Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
06-13-2006, 09:02 PM | #1 | LQ Newbie | Registered: Jun 2006 | Posts: 3
green pc's can't access name-based web/mail virtual hosts on ipcop orange zone (dmz)
Hi guys. Just got on board.
I am setting up ipcop 1.4.10 for a small office. Configured ipcop with green, orange and red zones. A web (apache) cum mail server (dovecot/squirrelmail) (i.e., consolidated on one server) is placed on the orange zone, for access from the Internet (red zone) and by internal users (green zone). The web and squirrelmail servers are name-based virtual hosts on the Apache httpd server.
Tried to follow Apache docs re virtual host examples but still not successful when accessing the web and mail server by name (e.g. 'http: //websvr' and 'http: //mailsvr', respectively) from the inside... 'http: //websvr cannot be resolved' or some such error. Either site, however, can be accessed using the DMZ IP address ('http: //10.0.0.2' and 'http: //10.0.0.2/webmail'). DNS servers for ipcop are external.
-Note: intentionally place space between : and // in the URL; LQ is blocking my post with URL. -
Tried to use:
1. an internal DNS server as primary DNS server of ipcop to resolve internal servers
2. the hosts file
3. 'bypass proxy server for local addresses' on the browser
to no avail.
In fact, using internal DNS server as primary DNS of ipcop presents problems as Internet URLs cannot be resolved (even from ipcop).
Would appreciate assistance on this.
I also plan to later install copfilter (for anti-spam, URL filtering, etc.) and BlockOutTraffic to further control egress.
Any suggestions / alternatives for this requirement (firewall/proxy/etc)?
Tks.
06-14-2006, 04:21 PM | #2 | Member | Registered: Oct 2003 | Distribution: Just about anything... so long as it is Debian based. | Posts: 297
This looks very similar to my setup, only I'm using Endian which is based on IPCop.
When you ping your server by name, do you get the right IP resolved? Also, try turning off your IPCop's proxy. I'm thinking that the issue exists there. I bet IPCop is getting the wrong DNS info and is causing your issue. Simply putting in the "bypass proxy server for local address" won't work, because it's not a local address. It, by nature of being in orange, is in a different address space than your green.
Michael Knisely
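To make Michael's point about where the lookup happens concrete, here is a small added model (not code from the thread, IPCop or Endian) of the browser's exception-list matching and of a forward proxy resolving host names with its own DNS. The two resolver tables and the address 203.0.113.10 are constructed for the example.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Browser exception list as posted later in this thread (';'-separated, '*' wildcards).
BYPASS = "192.168.*;10.0.*;*.inet;mailsvr;websvr;"

# Constructed resolvers. Green clients use an office DNS that knows the DMZ
# names; the firewall's proxy only has the ISP's external DNS, so it has never
# heard of 'websvr'. 203.0.113.10 is a documentation-range placeholder.
CLIENT_DNS = {"websvr": "10.0.0.2", "mailsvr": "10.0.0.2",
              "www.example.com": "203.0.113.10"}
PROXY_DNS = {"www.example.com": "203.0.113.10"}


def bypasses_proxy(host, bypass=BYPASS):
    """True if the browser would connect directly rather than via the proxy."""
    patterns = [p.strip().lower() for p in bypass.split(";") if p.strip()]
    return any(fnmatchcase(host.lower(), p) for p in patterns)


def resolve(host, table):
    """IP literals need no lookup; names are looked up in the given resolver."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return table.get(host)


def fetch(url, proxy_enabled=True, bypass=BYPASS):
    """Decide which path a request takes and whether its host resolves.

    A non-bypassed request is sent to the proxy as an absolute URI, so the
    proxy (not the client) does the DNS lookup with its own resolver. A
    bypassed request, or any request with the proxy off, resolves locally.
    """
    host = urlsplit(url).hostname
    if proxy_enabled and not bypasses_proxy(host, bypass):
        via, ip = "proxy", resolve(host, PROXY_DNS)
    else:
        via, ip = "direct", resolve(host, CLIENT_DNS)
    return {"host": host, "via": via, "ip": ip, "resolved": ip is not None}


if __name__ == "__main__":
    for u, kw in [("http://websvr/", {"bypass": ""}),
                  ("http://10.0.0.2/webmail", {"bypass": ""}),
                  ("http://websvr/", {}),
                  ("http://websvr/", {"proxy_enabled": False})]:
        print(u, kw, "->", fetch(u, **kw))
```

With no exceptions the name goes to the proxy and fails while the IP URL still works, which matches the symptom in post #1; a matching exception or a disabled proxy moves the lookup back to the client.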
06-14-2006, 07:06 PM | #3 | LQ Newbie (Original Poster) | Registered: Jun 2006 | Posts: 3
Hi Michael.
Yes, ping by server name (from the green zone) is able to resolve to the correct (orange zone) IP address.
Will try disabling the IPCop proxy. But how would internal users be able to access the Internet? What would be the proxy settings of the browsers?
Re the "bypass proxy...", I included in the Exceptions "Do not use proxy server for addresses beginning with" the green IPs, orange IPs, the server names and the local domain (.inet):
192.168.*;10.0.*;*.inet;mailsvr;websvr;
Hmm... Will check out on Endian. What are the added features in it?
Tks.
- Bobby -
06-21-2006, 07:30 PM | #4 | LQ Newbie (Original Poster) | Registered: Jun 2006 | Posts: 3
Hi Michael.
I installed Endian. It has the features I was looking for all rolled into the distro.
The basic problem of greens unable to access the orange web or mail server by name is still there, when the web proxy is enabled. As per your suggestion, I disabled Endian's web proxy and now greens are able to access the web/mail server. The browser is set to not use a proxy server.
Am a bit puzzled by the disable proxy setup...
1. How is the browser able to access the Internet without the proxy? My internal IPs are private (192.168.*) and I did not configure port forwarding to green.
2. I have always thought that the proxy server accesses the Internet on behalf of the user (and hides the internal IPs). But with the proxy disabled, what goes?
3. What are the security risks when connected to the Internet and the proxy server is disabled?
At the moment, am using Endian with the default options only, plus port forwarding to the web/mail server on orange. Will try out the other options. What other options are you using? Which ones would you suggest?
Would appreciate your reply to this query.
Thanks a lot.
- Bobby -