[Firewall] DMZ setup issue

Lonnie Abelbeck lists at lonnie.abelbeck.com
Mon Feb 25 02:32:15 CET 2013


Hi Dave,

Your error log looks like your DMZ client is trying to access the DMZ gateway address (10.9.10.1) with UPnP.

How are your DMZ clients configured? Usually I have to:

DMZ_HOST_OPEN_UDP="0/0~53,67,68"

To support DHCP and DNS from the local box if need be.

Also, be sure to add your DMZ_NET in your NAT_INTERNAL_NET so the DMZ is NAT'ed via the external interface.

Lonnie



On Feb 24, 2013, at 2:10 PM, Dave Dewey wrote:

> 
> Hello;
> 
> First time I've tried configuring a DMZ interface with AIF (although
> I've used the firewall for years).
> 
> I'm not having any success so far and would really appreciate some
> help. Here's my setup:
> 
> DMZ interface:
> eth0: 10.9.10.1 GW
> DMZ network: 10.9.10.0/24
> 
> Internal IF:
> eth1
> 192.168.1.1
> internal network: 192.168.1.0/24
> 
> External IF:
> eth2: statically assigned public IP
> 
> The local network works perfectly well, as before, after adding in
> the dmz interface. However, while I am able to ping both the DMZ
> gateway (10.9.10.1) and the internal network (192.168.1.1,
> 192.168.1.X) from the DMZ, I'm unable to connect to the Internet
> from the DMZ, either by pinging or through other protocols (ssh,
> http).
> 
> Have tried many, many different permutations, but here's the current
> configuration - essentially dead stock at this point with only a
> couple of the ICMP settings enabled and the policy drop set to ACCEPT:
> 
> DMZ_IF="eth0"
> DMZ_NET="10.9.10.0/24"
> DMZ_NET_ANTISPOOF=1
> 
> # Firewall policies for the DMZ (EXPERT SETTINGS!)
> DMZ_OPEN_ICMP=1
> DMZ_OPEN_TCP=""                 
> DMZ_OPEN_UDP=""                 
> DMZ_OPEN_IP="" 
> DMZ_HOST_OPEN_TCP=""                                
> DMZ_HOST_OPEN_UDP=""                                
> DMZ_HOST_OPEN_IP="" 
> 
> # INET_DMZ_xxx = Internet->DMZ access rules (forward)   
> INET_DMZ_OPEN_ICMP=""  
> INET_DMZ_DENY_TCP=""                                
> INET_DMZ_DENY_UDP=""                                
> INET_DMZ_DENY_IP="" 
> INET_DMZ_HOST_OPEN_TCP="" 
> INET_DMZ_HOST_OPEN_UDP="" 
> INET_DMZ_HOST_OPEN_IP=""
> 
> INET_DMZ_HOST_DENY_TCP="" 
> INET_DMZ_HOST_DENY_UDP="" 
> INET_DMZ_HOST_DENY_IP=""  
> 
> # DMZ_INET_xxx = DMZ->internet access rules (forward) 
> DMZ_INET_DEFAULT_POLICY_DROP="0" 
> DMZ_INET_OPEN_ICMP="1" 
> 
> DMZ_INET_OPEN_TCP=""                                
> DMZ_INET_OPEN_UDP=""                                
> DMZ_INET_OPEN_IP=""
> DMZ_INET_DENY_TCP=""                                
> DMZ_INET_DENY_UDP=""                                
> DMZ_INET_DENY_IP=""
> 
> DMZ_INET_HOST_OPEN_TCP="" 
> DMZ_INET_HOST_OPEN_UDP="" 
> DMZ_INET_HOST_OPEN_IP=""
> DMZ_INET_HOST_DENY_TCP="" 
> DMZ_INET_HOST_DENY_UDP="" 
> DMZ_INET_HOST_DENY_IP="" 
> 
> 
> # DMZ_LAN_xxx  = DMZ->LAN access rules (forward) 
> DMZ_LAN_OPEN_ICMP=1
> 
> DMZ_LAN_HOST_OPEN_TCP=""                                            
> DMZ_LAN_HOST_OPEN_UDP=""                                            
> DMZ_LAN_HOST_OPEN_IP=""
> 
> 
> Errors I'm continuing to receive simply trying to ping Google's
> nameserver (8.8.8.8) are as follows. The DMZ host is 10.9.10.12:
> 
> Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=41969 PROTO=UDP SPT=5353 DPT=5351 LEN=20
> 
> Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=157 TOS=0x00 PREC=0x00 TTL=255 ID=6291 PROTO=UDP SPT=53144 DPT=1900 LEN=137
> 
> Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=45259 PROTO=UDP SPT=5353 DPT=5351 LEN=20
> 
> Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=156 TOS=0x00 PREC=0x00 TTL=255 ID=59578 PROTO=UDP SPT=53144 DPT=1900 LEN=136
> 
> 
> Any help greatly appreciated!
> 
> dave
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
> 
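An added triage example, written for this archive page and not code from the thread or from Arno's firewall: it parses AIF "denied" kernel log lines of the kind Dave quoted, names the UDP service each one was aimed at (1900 is SSDP, the UPnP discovery port; 5351 is NAT-PMP), and reports which of them a DMZ_HOST_OPEN_UDP value in the host~ports form Lonnie gives ("0/0~53,67,68") would let through to the gateway. The sample log lines are constructed (modelled on the quoted ones, each on a single line as the kernel writes it, with a DNS query and a DHCP discover added). Assumptions: "0/0" means any source host, several entries in DMZ_HOST_OPEN_UDP are separated by spaces, and only single comma-separated ports are listed; NAT_INTERNAL_NET is not modelled.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (not the thread's lines verbatim): AIF kernel log lines modelled
# on the ones Dave quoted, plus a DNS query and a DHCP discover so the rule check
# has something to allow.
SAMPLE_LOG = """\
Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=41969 PROTO=UDP SPT=5353 DPT=5351 LEN=20
Feb 24 15:06:52 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=157 TOS=0x00 PREC=0x00 TTL=255 ID=6291 PROTO=UDP SPT=53144 DPT=1900 LEN=137
Feb 24 15:06:53 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=00:21:9b:13:b1:11:3c:07:54:4b:d8:7b:08:00 SRC=10.9.10.12 DST=10.9.10.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=41234 DPT=53 LEN=52
Feb 24 15:06:53 scooter kernel: AIF:DMZ-INPUT denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:3c:07:54:4b:d8:7b:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

# Well-known UDP services a gateway sees on its DMZ interface.
SERVICE_NAMES = {
    (53, "UDP"): "DNS",
    (67, "UDP"): "DHCP server",
    (68, "UDP"): "DHCP client",
    (1900, "UDP"): "SSDP (UPnP discovery)",
    (5351, "UDP"): "NAT-PMP",
}
# Local discovery chatter that a DMZ host should not get the gateway to answer.
LOCAL_DISCOVERY_PORTS = {1900, 5351}

LOG_RE = re.compile(r"AIF:(?P<chain>[A-Za-z0-9_-]+) (?P<verdict>\w+): (?P<rest>.*)$")


def parse_line(line):
    """Parse one AIF log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-header one
    try:
        return {
            "chain": m.group("chain"),
            "verdict": m.group("verdict"),
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields.get("PROTO", ""),
            "dport": int(fields["DPT"]) if "DPT" in fields else None,
        }
    except (KeyError, ValueError):
        return None


def parse_host_open_rule(entry):
    """Parse one host~ports entry such as 0/0~53,67,68 into (network, {ports}).
    Assumptions: 0/0 means any host; only single, comma-separated ports appear."""
    host, _, ports = entry.partition("~")
    net = ipaddress.ip_network("0.0.0.0/0" if host == "0/0" else host, strict=False)
    return net, {int(p) for p in ports.split(",") if p}


def rule_allows(rules, event):
    """True if any (network, ports) pair matches the packet's source and dport."""
    return any(event["src"] in net and event["dport"] in ports for net, ports in rules)


def triage(log_text, dmz_host_open_udp=""):
    """Count denied DMZ-INPUT packets by (src, proto, dport, service, outcome), where
    outcome says what the given DMZ_HOST_OPEN_UDP value (assumed to hold
    space-separated host~ports entries) would do with each of them."""
    rules = [parse_host_open_rule(e) for e in dmz_host_open_udp.split()]
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["verdict"] != "denied" or ev["chain"] != "DMZ-INPUT":
            continue
        service = SERVICE_NAMES.get((ev["dport"], ev["proto"]), "unknown")
        if ev["proto"] == "UDP" and rule_allows(rules, ev):
            outcome = "allowed by DMZ_HOST_OPEN_UDP"
        elif ev["dport"] in LOCAL_DISCOVERY_PORTS:
            outcome = "still denied (local discovery, expected)"
        else:
            outcome = "still denied"
        counts[(str(ev["src"]), ev["proto"], ev["dport"], service, outcome)] += 1
    return counts


if __name__ == "__main__":
    # Compare the quoted configuration (nothing opened) with Lonnie's suggestion.
    for setting in ("", "0/0~53,67,68"):
        print(f'DMZ_HOST_OPEN_UDP="{setting}"')
        for key, n in sorted(triage(SAMPLE_LOG, setting).items()):
            print("  ", n, *key)
```

Running it against the constructed log shows what the thread describes: with the rule in place the DNS query and the DHCP discover reach the gateway, while the SSDP and NAT-PMP probes stay denied, which is the right outcome, since those are the DMZ host looking for a UPnP-style gateway to open ports on its behalf and are not what stops its Internet access. Whether Internet traffic then leaves via eth2 is the NAT_INTERNAL_NET question from the reply, which this script does not check.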