I have a network question. I have two servers on a 10.5.198.0/24 internal network segment. One is Shorewall, two-interface, with one static IP: eth0 64.42.49.235 on a /29 network, eth1 10.5.198.254 (gateway for loc) (the FQIP will change after build and installation). The other server is a Toyota server for web access, cars and Toyota work. The Shorewall server is for the Ford network. The Toyota server is on the same LAN as Shorewall; its IP is 10.5.198.29 with the Toyota gateway 10.5.198.29. The Toyota server is used through IE6 for web browsing only at the client level. Right now they just use the proxy setting in their browsers to change and access the Toyota gateway. Is there a way to route this with Shorewall, since this is an ARP request? To put it simply, when visiting 10.5.198.29 it is a different web server and gateway on the same LAN. Is there a way to have Shorewall route this somehow???

Thanks,
Mike
On Wed, 2003-10-01 at 14:15, Mike Lander wrote:
> The Toyota server is on the same LAN as Shorewall; its IP is 10.5.198.29
> with the Toyota gateway 10.5.198.29.

Did you mean for the two IP addresses in the above sentence to be the same?

> The Toyota server is used through IE6 for web browsing only at the
> client level. Right now they just use the proxy setting in their
> browsers to change and access the Toyota gateway. Is there a way to
> route this with Shorewall, since this is an ARP request? To put it
> simply, when visiting 10.5.198.29 it is a different web server and
> gateway on the same LAN. Is there a way to have Shorewall route this
> somehow???

I'm lost....

Sorry
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 2:19 PM
Subject: Re: [Shorewall-users] Internal gateways

> On Wed, 2003-10-01 at 14:15, Mike Lander wrote:
> > The Toyota server is on the same LAN as Shorewall; its IP is 10.5.198.29
> > with the Toyota gateway 10.5.198.238

-------------------------- correction, sorry! -----------

> Did you mean for the two IP addresses in the above sentence to be the
> same?
>
> I'm lost....
>
> Sorry
> -Tom
> --
> Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
> Shoreline, \ http://shorewall.net
> Washington USA \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 2003-10-01 at 14:28, Mike Lander wrote:
> > > The Toyota server is on the same LAN as Shorewall; its IP is 10.5.198.29
> > > with the Toyota gateway 10.5.198.238
>
> -------------------------- correction, sorry! -----------

I assumed that they were different addresses but I'm still lost as to what problem you are trying to solve with Shorewall. Remember that all we know about your problem is what you tell us; phrases like "at the client level" have no meaning to us (or they have such a general meaning as to be of no help in trying to understand the problem).

My *guess* is that the clients are trying to access the Toyota server through the Shorewall box but the Toyota server is sending the replies back out through 10.6.198.238 -- is that the problem you are trying to solve?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 2:36 PM
Subject: Re: [Shorewall-users] Internal gateways

> I assumed that they were different addresses but I'm still lost as to
> what problem you are trying to solve with Shorewall. Remember that all
> we know about your problem is what you tell us; phrases like "at the
> client level" have no meaning to us (or they have such a general meaning
> as to be of no help in trying to understand the problem).
>
> My *guess* is that the clients are trying to access the Toyota server
> through the Shorewall box but the Toyota server is sending the replies
> back out through 10.6.198.238 -- is that the problem you are trying to
> solve?
>
> -Tom

The two servers have different gateways. Shorewall's config: eth0 64.42.49.235 with gateway 64.42.49.233 on a /29, broadcast 64.42.49.239. Shorewall's loc interface eth1 10.5.198.20 on 10.5.198.0/24. So the main gateway for most traffic (clients or workstations) is 10.5.198.20. The exception is this weird Toyota network. When a workstation needs to access the Toyota network, the person or persons at their workstation currently go to the proxy settings in IE6 and change the browser settings to use a proxy server; the settings are 10.5.198.29 port 80. They also have an alternate gateway, 10.5.198.238, that is changed at the workstation. Then they can access the Toyota box. They then have to switch off the proxy settings to use the main router to browse. I don't have a Shorewall box in yet; building it right now. Very sorry for the confusion.

Thank you,
Mike
On Wed, 2003-10-01 at 15:25, Mike Lander wrote:
> The two servers have different gateways. Shorewall's config: eth0
> 64.42.49.235 with gateway 64.42.49.233 on a /29, broadcast 64.42.49.239.
> Shorewall's loc interface eth1 10.5.198.20 on 10.5.198.0/24.
> So the main gateway for most traffic (clients or workstations)
> is 10.5.198.20. The exception is this weird Toyota network.
> When a workstation needs to access the Toyota network, the person or
> persons at their workstation currently go to the proxy settings in IE6
> and change the browser settings to use a proxy server; the settings
> are 10.5.198.29 port 80.

So there is a proxy running there?

> They also have an alternate gateway, 10.5.198.238, that is changed at
> the workstation.

How many workstations are there? Is it not practical to add persistent routes at each workstation to the Toyota network through 10.5.198.238? Or is your idea to be lazy and just add these routes once (on the firewall) and let it be involved in outgoing Toyota traffic (but not incoming Toyota traffic)?

If the latter:

a) Use Shorewall 1.4.6b
b) Set the 'newnotsyn' and 'routeback' options on the local interface

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
I have installed and configured Shorewall, although it does not start because during bootup, as reported by dmesg, the Ethernet cards are not reported to be located, so if I do a "dmesg | grep eth" there is no result. Could the problem be that my NIC cards are modular and I need to build them in? As a result of this Shorewall fails to start. Any suggestions?

Jim
On Wed, 2003-10-01 at 15:47, Jim wrote:
> Any suggestions?

Yes -- this is not an appropriate forum for learning how to get your Ethernet cards working. Once you have them working, if you have problems with Shorewall then please feel free to post here for help.

And when you do post again, please start a new thread rather than hijack someone else's as you did this time.

Thanks
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> On Wed, 2003-10-01 at 15:25, Mike Lander wrote:
> > When a workstation needs to access the Toyota network, the person or
> > persons at their workstation currently go to the proxy settings in IE6
> > and change the browser settings to use a proxy server; the settings
> > are 10.5.198.29 port 80.
>
> So there is a proxy running there?

Yes

> > They also have an alternate gateway, 10.5.198.238, that is changed at
> > the workstation.
>
> How many workstations are there? Is it not practical to add persistent
> routes at each workstation to the Toyota network through 10.5.198.238?
> Or is your idea to be lazy and just add these routes once (on the
> firewall) and let it be involved in outgoing Toyota traffic (but not
> incoming Toyota traffic)?

Approx. 90 workstations

> If the latter:
>
> a) Use Shorewall 1.4.6b
> b) Set the 'newnotsyn' and 'routeback' options on the local interface
>
> -Tom

I just called the admin on their network; the Toyota gateway is used if you need Toyota access. But it is really slow to browse on the Toyota network. So I stand corrected: they use persistent routes, i.e. one gateway. The gateway that Shorewall will be on is much faster and they use this gateway if they don't need Toyota access. Their question was "Can we use our fast gateway on our workstations and have the workstations use the Toyota route only when needed, automatically?" Since they are on the same network I was not sure if Shorewall could do this, since both boxes are on the same subnet?

Mike
----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 4:36 PM
Subject: Re: [Shorewall-users] Internal gateways

> I just called the admin on their network; the Toyota gateway is used if
> you need Toyota access. But it is really slow to browse on the Toyota
> network. So I stand corrected: they use persistent routes, i.e. one
> gateway. The gateway that Shorewall will be on is much faster and they
> use this gateway if they don't need Toyota access.
> Their question was "Can we use our fast gateway on our workstations and
> have the workstations use the Toyota route only when needed,
> automatically?" Since they are on the same network I was not sure if
> Shorewall could do this, since both boxes are on the same subnet?
>
> Mike

I should add that Shorewall will be running squid, squidguard, openvpn, poptop, named, httpd, no dhcp.

Thank you,
Mike
On Wed, 1 Oct 2003, Mike Lander wrote:
> Their question was "Can we use our fast gateway on our workstations and
> have the workstations use the Toyota route only when needed,
> automatically?" Since they are on the same network I was not sure if
> Shorewall could do this, since both boxes are on the same subnet?

Again, the best way is to simply add persistent routes on the client workstations (although that is more labor intensive) but either way should work.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> How many workstations are there? Is it not practical to add persistent
> routes at each workstation to the Toyota network through 10.5.198.238?
> Or is your idea to be lazy and just add these routes once (on the
> firewall) and let it be involved in outgoing Toyota traffic (but not
> incoming Toyota traffic)?
>
> If the latter:

No

Thanks Tom,
I think I will try the workstation routes. I did not realize that it was being lazy; I thought it to be more practical for Shorewall to handle? I have elected to take your advice on the first option. Would this be the command to enter at the workstations? Being the guru boolean mathematician you are:

route -p add 10.5.198.29 mask 255.255.255.0 10.5.198.238

Thanks again,
Mike
On Wed, 1 Oct 2003, Mike Lander wrote:
> I have elected to take your advice on the first option. Would this be
> the command to enter at the workstations?
>
> route -p add 10.5.198.29 mask 255.255.255.0 10.5.198.238

Since all hosts on the LAN are presumably on 10.5.198.0/24, that route command isn't right. There must be other networks behind 10.5.198.238 that the clients need to access through that host.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Mike:

FWIW I would view the other router as hostile.
Tom, does this make me lazy?? ;)

I'd add a third NIC to the box, using the same internal IP, setting proxyarp on those two interfaces. Find 10.5.198.238 and plug it only into that NIC and not the hub/switch. Add a host route to 10.5.198.29 through 10.5.198.238 (I'm assuming that it's on the other side of the router). Are there any other machines that need to be contacted through 10.5.198.238? Add more routes as required... Add your rules and policies. I have something like that rigged up... Contact me off list if you like; this is more of a routing issue than a Shorewall one. Well, I use Shorewall to set it up....

Jerry

----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 06:46 PM
Subject: Re: [Shorewall-users] Internal gateways

> > I just called the admin on their network; the Toyota gateway is used if
> > you need Toyota access. But it is really slow to browse on the Toyota
> > network. So I stand corrected: they use persistent routes, i.e. one
> > gateway. The gateway that Shorewall will be on is much faster and they
> > use this gateway if they don't need Toyota access.
> > Their question was "Can we use our fast gateway on our workstations and
> > have the workstations use the Toyota route only when needed,
> > automatically?" Since they are on the same network I was not sure if
> > Shorewall could do this, since both boxes are on the same subnet?
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, October 01, 2003 7:31 PM
Subject: Re: [Shorewall-users] Internal gateways

> On Wed, 1 Oct 2003, Mike Lander wrote:
> > route -p add 10.5.198.29 mask 255.255.255.0 10.5.198.238
>
> Since all hosts on the LAN are presumably on 10.5.198.0/24, that route
> command isn't right. There must be other networks behind 10.5.198.238 that
> the clients need to access through that host.
>
> -Tom

Would this be better?

route -p add 10.0.0.0 mask 255.0.0.0 10.5.198.238

Thanks,
Mike
On Wed, 1 Oct 2003, Mike Lander wrote:
> Would this be better?
> route -p add 10.0.0.0 mask 255.0.0.0 10.5.198.238

It's not going to be that simple, Mike. You're going to have to research what networks the clients need to access in the Toyota intranet.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Wed, 1 Oct 2003, Jerry Vonau wrote:
> Mike:
>
> FWIW I would view the other router as hostile.
> Tom, does this make me lazy?? ;)
>
> I'd add a third NIC to the box, using the same internal IP, setting
> proxyarp on those two interfaces. Find 10.5.198.238 and plug it only
> into that NIC and not the hub/switch. Add a host route to 10.5.198.29
> through 10.5.198.238 (I'm assuming that it's on the other side of the
> router)

Jerry -- I don't believe that we have nearly enough information to try to design a three-interface solution.

I'm assuming that the LAN segment is 10.5.198.0/24 which would place 10.5.198.29 on that segment.

To design ANY solution, we need to know the networks gatewayed through 10.5.198.238.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
> On Wed, 1 Oct 2003, Jerry Vonau wrote:
> > FWIW I would view the other router as hostile.
> > Tom, does this make me lazy?? ;)
>
> Jerry -- I don't believe that we have nearly enough information to try to
> design a three-interface solution.
>
> I'm assuming that the LAN segment is 10.5.198.0/24 which would place
> 10.5.198.29 on that segment.
>
> To design ANY solution, we need to know the networks gatewayed through
> 10.5.198.238.
>
> -Tom

Hey Guys,
When I started this post, only then unfortunately did I realize I needed more homework. I have set up similar networks with GM, Linc. Mercury, Ford, Chry., Hyundai (not yet Toyota) and others. I have simply added static routes in Linux to alternate gateways and been able to access those networks when there are alternate gateways to car manufacturers. I once had Tom help me with static NAT when I needed the packets to return over OpenVPN. These networks were set to their gateway and packets would not return over OpenVPN. The salmon return analogy Tom uses for packets returning magically.

Thanks,
Mike
--- Mike Lander <landers@lanlinecomputers.com> wrote:
> Would this be better?
> route -p add 10.0.0.0 mask 255.0.0.0 10.5.198.238

No. This encompasses the existing 10.5.198.0/24 network. You need to find out the actual "NETWORK" IP that they are going to when they go through the proxy. This most definitely isn't on the same 10.5.198.0/24 network; that's why there's a router there internally.

JBanks

__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com
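The two route commands proposed in this thread (10.5.198.29 mask 255.255.255.0 and 10.0.0.0 mask 255.0.0.0, both via 10.5.198.238) fail for the reasons Tom and JBanks give above. The following is an added example, not code from the thread or from Shorewall, that checks a candidate workstation route against the connected LAN and simulates the workstation's longest-prefix lookup, so the effect of a blanket 10/8 route is visible before it is pushed to 90 machines. The LAN and gateway addresses are the ones quoted in the thread; the Toyota network (10.200.0.0/16) and the OpenVPN network (10.99.0.0/24) are assumptions, since nobody in the thread establishes what actually lies behind 10.5.198.238.

```python
"""Sanity-check the static routes proposed in the thread before pushing them
to ~90 workstations.  Added example, not code from the thread.  The LAN and
the two gateways are the addresses quoted in the thread; the Toyota network
(10.200.0.0/16) and the OpenVPN network (10.99.0.0/24) are assumptions."""
import ipaddress

LAN = ipaddress.ip_network("10.5.198.0/24")         # connected segment (from the thread)
FAST_GW = ipaddress.ip_address("10.5.198.20")       # Shorewall box, default gateway
TOYOTA_GW = ipaddress.ip_address("10.5.198.238")    # second router on the same segment
TOYOTA_NET = ipaddress.ip_network("10.200.0.0/16")  # assumed; must be researched
VPN_NET = ipaddress.ip_network("10.99.0.0/24")      # assumed remote collision-center network


def parse_windows_route(args):
    """Parse the arguments of 'route -p add DEST mask MASK GATEWAY' (Windows syntax)."""
    dest, keyword, mask, gateway = args.split()
    if keyword.lower() != "mask":
        raise ValueError("expected: DEST mask MASK GATEWAY")
    # strict=False lets a host address such as 10.5.198.29/24 denote its network
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False), ipaddress.ip_address(gateway)


def check_route(net, gateway, lan=LAN):
    """Return the problems with routing 'net' via 'gateway' from a host on 'lan'."""
    problems = []
    if gateway not in lan:
        problems.append(f"gateway {gateway} is not on {lan}, so the host cannot ARP for it")
    if net.subnet_of(lan):
        # The connected /24 is at least as specific, so this entry is never used.
        problems.append(f"{net} is inside the connected network {lan}; the route is useless")
    elif lan.subnet_of(net):
        # Longest-prefix match keeps LAN traffic local, but every other address in
        # the supernet (VPN networks, other private ranges) is diverted to this gateway.
        problems.append(f"{net} contains {lan}; all other non-local {net} traffic goes via {gateway}")
    return problems


def next_hop(routes, ip):
    """Longest-prefix match over (network, gateway) pairs; gateway None means on-link."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, gateway in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        return None
    return "on-link" if best[1] is None else str(best[1])


# Workstation table after the intended fix: default via the fast gateway,
# LAN on-link, only the (assumed) Toyota network via the Toyota router.
GOOD_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), FAST_GW),
    (LAN, None),
    (TOYOTA_NET, TOYOTA_GW),
]
# The same table with the blanket 10.0.0.0/8 route from the thread added.
BAD_ROUTES = GOOD_ROUTES + [(ipaddress.ip_network("10.0.0.0/8"), TOYOTA_GW)]

if __name__ == "__main__":
    for cmd in ("10.5.198.29 mask 255.255.255.0 10.5.198.238",
                "10.0.0.0 mask 255.0.0.0 10.5.198.238",
                "10.200.0.0 mask 255.255.0.0 10.5.198.238"):
        print(f"route -p add {cmd}:", check_route(*parse_windows_route(cmd)) or "OK")
    for ip in ("10.200.1.5", "10.5.198.29", "8.8.8.8", str(VPN_NET[1])):
        print(ip, "good:", next_hop(GOOD_ROUTES, ip), "bad:", next_hop(BAD_ROUTES, ip))
```

The last loop is the point JBanks makes: with 10.0.0.0/8 via 10.5.198.238 installed, LAN hosts are still reached on-link because the connected /24 is more specific, but an address in the assumed 10.99.0.0/24 OpenVPN network is handed to the Toyota router instead of the Shorewall box. Only a route for the real networks behind 10.5.198.238 passes the check cleanly.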
--- Mike Lander <landers@lanlinecomputers.com> wrote:
> I have simply added static routes in Linux to alternate gateways and
> been able to access those networks when there are alternate gateways to
> car manufacturers. I once had Tom help me with static NAT when I needed
> the packets to return over OpenVPN. These networks were set to their
> gateway and packets would not return over OpenVPN.

Personally Mike, this is what I thought from the very beginning of your post. I'm not sure, but it seems that having the proxy in the mix is what's complicating things, as well as not knowing what the actual other networks are behind the internal router that you need to get to. I'll be keeping my eye on this thread.

What state are you working in Mike. WA?

JBanks
----- Original Message -----
From: "Joshua Banks" <l0f33t@yahoo.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Thursday, October 02, 2003 1:57 AM
Subject: Re: [Shorewall-users] Internal gateways

> Personally Mike, this is what I thought from the very beginning of your
> post. I'm not sure, but it seems that having the proxy in the mix is
> what's complicating things, as well as not knowing what the actual other
> networks are behind the internal router that you need to get to. I'll be
> keeping my eye on this thread.
>
> What state are you working in Mike. WA?
>
> JBanks

Yes, WA.
I remember the first time I dealt with 3rd party servers on a LAN with GM, and my first Linux firewall; it was a similar situation with General Motors. I just added the route in Linux exactly like this:

10.0.0.0 255.0.0.0 gw 10.5.198.29

where 10.5.198.29 was the IP address of the GM server, and the workstations could access the alternate gateway when they needed the GM network. GM has a private network through satellites.

Are there any rules, policies etc. to change in Shorewall when you give Linux alternate gateways, or does Shorewall find that automagically? The neat thing is, when I install the Shorewall box, the Toyota network will still work. I just have to change the gateway at a workstation and try the above. Or the persistent route might be a better idea. Then get OpenVPN working to their remote collision center.

Thanks a bunch Tom and Josh
What state are you in Josh.

Mike
On Thu, 2003-10-02 at 09:38, Mike Lander wrote:
> Are there any rules, policies etc. to change in Shorewall when you give
> Linux alternate gateways, or does Shorewall find that automagically?

For the most part, it is automatic. If you specify the internal interface name in the SUBNET column of the masq file then Shorewall will use the routing table to find all of the networks accessible through the local interface and will set up masquerading for all of them.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
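Tom's description above is easy to confirm by hand. The following is an added example, not Shorewall's own code, that emulates what a masq entry of "eth0  eth1" (the interface name in the SUBNET column) does: read the routing table, collect the networks the kernel reaches through eth1, and emit one MASQUERADE rule per network. The "ip route show" output is constructed from the addresses quoted in the thread; the 10.200.0.0/16 route behind 10.5.198.238 is an assumption standing in for whatever Toyota networks turn out to be there.

```python
"""Emulate what Shorewall does when the SUBNET column of /etc/shorewall/masq
names an interface instead of a network: walk the routing table and
masquerade every network reachable through that interface.  Added example,
not Shorewall's code.  The masq entry being emulated (Shorewall 1.4 layout):

    #INTERFACE   SUBNET   ADDRESS
    eth0         eth1
"""
import ipaddress

# Constructed `ip route show` output for a firewall laid out as in the thread,
# after a static route to the ASSUMED Toyota network has been added on the box.
SAMPLE_IP_ROUTE = """\
64.42.49.232/29 dev eth0  proto kernel  scope link  src 64.42.49.235
10.5.198.0/24 dev eth1  proto kernel  scope link  src 10.5.198.20
10.200.0.0/16 via 10.5.198.238 dev eth1
default via 64.42.49.233 dev eth0
"""


def networks_via(iface, route_text=SAMPLE_IP_ROUTE):
    """Networks the kernel reaches through `iface`, excluding the default route."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue
        # `ip route` prints '... dev <iface> ...'; a bare host route has no prefix length
        if "dev" in fields and fields[fields.index("dev") + 1] == iface:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
    return nets


def masq_rules(ext_iface, int_iface, route_text=SAMPLE_IP_ROUTE):
    """iptables commands equivalent to the masq entry 'ext_iface  int_iface'."""
    return [
        f"iptables -t nat -A POSTROUTING -o {ext_iface} -s {net} -j MASQUERADE"
        for net in networks_via(int_iface, route_text)
    ]


if __name__ == "__main__":
    print("\n".join(masq_rules("eth0", "eth1")))
```

Run stand-alone it prints two rules, one for 10.5.198.0/24 and one for the assumed 10.200.0.0/16; the second appears only because a route to that network exists via eth1, which is what "automagically" amounts to in practice. It does not change which gateway a workstation uses for Toyota traffic, so the persistent routes (or Tom's routeback/newnotsyn variant) are still needed on the client side.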
Hi Mike,

I responded to your personal email address instead of to the list since my dialogue didn't have anything to do with Shorewall. Look forward to your response.

JBanks

--- Mike Lander <landers@lanlinecomputers.com> wrote:
> Thanks a bunch Tom and Josh
> What state are you in Josh.
>
> Mike
Thanks Josh,
My mail server may block Yahoo if it's on any spam blacklists; if it does I will try whitelisting your address.
Thanks,
Mike

----- Original Message -----
From: "Joshua Banks" <l0f33t@yahoo.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, October 03, 2003 10:28 AM
Subject: Re: [Shorewall-users] Internal gateways
--- Mike Lander <landers@lanlinecomputers.com> wrote:
> Thanks Josh,
> My mail server may block Yahoo if it's on any spam blacklists; if it does I will try whitelisting your address.
> Thanks,
> Mike

Hey Mike, I just resent the email.

Joshua Banks
Hey Tom,
I have installed the Shorewall server, which knocked out the Netgear router; recall the post around 10/1/2003 regarding the Toyota network. Last post below.
Shorewall is installed with two NICs, with Squid running, one static WAN IP 63.228.99.225 255.255.255.248; local is 10.5.198.0/24; Shorewall's eth1 is 10.5.198.254.
There is another proxy server on the internal network for access to Toyota: proxy server IP 10.5.198.29 with gateway 10.5.198.238. So the two gateways are Shorewall 10.5.198.254, Toyota 10.5.198.238.
The clients have to manually config their browser to the Toyota as you might recall.
You ask "what networks will they be accessing behind the 10.5.198.29"; answer: dealer.toyota.com, which resolves to 63.90.86.9.
Which would be the best way to solve this??
Thanks
Mike

[root@ns2 root]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
63.228.99.224   0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.5.198.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         63.228.99.230   0.0.0.0         UG    0      0        0 eth0

eth0      Link encap:Ethernet  HWaddr 00:0C:76:1D:27:EA
          inet addr:63.228.99.225  Bcast:63.228.99.231  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:99198 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95246 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:74635880 (71.1 Mb)  TX bytes:19668054 (18.7 Mb)
          Interrupt:11 Base address:0x7000

eth1      Link encap:Ethernet  HWaddr 00:50:BF:79:1C:D8
          inet addr:10.5.198.254  Bcast:10.5.198.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:124788 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131252 errors:0 dropped:0 overruns:0 carrier:0
          collisions:29938 txqueuelen:100
          RX bytes:31172997 (29.7 Mb)  TX byte

Last Post---------------------------------------------------------
On Wed, 1 Oct 2003, Mike Lander wrote:
> Would this be better?
> route -p add 10.0.0.0 mask 255.0.0.0 10.5.198.238

It's not going to be that simple, Mike. You're going to have to research what networks the clients need to access in the Toyota intranet.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Hi Mike,

I've re-read through your previous postings.

It's still unclear to me as to what you want Shorewall to do "specifically". Please re-explain simply what you're trying to accomplish and why, so that I get a fresh understanding of where you're at with this.

I don't want to ask you 20 questions, so I will just ask a couple..

What are, if any, host requirements on the 10.5.198.0/24?

Do client/PCs on the 10.5.198.0/24 network need to use (or be seen as coming from) the proxy server IP of 10.5.198.29???? Or can you bypass the proxy server altogether if possible?

Does 10.5.198.238 route packets to and from the Toyota network. Is that a router or a server configured as a router?

If you're wanting to bypass the proxy server and use Shorewall to get to the Toyota network all you need is routing configured correctly on Shorewall to use 10.5.198.238 to get to the Toyota network. But you will also need to remember that clients will need to resolve DNS for the Toyota domain. You didn't bother to mention anything about DNS.

I'm still doing a lot of guessing so hopefully the link below will help.
http://shorewall.net/Multiple_Zones.html

Joshua Banks
Hey Josh,
Thanks for the reply. I have Shorewall set up to be a firewall and primary gateway; it has Squid and SquidGuard running for content filtering, as well as a file server running Samba. It also has OpenVPN to a remote body shop for access to their accounting server; all this is running on their local network.
Local is 10.5.198.0/24. The Shorewall gateway is 10.5.198.254 running a Squid proxy on DSL.
The Toyota server is on a 56k limited bandwidth connection also giving alternate internet access.
What they are doing now is far fewer people on the network use Toyota, so they configure their Windows 9x or XP machines to use the Toyota gateway, and configure their browsers to use proxy server 10.5.198.29. Then they have bypassed the Squid protection and Shorewall altogether.
They would like to use my Shorewall server to route the packets to the Toyota proxy server. There is also DNS with Toyota that I can use.
So using Shorewall as a gate, route dealer.toyota.com goes to the Toyota proxy, everything else the other gate, the Shorewall server. I have not tried bypassing the proxy yet.
Is this a pretty good start to answer your questions?
Thanks,
Mike

----- Original Message -----
From: "Joshua Banks" <l0f33t@yahoo.com>
To: "Shorewall Users Mailing List" <shorewall-users@lists.shorewall.net>
Sent: Friday, November 14, 2003 12:40 PM
Subject: Re: [Shorewall-users] Internal gateways
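A routing-decision walk-through, added here as an example and not code from the thread, from Shorewall or from any of the posters: it parses the `route -n` table Mike posted from the Shorewall box, appends two candidate static routes (a host route for dealer.toyota.com's resolved address 63.90.86.9 via the Toyota gateway 10.5.198.238, and the 10.0.0.0/8 route Mike used at the GM site, both constructed for this example), and then resolves sample destinations the way the kernel does, with the longest matching prefix winning. The sample destinations other than the page's own addresses are constructed.

```python
"""Longest-prefix-match simulation of a Linux kernel routing table.

ROUTE_N_OUTPUT is the `route -n` table from the thread (header line kept,
the "Kernel IP routing table" banner dropped).  CANDIDATE_ROUTES are the
two static routes discussed in the thread, constructed for this example.
"""
import ipaddress

ROUTE_N_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
63.228.99.224   0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.5.198.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         63.228.99.230   0.0.0.0         UG    0      0        0 eth0
"""

# Candidate static routes as (destination, genmask, gateway, iface):
#  - host route for dealer.toyota.com (63.90.86.9 per the thread) via the
#    Toyota gateway 10.5.198.238;
#  - the /8 route Mike used at the GM site, via the GM server 10.5.198.29.
CANDIDATE_ROUTES = [
    ("63.90.86.9", "255.255.255.255", "10.5.198.238", "eth1"),
    ("10.0.0.0", "255.0.0.0", "10.5.198.29", "eth1"),
]


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples.

    The first line is the column header; every data line has eight fields.
    """
    routes = []
    for line in text.splitlines()[1:]:
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))
    return routes


def add_route(routes, dest, mask, gw, iface):
    """Append a static route, like `route add -net DEST netmask MASK gw GW`."""
    routes.append((ipaddress.ip_network(f"{dest}/{mask}"), gw, iface))


def lookup(routes, dst):
    """Select the matching route with the longest prefix (kernel behaviour).

    A gateway of 0.0.0.0 means the destination is on-link and is delivered
    directly.  Returns (next_hop, iface), or None if nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        return None
    _net, gw, iface = best
    return (gw if gw != "0.0.0.0" else "on-link", iface)


def resolve_all(destinations):
    """Build the table (posted routes + candidates) and resolve each destination."""
    table = parse_route_n(ROUTE_N_OUTPUT)
    for route in CANDIDATE_ROUTES:
        add_route(table, *route)
    return {d: lookup(table, d) for d in destinations}


if __name__ == "__main__":
    # 10.12.0.1 and 198.51.100.7 are constructed sample destinations.
    samples = ["63.90.86.9", "10.5.198.29", "10.12.0.1", "198.51.100.7"]
    for dst, decision in resolve_all(samples).items():
        print(f"{dst:15} -> {decision}")
```

Two things the walk-through makes visible that the thread only argues about: the connected 10.5.198.0/24 route still wins for hosts on the LAN even after a 10.0.0.0/8 route via 10.5.198.29 is added, because /24 is longer than /8, so the GM-style route never captures local traffic; and a /32 for dealer.toyota.com covers exactly the one address it was resolved to, nothing else behind 10.5.198.238, which is why Tom says the real Toyota intranet ranges have to be researched and why the route has to be kept in step with DNS. Traffic that takes either candidate route enters the Shorewall box on eth1 and leaves on eth1 again, so the firewall's policy for that interface must permit the hairpin as well as the route existing.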