I have two servers at a remote site, behind a router, which are accessible from the world and from our local LAN by proxy ARP. This is working through eth3. eth0 is the net zone, and eth1 is my loc1 zone.

But these remote servers are not accessible from a separate subnet on that same interface. On eth3 I have several subnets with zones/hosts defined. The zone with the remote servers is called yext (212.179.127.96/27) and the other zone is called mdm (192.168.5.64/26). Computers in the mdm zone can reach the internet, and servers in our dmz zone (a 4th interface, eth2), but they can't get through to the yext zone.

So I added to my proxyarp file two lines with eth3 in both the INTERFACE and the EXTERNAL column, as follows:

##############################################################
#ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE
212.179.127.100  eth3       eth0      yes
212.179.127.101  eth3       eth0      yes
212.179.127.100  eth3       eth1      yes
212.179.127.101  eth3       eth3      yes
212.179.127.100  eth3       eth3      yes
212.179.127.81   eth3       eth0      yes
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

This has *not* solved the problem. Is the above possible at all? How do I get this to work?
Here is the routing table:

[root@Paran-Bak shorewall]# /sbin/ip route sh
212.179.127.7 dev eth1  scope link
212.179.127.96/28 via 192.168.5.2 dev eth3
212.179.127.64/27 via 192.168.5.3 dev eth3
199.203.66.128/27 via 192.168.5.2 dev eth3
192.168.5.64/26 via 192.168.5.3 dev eth3
212.179.127.0/25 dev eth0  scope link
192.168.5.0/24 dev eth3  scope link
192.168.4.0/24 via 192.168.5.2 dev eth3
192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.200
192.168.1.0/24 dev eth1  scope link
192.168.10.0/24 dev eth2  scope link
172.21.0.0/16 via 192.168.5.2 dev eth3
172.16.0.0/12 via 192.168.5.16 dev eth3
127.0.0.0/8 dev lo  scope link
default via 212.179.127.1 dev eth0

The router which connects the remote servers is 192.168.5.2, and the zone mdm (a bank of modems for dialup users) is on 192.168.5.3.

And a few relevant lines from my policy file:

mdm   net   ACCEPT  info
mdm   mext  ACCEPT  info
mdm   yext  ACCEPT  info
yext  net   ACCEPT
yext  mdm   ACCEPT  info

When I try to make these connections from the mdm zone to the yext zone, nothing gets logged.

TIA,
Micha

Micha Silver
Arava Development Co
micha@arava.co.il
tel: (972) 8-6592270
cellular: (972) 53-665918
"What good are computers? They can only give you answers." ~ Pablo Picasso
On Tue, 15 Apr 2003, Micha Silver wrote:

> I have two servers at a remote site, behind a router, which are accessible
> from the world and from our local LAN by proxy ARP. This is working through
> eth3. eth0 is the net zone, and eth1 is my loc1 zone.
> But these remote servers are not accessible from a separate subnet on that
> same interface. On eth3 I have several subnets with zones/hosts defined. The
> zone with the remote servers is called yext (212.179.127.96/27) and the
> other zone is called mdm (192.168.5.64/26). Computers in the mdm zone can
> reach the internet, and servers in our dmz zone (a 4th interface, eth2), but
> they can't get through to the yext zone.
> So I added to my proxyarp file two lines with eth3 in both the INTERFACE and
> the EXTERNAL column, as follows:
>
> ##############################################################
> #ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE
> 212.179.127.100  eth3       eth0      yes
> 212.179.127.101  eth3       eth0      yes
> 212.179.127.100  eth3       eth1      yes
> 212.179.127.101  eth3       eth3      yes
> 212.179.127.100  eth3       eth3      yes
> 212.179.127.81   eth3       eth0      yes
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> This has *not* solved the problem. Is the above possible at all? How do I
> get this to work?

See http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

AND DON'T USE SHOREWALL 1.4.1 OR 1.4.1a!!!

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://www.shorewall.net
Washington USA     \ teastep@shorewall.net
On Tuesday 15 April 2003 18:01, Tom Eastep wrote:

> On Tue, 15 Apr 2003, Micha Silver wrote:
> > I have two servers at a remote site, behind a router, which are
> > accessible from the world and from our local LAN by proxy ARP. This is
> > working through eth3. eth0 is the net zone, and eth1 is my loc1 zone.
> > But these remote servers are not accessible from a separate subnet on
> > that same interface. On eth3 I have several subnets with zones/hosts
> > defined. The zone with the remote servers is called yext
> > (212.179.127.96/27) and the other zone is called mdm (192.168.5.64/26).
> > Computers in the mdm zone can reach the internet, and servers in our dmz
> > zone (a 4th interface, eth2), but they can't get through to the yext zone.
> > So I added to my proxyarp file two lines with eth3 in both the INTERFACE
> > and the EXTERNAL column, as follows:
> >
> > ##############################################################
> > #ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE
> > 212.179.127.100  eth3       eth0      yes
> > 212.179.127.101  eth3       eth0      yes
> > 212.179.127.100  eth3       eth1      yes
> > 212.179.127.101  eth3       eth3      yes
> > 212.179.127.100  eth3       eth3      yes
> > 212.179.127.81   eth3       eth0      yes
> > #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> >
> > This has *not* solved the problem. Is the above possible at all? How do I
> > get this to work?
>
> See http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

So if I understand correctly, you're suggesting that I just add another aliased address to the FW's external interface (I already have 7 aliases, and more are planned), then do DNAT to the remote server's internal address?

> AND DON'T USE SHOREWALL 1.4.1 OR 1.4.1a!!!

Yes, I've been following your discussion of 1.4.2 with the routeback option. I'm currently with 1.4.0.

> -Tom
On Tue, 15 Apr 2003, Micha Silver wrote:

> So if I understand correctly, you're suggesting that I just add another
> aliased address to the FW's external interface (I already have 7 aliases, and
> more are planned), then do DNAT to the remote server's internal address?

No -- I'm suggesting that you allow your firewall to route between the subnets on eth3 as described under "MULTIPLE SUBNETS" on the page that I referred you to.

-Tom
On Tue, 15 Apr 2003, Tom Eastep wrote:

> No -- I'm suggesting that you allow your firewall to route between the
> subnets on eth3 as described under "MULTIPLE SUBNETS" on the page that I
> referred you to.

And you clearly have to remove the extra ProxyARP entries that you added -- those will cause chaos on the eth3 segment.

-Tom
On Tuesday 15 April 2003 21:00, Tom Eastep wrote:

> On Tue, 15 Apr 2003, Tom Eastep wrote:
> > No -- I'm suggesting that you allow your firewall to route between the
> > subnets on eth3 as described under "MULTIPLE SUBNETS" on the page that I
> > referred you to.

Here are the relevant lines, first from my interfaces file:

-     eth3   192.168.5.255   tcpflags,routefilter

and from my hosts file:

yext  eth3:212.179.127.96/28
# dialup
mdm   eth3:192.168.5.64/26

and from rules:

ACCEPT  all   yext  tcp  ssh,http,https,ftp,ftp-data,5631,5632
ACCEPT  dmz   yext  tcp  137,138,139
ACCEPT  loc1  yext  tcp  137,138,139
ACCEPT  yext  all   tcp  -   ssh,http,https,ftp,ftp-data,5631,5632
# pcAnywhere to and from Yair servers internal computers
ACCEPT  yext  all   udp  ssh,5632
ACCEPT  all   yext  udp  ssh,5632

Does this look about right?

> And you clearly have to remove the extra ProxyARP entries that you added
> -- those will cause chaos on the eth3 segment.

I figured as much. This is my proxyarp file now:

212.179.127.100  eth3  eth0  yes
212.179.127.101  eth3  eth0  yes
212.179.127.100  eth3  eth1  yes
212.179.127.81   eth3  eth0  yes

Thanks for all the help, as always.
On Tue, 15 Apr 2003, Micha Silver wrote:

> On Tuesday 15 April 2003 21:00, Tom Eastep wrote:
> > On Tue, 15 Apr 2003, Tom Eastep wrote:
> > > No -- I'm suggesting that you allow your firewall to route between the
> > > subnets on eth3 as described under "MULTIPLE SUBNETS" on the page that I
> > > referred you to.
>
> Here are the relevant lines, first from my interfaces file:
> -     eth3   192.168.5.255   tcpflags,routefilter

You probably want to add 212.179.127.111 as a broadcast address.

> and from my hosts file:
> yext  eth3:212.179.127.96/28
> # dialup
> mdm   eth3:192.168.5.64/26
>
> and from rules:
> ACCEPT  all   yext  tcp  ssh,http,https,ftp,ftp-data,5631,5632

You NEVER need ftp-data as a destination port; and pcAnywhere only uses port 5632 with UDP.

> ACCEPT  dmz   yext  tcp  137,138,139
> ACCEPT  loc1  yext  tcp  137,138,139
> ACCEPT  yext  all   tcp  -   ssh,http,https,ftp,ftp-data,5631,5632
> # pcAnywhere to and from Yair servers internal computers
> ACCEPT  yext  all   udp  ssh,5632
> ACCEPT  all   yext  udp  ssh,5632

ssh doesn't use UDP.

> Does this look about right?

Depends on what you want to do between the mdm and yext zones.

-Tom
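As an added example (not from the thread and not Shorewall's own code), a small Python check that applies Tom's two review points to the files Micha posted: the proxyarp entries whose EXTERNAL interface is the eth3 segment itself, and rules that list ftp-data as a destination port, ssh under UDP, or pcAnywhere's 5632 under TCP. The sample input is copied from the messages above; the function names are my own.

```python
"""Lint the Shorewall proxyarp and rules lines posted in this thread.

Each check encodes one point Tom raised; sample input is constructed
from the messages above (proxyarp columns: ADDRESS INTERFACE EXTERNAL
HAVEROUTE; rules columns: ACTION SOURCE DEST PROTO DPORT [SPORT]).
"""
from typing import Iterator, List

# Constructed sample: the six-entry proxyarp file from the first message.
PROXYARP_BEFORE = """\
#ADDRESS         INTERFACE  EXTERNAL  HAVEROUTE
212.179.127.100  eth3       eth0      yes
212.179.127.101  eth3       eth0      yes
212.179.127.100  eth3       eth1      yes
212.179.127.101  eth3       eth3      yes
212.179.127.100  eth3       eth3      yes
212.179.127.81   eth3       eth0      yes
"""

# Constructed sample: four of the rules lines Micha posted.
RULES = """\
ACCEPT  all   yext  tcp  ssh,http,https,ftp,ftp-data,5631,5632
ACCEPT  yext  all   tcp  -   ssh,http,https,ftp,ftp-data,5631,5632
ACCEPT  yext  all   udp  ssh,5632
ACCEPT  all   yext  udp  ssh,5632
"""


def _records(text: str) -> Iterator[List[str]]:
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def lint_proxyarp(text: str) -> List[str]:
    """Flag entries that name the segment's own interface as EXTERNAL."""
    return [f"{addr}: EXTERNAL {ext} is the same as INTERFACE {iface}"
            for addr, iface, ext, *_ in _records(text) if iface == ext]


def lint_rules(text: str) -> List[str]:
    """Flag destination-port choices that do not fit the rule's protocol."""
    problems = []
    for _action, src, dst, proto, dport, *_ in _records(text):
        ports = [] if dport == "-" else dport.split(",")  # "-" = any dest port
        where = f"{src} -> {dst} ({proto})"
        if "ftp-data" in ports:
            problems.append(f"{where}: ftp-data is never needed as a destination port")
        if proto == "udp" and "ssh" in ports:
            problems.append(f"{where}: ssh does not use UDP")
        if proto == "tcp" and "5632" in ports:
            problems.append(f"{where}: pcAnywhere uses 5632 only with UDP")
    return problems
```

Running `lint_proxyarp` on the trimmed four-line proxyarp file from the later message returns nothing, which is the state Tom asked for.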