From: Tom E. <te...@sh...> - 2002-08-31 22:07:18
On Wednesday 28 August 2002 04:49 pm, phyxeld wrote:
> On Thursday, August 22, 2002, at 07:21 AM, Tom Eastep wrote:
> > What I recommend that you do is turn ADD_IP_ALIASES off in
> > shorewall.conf and add the three static NAT addresses the same way
> > that you did the .150 one. If you use ifconfig to look at your ip
> > configuration (as opposed to using ip) you are going to be hopelessly
> > confused otherwise. Even using 'ip' you will not be totally happy
> > with what you see until you upgrade this site to Shorewall 1.3.x.
> >
> > The command to see what addresses are REALLY on eth2 is "ip addr show
> > eth2".
>
> OK, I've upgraded the machine to 1.3.7b using the tarball (after
> removing the deb install) and all seems to be working well. BUT, somehow
> I keep ending up with a /8 netmask, ie all internet hosts in the 64.x
> class A have become inaccessible (and I'm sending lots of ARP packets
> for places I shouldn't!).

The ip utility uses VLSM notation... If you don't specify a VLSM on the
address that you add, you get a VLSM supplied based on the old class-based
system (which is "/8" on a 64.x.x.x address).

>
> "ip addr show eth2" shows this:
>
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:04:5a:68:33:98 brd ff:ff:ff:ff:ff:ff
>     inet 64.x.x.147/8 brd 64.255.255.255 scope global eth2:0
>     inet 64.x.x.148/24 brd 64.255.255.255 scope global eth2
>     inet 64.x.x.150/8 brd 64.255.255.255 scope global secondary eth2:1
>     inet 64.x.x.149/8 brd 64.255.255.255 scope global secondary eth2
>     inet 64.x.x.146/8 brd 64.255.255.255 scope global secondary eth2
>
> The .148 was also /8, but I changed it by hand with the ifconfig command.
>
> How do I set the netmask for each IP using the ip command, or better
> still, how do I make shorewall do it when adding aliases? I'd like to
> keep shorewall adding my aliases if possible, but 147 and 150 are
> currently added with the ifconfig command (in /etc/network/interfaces)
> because shorewall didn't seem to be adding them (.147 has changed since
> my last email and isn't in the nat file anymore).

Shorewall can't add addresses on more than one subnet -- that's why I told
you to add them yourself.

>
> Where might I find docs for the iproute package? Debian has a
> placeholder manpage only.

Google tells all...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ te...@sh...
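
A check for the symptom discussed in this message, added here as an example and not part of the original thread or of Shorewall: it parses "ip addr show" output and flags addresses that carry the class-based default mask beside a longer one, and broadcast addresses that no longer match their prefix. The function names and the 10.0.2.x sample addresses are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample shaped like the "ip addr show eth2" output quoted above;
# 10.0.2.x stands in for the redacted 64.x.x addresses (both are class A).
SAMPLE = """\
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:04:5a:68:33:98 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.147/8 brd 10.255.255.255 scope global eth2:0
    inet 10.0.2.148/24 brd 10.255.255.255 scope global eth2
    inet 10.0.2.150/8 brd 10.255.255.255 scope global secondary eth2:1
"""

IP = r"\d+\.\d+\.\d+\.\d+"
INET_RE = re.compile(rf"^\s*inet ({IP})/(\d+)\b(?:.*\bbrd ({IP}))?")


def classful_prefix(addr):
    """Prefix length the old class A/B/C rules assign to addr (None for D/E)."""
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24 if first < 224 else None


def parse_inet(text):
    """Return (IPv4Interface, broadcast-or-None) for every 'inet' line."""
    entries = []
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            entries.append((ipaddress.ip_interface(f"{m[1]}/{m[2]}"), m[3]))
    return entries


def audit(text):
    """Flag classful-default masks and broadcasts that disagree with the prefix."""
    entries = parse_inet(text)
    longest = max((i.network.prefixlen for i, _ in entries), default=0)
    findings = []
    for iface, brd in entries:
        plen = iface.network.prefixlen
        if plen == classful_prefix(str(iface.ip)) and plen < longest:
            findings.append((str(iface), "classful default mask, wider than a sibling address"))
        elif brd and brd != str(iface.network.broadcast_address):
            findings.append((str(iface), f"brd {brd} does not match /{plen}"))
    return findings


if __name__ == "__main__":
    for address, reason in audit(SAMPLE):
        print(f"{address}: {reason}")
```

On the sample, the /24 entry is reported as well: its mask was corrected but its broadcast still belongs to the /8, which is the state the .148 address is left in after the manual ifconfig change.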