LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-13-2006, 09:02 PM   #1
rcrreyes
LQ Newbie
 
Registered: Jun 2006
Posts: 3

Rep: Reputation: 0
green pc's can't access name-based web/mail virtual hosts on ipcop orange zone (dmz)


Hi guys. Just got on board.

I am setting up ipcop 1.4.10 for a small office. Configured ipcop with green, orange and red zones. A web (apache) cum mail server (dovecot/squirrelmail) (i.e., consolidated on one server) is placed on the orange zone, for access from the Internet (red zone) and by internal users (green zone). The web and squirrelmail servers are name-based virtual hosts on the Apache httpd server.

Tried to follow Apache docs re virtual host examples but still not successful when accessing the web and mail server by name (e.g. 'http: //websvr' and 'http: //mailsvr', respectively) from the inside... 'http: //websvr cannot be resolved' or something error. Either site, however, can be accessed using the DMZ IPaddress ('http: //10.0.0.2' and 'http: //10.0.0.2/webmail)'. DNS servers for ipcop are external.
-Note: intentionally place space between : and // in the URL; LQ is blocking my post with URL. -

Tried to use:
1. an internal DNS server as primary DNS server of ipcop to resolve internal servers
2. the hosts file
3. 'bypass proxy server for local addresses' on the browser
to no avail.

In fact, using internal DNS server as primary DNS of ipcop presents problems as Internet URLs cannot be resolved (even from ipcop).

Would appreciate assistance on this.

I also plan to later install later copfilter (for anti-spam, url filtering, etc.) and blockOutTraffic to further control egress.

Any suggestions / alternatives for this requirement (firewall/proxy/etc)?

Tks.
 
Old 06-14-2006, 04:21 PM   #2
charon79m
Member
 
Registered: Oct 2003
Distribution: Just about anything... so long as it is Debain based.
Posts: 297

Rep: Reputation: 30
This looks very simular to my setup, only I'm using Endian which is based on IPCop.

When you ping by name your server, do you get the right IP resolved? Also, try turning off your IPCop's proxy. I'm thinking that the issue exists there. I bet IPCop is getting the wrong DNS info and is causing your issue. Simply putting in the "bypass proxy server for local address" won't work, because it's not a local address. It, by nature of being in orange, is in a different address space than your green.

Michael Knisely
 
Old 06-14-2006, 07:06 PM   #3
rcrreyes
LQ Newbie
 
Registered: Jun 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Hi Michael.

Yes, ping by server name (from the green zone) is able to resolve to the correct (orange zone) IP address.

Will try disabling the IPCop proxy. But how would internal users be able to access the Internet? What would be the proxy settings of the browsers?

Re the "bypass proxy...", I included in the Exceptions "Do not use proxy server for addresses beginning with" the green IPs, orange IPs, the server names and the local domain (.inet)
192.168.*;10.0.*;*.inet;mailsvr;websvr;

Hmm... Will check out on Endian. What are the added features in it?

Tks.

- Bobby -
 
Old 06-21-2006, 07:30 PM   #4
rcrreyes
LQ Newbie
 
Registered: Jun 2006
Posts: 3

Original Poster
Rep: Reputation: 0
Hi Michael.

I installed Endian. It has the features I was looking for all rolled into the distro.

The basic problem of greens unable to access the orange web or mail server by name is still there, when the web proxy is enabled. As per your suggestion, I disabled Endian's web proxy and now greens are able to access the web/mail server. The browser is set to not use a proxy server.

Am a bit puzzled by the disable proxy setup...
1. How is the browser able to access the Internet without the proxy? My internal IPs are private (192.168.*) and I did not configure port forwarding to green.
2. I have always thought that the proxy server access the Internet in behalf of the user (and hides the internal IPs). But with the proxy disable, what goes?
3. What are the security risks when connected to the Internet and the proxy server is disabled?

At the moment, am using Endian with the default options only, plus port forwarding to the web/mail server on orange. Will try out the other options. What other options are you using? Which ones would you suggest?

Would appreciate your reply to this query.

Thanks a lot.
- Bobby -
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
IPcop Orange and Green problem Es-web Linux - Security 1 09-17-2005 01:37 PM
Apache - name based virtual hosts? Moses420ca Linux - Software 7 01-26-2005 11:04 AM
Mail Server With web-based access kp_cincy Linux - Software 3 05-19-2004 01:27 PM
IP based virtual hosts problem adm1329 Linux - Networking 4 03-11-2004 10:40 AM
linux firewall with internet zone, dmz and trusted zone ikhwan98 Linux - Security 1 11-27-2001 04:45 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration