Hi all!

I posted earlier about the proxy arp configuration http://shorewall.sourceforge.net/shorewall_setup_guide.htm#NonRouted, and was probably not sufficiently knowledgeable on the subject. I've gone through a bunch of documents on proxy arp, subnetting with proxy arp and the documentation at shorewall, and have come up with a setup that would be perfect for the job at hand - I just need to clear up a few things.

Here's the set up:

* A whole class c network.

* ISP's router is at 195.149.134.1

* I'll set up the fw's external interface at 195.149.134.2/24

* I'll set up a dmz interface at 195.149.134.3/25

* I'll set up a dmz2 interface at 195.149.134.129/25

* I'll set up a loc interface at 192.168.1.1/24

* I'll specify 'proxyarp' as an option for the external, dmz and dmz2 interfaces, but not for the loc interface.

A few questions regarding this set up:

* Am I correct in setting the proxyarp option on all interfaces except the loc one? The local clients will get to the other interfaces without this option, right (rules permitting)?

* In the interfaces file, will there be a problem with two interfaces having the same broadcast address (net and dmz2)?

* I want to masq the local clients going to the internet, so I thought I'd specify:

eth0 eth3

in the masq file (eth3 is the loc interface). Would this achieve what I need - masq internal clients going to the Internet, but not going to the dmz and dmz2?

* Will the proxyarp option take care of all I need regarding proxyarp, or do I have to do something else? Maybe a naive question, but I regard proxy arp as something pretty advanced (yes, I am new to it) and Shorewall taking care of it for me just sounds too good to be true! :-)

* Any other obvious snags in the set up outlined above?

Thanks for any input!

Cheers,
Orjan
--On Wednesday, November 20, 2002 11:45:36 PM +0100 shorewall at bolibompa <shorewall@bolibompa.com> wrote:

> Hi all!
>
> I posted earlier about the proxy arp configuration
> http://shorewall.sourceforge.net/shorewall_setup_guide.htm#NonRouted, and
> was probably not sufficiently knowledgeable on the subject. I've gone
> through a bunch of documents on proxy arp, subnetting with proxy arp and
> the documentation at shorewall, and have come up with a setup that would
> be perfect for the job at hand - I just need to clear up a few things.
>
> Here's the set up:
>
> * A whole class c network.
>
> * ISP's router is at 195.149.134.1
>
> * I'll set up the fw's external interface at 195.149.134.2/24
>
> * I'll set up a dmz interface at 195.149.134.3/25
>
> * I'll set up a dmz2 interface at 195.149.134.129/25
>
> * I'll set up a loc interface at 192.168.1.1/24
>
> * I'll specify 'proxyarp' as an option for the external, dmz and dmz2
> interfaces, but not for the loc interface.
>
> A few questions regarding this set up:
>
> * Am I correct in setting the proxyarp option on all interfaces except
> the loc one? The local clients will get to the other interfaces without
> this option, right (rules permitting)?

Yes.

> * In the interfaces file, will there be a problem with two interfaces
> having the same broadcast address (net and dmz2)?

No.

> * I want to masq the local clients going to the internet, so I thought
> I'd specify: eth0 eth3
> in the masq file (eth3 is the loc interface). Would this achieve what I
> need - masq internal clients going to the Internet, but not going to the
> dmz and dmz2?

Yes.

> * Will the proxyarp option take care of all I need regarding proxyarp, or
> do I have to do something else? Maybe a naive question, but I regard
> proxy arp as something pretty advanced (yes, I am new to it) and
> Shorewall taking care of it for me just sounds too good to be true! :-)

You don't need anything else.

> * Any other obvious snags in the set up outlined above?

You will need a host route to 195.149.134.1 on eth0 and be sure to flush all ARP caches (including your ISP's router) after you set this up.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
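Tom's host-route advice follows from how the kernel chooses a route when the /24 on eth0 overlaps the two /25 DMZ subnets: the longest matching prefix wins, so without a /32 the ISP router at 195.149.134.1 would be sent out the dmz interface rather than eth0. The script below is an added example, not code from this thread or from Shorewall. It models the addressing plan as posted, assumes eth1 and eth2 as the dmz and dmz2 interface names (the thread only names eth0 and eth3) and a default route via eth0, and shows the egress decision with and without the host route, where the "eth0 eth3" masq entry applies, and why net and dmz2 end up with the same broadcast address.

```python
import ipaddress

# Addressing plan from the thread. eth1/eth2 as the dmz/dmz2 interface names
# are an assumption; the thread only names eth0 (net) and eth3 (loc).
INTERFACES = {
    "eth0": ipaddress.ip_interface("195.149.134.2/24"),    # net: ISP router is .1
    "eth1": ipaddress.ip_interface("195.149.134.3/25"),    # dmz: .0 - .127
    "eth2": ipaddress.ip_interface("195.149.134.129/25"),  # dmz2: .128 - .255
    "eth3": ipaddress.ip_interface("192.168.1.1/24"),      # loc: masqueraded
}
ISP_ROUTER = "195.149.134.1"


def connected_routes():
    """Routes the kernel installs from the interface addresses, plus an
    assumed default route via eth0. Each entry is (prefix, output device)."""
    routes = [(iface.network, dev) for dev, iface in INTERFACES.items()]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), "eth0"))
    return routes


def with_host_route(routes):
    """Add the /32 Tom recommends: route add -host 195.149.134.1 dev eth0."""
    return routes + [(ipaddress.ip_network(ISP_ROUTER + "/32"), "eth0")]


def egress(dst, routes):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]


def masqueraded(dst, routes):
    """The masq entry 'eth0 eth3' rewrites the source only when the packet
    leaves via eth0; loc traffic to dmz/dmz2 keeps its 192.168.1.x source."""
    return egress(dst, routes) == "eth0"


def same_broadcast(dev_a, dev_b):
    """The /24 on net and the upper /25 on dmz2 both end at 195.149.134.255."""
    return (INTERFACES[dev_a].network.broadcast_address
            == INTERFACES[dev_b].network.broadcast_address)


if __name__ == "__main__":
    plain = connected_routes()
    fixed = with_host_route(connected_routes())
    print("ISP router without host route ->", egress(ISP_ROUTER, plain))  # eth1 (wrong)
    print("ISP router with host route    ->", egress(ISP_ROUTER, fixed))  # eth0
    for dst in ("195.149.134.50", "195.149.134.200", "8.8.8.8"):
        print(dst, "->", egress(dst, fixed),
              "masq" if masqueraded(dst, fixed) else "no masq")
    print("net and dmz2 share a broadcast:", same_broadcast("eth0", "eth2"))
```

The same longest-prefix rule is why the loc clients reach the DMZ hosts without masquerading: a packet from 192.168.1.0/24 to 195.149.134.200 leaves via eth2, not eth0, so the "eth0 eth3" entry never touches it.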
Thanks Tom!

So an entry like:

route add -host 195.149.134.1 dev eth0

would be good to put in /etc/shorewall/init? Or would you suggest another place to add the route during startup?

Shorewall amazes me by being so complete. Every time I get a more complex project to work on, Shorewall is just ready for it, making things so much more manageable. Thanks for a great product and great support!

Cheers,
Orjan

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Posted At: den 21 november 2002 00:43
> Posted To: shorewall
> Conversation: [Shorewall-users] Proxy ARP
> Subject: Re: [Shorewall-users] Proxy ARP
>
> --On Wednesday, November 20, 2002 11:45:36 PM +0100 shorewall at bolibompa
> <shorewall@bolibompa.com> wrote:
>
> > Hi all!
> >
> > I posted earlier about the proxy arp configuration
> > http://shorewall.sourceforge.net/shorewall_setup_guide.htm#NonRouted, and
> > was probably not sufficiently knowledgeable on the subject. I've gone
> > through a bunch of documents on proxy arp, subnetting with proxy arp and
> > the documentation at shorewall, and have come up with a setup that would
> > be perfect for the job at hand - I just need to clear up a few things.
> >
> > Here's the set up:
> >
> > * A whole class c network.
> >
> > * ISP's router is at 195.149.134.1
> >
> > * I'll set up the fw's external interface at 195.149.134.2/24
> >
> > * I'll set up a dmz interface at 195.149.134.3/25
> >
> > * I'll set up a dmz2 interface at 195.149.134.129/25
> >
> > * I'll set up a loc interface at 192.168.1.1/24
> >
> > * I'll specify 'proxyarp' as an option for the external, dmz and dmz2
> > interfaces, but not for the loc interface.
> >
> > A few questions regarding this set up:
> >
> > * Am I correct in setting the proxyarp option on all interfaces except
> > the loc one? The local clients will get to the other interfaces without
> > this option, right (rules permitting)?
>
> Yes.
>
> > * In the interfaces file, will there be a problem with two interfaces
> > having the same broadcast address (net and dmz2)?
>
> No.
>
> > * I want to masq the local clients going to the internet, so I thought
> > I'd specify: eth0 eth3
> > in the masq file (eth3 is the loc interface). Would this achieve what I
> > need - masq internal clients going to the Internet, but not going to the
> > dmz and dmz2?
>
> Yes.
>
> > * Will the proxyarp option take care of all I need regarding proxyarp, or
> > do I have to do something else? Maybe a naive question, but I regard
> > proxy arp as something pretty advanced (yes, I am new to it) and
> > Shorewall taking care of it for me just sounds too good to be true! :-)
>
> You don't need anything else.
>
> > * Any other obvious snags in the set up outlined above?
>
> You will need a host route to 195.149.134.1 on eth0 and be sure to flush
> all ARP caches (including your ISP's router) after you set this up.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://shorewall.sf.net
> ICQ: #60745924  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
On Thu, 21 Nov 2002, shorewall at bolibompa wrote:

> Thanks Tom!
>
> So an entry like:
> route add -host 195.149.134.1 dev eth0
>
> would be good to put in /etc/shorewall/init? Or would you suggest
> another place to add the route during startup?

You should probably integrate it into your Distribution's scripts for bringing up eth0.

> Shorewall amazes me by being so complete. Every time I get a more
> complex project to work on, Shorewall is just ready for it, making
> things so much more manageable. Thanks for a great product and great
> support!

You're welcome!

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Thanks Tom,

> > Here's the set up:
> >
> > * A whole class c network.
> >
> > * ISP's router is at 195.149.134.1
> >
> > * I'll set up the fw's external interface at 195.149.134.2/24
> >
> > * I'll set up a dmz interface at 195.149.134.3/25
> >
> > * I'll set up a dmz2 interface at 195.149.134.129/25
> >
> > * I'll set up a loc interface at 192.168.1.1/24
> >
> > * I'll specify 'proxyarp' as an option for the external, dmz and dmz2
> > interfaces, but not for the loc interface.
> >
> > A few questions regarding this set up:
> >
> > * Am I correct in setting the proxyarp option on all interfaces except
> > the loc one? The local clients will get to the other interfaces without
> > this option, right (rules permitting)?
>
> Yes.
>
> > * In the interfaces file, will there be a problem with two interfaces
> > having the same broadcast address (net and dmz2)?
>
> No.
>
> > * I want to masq the local clients going to the internet, so I thought
> > I'd specify: eth0 eth3
> > in the masq file (eth3 is the loc interface). Would this achieve what I
> > need - masq internal clients going to the Internet, but not going to the
> > dmz and dmz2?
>
> Yes.
>
> > * Will the proxyarp option take care of all I need regarding proxyarp, or
> > do I have to do something else? Maybe a naive question, but I regard
> > proxy arp as something pretty advanced (yes, I am new to it) and
> > Shorewall taking care of it for me just sounds too good to be true! :-)
>
> You don't need anything else.
>
> > * Any other obvious snags in the set up outlined above?
>
> You will need a host route to 195.149.134.1 on eth0 and be sure to flush
> all ARP caches (including your ISP's router) after you set this up.
>
> -Tom

Unfortunately the customer just threw me a curve ball, so I have yet another question concerning proxy arp:

If I use proxy arp and split the c network with a 25-mask and assign them to two different dmz interfaces, would it still be possible to use some of these addresses and send them to the local network with a DNAT rule? I really don't want to do this since I think this defeats the purpose of a fw. I try to suggest ssh to the dmz and tunneling from there, but they seem hell bent on forwarding some requests to the lan....

Another thing that has nothing to do with Shorewall, but I can't seem to find any info on (feel free to disregard this question!): I'm looking through docs on adding static routes on RedHat and they all refer to /etc/sysconfig/static-routes, but I also notice this file missing from RH8, as well as any info in the RedHat manuals. Anyone have a clue if they've changed this?

Thanks again,
Orjan
Thanks for all your help!

Unfortunately the customer just threw me a curve ball, so I have yet another question concerning proxy arp:

If I use proxy arp and split the c network with a 25-mask and assign them to two different dmz interfaces, would it still be possible to use some of these addresses and send them to the local network with a DNAT rule? I really don't want to do this since I think this defeats the purpose of a fw. I try to suggest ssh to the dmz and tunneling from there, but they seem hell bent on forwarding some requests to the lan....

Another thing that has nothing to do with Shorewall, but I can't seem to find any info on (feel free to disregard this question!): I'm looking through docs on adding static routes on RedHat and they all refer to /etc/sysconfig/static-routes, but I also notice this file missing from RH8, as well as any info in the RedHat manuals. Anyone have a clue if they've changed this?

Thanks again,
Orjan

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Posted At: den 21 november 2002 00:43
Posted To: shorewall
Conversation: [Shorewall-users] Proxy ARP
Subject: Re: [Shorewall-users] Proxy ARP

--On Wednesday, November 20, 2002 11:45:36 PM +0100 shorewall at bolibompa <shorewall@bolibompa.com> wrote:

> Hi all!
>
> I posted earlier about the proxy arp configuration
> http://shorewall.sourceforge.net/shorewall_setup_guide.htm#NonRouted, and
> was probably not sufficiently knowledgeable on the subject. I've gone
> through a bunch of documents on proxy arp, subnetting with proxy arp and
> the documentation at shorewall, and have come up with a setup that would
> be perfect for the job at hand - I just need to clear up a few things.
>
> Here's the set up:
>
> * A whole class c network.
>
> * ISP's router is at 195.149.134.1
>
> * I'll set up the fw's external interface at 195.149.134.2/24
>
> * I'll set up a dmz interface at 195.149.134.3/25
>
> * I'll set up a dmz2 interface at 195.149.134.129/25
>
> * I'll set up a loc interface at 192.168.1.1/24
>
> * I'll specify 'proxyarp' as an option for the external, dmz and dmz2
> interfaces, but not for the loc interface.
>
> A few questions regarding this set up:
>
> * Am I correct in setting the proxyarp option on all interfaces except
> the loc one? The local clients will get to the other interfaces without
> this option, right (rules permitting)?

Yes.

> * In the interfaces file, will there be a problem with two interfaces
> having the same broadcast address (net and dmz2)?

No.

> * I want to masq the local clients going to the internet, so I thought
> I'd specify: eth0 eth3
> in the masq file (eth3 is the loc interface). Would this achieve what I
> need - masq internal clients going to the Internet, but not going to the
> dmz and dmz2?

Yes.

> * Will the proxyarp option take care of all I need regarding proxyarp, or
> do I have to do something else? Maybe a naive question, but I regard
> proxy arp as something pretty advanced (yes, I am new to it) and
> Shorewall taking care of it for me just sounds too good to be true! :-)

You don't need anything else.

> * Any other obvious snags in the set up outlined above?

You will need a host route to 195.149.134.1 on eth0 and be sure to flush all ARP caches (including your ISP's router) after you set this up.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
--On Friday, November 22, 2002 03:50:33 PM +0100 shorewall at bolibompa <shorewall@bolibompa.com> wrote:

> Thanks for all your help!
>
> Unfortunately the customer just threw me a curve ball, so I have yet
> another question concerning proxy arp:
>
> If I use proxy arp and split the c network with a 25-mask and assign them
> to two different dmz interfaces, would it still be possible to use some
> of these addresses and send them to the local network with a DNAT rule? I
> really don't want to do this since I think this defeats the purpose of a
> fw. I try to suggest ssh to the dmz and tunneling from there, but they
> seem hell bent on forwarding some requests to the lan....

Yes -- you can do that.

> Another thing that has nothing to do with Shorewall, but I can't seem to
> find any info on (feel free to disregard this question!): I'm looking
> through docs on adding static routes on RedHat and they all refer to
> /etc/sysconfig/static-routes, but I also notice this file missing from
> RH8, as well as any info in the RedHat manuals. Anyone have a clue if
> they've changed this?

I haven't had to deal with any static routes on 8.0 -- sorry.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://shorewall.sf.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Friday, November 22, 2002 8:54 AM
> Subject: RE: [Shorewall-users] Proxy ARP
>
> > Another thing that has nothing to do with Shorewall, but I
> > can't seem to find any info on (feel free to disregard this
> > question!): I'm looking through docs on adding static routes
> > on RedHat and they all refer to /etc/sysconfig/static-routes,
> > but I also notice this file missing from RH8, as well as any
> > info in the RedHat manuals. Anyone have a clue if they've
> > changed this?
>
> I haven't had to deal with any static routes on 8.0 -- sorry.

I think redhat just forgot to create static-routes in the 8.0 distro. FWIW: It is still being executed in /etc/init.d/network on startup. So I would think you can create this file and have it add static routes at system startup. Worth a try at least.

From my RH-8.0 system:

[root@voyager init.d]# grep static-routes *
network:    # Add non interface-specific static-routes.
network:    if [ -f /etc/sysconfig/static-routes ]; then
network:        grep "^any" /etc/sysconfig/static-routes | while read ignore args ; do

Steve Cowles
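As an added example (not Steve's script, Red Hat's, or anything from this thread), the code below parses /etc/sysconfig/static-routes text the way the quoted loop does: keep only lines that `grep "^any"` would match, let `read ignore args` throw away the first word, and hand the rest to `route`. The quote stops before the loop body, so the assumption that it runs `route add -$args` (turning `host`/`net` into `-host`/`-net`) is mine. The file contents are constructed, and the last sample line shows a caveat a practitioner would want to know: the `^any` anchor matches any line beginning with those three letters, not just the keyword `any`, so a stray line would be handed to `route` at boot. `has_host_route` checks that the host route Tom asked for is present.

```python
# Constructed sample of /etc/sysconfig/static-routes (not from the thread).
SAMPLE_STATIC_ROUTES = """\
# static routes added by /etc/init.d/network at boot (constructed sample)
any host 195.149.134.1 dev eth0
any net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254

eth3 net 172.16.0.0 netmask 255.255.0.0 gw 192.168.1.254
anything beginning with any is matched too
"""


def static_route_args(text):
    """Mirror of: grep "^any" file | while read ignore args.
    Keep lines starting with 'any' (the grep anchor, so 'anything' matches
    as well), drop the first word (shell variable `ignore`) and return the
    remaining fields of each line (shell variable `args`)."""
    result = []
    for line in text.splitlines():
        if not line.startswith("any"):
            continue
        fields = line.split()          # read splits on whitespace like IFS
        if len(fields) < 2:
            continue                   # `args` would be empty
        result.append(fields[1:])
    return result


def route_commands(text):
    """Render each matched line as the command the loop body is assumed to
    run: /sbin/route add -$args (the leading '-' turns host/net into the
    route option). The body is not in Steve's quote; this is an assumption."""
    return ["/sbin/route add -" + " ".join(args)
            for args in static_route_args(text)]


def has_host_route(text, host, dev):
    """Check that a 'host <host> ... dev <dev>' entry is present, i.e. that
    the file would install the host route to the ISP router on eth0."""
    for args in static_route_args(text):
        if args[:2] != ["host", host]:
            continue
        for i, word in enumerate(args):
            if word == "dev" and i + 1 < len(args) and args[i + 1] == dev:
                return True
    return False


if __name__ == "__main__":
    for cmd in route_commands(SAMPLE_STATIC_ROUTES):
        print(cmd)
    print("host route to 195.149.134.1 via eth0 present:",
          has_host_route(SAMPLE_STATIC_ROUTES, "195.149.134.1", "eth0"))
```

Running it prints three commands; the third, built from the `anything ...` line, is what the boot script would try to execute, which is the reason to keep that file to `any ...` entries and comments only.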
Thanks Steve, you're right! Too ignorant to decipher those scripts, but got it working beautifully now.

Thanks again,
Orjan

-----Original Message-----
From: Cowles, Steve [mailto:Steve@SteveCowles.com]
Posted At: den 22 november 2002 16:33
Posted To: shorewall
Conversation: [Shorewall-users] Proxy ARP
Subject: RE: [Shorewall-users] Proxy ARP

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Friday, November 22, 2002 8:54 AM
> Subject: RE: [Shorewall-users] Proxy ARP
>
> > Another thing that has nothing to do with Shorewall, but I
> > can't seem to find any info on (feel free to disregard this
> > question!): I'm looking through docs on adding static routes
> > on RedHat and they all refer to /etc/sysconfig/static-routes,
> > but I also notice this file missing from RH8, as well as any
> > info in the RedHat manuals. Anyone have a clue if they've
> > changed this?
>
> I haven't had to deal with any static routes on 8.0 -- sorry.

I think redhat just forgot to create static-routes in the 8.0 distro. FWIW: It is still being executed in /etc/init.d/network on startup. So I would think you can create this file and have it add static routes at system startup. Worth a try at least.

From my RH-8.0 system:

[root@voyager init.d]# grep static-routes *
network:    # Add non interface-specific static-routes.
network:    if [ -f /etc/sysconfig/static-routes ]; then
network:        grep "^any" /etc/sysconfig/static-routes | while read ignore args ; do

Steve Cowles