Bruce P. Morin
2003-Oct-02 10:52 UTC
[Shorewall-users] Shorewall Praise and aliased interface issue:
Good Afternoon,

For about the last year and a half we have been using Shorewall for our network and have been extremely pleased with the product. I wanted to mention that upfront because so many times we go through life not expressing our appreciation of such things. Tom, kudos to a great product.

Now that is said, on to the issue:

First we've been running a three interface setup:

    eth0 = goes to our DSL modem
    eth1 = goes to our lan (loc) with NAT
    eth2 = goes to our DMZ and each box on the dmz contains public addresses so no NAT or SNAT

For us, this has been running extremely well and we haven't had any issues, that is until now. We ran out of IP numbers on the DMZ and needed to get an additional IP block with a new subnet. Here is what we have done so far:

First, we upgraded to Shorewall 1.4.6c.
Second, we created an alias for the eth2:1 with the new information including routing.
Third, we went to the MULTIPLE SUBNETS section of the FAQ and updated the interfaces file and the hosts file with:

Hosts File:

    dmz    eth2:208.164.49.159/29
    dmz    eth2:208.139.11.123/30

Interfaces:

    net    ppp0    detect
    loc    eth1    192.168.1.0/24
    dmz    eth2    208.164.49.159,208.139.11.123

Now we can ping internally and we access the public services on the DMZ from within the network, but we still can't access from the outside. Can anyone shed some light on this or point me in the right direction?

Sincerely,
Bruce P. Morin
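The hosts entries in the post above give each DMZ block as address/prefix. A check worth running on such entries before they go into the hosts file or onto an eth2:1 alias is to work out which network, broadcast and usable-host range each CIDR actually covers, and whether a given address is the network address, the broadcast address or an ordinary host. The script below is an added example written for this thread; it is not code from the post or from Shorewall, the function names (ip_to_int, cidr_range, addr_role and so on) are mine, and the only inputs it is fed are the addresses quoted in the post. It uses nothing beyond POSIX sh arithmetic, so it runs on a firewall box with no extra tools.

```shell
#!/bin/sh
# Added example (not part of the original thread or of Shorewall):
# compute the range covered by a CIDR block and classify an address
# within it, to sanity-check entries such as eth2:208.164.49.159/29.

# ip_to_int A.B.C.D  -> prints the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1          # split on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N  -> prints the integer as dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N  -> prints "network broadcast first-host last-host"
cidr_range() {
    ip=$(ip_to_int "${1%/*}")
    prefix=${1#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0                                   # /0: shifting by 32 is undefined
    else
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip $net) $(int_to_ip $bcast) $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1)))"
}

# cidr_network A.B.C.D/N  -> prints the block in canonical form, e.g. 208.164.49.152/29
cidr_network() {
    prefix=${1#*/}
    range=$(cidr_range "$1")
    echo "${range%% *}/$prefix"
}

# addr_role A.B.C.D/N  -> prints "network", "broadcast" or "host" for the address part
addr_role() {
    a=$(ip_to_int "${1%/*}")
    set -- $(cidr_range "$1")                   # $1=network $2=broadcast
    if [ "$a" -eq "$(ip_to_int "$1")" ]; then
        echo network
    elif [ "$a" -eq "$(ip_to_int "$2")" ]; then
        echo broadcast
    else
        echo host
    fi
}

# Constructed input: the entries quoted in the post above.
for entry in 208.164.49.159/29 208.139.11.123/30 192.168.1.0/24; do
    set -- $(cidr_range "$entry")
    printf '%-20s network %-16s broadcast %-16s hosts %s-%s  (%s is the %s address)\n' \
        "$entry" "$1" "$2" "$3" "$4" "${entry%/*}" "$(addr_role "$entry")"
done
```

Run it as `sh cidrcheck.sh`; each line names the canonical network for the block and says whether the address you wrote is the network, the broadcast or a host. The address column in the hosts and interfaces files is then easy to compare against the block the ISP actually assigned.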
Tom Eastep
2003-Oct-02 11:06 UTC
[Shorewall-users] Shorewall Praise and aliased interface issue:
On Thu, 2003-10-02 at 10:52, Bruce P. Morin wrote:

> Tom, kudos to a great product.

Thanks!

> eth0 = goes to our DSL modem
> eth1 = goes to our lan (loc) with NAT
> eth2 = goes to our DMZ and each box on the dmz contains public addresses
> so no NAT or SNAT
>
> For us, this has been running extremely well and we haven't had any
> issues, that is until now. We ran out of IP numbers on the DMZ and
> needed to get an additional IP block with a new subnet.

How is your ISP handling that block? Is it being routed through one of your existing IP addresses or is your firewall/gateway expected to respond to ARP requests for this new subnet?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net