Hello Tom. Thanks for your earlier response, I truly appreciate it. Please, I have a problem here. I want to configure a firewall server for my network with about 64 public IP addresses. I used the Shorewall proxy ARP config according to the Shorewall how-to for proxy ARP, but I am having some problems with it. Sometimes some of the IP addresses can't browse, but will be able to ping the fw and also the gateway to my ISP, but they can't ping my DNS or outside and can't browse. But when the fw is restarted they might work, so I am having an on/off situation here. Please, what do you think is responsible for this? I have formatted my Linux RHL 9.0 and reinstalled Shorewall but it is still the same thing.

I have eth0 = 80.179.254.80 gw 80.179.254.66 = fw, eth2 = 172.16.0.1 gw 80.179.254.80 = dmz, and eth1 = 192.168.0.1 gw 80.179.254.80 = loc, and I did proxy ARP for the dmz zone, e.g.

80.179.254.90 eth2 eth0 no

Thanks
iddy
Hi,

I'm using Shorewall 1.3.14 on Mandrake 9.0. I have this situation: I have 3 network cards. The 1st (eth0) has the external IP x.y.z.16, the 2nd (eth1) has 192.168.6.1, the 3rd (eth2) has 192.168.5.1.

My proxyarp:

x.y.z.17 eth2 eth0 no

My masq:

eth0 eth1 x.y.z.16
eth2:x.y.z.17 eth1 x.y.z.16 #this one is here just so that hosts in 192.168.6.0/24 are able to go to x.y.z.17

eth0 is connected to the ISP's switch, eth1 goes to a switch to which the other computers with IPs in 192.168.6.0/24 are connected, and eth2 goes to a standalone computer with IP x.y.z.17.

I have a question about proxy ARP. Everything works fine if I make the connection between eth2 (192.168.5.1) and the standalone computer with the external IP (x.y.z.17) directly. From this computer I can connect to the internet and vice versa. But if I plug the cable from eth2 into a different (new) hub and in this same hub I connect the computer x.y.z.17 together with other network computers in 192.168.3.0/24 (for example), then on these computers I'm not able to set any IP. I tried it under Win XP, and the computers refused because of an IP conflict. However, x.y.z.17 can still go to the internet. So now the cable from eth2 is already back in x.y.z.17 directly. But I would like to know whether there is some limitation or security reason why this happened. I'm asking if it is possible to have another network (in this case 192.168.3.0/24) in the same hub with x.y.z.17 (via proxy ARP).

Feel free to ask me for more information.

Thanks for help.
Peter
On Fri, 2003-09-19 at 00:30, borpeter@post.cz wrote:

> I have 3 network cards. 1st (eth0) has external ip x.y.z.16, 2nd
> (eth1) has 192.168.6.1, 3rd(eth2) has 192.168.5.1.
>
> My proxyarp:
> x.y.z.17 eth2 eth0 no
>
> My masq:
> eth0 eth1 x.y.z.16
> eth2:x.y.z.17 eth1 x.y.z.16 #this one is here just that hosts
> in 192.168.6.0/24 was able to go to x.y.z.17

Not necessary.

> So, now the cable from eth2 is already back in the x.y.z.17
> directly. But I would like to know, if is there some limitation
> or security reason why this happened? I'm asking if it is
> possible to have other network (in this case 192.168.3.0/24) in
> the same hub with x.y.z.17(via proxy arp).

I've never tried it -- You'll probably have to use tcpdump on the firewall to see what is happening when you try to assign the IP address (be sure to use the '-e' and '-n' tcpdump options then look at the ARP section of http://shorewall.net/shorewall_setup_guide.htm to help you understand what you see).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
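Tom's advice above is to read the ARP section of a `tcpdump -e -n` capture taken on the firewall; as an added example (not from the list or from the Shorewall project), this Python script parses such a capture and reports which addresses the firewall's own MAC answered for, which is the reply a host on the shared hub would see as an IP conflict. The capture lines, all MACs, the 192.168.3.5 host and 192.0.2.17 (standing in for x.y.z.17) are constructed, and the firewall's MAC is an assumed parameter.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n arp` output as seen on the firewall's
# hub-side interface (eth2). MACs and hosts are hypothetical; the third
# exchange is an ordinary request from the x.y.z.17 stand-in (192.0.2.17).
SAMPLE_CAPTURE = """\
10:01:00.000001 00:0c:29:aa:aa:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.3.5 tell 0.0.0.0
10:01:00.000230 00:50:56:fe:fe:fe > 00:0c:29:aa:aa:aa, ethertype ARP (0x0806), length 42: arp reply 192.168.3.5 is-at 00:50:56:fe:fe:fe
10:01:01.000001 00:0c:29:aa:aa:aa > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.3.5 tell 192.168.3.5
10:01:01.000230 00:50:56:fe:fe:fe > 00:0c:29:aa:aa:aa, ethertype ARP (0x0806), length 42: arp reply 192.168.3.5 is-at 00:50:56:fe:fe:fe
10:01:02.000001 00:0c:29:bb:bb:bb > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 192.168.5.1 tell 192.0.2.17
10:01:02.000230 00:50:56:fe:fe:fe > 00:0c:29:bb:bb:bb, ethertype ARP (0x0806), length 42: arp reply 192.168.5.1 is-at 00:50:56:fe:fe:fe
"""

# Assumed MAC of the firewall's eth2 (hypothetical value).
FW_MAC = "00:50:56:fe:fe:fe"

REPLY_RE = re.compile(
    r"^\S+ [0-9a-f:]{17} > \S+,.*arp reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})")
PROBE_RE = re.compile(r"arp who-has (?P<target>\S+) tell (?P<sender>\S+)")


def parse_arp_replies(capture):
    """Map each IP to the set of MACs that claimed it in ARP replies."""
    claims = defaultdict(set)
    for line in capture.splitlines():
        m = REPLY_RE.search(line)
        if m:
            claims[m.group("ip")].add(m.group("mac"))
    return dict(claims)


def answered_probes(capture, fw_mac):
    """Return the IPs whose duplicate-address probes (sender 0.0.0.0 or sender
    equal to the target, as Windows sends when an address is configured) were
    answered by fw_mac. A host that receives such a reply reports an IP conflict,
    so any address listed here is one the firewall is proxying that it should not."""
    probed = set()
    for line in capture.splitlines():
        m = PROBE_RE.search(line)
        if m and m.group("sender") in ("0.0.0.0", m.group("target")):
            probed.add(m.group("target"))
    claims = parse_arp_replies(capture)
    return sorted(ip for ip in probed if fw_mac in claims.get(ip, set()))


if __name__ == "__main__":
    print("firewall answered probes for:", answered_probes(SAMPLE_CAPTURE, FW_MAC))
```

Feed a real capture in with `tcpdump -e -n -i eth2 arp > capture.txt` and pass the file contents instead of the constructed sample.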
Thanks for your answer.

My routing table is here:

Dest          Gateway   Genmask          ...  Iface
x.y.z.17      *         255.255.255.255       eth2
x.y.z.0       *         255.255.255.224       eth0
192.168.6.0   *         255.255.255.0         eth1
192.168.5.0   *         255.255.255.0         eth2
0.0.0.0       x.y.z.1   0.0.0.0               eth0

This routing table was created by Shorewall.

I removed the second masquerade rule and then I tried this: I can ping x.y.z.17 from the fw itself, of course. But if I tried to ping x.y.z.17 from a computer in 192.168.6.0/24, then I saw this message from Shorewall:

"loc2venloc":ACCEPT:IN=eth1 OUT=eth2 SRC=192.168.6.3 DST=x.y.z.17 ... PROTO ICMP ...

Yes, it's correct, I have a rule that allows computers in zone "loc" (eth1) to ping computers in zone "venloc" (eth2, computer 194.213.62.17). However, on x.y.z.17 there is another firewall (I provide the external IP to another person). And this firewall refuses all of these connections (antispoofing). If I want to have a connection to x.y.z.17 too, then I have to have this masq. Or is there another way I can do that?

Thanks.
Peter

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Fri, 2003-09-19 at 07:42, borpeter@post.cz wrote:

> Thanks for your answer.
>
> My routing table is here:
>
> Dest          Gateway   Genmask          ...  Iface
> x.y.z.17      *         255.255.255.255       eth2
> x.y.z.0       *         255.255.255.224       eth0
> 192.168.6.0   *         255.255.255.0         eth1
> 192.168.5.0   *         255.255.255.0         eth2
> 0.0.0.0       x.y.z.1   0.0.0.0               eth0
>
> This routing table was created by shorewall.
>
> I removed second masquerade rule and then I tried this:
> I can ping x.y.z.17 from fw itself, of course. But If I tried to
> ping x.y.z.17 from computer in 192.168.6.0/24, then I saw this
> message from shorewall:"loc2venloc":ACCEPT:IN=eth1 OUT=eth2
> SRC=192.168.6.3 DST=x.y.z.17 ... PROTO ICMP ...". Yes, it's
> correct, I have rule that allows computer in zone "loc" (eth1) to
> ping computers in zone "venloc" (eth2 computer 194.213.62.17).
> However on the x.y.z.17 is another firewall (I provide external
> IP to another person). And this firewall refuses all of these
> connections (antispoofing). If I want to have connection to
> x.y.z.17 too, then I have to have this masq. Or is there other
> way, how can I do that?

You could do the SNAT on x.y.z.17 for traffic being forwarded.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Now, the person has an external IP and also his own firewall strategy, and I'm not sure if his firewall will work correctly if a non-external IP (which I will give him by SNAT, I suppose) is assigned to one of his firewall's network cards. I want to give him a connection to the internet, independent of me. Is there any similar scenario?

> On Fri, 2003-09-19 at 07:42, borpeter@post.cz wrote:
> > If I want to have connection to x.y.z.17 too, then I have to have this
> > masq. Or is there other way, how can I do that?
>
> You could do the SNAT on x.y.z.17 for traffic being forwarded.
>
> -Tom
On Fri, 2003-09-19 at 10:29, borpeter@post.cz wrote:

> Now, the person has external ip and also his own firewall strategy
> and I'm not sure if his firewall will work correctly, if non
> external ip (what I will give him by SNAT (I suppose)) will be
> assign to one of his firewall network card. I want to give him
> connection to internet, independent on me. Is there any similar
> scenario?

I don't understand what problem you are describing or are trying to solve. If you want my help, please give details (a diagram with addresses would be useful) and please don't hide the real IP addresses. IP addresses aren't secrets!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net