 From:  "David Kitchens" <spider at webweaver dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Can't ping DMZ
 Date:  Tue, 13 Apr 2004 14:27:11 -0400
Doh! I wondered about the static route, SW uses it so I recreated it in
m0n0. The DMZ does not need to access the LAN in this situation but with SW
it could ping it. I changed the rule as you suggested and plugged my laptop
into DMZ and it pings 100.10 now! Thanks Manuel, you rock! Now to take it to
client and replace that clunker SW! hehe.  

-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net] 
Sent: Tuesday, April 13, 2004 1:47 PM
To: David Kitchens
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Can't ping DMZ

On 13.04.2004 13:24 -0400, David Kitchens wrote:

> Now the problem, the mail server in DMZ cannot be 
> pinged from LAN, it will not ping anything in the LAN or on the web. 
> It cannot get out and nothing can get in to it. I tried

Don't forget that (ideally) DMZ hosts should not be able to access anything
in the LAN subnet.

> <rule>
> <type>pass</type>
> <interface>opt1</interface>
> <source>
> <network>lan</network>
> </source>
> <destination>
> <any/>
> </destination>
> <descr>Default LAN -&gt; any</descr>
> </rule>

Hmm, a pass rule on interface OPT1, but with source "LAN subnet"?
That doesn't make sense - you'll probably want this rule to be "source = DMZ
subnet" and "destination = not LAN subnet".

Also, that static route for doesn't make sense either if
that subnet is on the OPT1 interface. You don't need it.

- Manuel
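As an added example (not code from the thread or from the m0n0wall project), the following Python script parses the quoted rule next to the corrected form Manuel describes and flags the two problems he points out: a pass rule bound to OPT1 whose source is the LAN subnet, and an OPT (DMZ) rule whose destination still reaches the LAN subnet. The sample XML is constructed for this example; the `<not/>` marker used to express "not LAN subnet" is an assumption about how m0n0wall's config.xml stores a negated destination.

```python
import xml.etree.ElementTree as ET

# Constructed sample config fragment: the rule quoted in the thread (broken),
# followed by the corrected rule (source = DMZ subnet, destination = not LAN).
# The <not/> element is an assumption about m0n0wall's config.xml layout.
SAMPLE_RULES = """<filter>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <source><network>lan</network></source>
    <destination><any/></destination>
    <descr>Default LAN -&gt; any</descr>
  </rule>
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <source><network>opt1</network></source>
    <destination><not/><network>lan</network></destination>
    <descr>DMZ -&gt; not LAN</descr>
  </rule>
</filter>
"""

TRUSTED_NETWORK = "lan"  # the subnet DMZ hosts should not be able to reach


def describe_endpoint(node):
    """Return (kind, name, negated) for a <source> or <destination> element."""
    if node is None:
        return ("unknown", None, False)
    negated = node.find("not") is not None
    if node.find("any") is not None:
        return ("any", None, negated)
    net = node.find("network")
    if net is not None:
        return ("network", (net.text or "").strip(), negated)
    addr = node.find("address")
    if addr is not None:
        return ("address", (addr.text or "").strip(), negated)
    return ("unknown", None, negated)


def audit_rules(xml_text):
    """Return a list of (rule_index, descr, problem) for suspicious pass rules."""
    findings = []
    root = ET.fromstring(xml_text)
    for idx, rule in enumerate(root.findall("rule")):
        if rule.findtext("type", "").strip() != "pass":
            continue
        iface = rule.findtext("interface", "").strip()
        descr = rule.findtext("descr", "").strip()
        skind, sname, snot = describe_endpoint(rule.find("source"))
        dkind, dname, dnot = describe_endpoint(rule.find("destination"))

        # Rules on an interface filter traffic entering that interface, so a
        # source of another interface's subnet never matches DMZ-originated traffic.
        if skind == "network" and not snot and sname != iface:
            findings.append((idx, descr,
                             f"source '{sname}' subnet on interface '{iface}': "
                             "rule never matches traffic entering from that interface"))

        # A DMZ (optN) rule whose destination is "any", or the LAN subnet without
        # the negation, lets DMZ hosts reach the trusted LAN.
        if iface.startswith("opt"):
            reaches_lan = (dkind == "any") or (
                dkind == "network" and dname == TRUSTED_NETWORK and not dnot)
            if reaches_lan:
                findings.append((idx, descr,
                                 f"rule on '{iface}' allows traffic to the "
                                 f"'{TRUSTED_NETWORK}' subnet"))
    return findings


if __name__ == "__main__":
    for index, descr, problem in audit_rules(SAMPLE_RULES):
        print(f"rule {index} ({descr}): {problem}")
```

Running it reports both problems for the first rule and nothing for the corrected one; the same check can be pointed at a full config.xml export by passing the `<filter>` section to `audit_rules`.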