Hello,

You may recall some of my DMZ questions around Thanksgiving. While I have configured a proxy ARP DMZ, I would like to practice with the routed setup you suggested, Tom, as your network was similar. Here is one of your quotes:

"The configuration of eth2 is largely irrelevant but you certainly don't want to confuse things by assigning any default gateway out of that interface. I personally would configure it as 64.42.53.202/32 as described in the Shorewall proxy ARP docs."

When I tried this I could not get eth2 configured as you state in the Shorewall docs:

  Warning: Your distribution's network configuration GUI may not be capable of configuring a device in this way. It may complain about the duplicate address or it may configure the address incorrectly. Here is what the above configuration should look like when viewed using ip (the line "inet 130.252.100.17/32 scope global eth1" is the most important):

  gateway:~# ip addr ls eth1
  3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
      link/ether 00:a0:cc:d1:db:12 brd ff:ff:ff:ff:ff:ff
      inet 130.252.100.17/32 scope global eth1
  gateway:~#

I would still get broadcast in my inet line. What is the best way or command, ip addr add 66.224.62.121/32 - i eth1? I cannot get this to work.

Thanks,
Mike
On Mon, 2004-12-06 at 12:36 -0800, Mike Lander wrote:

> I would still get broadcast in my inet line.

Then just set the broadcast address to the interface address; that also works.

gateway:/etc/shorewall/actiondir # ip addr ls dev eth1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:cc:d2:35:3a brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/32 brd 206.124.146.176 scope global eth1
    inet6 fe80::2a0:ccff:fed2:353a/64 scope link
       valid_lft forever preferred_lft forever
gateway:/etc/shorewall/actiondir #

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
With eth0 net, eth1 DMZ, and the DMZ server's network interface configured as 66.224.62.121 mask 255.255.255.224 gw 66.224.62.120 (eth0 gateway on Shorewall), I can ping the DMZ from the firewall and vice versa, but no net communication. I keep getting stumped here :(

Shorewall box config below:

[root@66-224-62-120 root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
66.224.62.121   0.0.0.0         255.255.255.255 UH    0      0        0 eth1
66.224.62.96    0.0.0.0         255.255.255.224 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         66.224.62.97    0.0.0.0         UG    0      0        0 eth0
[root@66-224-62-120 root]# ip addr ls dev eth1
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:92:5d:75 brd ff:ff:ff:ff:ff:ff
    inet 66.224.62.120/32 brd 66.224.62.120 scope global eth1
[root@66-224-62-120 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:39:0B:5B
          inet addr:66.224.62.120  Bcast:66.224.62.127  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11485 errors:27 dropped:0 overruns:0 frame:0
          TX packets:6975 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1034848 (1010.5 Kb)  TX bytes:2581051 (2.4 Mb)
          Interrupt:10 Base address:0xb000

eth1      Link encap:Ethernet  HWaddr 00:50:BF:92:5D:75
          inet addr:66.224.62.120  Bcast:66.224.62.120  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1326 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1066 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:154473 (150.8 Kb)  TX bytes:641475 (626.4 Kb)
          Interrupt:11 Base address:0xd000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:197 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15797 (15.4 Kb)  TX bytes:15797 (15.4 Kb)

Mike
I should make my problem more clear: the DMZ server cannot talk to the net or vice versa. The firewall can.

Mike
On Mon, 2004-12-06 at 16:31 -0800, Mike Lander wrote:

> I should make my problem more clear
> The DMZ server cannot talk to the net or vice versa
> The firewall can

"tcpdump -e" is your friend.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> On Mon, 2004-12-06 at 16:31 -0800, Mike Lander wrote:
>> I should make my problem more clear
>> The DMZ server cannot talk to the net or vice versa
>> The firewall can
>
> "tcpdump -e" is your friend.
>
> -Tom

Well, that helped: no one will answer ARP for who-has 66.224.62.121 (the DMZ server). Note at the bottom it answers eth0 66.224.62.120.

Mike

18:16:35.565258 0:40:33:e3:cf:c3 0:40:ca:31:c6:e7 arp 60: arp who-has mail.lanlinecomputers.com tell 66-224-62-100.atgi.net
18:16:35.565426 0:40:ca:31:c6:e7 0:40:33:e3:cf:c3 arp 60: arp reply mail.lanlinecomputers.com is-at 0:40:ca:31:c6:e7
18:16:37.747558 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-116.atgi.net tell 66-224-62-97.atgi.net
18:16:39.081316 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-99.atgi.net tell 66-224-62-97.atgi.net
18:16:40.368333 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-116.atgi.net tell 66-224-62-97.atgi.net
18:16:42.076987 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-99.atgi.net tell 66-224-62-97.atgi.net
18:16:42.450871 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-126.atgi.net tell 66-224-62-97.atgi.net
18:16:46.692611 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-116.atgi.net tell 66-224-62-97.atgi.net
18:16:48.086116 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-99.atgi.net tell 66-224-62-97.atgi.net
18:16:55.983326 0:40:33:e3:cf:c3 0:60:49:80:24:46 arp 60: arp who-has 66-224-62-97.atgi.net tell 66-224-62-100.atgi.net
18:16:55.984055 0:60:49:80:24:46 0:40:33:e3:cf:c3 arp 64: arp reply 66-224-62-97.atgi.net is-at 0:60:49:80:24:46
18:17:00.136677 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:01.135690 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:02.135689 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:05.463832 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:06.463844 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:07.463847 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:10.474571 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:11.473616 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:12.473619 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66-224-62-121.atgi.net tell 66-224-62-100.atgi.net
18:17:15.641616 0:40:33:e3:cf:c3 0:e0:4c:39:b:5b arp 60: arp who-has 66-224-62-120.atgi.net tell 66-224-62-100.atgi.net
18:17:15.641653 0:e0:4c:39:b:5b 0:40:33:e3:cf:c3 arp 42: arp reply 66-224-62-120.atgi.net is-at 0:e0:4c:39:b:5b
18:17:24.222161 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-121.atgi.net tell 66-224-62-97.atgi.net
18:17:24.405793 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66-224-62-114.atgi.net tell 66-224-62-97.atgi.net
On Mon, 2004-12-06 at 18:19 -0800, Mike Lander wrote:

> > On Mon, 2004-12-06 at 16:31 -0800, Mike Lander wrote:
> >> I should make my problem more clear
> >> The DMZ server cannot talk to the net or vice versa
> >> The firewall can
> >
> > "tcpdump -e" is your friend.
> >
> > -Tom
> Well that helped: no one will answer ARP for who-has 66.224.62.121 (the DMZ
> server)
> Note at the bottom it answers eth0 66.224.62.120

Mike, I'm not sitting behind you watching what you are doing!!!!

a) Which interface on which computer did you get the trace from (minor detail)

b) PLEASE use the -n option; I don't know your obscure DNS names and I don't want to know them.

Don't bother to answer tonight -- the Seattle Seahawks are on Monday Night Football for the first time in years and I'm not listening to the list.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
29 packets received by filter
0 packets dropped by kernel
[root@66-224-62-120 root]# arp -na
? (66.224.62.100) at 00:40:33:E3:CF:C3 [ether] on eth0
? (66.224.62.121) at 00:40:CA:2E:BE:E5 [ether] on eth1
[root@66-224-62-120 root]#

Yet the firewall knows the MAC of the DMZ server.
On Mon, 2004-12-06 at 18:34 -0800, Mike Lander wrote:

> 29 packets received by filter
> 0 packets dropped by kernel
> [root@66-224-62-120 root]# arp -na
> ? (66.224.62.100) at 00:40:33:E3:CF:C3 [ether] on eth0
> ? (66.224.62.121) at 00:40:CA:2E:BE:E5 [ether] on eth1
> [root@66-224-62-120 root]#
>
>
> Yet the firewall knows the MAC of the DMZ server

You haven't configured Proxy ARP correctly.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I think I found the trouble. I don't know why; I am trying to find it in the Shorewall docs. I added the proxyarp option to both interfaces in /etc/shorewall/interfaces and it worked!! I have spent most of my time using /etc/shorewall/proxyarp and configuring DMZ servers to the ISP gateway. I thought in a routed environment you did not need proxy ARP entries.

Btw: the reason I am spending more time is that I tried to move my email server behind the DMZ (it's on the outside now, no firewall) and this same problem occurred. Yet the web server in the DMZ worked. I added a static route and still had trouble. I know it's me and my config; I am just not fluid or fluent with this proxy ARP stuff yet.

Mike
On Mon, 2004-12-06 at 19:39 -0800, Mike Lander wrote:

> I think I found the trouble. I dont know why. Trying to find in shorewall
> docs.
> I added proxyarp option to both interfaces in /etc/shorewall/interfaces and
> it worked!!
> I have spent most my time using the /etc/shorewall/proxyarp
> And configuring Dmz servers to Isp gateway
> I thought in routed environment you did not need proxy arp entrys.
> Btw:
> The reason I am spending more time is I tried to move my email server
> behind
> the dmz (its on the outside now no firewall) and this same problem occurred.
> Yet the web server in the Dmz worked I added static route still had
> trouble.
> I know its me and my config I am just not fluid or fluent with this
> proxy arp
> stuff yet.

It's clear that you don't fully understand ARP -- try looking again at the ARP section of the Shorewall Setup Guide. If you are still lost, then I suggest that you invest in a copy of Thomas Maufer's book and read it. Until you understand ARP, you will never be really comfortable troubleshooting ethernet problems.

-tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Mon, 2004-12-06 at 19:55 -0800, Tom Eastep wrote:

> On Mon, 2004-12-06 at 19:39 -0800, Mike Lander wrote:
>
> It's clear that you don't fully understand ARP -- try looking again at
> the ARP section of the Shorewall Setup Guide. If you are still lost,
> then I suggest that you invest in a copy of Thomas Maufer's book and
> read it. Until you understand ARP, you will never be really comfortable
> troubleshooting ethernet problems.

Hint: If the upstream router is sending ARP who-has requests for the DMZ server's IP address then that address is NOT routed through the firewall (because if it were, the upstream router would be sending ARP who-has requests for the firewall's IP address only).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> On Mon, 2004-12-06 at 19:55 -0800, Tom Eastep wrote:
>> On Mon, 2004-12-06 at 19:39 -0800, Mike Lander wrote:
>>
>> It's clear that you don't fully understand ARP -- try looking again at
>> the ARP section of the Shorewall Setup Guide. If you are still lost,
>> then I suggest that you invest in a copy of Thomas Maufer's book and
>> read it. Until you understand ARP, you will never be really comfortable
>> troubleshooting ethernet problems.
>
> Hint: If the upstream router is sending ARP who-has requests for the DMZ
> server's IP address then that address is NOT routed through the firewall
> (because if it were, the upstream router would be sending ARP who-has
> requests for the firewall's IP address only).
>
> -Tom

I think I need to know what Shorewall does under the hood when you add proxyarp to interfaces to fully understand. I have a good understanding of ARP requests and answers (no expert). My trouble is not knowing the sniffer commands by heart for diagnosis. I had to look it up, for instance, to filter out SQL, domain requests and ssh just to be able to look at the logs. They were flooding by at hundreds a minute. I think I need more experience with tcpdump filters, a book. I just learned a couple of tcpdumps that helped:

[root@66-224-62-120 root]# tcpdump -e -n not tcp port ssh and tcp port domain and tcp port 1433

I don't think I could have diagnosed this without filtering this stuff out. I am trying, Tom; I have read that proxy ARP page and more in the Shorewall docs. I just miss things sometimes. Sorry to be a nuisance during your game watching. I know this must wear you out at times. Who won, or should I ask?

Thanks a million,
Mike
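Tom's hint above (if hosts on the external segment, the upstream router included, send ARP who-has for the DMZ server's address, that address is being resolved locally rather than routed through the firewall, so something on that segment must answer for it) and the tcpdump filtering Mike describes can be turned into a small check. The following script is an added example for this thread, not code from Shorewall or from either poster. It parses lines in the `tcpdump -e -n` ARP format shown in Mike's capture, and the trace embedded in it is constructed for the example (modelled on that capture, with addresses in place of the DNS names that -n suppresses). The firewall's eth0 MAC 00:E0:4C:39:0B:5B is taken from the ifconfig output earlier in the thread; the function names and verdict labels are the example's own.

```python
"""Classify ARP traffic for a DMZ address from a `tcpdump -e -n arp` capture.

Added example for this thread, not part of Shorewall. Rule applied: if hosts on
the external segment send "who-has <DMZ IP>", that address is being resolved
locally, not routed through the firewall, so something on that segment has to
answer for it, normally the firewall via proxy ARP.
"""
import re
from collections import Counter

# 2004-era `tcpdump -e -n` ARP line, as in the thread's capture (with -n), e.g.
#   18:17:00.136677 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66.224.62.121 tell 66.224.62.100
#   18:17:15.641653 0:e0:4c:39:b:5b 0:40:33:e3:cf:c3 arp 42: arp reply 66.224.62.120 is-at 0:e0:4c:39:b:5b
ARP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>\S+)\s+(?P<dst_mac>\S+)\s+arp\s+\d+:\s+arp\s+"
    r"(?P<op>who-has|reply)\s+(?P<ip>\S+)\s+(?:tell|is-at)\s+(?P<arg>\S+)\s*$"
)

FW_EXT_MAC = "00:E0:4C:39:0B:5B"  # firewall eth0 HWaddr from the ifconfig output in the thread
DMZ_IP = "66.224.62.121"

# Constructed sample trace modelled on the thread's capture (names replaced by
# addresses as -n would print them). Nobody answers for 66.224.62.121.
TRACE_BROKEN = """\
18:17:00.136677 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66.224.62.121 tell 66.224.62.100
18:17:01.135690 0:40:33:e3:cf:c3 Broadcast arp 60: arp who-has 66.224.62.121 tell 66.224.62.100
18:17:15.641616 0:40:33:e3:cf:c3 0:e0:4c:39:b:5b arp 60: arp who-has 66.224.62.120 tell 66.224.62.100
18:17:15.641653 0:e0:4c:39:b:5b 0:40:33:e3:cf:c3 arp 42: arp reply 66.224.62.120 is-at 0:e0:4c:39:b:5b
18:17:24.222161 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66.224.62.121 tell 66.224.62.97
18:17:24.405793 0:60:49:80:24:46 Broadcast arp 64: arp who-has 66.224.62.114 tell 66.224.62.97
""".splitlines()

# The same segment once the firewall proxy-ARPs for the DMZ host (constructed line).
TRACE_FIXED = TRACE_BROKEN + [
    "18:20:00.000000 0:e0:4c:39:b:5b 0:60:49:80:24:46 arp 42: arp reply 66.224.62.121 is-at 0:e0:4c:39:b:5b",
]


def norm_mac(mac):
    """Zero-pad octets so tcpdump's '0:e0:4c:39:b:5b' equals ifconfig's '00:E0:4C:39:0B:5B'."""
    parts = mac.lower().split(":")
    return ":".join(p.zfill(2) for p in parts) if len(parts) == 6 else mac.lower()


def parse_arp(lines):
    """Yield (op, ip, arg, src_mac); arg is the asking IP for who-has, the answering MAC for reply."""
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # not an ARP line in this format (IP traffic, header, summary line)
        arg = m.group("arg")
        if m.group("op") == "reply":
            arg = norm_mac(arg)
        yield m.group("op"), m.group("ip"), arg, norm_mac(m.group("src_mac"))


def diagnose(lines, dmz_ip, fw_ext_mac):
    """Return (verdict, requesters, answerers) for dmz_ip as seen on the firewall's external interface."""
    fw_ext_mac = norm_mac(fw_ext_mac)
    requesters = set()
    answerers = Counter()
    for op, ip, arg, _src in parse_arp(lines):
        if ip != dmz_ip:
            continue
        if op == "who-has":
            requesters.add(arg)
        else:
            answerers[arg] += 1
    if not requesters:
        verdict = "routed"       # nobody outside ARPs for the address: it reaches the firewall by routing
    elif not answerers:
        verdict = "unanswered"   # the thread's symptom: asked for, nobody answers, proxy ARP missing
    elif set(answerers) == {fw_ext_mac}:
        verdict = "proxied"      # only the firewall answers, with its own external MAC
    else:
        verdict = "other-host"   # some other MAC claims the address on the external segment
    return verdict, sorted(requesters), dict(answerers)


if __name__ == "__main__":
    for name, trace in (("broken", TRACE_BROKEN), ("fixed", TRACE_FIXED)):
        print(name, diagnose(trace, DMZ_IP, FW_EXT_MAC))
```

Run the capture on the firewall's external interface, not the DMZ one: `tcpdump -e -n -i eth0 arp` shows only ARP, which is all this check needs, and the firewall's own `arp -na` entry for the DMZ host on eth1 says nothing about who answers on the outside. If you do filter IP traffic instead, remember that in tcpdump's filter language `not` binds tighter than `and`, so several ports are excluded as `not (tcp port ssh or tcp port domain or tcp port 1433)`. Current tcpdump releases print ARP lines differently ("ethertype ARP (0x0806) ... Request who-has X tell Y" and "Reply X is-at M"), so ARP_RE has to be adjusted for captures taken with them.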