Hi all,

I'm trying to implement proxyarp for the dmz on a 3 nic system, but I'm having trouble understanding the network settings that will allow it to work - a bit OT maybe but I hope it's ok.

The setup:
eth0 - loc (lan) masq'd using 192.168.1.0
eth1 - dmz (RH 7.3, stock kernel)
eth2 - net (216.138.246.133 & 216.138.246.134 <- default) (same RH 7.3)

The loc network is working fine, and the dmz server has worked fine when facing the net directly (and even in an earlier dnat setup), but now can't ping out. The inability to ping isn't being logged, which is what leads me to believe it's not (directly) a shorewall problem.

What I'm not clear on is: if proxyarp contains (only) the line
216.138.246.133 eth1 eth2 No

and my isp has told me to use (and so the fw uses):
one of 216.138.246.130 - 216.138.246.142
with gateway 216.138.246.129
and netmask 255.255.255.240

should the dmz ifcfg-eth0 be using gateway of .129 or .134 (the fw)? And either way, the same netmask?

Here is info from ip on the fw:

ip add show:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:b4:a8:3c:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:d6:6f:b3 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:c4:bc:4b brd ff:ff:ff:ff:ff:ff
    inet 216.138.246.134/28 brd 216.138.246.143 scope global eth2
    inet 216.138.246.133/28 brd 216.138.246.143 scope global secondary eth2

ip route show:

216.138.246.133 dev eth1 scope link
216.138.246.128/28 dev eth2 scope link
192.168.1.0/24 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 216.138.246.129 dev eth2

Any and all help is appreciated!

Thanks,
Oliver
On Fri, 21 Mar 2003, Oliver Meyn wrote:

Before we go any further: Have you performed the diagnostic procedure described in the Proxy ARP documentation to determine if your ISP's ARP cache is stale?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
On Fri, 21 Mar 2003, Oliver Meyn wrote:

> The setup:
> eth0 - loc (lan) masq'd using 192.168.1.0
> eth1 - dmz (RH 7.3, stock kernel)
> eth2 - net (216.138.246.133 & 216.138.246.134 <- default) (same RH 7.3)
>
> The loc network is working fine, and the dmz server has worked fine when
> facing the net directly (and even in an earlier dnat setup), but now
> can't ping out. The inability to ping isn't being logged, which is what
> leads me to believe it's not (directly) a shorewall problem.
>
> What I'm not clear on is: if proxyarp contains (only) the line
> 216.138.246.133 eth1 eth2 No
>
> and my isp has told me to use (and so the fw uses):
> one of 216.138.246.130 - 216.138.246.142
> with gateway 216.138.246.129
> and netmask 255.255.255.240
>
> should the dmz ifcfg-eth0 be using gateway of .129 or .134 (the fw)? And
> either way, the same netmask?
>

It should use the same gateway as the firewall -- the documentation is very clear on that point.

> Here is info from ip on the fw:
>
> ip add show:
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:00:b4:a8:3c:74 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:ba:d6:6f:b3 brd ff:ff:ff:ff:ff:ff
>     inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:ba:c4:bc:4b brd ff:ff:ff:ff:ff:ff
>     inet 216.138.246.134/28 brd 216.138.246.143 scope global eth2
>     inet 216.138.246.133/28 brd 216.138.246.143 scope global secondary eth2
>

WHY DO YOU HAVE 216.138.246.133 DEFINED ON THE FIREWALL?????? NONE OF THE DOCUMENTATION TELLS YOU TO DO THAT!!!!

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
Hi Tom,

> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:00:b4:a8:3c:74 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:50:ba:d6:6f:b3 brd ff:ff:ff:ff:ff:ff
> >     inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
> > 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:50:ba:c4:bc:4b brd ff:ff:ff:ff:ff:ff
> >     inet 216.138.246.134/28 brd 216.138.246.143 scope global eth2
> >     inet 216.138.246.133/28 brd 216.138.246.143 scope global secondary eth2
> >
>
> WHY DO YOU HAVE 216.138.246.133 DEFINED ON THE FIREWALL?????? NONE OF THE
> DOCUMENTATION TELLS YOU TO DO THAT!!!!
>
> -Tom

This was a clearly mistaken assumption on my part. With its removal the dmz can ping and things look good. Thanks very much for your speedy response, and sorry for making you yell.

Cheers,
Oliver
On Fri, 21 Mar 2003, Oliver Meyn wrote:

> This was a clearly mistaken assumption on my part. With its removal the dmz
> can ping and things look good. Thanks very much for your speedy response,
> and sorry for making you yell.
>

And I'm sorry for yelling .... Glad to hear that it's working.

-Tom

PS -- I'm updating the documents to make it very clear that the proxied address(es) should not be added to the firewall's external interface :-)
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net
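The two facts this thread settles can be checked mechanically from the firewall's `ip addr show` and `ip route show` output: the proxied address must appear as a host route out of the internal (dmz) interface, and it must NOT be configured as an address on the external interface. The checker below is an added example written for this page; it is not Shorewall's own code and Shorewall has no such tool. It parses the ip output quoted in the thread (embedded here as sample text), takes proxyarp entries in the same (address, interface, external) order as the first three columns of the shorewall proxyarp file, and reports the exact mistake Tom spotted. The function names, the regexes and the "after the fix" sample (the thread's output with the secondary eth2 address removed) are all assumptions of this example.

```python
"""Sanity-check a proxy ARP setup from `ip addr show` / `ip route show` text.

Added example for this thread, not part of Shorewall. It only inspects the
two invariants the thread settled on; it does not touch the system.
"""
import re

# Sample `ip addr show` output as quoted in the thread, with the mistaken
# secondary 216.138.246.133 still present on the external interface eth2.
IP_ADDR_BEFORE = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:b4:a8:3c:74 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:d6:6f:b3 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:c4:bc:4b brd ff:ff:ff:ff:ff:ff
    inet 216.138.246.134/28 brd 216.138.246.143 scope global eth2
    inet 216.138.246.133/28 brd 216.138.246.143 scope global secondary eth2
"""

# Constructed "after the fix" sample: the same output minus the secondary line.
IP_ADDR_AFTER = "\n".join(
    line for line in IP_ADDR_BEFORE.splitlines() if "216.138.246.133" not in line
) + "\n"

# Sample `ip route show` output as quoted in the thread.
IP_ROUTE = """\
216.138.246.133 dev eth1 scope link
216.138.246.128/28 dev eth2 scope link
192.168.1.0/24 dev eth0 scope link
10.10.10.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 216.138.246.129 dev eth2
"""

# The proxyarp entry from the thread: ADDRESS INTERFACE EXTERNAL (HAVEROUTE
# is ignored here, the route is checked from `ip route` instead).
PROXYARP_ENTRIES = [("216.138.246.133", "eth1", "eth2")]


def parse_addrs(text):
    """Map interface name -> set of IPv4 addresses from `ip addr show` output."""
    addrs, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+(\S+):", line)
        if head:
            iface = head.group(1)
            addrs.setdefault(iface, set())
            continue
        inet = re.match(r"^\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", line)
        if inet and iface:
            addrs[iface].add(inet.group(1))
    return addrs


def parse_host_routes(text):
    """Map destination -> interface for host (/32) routes in `ip route show`."""
    routes = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)(?:/32)?\s+dev\s+(\S+)", line)
        if m:  # prefixes such as 216.138.246.128/28 do not match and are skipped
            routes[m.group(1)] = m.group(2)
    return routes


def check_proxyarp(addr_text, route_text, entries):
    """Return a list of findings; an empty list means both invariants hold."""
    addrs = parse_addrs(addr_text)
    routes = parse_host_routes(route_text)
    findings = []
    for address, interface, external in entries:
        # Invariant 1: the proxied address is never an address of the firewall's
        # external interface (the mistake in the thread).
        if address in addrs.get(external, set()):
            findings.append(f"{address} is configured on external interface {external}; remove it")
        # Invariant 2: a host route for the proxied address points out the
        # interface the DMZ host actually sits on.
        if routes.get(address) != interface:
            findings.append(f"no host route for {address} via {interface}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", IP_ADDR_BEFORE), ("after", IP_ADDR_AFTER)):
        print(label, check_proxyarp(sample, IP_ROUTE, PROXYARP_ENTRIES) or "ok")
```

Run against live output with `ip addr show` and `ip route show` captured to strings; the parser only relies on the `N: ifname:` header lines and the `inet A.B.C.D/len` lines, which iproute2 has printed in that shape since the version on the RH 7.3 box in the thread.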
> From: Tom Eastep [mailto:teastep@shorewall.net]
>
> Glad to hear that it's working.
>
> -Tom
>
> PS -- I'm updating the documents to make it very clear that the proxied
> address(es) should not be added to the firewall's external interface :-)

Hehe, I feel like Homer Simpson - "see, because of me, there's a warning".

A further addition to the proxyarp docs that would have helped me (and so might help the other Homers out there :) is that the dmz network config is the same as it would be if it were parallel to the firewall (ie facing the net). Not sure if that's always the case, but is for me.

Thanks again,
Oliver
On Fri, 21 Mar 2003, Oliver Meyn wrote:

> Hehe, I feel like Homer Simpson - "see, because of me, there's a warning".

:-) When I write the documentation, I try to tell folks what to do -- it is only feedback from problem reports that allows me to add what NOT to do.

> A further addition to the proxyarp docs that would have helped me (and so
> might help the other Homers out there :) is that the dmz network config is
> the same as it would be if it were parallel to the firewall (ie facing the
> net). Not sure if that's always the case, but is for me.
>

That is always the right approach and I've added that to the docs.

Thanks,
-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA    \ teastep@shorewall.net