 From:  Manuel Kasper <mk at neon1 dot net>
 To:  David Kitchens <spider at webweaver dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Can't ping DMZ
 Date:  Tue, 13 Apr 2004 19:47:21 +0200
On 13.04.2004 13:24 -0400, David Kitchens wrote:

> Now the problem, the mail server in DMZ cannot be
> pinged from LAN, it will not ping anything in the LAN or on the
> web. It cannot get out and nothing can get in to it. I tried

Don't forget that (ideally) DMZ hosts should not be able to access
anything in the LAN subnet.

> <rule>
> <type>pass</type>
> <interface>opt1</interface>
> <source>
> <network>lan</network>
> </source>
> <destination>
> <any/>
> </destination>
> <descr>Default LAN -&gt; any</descr>
> </rule>

Hmm, a pass rule on interface OPT1, but with source "LAN subnet"?
That doesn't make sense - you'll probably want this rule to be
"source = DMZ subnet" and "destination = not LAN subnet".

Also, that static route for doesn't make sense
either if that subnet is on the OPT1 interface. You don't need it.

- Manuel
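The two points Manuel makes (a pass rule on OPT1 cannot sensibly carry source "LAN subnet", and DMZ hosts should not be able to reach the LAN) can be turned into a mechanical check over the rule XML. The script below is an added example for this thread, not code from the m0n0wall project or from either poster. It embeds the rule exactly as quoted above next to a corrected version, parses both with the element layout shown in the quote, and flags the two problems. The `<not/>` child used to express "destination = not LAN subnet", the `<address>` fallback and the `lint_rules` heuristics are assumptions made for the example; only `<rule>`, `<type>`, `<interface>`, `<source>`, `<destination>`, `<network>`, `<any/>` and `<descr>` appear in the original post.

```python
"""Lint m0n0wall-style firewall rules for the two mistakes discussed in the thread.

Added example; not code from the mailing list post or the m0n0wall project.
Assumptions: the <rule> layout quoted in the thread, and that a negated
endpoint is written as an empty <not/> child of <destination> (assumed here;
the original post shows no negated rule).
"""
import xml.etree.ElementTree as ET

# Constructed config: first the rule as posted (pass on OPT1 with source
# "lan"), then the corrected rule Manuel suggests (source = DMZ subnet,
# destination = not LAN subnet). Sample data, not a real config.xml.
SAMPLE_CONFIG = """<filter>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
    <descr>Default LAN -&gt; any</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <source><network>opt1</network></source>
    <destination><not/><network>lan</network></destination>
    <descr>DMZ -&gt; anything except LAN</descr>
  </rule>
</filter>
"""


def parse_endpoint(elem):
    """Return (network_or_any, negated) for a <source> or <destination> element."""
    if elem is None:
        return ("any", False)
    negated = elem.find("not") is not None      # <not/> is an assumed convention
    if elem.find("any") is not None:
        return ("any", negated)
    net = elem.find("network")
    if net is not None and net.text:
        return (net.text.strip(), negated)
    addr = elem.find("address")                 # assumed fallback for literal hosts/nets
    if addr is not None and addr.text:
        return (addr.text.strip(), negated)
    return ("any", negated)


def parse_rules(xml_text):
    """Flatten every <rule> in the document into a plain dict."""
    root = ET.fromstring(xml_text)
    rules = []
    for r in root.iter("rule"):
        rules.append({
            "type": (r.findtext("type") or "").strip(),
            "interface": (r.findtext("interface") or "").strip(),
            "source": parse_endpoint(r.find("source")),
            "destination": parse_endpoint(r.find("destination")),
            "descr": (r.findtext("descr") or "").strip(),
        })
    return rules


def lint_rules(rules, interfaces=("lan", "opt1")):
    """Return a list of (descr, problem) findings for pass rules.

    Check 1: a pass rule bound to one interface whose non-negated source is
             another interface's subnet can never match traffic arriving on
             that interface, so it is dead and almost certainly a mistake.
    Check 2: a pass rule on an OPT (DMZ) interface whose destination is "any",
             or is the LAN subnet without negation, lets DMZ hosts reach the
             LAN, which the thread says they ideally should not.
    """
    findings = []
    for rule in rules:
        if rule["type"] != "pass":
            continue
        iface = rule["interface"]
        src_net, src_not = rule["source"]
        dst_net, dst_not = rule["destination"]
        if not src_not and src_net in interfaces and src_net != iface:
            findings.append((rule["descr"],
                             f"source subnet '{src_net}' does not belong to interface '{iface}'"))
        if iface.startswith("opt"):
            reaches_lan = dst_net == "any" or (dst_net == "lan" and not dst_not)
            if reaches_lan:
                findings.append((rule["descr"], "DMZ pass rule allows traffic to the LAN subnet"))
    return findings


if __name__ == "__main__":
    for descr, problem in lint_rules(parse_rules(SAMPLE_CONFIG)):
        print(f"{descr}: {problem}")
```

Run as a script, it reports both problems against the rule as posted and nothing against the corrected rule. The check is deliberately coarse: it only compares interface-subnet aliases, so a destination given as a literal address range that happens to overlap the LAN would not be caught.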