Hello,
I'm running Shorewall-1.3.5b on Bering 1.0 rc3.
I've been trying to set up shorewall with the three-interface config and
I'm having some trouble. I've set up proxy-arp to my dmz and
can't seem to connect to the dmz box from the net, or to the net from
the dmz. I can access the net with no trouble from the loc zone. I can also
connect to the dmz from the loc zone with no trouble.
Interestingly, "shorewall show log" doesn't display anything
dropped for connection attempts from the outside to the dmz. tcpdump shows the
packets arriving at eth0, not passing through to eth2 (the dmz interface) or to
eth1 for that matter. I'm attempting to connect with ssh, or just
telnetting to a port that should be open (smtp for example).
My guess is that I've missed or misunderstood something with proxyarp,
but after reading the FAQ and the shorewall site, I'm still no
closer...
I have a static bridged /29 with 63.195.75.137 being the ISP's router and
63.195.75.142 the firewall eth0 interface. My dmz box is 63.195.75.138 sitting
on eth2 (the dmz interface). My loc interface is masqueraded using the
firewall's IP.
I've configured the dmz box to use 63.195.75.137 as its
default gateway (same as eth0).
My Configuration:
zones:
net 63.195.75.136/29
loc 192.168.1.0/24
dmz 192.168.2.0/24
interfaces:
net eth0 detect routefilter,norfc1918,blacklist,filterping
loc eth1 detect dhcp
dmz eth2 detect
hosts: is empty...
rules I've added to the three-interface config:
ACCEPT net dmz tcp ssh
ACCEPT net dmz tcp smtp
ACCEPT net dmz tcp auth
ACCEPT loc dmz udp domain
ACCEPT loc dmz tcp domain
ACCEPT loc dmz tcp ssh
ACCEPT loc dmz tcp www
ACCEPT loc dmz tcp https
ACCEPT loc dmz tcp smtp
ACCEPT loc dmz tcp auth
ACCEPT dmz net tcp domain
ACCEPT dmz net udp domain
ACCEPT dmz net tcp smtp
ACCEPT dmz net tcp www
ACCEPT dmz net tcp ssh
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp whois
proxyarp:
63.195.75.138 eth2 eth0 No
masq:
eth0 eth1 63.195.75.142
eth0 eth2 63.195.75.142
nat: is empty...
[root@firewall shorewall]# ip route show
63.195.75.138 dev eth2 scope link
63.195.75.136/29 dev eth0 proto kernel scope link src 63.195.75.142
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 63.195.75.137 dev eth0
Thanks for any help you may be able to provide!!!
Jim Susoy
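An added consistency check, not from the post or the Shorewall project, that parses the proxyarp, masq and `ip route show` text above and flags a proxied address that has no host route via its internal interface or that also falls under a masq entry on the external interface. It assumes the Shorewall 1.3 column layouts named in the comments, and the rule that a proxy-ARP'd host should not also be masqueraded is an assumption taken from Shorewall's three-interface guidance; the inputs are constructed from the post.

```python
import ipaddress

# Constructed input copied from the post (assumption: Shorewall 1.3 column layouts,
# proxyarp = ADDRESS INTERFACE EXTERNAL HAVEROUTE, masq = INTERFACE SUBNET ADDRESS).
PROXYARP = "63.195.75.138 eth2 eth0 No\n"
MASQ = "eth0 eth1 63.195.75.142\neth0 eth2 63.195.75.142\n"
ROUTES = """63.195.75.138 dev eth2 scope link
63.195.75.136/29 dev eth0 proto kernel scope link src 63.195.75.142
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 63.195.75.137 dev eth0
"""

def parse_table(text):
    """Rows of a whitespace-separated config file, skipping blanks and comments."""
    return [ln.split() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]

def route_devices(route_text):
    """Map each destination in `ip route show` output to the device it leaves on."""
    devices = {}
    for fields in parse_table(route_text):
        if "dev" in fields:
            devices[fields[0]] = fields[fields.index("dev") + 1]
    return devices

def masq_covers(subnet_field, iface, addr):
    """True if a masq SUBNET column (interface name or CIDR) includes the proxied host."""
    if subnet_field == iface:
        return True
    if subnet_field[0].isdigit():
        return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet_field, strict=False)
    return False

def check_proxyarp(proxyarp_text, masq_text, route_text):
    """One finding string per proxy ARP invariant that does not hold; empty when consistent."""
    findings = []
    devices = route_devices(route_text)
    masq_rows = parse_table(masq_text)
    for addr, iface, external, _haveroute in parse_table(proxyarp_text):
        # A host route via the internal interface is required, or traffic accepted on EXTERNAL is not forwarded.
        if devices.get(addr) != iface:
            findings.append(f"{addr}: no host route via {iface}")
        # Assumption: a proxy-ARP'd host must not also be masqueraded on EXTERNAL,
        # otherwise its packets leave with the firewall's address instead of its own.
        for ext, subnet_field, *_ in masq_rows:
            if ext == external and masq_covers(subnet_field, iface, addr):
                findings.append(f"{addr}: masq entry '{ext} {subnet_field}' also NATs this host")
    return findings

if __name__ == "__main__":
    print("\n".join(check_proxyarp(PROXYARP, MASQ, ROUTES) or ["no findings"]))
```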