Tom Eastep
2005-Jun-03 16:08 UTC
[Shorewall-devel] New Document for People Helping with Shorewall Support
The Shorewall support page advocates including the output of "shorewall status" with problem reports that involve some sort of connection problem. I suspect that the number of people who feel comfortable analyzing problems through use of this output is small. To help, I've created http://shorewall.net/AnalyzingShorewallStatus.html

I suspect that the document isn't appropriate for general consumption but you may wish to post it on the development site. I'll be happy to provide the Docbook source on request.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Jerry Vonau
2005-Jun-03 16:33 UTC
[Shorewall-devel] New Document for People Helping with Shorewall Support
Thanks Tom, should prove to be a great resource page. Boy, some of the examples sure look familiar.

Jerry
Tom Eastep
2005-Jun-03 17:10 UTC
[Shorewall-devel] New Document for People Helping with Shorewall Support
Jerry Vonau wrote:
> Thanks Tom, should prove to be a great resource page.
> Boy, some of the examples sure look familiar.

I thought that you would recognize the first one :-)

-Tom
Tom & Company:

I've been thinking about the proxy-arp howto. For the setup of a subnet, would it not be easier to use a network route on the dmz interface with the net interface having the public ip/32 (or even /24, as you have to build a host route to the gateway anyway)? Then, in proxyarp, do something like this:

#GATEWAY NET-IF DMZ-IF HAVEROUTE PERSISTENT
#
#ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT

From the looks of it, I don't think anything else would need to be changed; "while read address interface external haveroute persistent;" from firewall is parsing the positions of the entries, not the actual names, right? That would set the proxy-arp flag for the correct interface (net) for traffic bound for the dmz. Instead of proxying all the hosts, it's just the gateway; the roles are just reversed. The single host route for the gateway should do it. Looks to be clearer, with the single host route. If there are any other boxes on the net side, you would just add an IP address, like you would do now. Any thoughts?

Yea I know, use a bridge, but this should work right? I don't have a subnet at the moment to test this out, or am I out to lunch here?

Jerry
Jerry Vonau wrote:
> Yea I know, use a bridge, but this should work right? I don't have a
> subnet at the moment, to test this out, or am I out to lunch here?

It should work fine -- as would simply setting the "proxyarp" option on both interfaces in /etc/shorewall/interfaces.

-Tom
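To make the positional-parsing question in the exchange above concrete, here is an added example that is not Shorewall's own code and not from either poster: a dry-run script that reads proxyarp-style lines by column position, ignoring whatever the comment header calls the columns, and prints the Linux commands that would implement each entry. The sample file, the interface names, the addresses (RFC 5737 documentation range) and the exact tool invocations (sysctl, ip route, ip neigh) are assumptions; Shorewall's generated firewall script may do this differently.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a dry-run translator that reads
# proxyarp-style entries by column *position* and prints the Linux commands
# that would implement each one. The column order is the one documented for
# /etc/shorewall/proxyarp (ADDRESS INTERFACE EXTERNAL HAVEROUTE PERSISTENT);
# the header text is a comment, so relabelling it as proposed in the thread
# changes nothing for the parser.
#
# Assumed (not taken from Shorewall's generated script):
#   - sysctl enables proxy_arp on the external interface, once per interface,
#   - ip route installs a /32 host route out the internal interface unless
#     HAVEROUTE is "yes",
#   - ip neigh publishes the address on the external interface,
#   - PERSISTENT only produces a reminder comment here.

# Constructed sample input; addresses are from the RFC 5737 documentation
# range and the interface names are hypothetical.
SAMPLE='#GATEWAY        NET-IF     DMZ-IF    HAVEROUTE  PERSISTENT
#
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
203.0.113.10    eth2       eth0      no         no
203.0.113.20    eth3       eth0      yes        yes

# trailing comment'

# proxyarp_cmds: read entries from stdin, print one command per line.
proxyarp_cmds() {
    seen_ext=""
    while read -r address interface external haveroute persistent; do
        # Blank lines and comment lines carry no entry.
        case "$address" in ''|'#'*) continue ;; esac
        # A real entry needs at least the three mandatory columns.
        if [ -z "$interface" ] || [ -z "$external" ]; then
            printf '# skipped malformed entry: %s\n' "$address"
            continue
        fi
        # Enable proxy ARP once per external interface.
        case " $seen_ext " in
            *" $external "*) ;;
            *) printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$external"
               seen_ext="$seen_ext $external" ;;
        esac
        # Host route towards the proxied address, unless one already exists.
        if [ "$haveroute" != "yes" ]; then
            printf 'ip route replace %s/32 dev %s\n' "$address" "$interface"
        fi
        # Answer ARP for the address on the external side.
        printf 'ip neigh add proxy %s dev %s\n' "$address" "$external"
        if [ "$persistent" = "yes" ]; then
            printf '# %s: persistent, leave the proxy entry in place on stop\n' "$address"
        fi
    done
}

# Stand-alone run: print the commands for the constructed sample.
printf '%s\n' "$SAMPLE" | proxyarp_cmds
```

Pipe a real proxyarp file into proxyarp_cmds to see what would be run before applying anything. The alternative Tom mentions, the "proxyarp" option on both interfaces, corresponds in this model to enabling the proxy_arp sysctl on both the net and dmz interfaces and relying on ordinary routes, with no per-address proxy entries at all. One caveat worth keeping in mind with either approach: the firewall will answer ARP on the external segment for every address it proxies, so a mistyped ADDRESS quietly hijacks that address from whichever host legitimately owns it.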