From: K <sho...@du...> - 2005-05-31 22:10:58
Hi again.

Thanks very much. The explanation was understandable.
I may try the old setup for curiosity.

/K

-----Original Message-----
From: sho...@li... [mailto:sho...@li...] On Behalf Of Alexander Wilms
Sent: 31. mai 2005 23:12
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Proxy ARP working from Internet but not from fw and loc

On Tuesday 31 May 2005 22:21, K wrote:
> Hi Alex.
>
> I didn't think of that.
> Probably true about the no rfc1918 network.
> The servers all run gShield firewall, and probably block these addresses.
> (I'm not sure)

I am :-)

> Does this mean that the old configuration should work even without masq
> from loc to dmz?

Yes.

> So if I remove the firewall on the servers, change the dmz interface back
> to 10.0.10.0/24 and remove the masq option from loc to dmz it should work?

You don't need to change it back.
See http://www.shorewall.net/ProxyARP.htm

As Tom wrote:
Note: I've used an RFC1918 IP address for eth1 - that IP address is largely irrelevant (see below).
-> First diagram

Later he even suggests using the same IP for the DMZ interface that the net interface has, but with a /32 netmask (only 1 host, no network)
-> Second diagram

Proxy ARP causes all the packets that are sent out via the default route (ISP's router IP) to be accepted by the firewall. So only this default route is needed in this setup. Then the firewall does the correct routing.
So the DMZ IP address doesn't matter, because no packet will ever be addressed to this interface's IP directly.

Hope my explanation was understandable,
Alex

> /K
>
> -----Original Message-----
> From: sho...@li... [mailto:sho...@li...] On Behalf Of Alexander Wilms
> Sent: 31. mai 2005 21:17
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Proxy ARP working from Internet but not from fw and loc
>
> On Tuesday 31 May 2005 19:53, K wrote:
> > Thanks guys.
> > (Alex and Jerry)
> >
> > Now all is working :-)
>
> OK, now you were quicker than me. ;-)
>
> But:
> You just worked "around" the "original" problem.
>
> Let's clear up this issue a bit.
>
> Error Scenario: Your tcpdump dump showed that the packets were forwarded
> correctly loc -> fw -> dmz.
> But packets were not sent back out from the dmz server.
>
> So here we have/had two possibilities why your former setup didn't work:
>
> 1) Wrong routing by not choosing the ISP's router as default gateway:
> - That's why I asked for your server's routing table, but your routing was
> correct.
>
> So here comes the second possible reason:
>
> 2) Can it be that you are running shorewall (or raw iptables) on the DMZ
> server? Including the rfc1918 interface option? Because in your setup before
> Proxy-ARP this server was parallel to the firewall?
> Btw., I'm very sure about that. ;-)
>
> Your workaround: By using masquerading (and changing the dmz interface ip of
> the shorewall box) now all packets seem to come from a public (and
> non-rfc1918) address. So the still used rfc1918 option doesn't block
> anymore.
>
> Is it like this Kristian?
>
> Btw, credits go to a friend who saw the big picture by saying: Ehhh, maybe he
> is blocking traffic with another shorewall installation on the server. This
> server was connected to the Internet directly before.
>
> HTH,
> Alex
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Sho...@li...
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
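As an added illustration (not from this thread or the Shorewall documentation), here is the shape of the firewall-side configuration Alex is describing, in Shorewall 2.x column layout with constructed values: 203.0.113.18 as the DMZ server's public address, 192.168.1.0/24 as loc, and eth0/eth1/eth2 as net/loc/dmz interfaces. It shows that the proxyarp entry does the work, that the dmz interface address is never a packet's destination, and that the masq entry belongs only to the workaround.

```text
# /etc/shorewall/interfaces   (Shorewall 2.x columns; interface names assumed)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
# dmz: with proxy ARP no packet is ever addressed to this interface's IP, so
# an RFC1918 address, or eth0's own public address with a /32 mask, both work
dmz     eth2        -

# /etc/shorewall/proxyarp
# The firewall answers ARP for the server's public address on eth0 and
# forwards to the server on eth2. The server keeps its public address and
# keeps the ISP router as its default gateway, exactly as before.
#ADDRESS          INTERFACE   EXTERNAL   HAVEROUTE
203.0.113.18      eth2        eth0       No

# /etc/shorewall/policy
#SOURCE   DEST   POLICY
loc       dmz    ACCEPT
loc       net    ACCEPT
dmz       net    ACCEPT
net       all    DROP
all       all    REJECT

# /etc/shorewall/masq
# Workaround only: rewrite loc's private source addresses so a DMZ host that
# drops RFC1918 sources still answers. For it to help, eth2 must then carry a
# public address (which is what K changed). With proxy ARP in place and a DMZ
# host that does not filter private sources, leave this file empty.
#INTERFACE   SUBNET
#eth2        192.168.1.0/24
```

The real fix discussed in the thread is on the DMZ host: its own packet filter must not treat the firewall's private loc addresses as spoofed now that it sits behind the firewall rather than directly on the Internet.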