[Firewall] DMZ setup issue

Dave Dewey ddewey at cyberthugs.com
Sun Feb 24 21:10:57 CET 2013


Hello;

First time I've tried configuring a DMZ interface with AIF (although
I've used the firewall for years).

I'm not having any success so far and would really appreciate some
help. Here's my setup:

DMZ interface:
eth0: 10.9.10.1 GW
DMZ network: 10.9.10.0/24

Internal IF:
eth1
192.168.1.1
internal network: 192.168.1.0/24

External IF:
eth2: statically assigned public IP

The local network works perfectly well, as before, after adding in
the dmz interface. However, while I am able to ping both the DMZ
gateway (10.9.10.1) and the internal network (192.168.1.1,
192.168.1.X) from the DMZ, I'm unable to connect to the Internet
from the DMZ, either by pinging or through other protocols (ssh,
http).

Have tried many, many different permutations, but here's the current
configuration - essentially dead stock at this point with only a
couple of the ICMP settings enabled and the policy drop set to ACCEPT:

DMZ_IF="eth0"
DMZ_NET="10.9.10.0/24"
DMZ_NET_ANTISPOOF=1

# Firewall policies for the DMZ (EXPERT SETTINGS!)
DMZ_OPEN_ICMP=1
DMZ_OPEN_TCP=""
DMZ_OPEN_UDP=""
DMZ_OPEN_IP=""
DMZ_HOST_OPEN_TCP=""
DMZ_HOST_OPEN_UDP=""
DMZ_HOST_OPEN_IP=""

# INET_DMZ_xxx = Internet->DMZ access rules (forward)
INET_DMZ_OPEN_ICMP=""
INET_DMZ_DENY_TCP=""
INET_DMZ_DENY_UDP=""
INET_DMZ_DENY_IP=""
INET_DMZ_HOST_OPEN_TCP=""
INET_DMZ_HOST_OPEN_UDP=""
INET_DMZ_HOST_OPEN_IP=""

INET_DMZ_HOST_DENY_TCP=""
INET_DMZ_HOST_DENY_UDP=""
INET_DMZ_HOST_DENY_IP=""

# DMZ_INET_xxx = DMZ->internet access rules (forward)
DMZ_INET_DEFAULT_POLICY_DROP="0"
DMZ_INET_OPEN_ICMP="1"

DMZ_INET_OPEN_TCP=""
DMZ_INET_OPEN_UDP=""
DMZ_INET_OPEN_IP=""
DMZ_INET_DENY_TCP=""
DMZ_INET_DENY_UDP=""
DMZ_INET_DENY_IP=""

DMZ_INET_HOST_OPEN_TCP=""
DMZ_INET_HOST_OPEN_UDP=""
DMZ_INET_HOST_OPEN_IP=""
DMZ_INET_HOST_DENY_TCP=""
DMZ_INET_HOST_DENY_UDP=""
DMZ_INET_HOST_DENY_IP=""


# DMZ_LAN_xxx  = DMZ->LAN access rules (forward)
DMZ_LAN_OPEN_ICMP=1

DMZ_LAN_HOST_OPEN_TCP=""
DMZ_LAN_HOST_OPEN_UDP=""
DMZ_LAN_HOST_OPEN_IP=""


Errors I'm continuing to receive simply trying to ping Google's
nameserver (8.8.8.8) are as follows. The DMZ host is 10.9.10.12:

Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT=
MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12
DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=41969 PROTO=UDP
SPT=5353 DPT=5351 LEN=20 

Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT=
MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12
DST=10.9.10.1 LEN=157 TOS=0x00 PREC=0x00 TTL=255 ID=6291 PROTO=UDP
SPT=53144 DPT=1900 LEN=137 

Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT=
MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12
DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=45259 PROTO=UDP
SPT=5353 DPT=5351 LEN=20 

Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT=
MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12
DST=10.9.10.1 LEN=156 TOS=0x00 PREC=0x00 TTL=255 ID=59578 PROTO=UDP
SPT=53144 DPT=1900 LEN=136 


Any help greatly appreciated!

dave
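
The four kernel lines quoted in the post are standard netfilter LOG output carrying AIF's "AIF:<chain> denied:" prefix. As an added example (not code from the post or from the AIF project), this Python parser splits such lines into fields and counts the denied packets by chain, destination and UDP service, which makes it easy to see which chain actually logged a drop and whether the logged traffic is the test traffic or unrelated LAN chatter. The sample lines are the post's own, re-joined onto single lines; the port-name table is a constructed lookup.

```python
import re
from collections import Counter

# Netfilter LOG line as emitted by AIF: syslog prefix, then
# "AIF:<chain> denied:" followed by space-separated KEY=VALUE fields.
LOG_RE = re.compile(r"AIF:(?P<chain>\S+) denied: (?P<fields>.*)$")

# Constructed lookup of UDP service names for common LAN discovery chatter.
UDP_PORT_NAMES = {5351: "NAT-PMP", 1900: "SSDP/UPnP", 5353: "mDNS", 53: "DNS"}

# The post's four log lines, re-joined onto single lines (constructed sample).
SAMPLE = [
    "Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=41969 PROTO=UDP SPT=5353 DPT=5351 LEN=20",
    "Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=157 TOS=0x00 PREC=0x00 TTL=255 ID=6291 PROTO=UDP SPT=53144 DPT=1900 LEN=137",
    "Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=45259 PROTO=UDP SPT=5353 DPT=5351 LEN=20",
    "Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=156 TOS=0x00 PREC=0x00 TTL=255 ID=59578 PROTO=UDP SPT=53144 DPT=1900 LEN=136",
]

def parse_aif_line(line):
    """Return {'chain': ..., KEY: VALUE, ...} for an AIF denied line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if not sep:
            continue
        # LEN appears twice: IP total length first, then the UDP payload length.
        if key in rec and key == "LEN":
            key = "UDP_LEN"
        rec[key] = val
    return rec

def summarize(lines):
    """Count denied UDP packets by (chain, DST, DPT, service name)."""
    counts = Counter()
    for line in lines:
        rec = parse_aif_line(line)
        if rec is None or rec.get("PROTO") != "UDP":
            continue
        dpt = int(rec["DPT"])
        counts[(rec["chain"], rec["DST"], dpt, UDP_PORT_NAMES.get(dpt, "unknown"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(f"{n}x chain={key[0]} dst={key[1]} udp/{key[2]} ({key[3]})")
```

On the post's lines the summary shows only DMZ-INPUT entries addressed to the gateway itself (10.9.10.1), i.e. packets to the firewall host, not forwarded traffic toward 8.8.8.8; a FORWARD-chain denial would carry a different chain prefix and a non-local DST.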

