Hi,
I'm trying to use Shorewall (3.0.6) to accomplish what I thought was going
to be fairly simple. Unfortunately, I can't get the dmz to work correctly,
and I'm getting martians logged against the interface at issue.
Any help I could get would be greatly appreciated!
A picture of my physical setup is attached. I have also attached a shorewall dump.
To make a long story short, I have three external interfaces, each connected
to an ADSL modem via Ethernet. I want to use one of the interfaces (ADSL0)
to provide traffic to/from our lan, one of the interfaces to provide vpn
access to our lan, and one of the interfaces to support a small dmz with a
handful of servers. 
I have set Shorewall up with the following interfaces:
net     eth0            detect          tcpflags,routefilter,nosmurfs,logmartians,blacklist
vpn     eth1            detect          tcpflags,routefilter,norfc1918,nosmurfs,logmartians,blacklist
dmzo    eth2            detect          tcpflags,routefilter,norfc1918,nosmurfs,logmartians,blacklist
vpnre   tun0            detect
lan     eth3            detect          tcpflags,detectnets,nosmurfs
dmz     eth4
And with the following zones:
fw      firewall
net     ipv4	# adsl0 to the internet
lan     ipv4	# our lan 10.161.101.0
dmz     ipv4	# internal dmz 10.10.10.0
dmzo    ipv4	# adsl2 to the internet
vpn     ipv4	# adsl1 to the internet to support vpn
vpnre   ipv4	# tunnel interface for openvpn
I'm using the following routing:
67.40.108.40 dev eth2  scope link  src 67.40.108.41
192.168.0.0 dev eth0  scope link  src 192.168.0.2
67.40.108.64 dev eth1  scope link  src 67.40.108.65
67.40.108.40/29 dev eth2  proto kernel  scope link  src 67.40.108.41
67.40.108.64/29 dev eth1  proto kernel  scope link  src 67.40.108.65
10.161.101.0/24 dev eth3  proto kernel  scope link  src 10.161.101.1
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
10.10.10.0/24 dev eth4  proto kernel  scope link  src 10.10.10.1
169.254.0.0/16 dev eth4  scope link
default via 192.168.0.1 dev eth0
I'm using the following special routing tables & rules to make sure that
traffic originating from an adsl interface is responded to using that
interface:
adsl0
192.168.0.0 dev eth0  scope link  src 192.168.0.2
default via 192.168.0.1 dev eth0
adsl1
67.40.108.64 dev eth1  scope link  src 67.40.108.65
default via 67.40.108.70 dev eth1
adsl2
67.40.108.40 dev eth2  scope link  src 67.40.108.41
default via 67.40.108.46 dev eth2
I have the dmz set up to use proxyarp from eth4 to eth2. A proxy arp rule
that I'm trying to test is as follows:
#ADDRESS        INTERFACE       EXTERNAL        HAVEROUTE       PERSISTENT
67.40.108.44    eth4            eth2            no              yes
When trying to test the dmz using an external computer, the log shows:
May 15 12:06:32 gateway kernel: martian source 67.40.108.44 from 216.83.137.157, on dev eth2
May 15 12:06:32 gateway kernel: ll header: 00:0f:b5:8a:e5:bc:00:15:05:36:ba:2a:08:00
216.83.137.157 is the ip address of the machine that I'm using for testing.
I've seen martians before but involving unroutable RFC1918 addresses.
Regards,
Rob Hicks
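The following is an added example, not part of the message above or of Shorewall itself. It models the strict reverse-path check behind the kernel's "martian source" log line (Shorewall's `routefilter` option turns that check on): the kernel looks up a route back to the packet's source address and logs a martian if that route would not leave via the interface the packet arrived on. In the kernel's message the first address is the destination and the second is the source. The routing tables are constructed from the `ip route` output in the message; the check is simplified to a longest-prefix lookup in a single table, which is an assumption (the kernel consults policy-routing rules too), so the result shows what the main table alone says about the logged packet, and what a per-ISP table such as `adsl2` says instead.

```python
import ipaddress
import re

# Main routing table, constructed from the message (prefix -> egress device).
MAIN_TABLE = [
    ("67.40.108.40/32", "eth2"),
    ("192.168.0.0/32", "eth0"),
    ("67.40.108.64/32", "eth1"),
    ("67.40.108.40/29", "eth2"),
    ("67.40.108.64/29", "eth1"),
    ("10.161.101.0/24", "eth3"),
    ("192.168.0.0/24", "eth0"),
    ("10.10.10.0/24", "eth4"),
    ("169.254.0.0/16", "eth4"),
    ("0.0.0.0/0", "eth0"),  # default via 192.168.0.1 dev eth0
]

# Per-ISP table "adsl2" from the message: everything leaves via eth2.
ADSL2_TABLE = [
    ("67.40.108.40/32", "eth2"),
    ("0.0.0.0/0", "eth2"),  # default via 67.40.108.46 dev eth2
]


def parse_table(rows):
    """Turn (prefix, device) strings into (ip_network, device) pairs."""
    return [(ipaddress.ip_network(prefix), dev) for prefix, dev in rows]


def lookup(table, addr):
    """Longest-prefix match: the device a packet to addr would leave through."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, dev in table:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def is_martian_source(table, saddr, iif):
    """Strict reverse-path filter: the route back to the source must leave
    via the interface the packet arrived on, otherwise it is a martian."""
    return lookup(table, saddr) != iif


# Kernel format: "martian source <dst> from <src>, on dev <iface>"
_MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def parse_martian_log(line):
    """Extract destination, source and ingress device from a martian log line."""
    m = _MARTIAN_RE.search(line)
    if not m:
        return None
    return {"dst": m.group(1), "src": m.group(2), "iif": m.group(3)}


def check_log_line(line, table):
    """Re-run the reverse-path check for a logged packet against one table.
    Returns (iif, reverse-path device, martian?) or None if the line does not parse."""
    pkt = parse_martian_log(line)
    if pkt is None:
        return None
    back = lookup(table, pkt["src"])
    return (pkt["iif"], back, back != pkt["iif"])


if __name__ == "__main__":
    # Log line quoted from the message above.
    LOG = "May 15 12:06:32 gateway kernel: martian source 67.40.108.44 from 216.83.137.157, on dev eth2"
    for name, rows in (("main", MAIN_TABLE), ("adsl2", ADSL2_TABLE)):
        iif, back, martian = check_log_line(LOG, parse_table(rows))
        print(f"table {name}: arrived on {iif}, reverse path via {back}, martian={martian}")
```

Running it shows the two outcomes side by side: with the main table the reverse path to 216.83.137.157 is the default route on eth0, which does not match eth2, while with the adsl2 table it is eth2 and the packet passes. The same `check_log_line` function can be pointed at any other "martian source" line from the log.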