Mark Underwood
2002-Apr-16 21:16 UTC
[Shorewall-users] Possible multiple interfaces on same hub problem? Not sure.
Hi, Tom, thx for the great work. I'm working my way through the Troubleshooting doc to solve our setup issues. If I remain stuck, I'll put our situation up on a web page for critique, but I'm trying to work through all the possible pitfalls before asking others to contribute time on this.

Our config is a traditional DMZ setup on a Red Hat 7.2 three-NIC FW, with updated iptables RPMs. I'll be happy if I can put the FW into service with just the DMZ and NET zones operational. I can't use the Quick Start because we have 6-plus static IP servers in the DMZ, and can't use a single external IP. Originally I was simply going to static NAT the DMZ servers, but it's looking like ProxyARP or Bind9, because subnets aren't able to see each other. More on that perhaps in a future communication. I've disabled the LOC zone NIC for now, so I'm not even testing that part of it.

The firewall WAN port is hooked to a Flowpoint DSL router/modem that has a hub built in. I've been testing with one cable going from that hub to the FW, and another cable going to a separate hub for some unrelated live stuff going on. Obviously ARP requests from the live action will be visible at the WAN port. Will that hose the FW or Shorewall? This is my main inquiry for this note. I can try to test with the live action disconnected, and power down the Flowpoint to clear its ARP cache (assuming that will do it), but this would limit my test time severely.

What I'm seeing so far: I can ping the FW from the DMZ servers, but packets from DMZ machines seem to stop at the $IF_DMZ and not get relayed to (or through?) $IF_NET for handling by the FW (or the Flowpoint?). I.e., the ARPs just go unanswered. There are no Shorewall error messages other than ACCEPTs. (I was able to brute force a workaround using the "Rules - routing policy database" section of the Linux Advanced Routing How-To, but this seemed to interfere with Shorewall by preventing DMZ=>DMZ access. I think this idea of tweaking routing tables just confused Shorewall and me, but I mention it in passing.)

Thanks, Mark
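The symptom in the post ("the ARPs just go unanswered") is something you can confirm on the wire rather than infer from Shorewall's ACCEPT logs: capture ARP on the firewall's WAN interface and see which "who-has" requests never get an "is-at" reply. The script below is an added example, not code from the original post or from Shorewall. It reads tcpdump ARP lines on stdin and prints the unanswered target addresses; the interface name eth0 and the 192.0.2.0/24 addresses in the constructed sample are assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall).
# Reads tcpdump ARP output on stdin and prints each target IP that was
# asked for ("who-has") but never answered ("is-at"). Both the classic
# "arp who-has ... tell ..." and the newer "ARP, Request who-has ..."
# output styles are handled. Live usage (interface name is an assumption):
#   tcpdump -n -i eth0 -c 200 arp | unanswered_arp

unanswered_arp() {
    awk '
        # Request line: "... who-has <target> tell <sender> ..."
        /who-has/ {
            for (i = 1; i <= NF; i++)
                if ($i == "who-has") { t = $(i+1); sub(/,$/, "", t); asked[t] = 1 }
        }
        # Reply line: "... <target> is-at <mac> ..."
        /is-at/ {
            for (i = 1; i <= NF; i++)
                if ($i == "is-at") { t = $(i-1); sub(/,$/, "", t); answered[t] = 1 }
        }
        END {
            for (t in asked) if (!(t in answered)) print t
        }
    ' | sort
}

# Constructed sample capture (not real traffic): the router at 192.0.2.1
# asks for two DMZ hosts; only 192.0.2.10 is ever answered.
SAMPLE='21:16:01.000001 arp who-has 192.0.2.10 tell 192.0.2.1
21:16:01.000002 arp reply 192.0.2.10 is-at 00:50:56:00:00:10
21:16:02.000001 arp who-has 192.0.2.11 tell 192.0.2.1
21:16:03.000001 ARP, Request who-has 192.0.2.11 tell 192.0.2.1, length 28'

printf '%s\n' "$SAMPLE" | unanswered_arp
```

If the DMZ addresses show up in this list while the firewall is supposed to proxy-ARP for them, the firewall is not answering on the WAN side, which points at the /etc/shorewall/proxyarp entries (or the kernel's proxy_arp setting on that interface) rather than at the rules or policy files. Unrelated ARP traffic from other hosts on the Flowpoint's hub will appear in the capture too; it is harmless to the firewall and is simply filtered out here because nobody expects a reply to it from this box.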