
> > >into a few issues, and can't seem to put my finger on what exactly is wrong.
> > >
> > >The router has 3 interfaces, eth0 (internal LAN, 192.168.100.0/24), eth1
> > >(DMZ connected by crossover, 192.168.50.1 + .2), and eth2 is the external.
> > >
> > >Now, from the router, or any machine on the network, I can ping 192.168.50.2,
> > >however from 50.2 I cannot ping anything on the 100 network, or even the
> > >router on the other end of the crossover cable. Also, when I edit
> > >/etc/resolv.conf on the router and put .50.2 as its nameserver, from the
> > >router I can then not ping anything.
> > >
> > >As a result of such, my DNS isn't working, as that resides on the DMZ
> > >(Debian woody 3 default install, running BIND 9, Apache and Postfix).
> > >Has anyone else come across this before?
> >
> > I have not used IPCop at all, but (politics aside), have been a long time
> > fan of SmoothWall.  Also, I have not set up a DMZ, but have read plenty
> > about it on the SmoothWall mailing list.
> > A little excerpt from the help file from the relevant config page of the
> > latest version of SmoothWall -
> >
> > "DMZ Pinhole Configuration
> > This page is for advanced users with DMZ setups.
> > With this page, the administrator can configure "holes" between the DMZ and
> > the local network. The standard configuration, without any holes setup,
> > blocks any host on the ORANGE network from connecting to a host on the
> > GREEN network. Often this is not totally desirable, however, and it can
> > be useful, if slightly risky security wise, to allow a host on the ORANGE
> > network to connect to a host on the GREEN side in a very limited fashion.
> > This page lets you do this.
> > The protocol can be set, although it is not recommended to use UDP for
> > pinholing. Source IP is a machine on the ORANGE network, Destination IP
> > is the host on GREEN, and Destination port is the port on the GREEN
> > machine that you want to allow the ORANGE machine to connect to.
> > Typically this would be used to allow a webserver on ORANGE to connect to a
> > mail server on GREEN for WebMail purposes."
> >
> >
> > regards,
> >    Nathan D.
> >
> > Linux Conference Au  Jan 22-25 2003
> > http://conf.linux.org.au/ <-- You missed it :(
>
>
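An added illustration (not IPCop or SmoothWall code, and not from anyone in this thread) of the three-zone policy the quoted help text describes, using the addresses Daniel gave: GREEN on 192.168.100.0/24, ORANGE/DMZ on 192.168.50.0/24, the firewall at .100.1 and .50.1, and everything else RED. The mail server address 192.168.100.20 and the external address 203.0.113.5 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones from the thread: eth0 is GREEN, eth1 is ORANGE; anything else is RED.
ZONES = {
    "GREEN": ip_network("192.168.100.0/24"),
    "ORANGE": ip_network("192.168.50.0/24"),
}
# The firewall's own interface addresses (router ends of each segment).
FIREWALL = {ip_address("192.168.100.1"), ip_address("192.168.50.1")}


@dataclass(frozen=True)
class Pinhole:
    """One DMZ pinhole: an ORANGE host may open proto/dport to a GREEN host."""
    proto: str   # "tcp" or "udp" (UDP discouraged: no handshake, easy to spoof)
    src: str     # ORANGE host
    dst: str     # GREEN host
    dport: int


def zone_of(addr):
    a = ip_address(addr)
    if a in FIREWALL:
        return "FIREWALL"
    for name, net in ZONES.items():
        if a in net:
            return name
    return "RED"


def allowed(proto, src, dst, dport=None, pinholes=()):
    """Would the default policy permit a NEW connection src -> dst?

    Replies to permitted connections are assumed to be tracked statefully,
    so only the initiating direction is modelled here.
    """
    s, d = zone_of(src), zone_of(dst)
    if s == "GREEN":
        return True                         # GREEN reaches ORANGE, RED, firewall
    if s == "ORANGE" and d == "RED":
        return True                         # DMZ hosts may reach the internet
    if s == "ORANGE" and d == "GREEN":
        # Blocked unless an explicit pinhole matches exactly (Daniel's symptom:
        # .50.2 cannot ping the 100 network). ICMP never matches a pinhole.
        return any(p.proto == proto and p.src == src and p.dst == dst
                   and p.dport == dport for p in pinholes)
    return False                            # ORANGE->firewall and RED inbound: denied
```

Run `allowed("icmp", "192.168.50.2", "192.168.100.1")` to reproduce the failing ping from the DMZ, then add a `Pinhole("tcp", "192.168.50.2", "192.168.100.20", 25)` to see the webmail case from the help text open up without exposing anything else.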