ang meimei wrote:
> Hi,
> I'm a new user to shorewall firewall, but configuring it wasn't a big
> problem after reading the documentation on the configuration. My machine
> is running on a Bering_1.0-rc3 LRP distribution and the shorewall
> version is 1.3.9a. I am able to get it to do some simple masquerading
> between two networks. But the problem that I encounter is that:
>
> Scenario:
>
> - whenever I create an entry at the /etc/shorewall/proxyarp file and
> start the firewall, I will not be able to change the static private IP
> address of the workstation whose gateway is pointing to the router's
> Internal NIC's IP address when the firewall is running. But when I do
> 'shorewall stop' and delete the entry in the /etc/shorewall/proxyarp
> file and do a 'shorewall start', I am able to change the IP address of
> the private IP address workstation.
>
> - But if I do not create an entry in the /etc/shorewall/proxyarp file,
> my internal private IP address workstations will not be able to access
> the proxy server for internet access but are able to ping the proxy
> server.
>
> I have tried to solve this problem for a week but was not successful. I
> have tried to allow any connections to any connections in the iptables
> by manually inserting the rule into the INPUT and OUTPUT chain, but it
> didn't work either. I was not able to use the proxy server to access the
> internet (my Internet Properties --> Connections --> LAN Settings
> --> Proxy Server --> Address is pointing to the proxy server's IP
> address, and the port is 8080).
>
I can't understand a single thing about your report.
a) What is your network topology?
b) Why are you using Proxy ARP?
c) Especially, why are you using Proxy ARP in conjunction with a Proxy
Server? Other than the fact that the two both have the word "Proxy" in
them, they are totally unrelated.
d) When you say you can't change the IP of a system behind your firewall
because of an entry in the proxy ARP file, what does that mean? That you
change the IP and then the system can't access <something>?
e) When you are using a Proxy Server on port 8080, you must have at least
these two rules:
ACCEPT loc fw tcp 8080
ACCEPT fw net tcp 80,443
You don't need anything in the Proxy ARP file.
-Tom
PS -- Don't EVER send me Shorewall related email at my HP address again.
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
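The two rules from point (e), laid out as they would sit in a Shorewall 1.3 /etc/shorewall/rules file. This is an added example, not Tom's configuration or a file from the original thread; it assumes the standard three-zone setup from the Shorewall documentation (fw = the firewall itself, loc = internal LAN, net = Internet) and that the proxy server listens on the firewall on TCP 8080. The column layout (ACTION SOURCE DEST PROTO DEST PORT(S)) is the 1.3-era rules format; whitespace separates columns.

```shorewall
# /etc/shorewall/rules  (added example; assumes zones fw, loc and net
# as defined in /etc/shorewall/zones and /etc/shorewall/interfaces)
#
# Only the proxy port is opened from the LAN to the firewall; clients
# never need a direct path to the Internet, which keeps the loc->net
# policy at DROP/REJECT and forces all web traffic through the proxy.
#
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
ACCEPT   loc     fw    tcp    8080
# The proxy itself, running on the firewall, fetches pages upstream.
ACCEPT   fw      net   tcp    80,443
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

With these two rules, /etc/shorewall/proxyarp stays empty: Proxy ARP is only for publishing public addresses on behalf of hosts in a DMZ-style segment, and it plays no part in reaching a proxy server. After editing, `shorewall restart` reloads the rules, and `shorewall show` (or `iptables -L -n -v`) lets you confirm that the loc2fw chain accepts tcp dpt:8080 and that counters on that rule increase when a client browses through the proxy.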