Hello, I'm trying to duplicate my existing firewall onto a different computer, and am having considerable difficulty in getting my dmz to view and be visible from the outside world. After hours of trying to narrow down any cause or difference, the only thing I could find is a difference in the output of ip route. What does the "proto kernel scope link src ..." mean? And if this could possibly be the cause (as it is the only difference I could find) how/where would I implement this change?

Working firewall (ip route show):

    208.253.224.124 dev eth1 scope link
    208.253.224.112/28 dev eth1 proto kernel scope link src 208.253.224.113
    208.253.224.96/27 dev eth0 proto kernel scope link src 208.253.224.100
    192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
    127.0.0.0/8 dev lo scope link
    default via 208.253.224.97 dev eth0

Firewall with non-functional dmz (ip route show):

    208.253.224.124 dev eth1 scope link
    208.253.224.112/28 dev eth1 scope link
    208.253.224.96/27 dev eth0 scope link
    192.168.0.0/24 dev eth2 scope link
    127.0.0.0/8 dev lo scope link
    default via 208.253.224.97 dev eth0
--On Monday, March 10, 2003 12:28:38 PM -0800 Isaac Chapman <isaacc@themeco.com> wrote:

> Hello, I'm trying to duplicate my existing firewall onto a different
> computer, and am having considerable difficulty in getting my dmz to view
> and be visible from the outside world. After hours of trying to narrow
> down any cause or difference, the only thing I could find is a difference
> in the output of ip route. What does the "proto kernel scope link src
> ..." mean? And if this could possibly be the cause (as it is the only
> difference I could find) how/where would I implement this change?
>
> Working firewall (ip route show):
> 208.253.224.124 dev eth1 scope link
> 208.253.224.112/28 dev eth1 proto kernel scope link src 208.253.224.113
> 208.253.224.96/27 dev eth0 proto kernel scope link src 208.253.224.100
> 192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
> 127.0.0.0/8 dev lo scope link
> default via 208.253.224.97 dev eth0
>
> Firewall with non-functional dmz (ip route show):
> 208.253.224.124 dev eth1 scope link
> 208.253.224.112/28 dev eth1 scope link
> 208.253.224.96/27 dev eth0 scope link
> 192.168.0.0/24 dev eth2 scope link
> 127.0.0.0/8 dev lo scope link
> default via 208.253.224.97 dev eth0
>

a) What is the output of "ip addr show" between the two?
b) How are you testing the new firewall?
c) What symptoms are you seeing?
d) How have you configured your DMZ in Shorewall?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Uhh... never mind. The problem ended up being one of my ISPs' arp cache. Using the instructions/guidance on arping at http://shorewall.sourceforge.net/ProxyARP.htm helped clue me into that.

Thanks a lot for all the work into developing shorewall, it beats the pants off my old ipchains scripts.

The reason I needed to replicate my old firewall was so that I could install an additional NIC to allow for multiple uplink providers, and divert some local outgoing traffic through a DSL line to relieve congestion on a T1 line. Right now I have the appropriate packet marking rules in shorewall/tcrules, but am curious if there is a better or more appropriate way to create the necessary additional route table than by having the following in shorewall/start?

    ip route flush table 8
    ip route show table main | grep -Ev ^default | while read ROUTE; do ip route add table 8 $ROUTE; done
    ip route add table 8 default via x.x.x.x (dsl gateway)
    ip rule add fwmark 8 table 8
    ip route flush cache

Again, thanks for your help and for your diligent improvements on shorewall.

-Isaac Chapman

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, March 10, 2003 12:58 PM
To: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] proto kernel?

--On Monday, March 10, 2003 12:28:38 PM -0800 Isaac Chapman <isaacc@themeco.com> wrote:

> Hello, I'm trying to duplicate my existing firewall onto a different
> computer, and am having considerable difficulty in getting my dmz to view
> and be visible from the outside world. After hours of trying to narrow
> down any cause or difference, the only thing I could find is a difference
> in the output of ip route. What does the "proto kernel scope link src
> ..." mean? And if this could possibly be the cause (as it is the only
> difference I could find) how/where would I implement this change?
>
> Working firewall (ip route show):
> 208.253.224.124 dev eth1 scope link
> 208.253.224.112/28 dev eth1 proto kernel scope link src 208.253.224.113
> 208.253.224.96/27 dev eth0 proto kernel scope link src 208.253.224.100
> 192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
> 127.0.0.0/8 dev lo scope link
> default via 208.253.224.97 dev eth0
>
> Firewall with non-functional dmz (ip route show):
> 208.253.224.124 dev eth1 scope link
> 208.253.224.112/28 dev eth1 scope link
> 208.253.224.96/27 dev eth0 scope link
> 192.168.0.0/24 dev eth2 scope link
> 127.0.0.0/8 dev lo scope link
> default via 208.253.224.97 dev eth0
>

a) What is the output of "ip addr show" between the two?
b) How are you testing the new firewall?
c) What symptoms are you seeing?
d) How have you configured your DMZ in Shorewall?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
--On Monday, March 10, 2003 11:32:01 PM -0800 Isaac Chapman <isaacc@themeco.com> wrote:

> Uhh... never mind. The problem ended up being one of my ISPs' arp cache.
> Using the instructions/guidance on arping at
> http://shorewall.sourceforge.net/ProxyARP.htm helped clue me into that.

I suspected that was the cause - hence the series of questions I asked.

> Thanks a lot for all the work into developing shorewall, it beats the pants
> off my old ipchains scripts.

You're welcome.

>
> The reason I needed to replicate my old firewall was so that I could
> install an additional NIC to allow for multiple uplink providers, and
> divert some local outgoing traffic through a DSL line to relieve
> congestion on a T1 line. Right now I have the appropriate packet marking
> rules in
> shorewall/tcrules, but am curious if there is a better or more appropriate
> way to create the necessary additional route table than by having the
> following in shorewall/start?
>

That looks fine -- your alternative would be to create your own init script for your routing table, install it in /etc/init.d and create the appropriate symbolic links (preferably using your distro's runlevel tool such as chkconfig on RedHat or insserv on SuSE).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
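As an added example (not code from the thread or from Shorewall), the following Python script does two things the thread discusses by hand: it parses "ip route show" output into per-route fields and reports which fields differ between two dumps (here the "proto kernel" and "src" entries missing from the second firewall), and it expresses the shorewall/start loop from the later message as a function that builds the same list of commands for an alternate table without executing anything. The two dumps are constructed from the listings above, and DSL_GATEWAY is a placeholder for the x.x.x.x gateway.

```python
# Constructed samples modelled on the two "ip route show" listings in the thread
# (working firewall first, then the one whose DMZ was unreachable).
WORKING = """208.253.224.112/28 dev eth1 proto kernel scope link src 208.253.224.113
208.253.224.96/27 dev eth0 proto kernel scope link src 208.253.224.100
192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
default via 208.253.224.97 dev eth0"""
BROKEN = """208.253.224.112/28 dev eth1 scope link
208.253.224.96/27 dev eth0 scope link
192.168.0.0/24 dev eth2 scope link
default via 208.253.224.97 dev eth0"""

# Keywords that carry a value: "proto kernel" marks a route the kernel installed itself when
# the address was configured, "scope link" a directly attached destination, "src" the preferred
# source address. Any other word is a bare flag.
KEYED = {"dev", "via", "proto", "scope", "src", "metric", "table"}

def parse_routes(dump):
    """Map each destination to its {field: value} pairs (bare flags map to True)."""
    routes = {}
    for words in map(str.split, dump.splitlines()):
        if not words:
            continue
        fields, it = {}, iter(words[1:])
        for word in it:
            fields[word] = next(it, True) if word in KEYED else True
        routes[words[0]] = fields
    return routes

def diff_routes(a, b):
    """Per destination, the fields whose values differ (an absent field shows as None)."""
    out = {}
    for dst in sorted(set(a) | set(b)):
        fa, fb = a.get(dst, {}), b.get(dst, {})
        changed = {k: (fa.get(k), fb.get(k))
                   for k in set(fa) | set(fb) if fa.get(k) != fb.get(k)}
        if changed:
            out[dst] = changed
    return out

def alternate_table_commands(routes, table, gateway):
    """The shorewall/start loop as data: copy non-default routes, add own default, select by fwmark."""
    cmds = [f"ip route flush table {table}"]
    for dst, fields in routes.items():
        if dst == "default":
            continue  # the alternate table gets its own default route below
        words = [k if v is True else f"{k} {v}" for k, v in fields.items()]
        cmds.append(f"ip route add table {table} {dst} " + " ".join(words))
    cmds += [f"ip route add table {table} default via {gateway}",
             f"ip rule add fwmark {table} table {table}",
             "ip route flush cache"]
    return cmds
```

Running diff_routes(parse_routes(WORKING), parse_routes(BROKEN)) shows that only the proto and src fields differ, which is consistent with the routes on the second box having been added by hand rather than by the kernel when the addresses were assigned.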