Hit my first wall as to which list to use?

Situation -

I have a working configuration of a Linux box running Shorewall 1.4.8,
2.4.20 kernel (SuSE 9.0 Professional)

eth0 to another Linux box firewall also running Shorewall 1.4.8; this is
how I get to the Internet
eth1 to a switch with the rest of my internal network
eth2 to work

All internal traffic comes to this same box because it is my name server
and squid server (behind the "real" firewall)

I currently get into work with a Citrix client to get to a Terminal Server
box...no problem

What I want:

to use any other box in my network running Citrix to get to work

i.e. anything that comes into eth1 with an address of 172. needs
to go out eth2 to work (NOT eth1 to the Internet)

It seems I would be able to configure Shorewall on this box to re-direct
all traffic on that subnet to go out my eth2 interface...

Which list do I post this question on? (I can re-post on the Newbie list)

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Thu, 2003-12-04 at 12:13, Bill.Light@kp.org wrote:

> Situation -
>
> I have a working configuration of a Linux box running Shorewall 1.4.8
> 2.4.20 kernel (SuSE 9.0 Professional)
>
> eth0 to another Linux box firewall also running Shorewall 1.4.8 this is
> how I get to the Internet
> eth1 to a switch with the rest of my internal network
> eth2 to work
>
> All internal traffic comes to this same box because it is my name server
> and squid server (behind the "real" firewall)
>
> I currently get into work with a Citrix client to get to a Terminal Server
> box...no problem
>
> What I want:
>
> to use any other box in my network running citrix to get to work
>
> i.e. anything that comes into eth1 with an address of 172. needs
> to go out eth2 to work (NOT eth1 to the Internet)
>
> It seems I would be able to configure shorewall on this box to re-direct
> all traffic on that subnet to go out my eth2 interface ...
>

Isn't this a simple routing problem? I don't understand what barrier
there is preventing you from doing what you want (other than you probably
have to masquerade traffic from eth1 -> eth2).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-12-04 at 12:13, Bill.Light@kp.org wrote:

> Situation -
>
> I have a working configuration of a Linux box running Shorewall 1.4.8
> 2.4.20 kernel (SuSE 9.0 Professional)
>
> eth0 to another Linux box firewall also running Shorewall 1.4.8 this is
> how I get to the Internet
> eth1 to a switch with the rest of my internal network
> eth2 to work
>
> All internal traffic comes to this same box because it is my name server
> and squid server (behind the "real" firewall)
>
> I currently get into work with a Citrix client to get to a Terminal Server
> box...no problem
>
> What I want:
>
> to use any other box in my network running citrix to get to work
>
> i.e. anything that comes into eth1 with an address of 172. needs
> to go out eth2 to work (NOT eth1 to the Internet)
>
> It seems I would be able to configure shorewall on this box to re-direct
> all traffic on that subnet to go out my eth2 interface ...
>

Isn't this a simple routing problem? I don't understand what barrier
there is preventing you from doing what you want (other than you probably
have to masquerade traffic from eth1 -> eth2).

-Tom

======================================================================

Thanks Tom -

hmmmm I suppose it is, and yes, it probably does need to be masqueraded
across the interfaces in this one box....

At least the question was answered....this probably doesn't belong on
either "shorewall" list

What would that MASQ entry look like?

eth2:172.x.x.x/24    eth1:192.x.x.x/24    # ?? Maybe ??

I guess I can go try various options....

Sigh... sufficiently talented fool

- Bill
On Thu, 2003-12-04 at 12:57, Bill.Light@kp.org wrote:

> hmmmm I suppose it is, and yes, it probably does need to be masqueraded
> across the interfaces in this one box....
>
> At least the question was answered....this probably doesn't belong on
> either "shorewall" list

The question itself is fine on either list.

>
> What would that MASQ entry look like ?
>
> eth2:172.x.x.x/24    eth1:192.x.x.x/24    # ?? Maybe ??
>
> I guess I can go try various options....
>

This is exactly why I get so tired of answering questions. We've just been
through a two-day marathon on this list talking about people who don't
read the documentation and you conclude that rather than reading the
documentation (http://www.shorewall.net/Documentation.htm#Masq)
yourself, you should:

a) Ask on the list; and if that doesn't work
b) "I guess I can go try various options...."

I'm so discouraged.....

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thursday 04 December 2003 04:35 pm, Tom Eastep wrote:

> > I guess I can go try various options....
>
> This is exactly why I get so tired of answering questions. We've just been
> through a two-day marathon on this list talking about people who don't
> read the documentation and you conclude that rather than reading the
> documentation (http://www.shorewall.net/Documentation.htm#Masq)
> yourself, you should:
>
> a) Ask on the list; and if that doesn't work
> b) "I guess I can go try various options...."
>
> I'm so discouraged.....

Hi Tom. It's been a long time since I've participated on the list, but this
is something I'd like to address.

I've noticed in my lurking that a great many people post to the list in the
same "style" they'd use in a verbal conversation. Something like "go try
various options" is a pretty nebulous statement, and it doesn't actually
preclude reading the documentation again.

I _completely_ understand your frustration, as I watch in awe at the
consistent level of in-depth technical advice you've provided to the list. I
wonder, though, if perhaps you aren't being a little too literal while others
are being too informal?

I've been quiet through all the discussion so far because I don't have any
positive contributions to make. It seems like you genuinely want to provide
technical support, and I respect that commitment to your work. I don't want
to advocate a solution like "Tom should only answer questions that the
community can't answer in three days" because I don't want to tell you how to
run your show. I think a better solution is "Tom answers the questions he
feels like answering, and sod the rest." ;)

I think the newbies list is a good thing, provided the community is gentle in
redirecting people who incorrectly / too-quickly subscribe to the
(non-newbie) users mailing list.
On Thu, 2003-12-04 at 14:00, Scott Merrill wrote:

> On Thursday 04 December 2003 04:35 pm, Tom Eastep wrote:
> > > I guess I can go try various options....
> >
> > This is exactly why I get so tired of answering questions. We've just been
> > through a two-day marathon on this list talking about people who don't
> > read the documentation and you conclude that rather than reading the
> > documentation (http://www.shorewall.net/Documentation.htm#Masq)
> > yourself, you should:
> >
> > a) Ask on the list; and if that doesn't work
> > b) "I guess I can go try various options...."
> >
> > I'm so discouraged.....
>
> Hi Tom. It's been a long time since I've participated on the list, but this
> is something I'd like to address.
>
> I've noticed in my lurking that a great many people post to the list in the
> same "style" they'd use in a verbal conversation. Something like "go try
> various options" is a pretty nebulous statement, and it doesn't actually
> preclude reading the documentation again.
>

I could buy that argument if the proposed /etc/shorewall/masq entry that
the OP posted was syntactically valid -- it wasn't, which means to me that
little or no reading was done BEFORE the reply was posted. Especially when
a workable entry is so obvious:

eth1    eth2

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-12-04 at 14:00, Scott Merrill wrote:

>
> I _completely_ understand your frustration, as I watch in awe at the
> consistent level of in-depth technical advice you've provided to the list. I
> wonder, though, if perhaps you aren't being a little too literal while others
> are being too informal?

It's possible -- email is a rather imprecise medium.

>
> I've been quiet through all the discussion so far because I don't have any
> positive contributions to make. It seems like you genuinely want to provide
> technical support, and I respect that commitment to your work. I don't want
> to advocate a solution like "Tom should only answer questions that the
> community can't answer in three days" because I don't want to tell you how to
> run your show. I think a better solution is "Tom answers the questions he
> feels like answering, and sod the rest." ;)

It may come to that :)

>
> I think the newbies list is a good thing, provided the community is gentle in
> redirecting people who incorrectly / too-quickly subscribe to the
> (non-newbie) users mailing list.

Nod.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-12-04 at 14:00, Scott Merrill wrote:

> On Thursday 04 December 2003 04:35 pm, Tom Eastep wrote:
> > > I guess I can go try various options....
> >
> > This is exactly why I get so tired of answering questions. We've just been
> > through a two-day marathon on this list talking about people who don't
> > read the documentation and you conclude that rather than reading the
> > documentation (http://www.shorewall.net/Documentation.htm#Masq)
> > yourself, you should:
> >
> > a) Ask on the list; and if that doesn't work
> > b) "I guess I can go try various options...."
> >
> > I'm so discouraged.....
>
> Hi Tom. It's been a long time since I've participated on the list, but this
> is something I'd like to address.
>
> I've noticed in my lurking that a great many people post to the list in the
> same "style" they'd use in a verbal conversation. Something like "go try
> various options" is a pretty nebulous statement, and it doesn't actually
> preclude reading the documentation again.
>

I could buy that argument if the proposed /etc/shorewall/masq entry that
the OP posted was syntactically valid -- it wasn't, which means to me that
little or no reading was done BEFORE the reply was posted. Especially when
a workable entry is so obvious:

eth1    eth2

-Tom

=============================================

Tom -

As the latest "discourager" for you - I'm willing to reply, rather than
hide or un-subscribe...

The original entry above was EXACTLY what I tried, and it did NOT work.
Something that I did caused all traffic - including my local LAN - to route
Internet browsing through work...not a desired result. I did have a
working configuration, but with SuSE's impending "Discontinued SuSE Linux
Distributions (7.3)" (which was announced today) when my hard disk died, I
used the current release (SuSE Professional 9.0), as well as the "current"
Shorewall (which was 1.4.7c at the time I built the box).

I have not claimed it's the fault of Shorewall. I have read and re-read
all six examples (you can count them if you think I didn't already look)
as well as the comment lines in the file /etc/shorewall/masq itself. If
it had worked, I wouldn't have posted the question to begin with. I'm not
so proud that I wouldn't post it to the newbies list - I chose this list
exactly because it didn't work as it had for me before and the examples
were NOT working for me...

Which is why I say "I can go try various options". I was NOT attempting
to discount your answer or trying to be lazy; my wife goes crazy with
Shorewall Documentation sitting next to the bed, because that has become
my night time reading. To aggravate matters, every time I try to do this
one little suggestion or a tidbit I pick up - if it blows me out I can't
get to it until 9 or 10 that night.

I wouldn't expect you to run every version and distro of Linux out there,
and, by your posts, you have shown yourself to be Red Hat - I happened to
have chosen SuSE. But there appear to be enough differences that it
sometimes interferes with what may seem trivial to you.

I apologize for the "discouragement" and aggravation and I'll stick to
the newbie list for posting.

- Bill
The Sufficiently Talented Fool
On Thu, 2003-12-04 at 15:20, Bill.Light@kp.org wrote:

>
> As the latest "discourager" for you - I'm willing to reply, rather than
> hide or un-subscribe...

Thanks.

>
> The original entry above was EXACTLY what I tried, and it did NOT work.
> Something that I did, caused all traffic - including my local LAN to route
> Internet browsing through work...not a desired result.

The entry in /etc/shorewall/masq only affects the source address used for
traffic forwarded from eth2->eth1; it doesn't determine which traffic is
routed that way. On your firewall system, I assume that the default route
is via eth0? If so, then any traffic from eth2 that is not routed elsewhere
by entries in your routing table will be routed to the default gateway on
eth0.

If at the time that you were seeing this unexpected (and from your point
of view, incorrect) behavior, you would have captured the information
requested at http://www.shorewall.net/support.htm and would have forwarded
it (to either list :-), we would have had a much better chance of helping
you.

> I did have a
> working configuration, but with SuSE's impending "Discontinued SuSE Linux
> Distributions (7.3)" (which was announced today) when my hard disk died, I
> used the current release (SuSE Professional 9.0), as well as the "current"
> Shorewall (which was 1.4.7c at the time I built the box).
>
> I have not claimed it's the fault of shorewall, I have read and re-read
> all six examples (you can count them if you think I didn't already look)
> as well as the comment lines in the file /etc/shorewall/masq itself. If
> it had worked, I wouldn't have posted the question to begin with. I'm not
> so proud that I wouldn't post it to the newbies list - I chose this list,
> exactly because it didn't work as it had for me before and the examples
> were NOT working for me...

Ok -- this is all great information that was missing in your original
post. Remember, Bill, that all we know about your problem is what you
write in your posts.

Now I realize that your post was actually trying to determine which list
was appropriate -- in the future, please just post away; as someone else
has pointed out, with this two-list setup we're currently abusing
ourselves with, we must be gentle in our rebukes regarding posts to the
wrong list.

>
> Which is why I say "I can go try various options" I was NOT attempting
> to discount your answer or trying to be lazy, my wife goes crazy with
> Shorewall Documentation sitting next to the bed, because that has become
> my night time reading.

I use similar reading material as a substitute for sleeping pills :-)

> To aggravate matters, every time I try to do this
> one little suggestion or a tidbit I pick up - if it blows me out I can't
> get to it until 9 or 10 that night.

???

>
> I wouldn't expect you to run every version and distro of Linux out there,
> and, by your posts, you have shown yourself to be Red Hat - I happened to
> have chosen SuSE. But there appear to be enough differences that it
> sometimes interferes with what may seem trivial to you.
>

Nevertheless, the more information that you capture *at the time of the
failure* and provide to us, the more we can help you. I can fire up SuSE
under VMWare if need be to check for distribution differences but I've
generally found that once I get the installation correct on a particular
distribution, Shorewall works the same on all of them.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
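The distinction Tom draws in his last reply (the routing table decides which interface a forwarded packet leaves on; a masq entry only rewrites the source address of packets that are already leaving through the interface it names) is easy to lose in a mailing-list exchange, so here is a small Python model of it. This is an added example, not code from the thread or from Shorewall: the prefixes 192.168.1.0/24 (LAN on eth1), 10.0.2.0/24 (link to work on eth2) and 172.16.0.0/12 (work's internal range) are constructed, since the thread only mentions "172." and "192.x.x.x"; the masquerade rule is modelled on the INTERFACE/SUBNET/ADDRESS columns of /etc/shorewall/masq, which Shorewall implements with iptables rather than in Python. The third routing table shows one configuration that would produce the symptom Bill reports (Internet browsing leaving via work): a default route pointing at eth2.

```python
"""Toy model: longest-prefix routing picks the egress interface first;
a masquerade (SNAT) rule is consulted only afterwards and only changes
the source address.  All addresses are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Constructed routing tables for the three-interface box in the thread,
# as (destination prefix, interface).  0.0.0.0/0 is the default route.
ROUTES_NO_WORK_ROUTE = [
    ("0.0.0.0/0", "eth0"),         # default: the path to the Internet
    ("192.168.1.0/24", "eth1"),    # constructed LAN prefix
    ("10.0.2.0/24", "eth2"),       # constructed point-to-point link to work
]
# Same table plus a static route for work's internal range via eth2.
ROUTES_WITH_WORK_ROUTE = ROUTES_NO_WORK_ROUTE + [("172.16.0.0/12", "eth2")]
# A default route via eth2 sends everything not matched elsewhere to work.
ROUTES_DEFAULT_VIA_WORK = [
    ("0.0.0.0/0", "eth2"),
    ("192.168.1.0/24", "eth1"),
    ("10.0.2.0/24", "eth2"),
]

# Masquerade rules modelled on the /etc/shorewall/masq columns:
# INTERFACE = interface the packet leaves on, SUBNET = source addresses
# to rewrite, ADDRESS = address to rewrite them to (constructed values).
MASQ_RULES = [
    {"interface": "eth2", "subnet": "192.168.1.0/24", "address": "10.0.2.1"},
]


def egress_interface(dst, routes):
    """Return the interface chosen by longest-prefix match, or None."""
    dst = ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def forward(src, dst, routes, masq_rules=MASQ_RULES):
    """Route a forwarded packet, then apply the first matching masq rule.

    The masq rule can only act on packets that routing has already sent
    out through the interface the rule names; it never redirects them."""
    iface = egress_interface(dst, routes)
    new_src = src
    for rule in masq_rules:
        if rule["interface"] == iface and ip_address(src) in ip_network(rule["subnet"]):
            new_src = rule["address"]
            break
    return {"egress": iface, "src": new_src}


if __name__ == "__main__":
    lan_host, work_host, internet_host = "192.168.1.20", "172.16.5.9", "198.51.100.7"
    print("masq rule only, no route to work:",
          forward(lan_host, work_host, ROUTES_NO_WORK_ROUTE))
    print("route to work added:            ",
          forward(lan_host, work_host, ROUTES_WITH_WORK_ROUTE))
    print("Internet with route to work:    ",
          forward(lan_host, internet_host, ROUTES_WITH_WORK_ROUTE))
    print("Internet with default via eth2: ",
          forward(lan_host, internet_host, ROUTES_DEFAULT_VIA_WORK))
```

Running it shows the two halves of Tom's point: with only the masq rule in place, a LAN packet for a 172.16.x host still follows the default route out eth0 with its source address untouched, because the rule names eth2 and the packet never leaves through eth2; once a route for 172.16.0.0/12 via eth2 exists, the same packet leaves on eth2 and is rewritten to the eth2 address, while Internet traffic still leaves on eth0. Only when the default route itself points at eth2 does Internet browsing go to work, which is the behaviour Bill describes.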