Hi all,

I have an issue about which I'd like to probe the very knowledgeable shorewall community ...

I have a Debian unstable box with two NICs, of which one connects to the Internet (eth1) and one to a private LAN (eth0). I have used shorewall according to http://www.shorewall.net/MultiISP.html to sort our routing between the two. It seems to work fine - at least to the extent of my probing using tcpdump: packets show up through the correct interfaces. I have attached the dumps requested on the troubleshooting page in any case ...

The trouble I have now is how to deal with the need for different nameservers for both net-parts in a lean manner and would highly appreciate, if people could point me into the right direction on how to make that work. I'm trying dnsmasq with the no-resolv option and subnet-specific nameserver assignments right now, but that doesn't seem to work reliably.

If you encountered this problem yourself: please let me know how you solved it.

Thanks, Joh
Johannes Graumann wrote:
> Hi all,
>
> I have an issue about which I'd like to probe the very knowledgeable
> shorewall community ...
> I have a Debian unstable box with two NICs, of which one connects to
> the Internet (eth1) and one to a private LAN (eth0). I have used
> shorewall according to http://www.shorewall.net/MultiISP.html to sort
> our routing between the two. It seems to work fine - at least to the
> extent of my probing using tcpdump: packets show up through the
> correct interfaces. I have attached the dumps requested on the
> troubleshooting page in any case ...

Why are you trying to use a multi-ISP setup for what appears to be a very vanilla two-interface firewall scenario? Is there really a path to the internet via 10.31.0.1?

> The trouble I have now is how to deal with the need for different
> nameservers for both net-parts in a lean manner and would highly
> appreciate, if people could point me into the right direction on how
> to make that work. I'm trying dnsmasq with the no-resolv option and
> subnet-specific nameserver assignments right now, but that doesn't
> seem to work reliably.
> If you encountered this problem yourself: please let me know how you
> solved it.

The Shorewall setup guide shows how to configure Bind 9 to do exactly what you want (I think it's what you want, anyway).

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep <teastep <at> shorewall.net> writes:
> Why are you trying to use a multi-ISP setup for what appears to be a very
> vanilla two-interface firewall scenario? Is there really a path to the
> internet via 10.31.0.1?

Yes, there's a path to the internet that needs to be walked in order to get to institutionally licensed journal content.

> The Shorewall setup guide shows how to configure Bind 9 to do exactly what
> you want (I think it's what you want, anyway).

Will have a look - thanks!

Joh
Johannes Graumann
2007-Jan-12 10:47 UTC
Re: [Off-Topic] One Box, Inter- and Private Internet
Tom Eastep <teastep <at> shorewall.net> writes:
> Why are you trying to use a multi-ISP setup for what appears to be a very
> vanilla two-interface firewall scenario? Is there really a path to the
> internet via 10.31.0.1?

Wait ... just thought about this again ... there's a need to access the internet through the lan (as I said in my previous post) for institutionally licensed content, but since all of that goes through a proxy anyway, I could just use - as you proposed - a vanilla two interfaces setup and call the proxy by its explicit IP ... In konqueror (sadly not in firefox) I can then have selected pages only go through the proxy, and since it will be defined by IP, shorewall will route it to the correct subnet ...

Sounds right?

Joh
Johannes Graumann wrote:
> In konqueror (sadly not in firefox) I can then have selected
> pages only go through the proxy, and since it will be defined by IP, shorewall
> will route it to the correct subnet ...
> Sounds right?

Yes -- except that it will not be Shorewall that will be doing the routing. It will be the basic routing configuration established by your distribution's network configuration tools. Shorewall only gets involved in routing in very limited cases. See http://www1.shorewall.net/Shorewall_and_Routing.html.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key