Hi- One last question for the week, I promise.

I've got one IP ProxyArp'd according to the instructions at
http://www.shorewall.net/ProxyARP.htm. I've set up the shorewall/proxyarp
file as follows:

    #ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
    208.4.145.73    br0        eth1      no         yes
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

The ADDRESS is an unused IP in my public subnet; the INTERFACE is a bridge
between eth0 (internal NIC) and tap0 (virtual interface for OpenVPN). I have
a rule in my shorewall/rules file as follows:

    ACCEPT  net  loc:208.4.145.73  tcp  22

Now the weirdness begins. I've done all the ARPing stuff and the proxyarped
interface is accessible from OUTSIDE my network. However, any attempts to
access it from my local network time out, with no errors in my syslog. I've
tried changing the ACCEPT rule to:

    ACCEPT  all  loc:208.4.145.73  tcp  22

with no difference in results. The proxyarped host can also access any
devices on the net, but not in the local zone. Attempts by it to access the
local zone time out with no errors in the syslog.

I'm running out of hair to pull out. Any suggestions for troubleshooting?
I can attach a shorewall dump if required.

Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Keith Mitchell wrote:
>
> Now the weirdness begins. I've done all the ARPing stuff and the
> proxyarped interface is accessible from OUTSIDE my network. However,
> any attempts to access from my local network time out, with no errors in
> my syslog. I've tried changing the ACCEPT rule to:
>
>     ACCEPT  all  loc:208.4.145.73  tcp  22
>
> With no difference in results. The proxyarped host can also access any
> devices on the net, but not in the local zone. Attempts by it to access
> the local zone time out with no errors in the syslog. I'm running out
> of hair to pull out. Any suggestions for troubleshooting? I can attach
> a shorewall dump if required.

What you are seeing is not weird at all -- it just shows that trying to
stick a host with a public IP address in the middle of an RFC1918 network
is hard to make work right. I suggest that you give it up -- making this
work requires unspeakable hacks.

If you really want to use Proxy ARP then put the Proxy ARP hosts on their
own LAN segment as shown in the Shorewall Setup Guide.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
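A small lint for the proxyarp entry quoted above, added here as an example and not part of the thread or of Shorewall itself: it parses the five-column /etc/shorewall/proxyarp format and flags the configuration Tom is warning about, a public ADDRESS proxied onto an interface whose own subnet is RFC1918 space. The br0 and eth1 subnets are constructed assumptions (the thread only says the loc zone is RFC1918), as are the Yes/No defaults for the optional columns.

```python
import ipaddress
from collections import namedtuple

# Constructed sample modelled on the /etc/shorewall/proxyarp entry in the thread.
SAMPLE_PROXYARP = """\
#ADDRESS      INTERFACE EXTERNAL HAVEROUTE PERSISTENT
208.4.145.73  br0       eth1     no        yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""
# Constructed assumption: the thread only says loc is RFC1918, not which subnet.
IFACE_SUBNETS = {"br0": ipaddress.ip_network("192.168.1.0/24"),
                 "eth1": ipaddress.ip_network("208.4.145.64/27")}

ProxyArpEntry = namedtuple("ProxyArpEntry", "address interface external haveroute persistent")

def _yesno(value, lineno, column):
    if value.lower() not in ("yes", "no"):
        raise ValueError(f"line {lineno}: {column} must be Yes or No, got {value!r}")
    return value.lower() == "yes"

def parse_proxyarp(text):
    """Parse the five-column proxyarp format; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if not 3 <= len(fields) <= 5:
            raise ValueError(f"line {lineno}: expected 3 to 5 columns")
        fields += ["no"] * (5 - len(fields))  # optional columns assumed to default to No
        address, interface, external, haveroute, persistent = fields
        if interface == external:
            raise ValueError(f"line {lineno}: INTERFACE and EXTERNAL must differ")
        entries.append(ProxyArpEntry(ipaddress.IPv4Address(address), interface,
                                     external, _yesno(haveroute, lineno, "HAVEROUTE"),
                                     _yesno(persistent, lineno, "PERSISTENT")))
    return entries

def mixed_segment_warnings(entries, iface_subnets):
    """Flag a public ADDRESS proxied onto an interface that carries RFC1918 space."""
    warnings = []
    for e in entries:
        subnet = iface_subnets.get(e.interface)
        if subnet is not None and subnet.is_private and e.address.is_global:
            warnings.append(f"{e.address} via {e.interface}: public address on "
                            f"private segment {subnet}; move it to its own LAN segment")
    return warnings

if __name__ == "__main__":
    print("\n".join(mixed_segment_warnings(parse_proxyarp(SAMPLE_PROXYARP), IFACE_SUBNETS)))
```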
Cool, thanks. I'm glad it's a "this is incredibly difficult" and not a
"you're doing it wrong" issue. I can't thank you enough for your incredible
firewalling tool Tom, as well as extremely helpful documentation and support.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Thursday, June 01, 2006 5:21 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] ProxyArp