Shorewall users - May 2002 - Losing Connectivity on Static NAT''d System

Hi,

I have a LEAF Bering 1.0-rc1 system (Shorewall 1.2.8) and have 5 static 
external IP addresses to use.  One IP is the primary of the firewall, I 
am using proxy arp for three of the IP''s (DMZ network servers), and 
static NAT for the last IP (internal network system).  This is a similar 
setup to the newer example network in the Shorewall documentation.

Everyting, seems to work just fine, with one exception.  After a long 
period of idleness I find that I cannot connect to external and DMZ 
hosts from the statically NAT''d system, though it can connect to 
internal network hosts just fine.  All other connections work as 
configured (DMZ<->internal, internal (masq''d) <->Internet,
...), so
appears to be an issue specific to the static NAT.

When the problem occurs I cannot make any TCP connections to the 
Internet, for example, from the static NAT''d PC.  Also, if I ping an 
Internet host, from it the packets are dropped by the firewall:
    Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=<static_nat_host> 
DST=<non-internal_network_host> ...

If I tracert (Windows tracroute, using ICMP) from this static_nat_host 
to the same non-internal_network_host, the tracert works and then 
everything works fine, thereafter, until I don''t use the system for a 
while (ex:  turn it off, go to sleep, come back in the morning).

Just a guess:  Is this an ARP issue with Shorwall?

Your suggestions would be appreciated.

Thanks,
Brian

On Fri, 17 May 2002, Brian Credeur wrote:
> Hi,
>
> I have a LEAF Bering 1.0-rc1 system (Shorewall 1.2.8) and have 5 static
> external IP addresses to use.  One IP is the primary of the firewall, I
> am using proxy arp for three of the IP''s (DMZ network servers),
and
> static NAT for the last IP (internal network system).  This is a similar
> setup to the newer example network in the Shorewall documentation.
>
> Everyting, seems to work just fine, with one exception.  After a long
> period of idleness I find that I cannot connect to external and DMZ
> hosts from the statically NAT''d system, though it can connect to
> internal network hosts just fine.  All other connections work as
> configured (DMZ<->internal, internal (masq''d)
<->Internet, ...), so
> appears to be an issue specific to the static NAT.
>
> When the problem occurs I cannot make any TCP connections to the
> Internet, for example, from the static NAT''d PC.  Also, if I ping
an
> Internet host, from it the packets are dropped by the firewall:
>     Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=<static_nat_host>
> DST=<non-internal_network_host> ...
>
Do you have both sides of your firewall connected to the same hub or
switch?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net