Hi List,

I'm using the proxyarp feature in Shorewall to keep using static IPs from machines inside the firewall.

However, they all get announced with the firewall IP number it looks like.

I know it could be a good thing to not expose their real IP numbers and I haven't noticed any problems with it. I would though like to control this myself and be able to set if one/several machine(s) should be masqueraded or not.

Is there any way I can configure Shorewall not to do so?

/Thomas
On Friday 23 January 2004 12:34 pm, Thomas Svenson wrote:
> Hi List,
>
> I'm using the proxyarp feature in Shorewall to keep using static IPs from
> machines inside the firewall.
>
> However, they all get announced with the firewall IP number it looks like.
>
> I know it could be a good thing to not expose their real IP numbers and I
> haven't noticed any problems with it. I would though like to control this
> myself and be able to set if one/several machine(s) should be masqueraded
> or not.
>
> Is there any way I can configure Shorewall not to do so?
>

I suspect that you have something like this:

/etc/shorewall/proxyarp

206.124.146.177    eth1    eth0    Yes

/etc/shorewall/masq

eth0    eth1    206.124.146.176

And when 206.124.146.177 connects to an internet host, the source address is 206.124.146.176 -- is this correct?

If so, change your /etc/shorewall/masq entry to:

eth0    <subnet>    206.124.146.176

Where <subnet> is the RFC1918 subnet that resides off of eth1.

Or, if there is no such subnet just remove the /etc/shorewall/masq entry altogether. In that case, the entry in /etc/shorewall/masq is probably there because you refused to believe the documentation when it said that the sample configurations and QuickStart guides only work correctly when you have a single public IP address.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
>> Is there any way I can configure Shorewall not to do so?
>>
>
> I suspect that you have something like this:
>
> /etc/shorewall/proxyarp
>
> 206.124.146.177    eth1    eth0    Yes

Except I have No under HAVEROUTE.

> /etc/shorewall/masq
>
> eth0    eth1    206.124.146.176

Yes.

> And when 206.124.146.177 connects to an internet host, the source
> address is 206.124.146.176 -- is this correct?

Yes, that is what other machines think is that machine's IP number.

> If so, change your /etc/shorewall/masq entry to:
>
> eth0    <subnet>    206.124.146.176

Before I do that I just want to check. Can I still have No as HAVEROUTE then?

> Where <subnet> is the RFC1918 subnet that resides off of eth1.
>
> Or, if there is no such subnet just remove the
> /etc/shorewall/masq entry altogether. In that case, the entry in
> /etc/shorewall/masq is probably there

I use an RFC1918 subnet there, even though all machines on the "inside" have static IPs.

> because you refused to believe the documentation when it said
> that the sample
> configurations and QuickStart guides only work correctly when you
> have a single public IP address.

Hm, must have missed/forgotten that paragraph :)

Thanks Tom,

/Thomas
On Friday 23 January 2004 01:04 pm, Thomas Svenson wrote:
>
> Before I do that I just want to check. Can I still have No as HAVEROUTE
> then?

Yes.

>
> > Where <subnet> is the RFC1918 subnet that resides off of eth1.
> >
> > Or, if there is no such subnet just remove the
> > /etc/shorewall/masq entry altogether. In that case, the entry in
> > /etc/shorewall/masq is probably there
>
> I use an RFC1918 subnet there, even though all machines on the "inside" have
> static IPs.

Then why do you need masquerading at all?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
Tom Eastep wrote:
> On Friday 23 January 2004 01:04 pm, Thomas Svenson wrote:
>> I use an RFC1918 subnet there, even though all machines on the
>> "inside" have static IPs.
>
> Then why do you need masquerading at all?

Sometimes I connect other machines through DHCP inside it and then I need masquerading.

Is there a way of not masquerading static IPs on the inside?

My setup is like this:

ADSL router
Static IP
    |
eth0 Static IP
Firewall (with many servers running)
RFC1918 IP eth1
    |
Switch
    |
LAN
Machines with static IPs
Sometimes machines with RFC1918 IP via DHCP

Note: "|" is used above to show cables between machines/devices.

/Thomas
On Sunday 25 January 2004 04:36 am, Thomas Svenson wrote:
> Tom Eastep wrote:
> > On Friday 23 January 2004 01:04 pm, Thomas Svenson wrote:
> >> I use an RFC1918 subnet there, even though all machines on the
> >> "inside" have static IPs.
> >
> > Then why do you need masquerading at all?
>
> Sometimes I connect other machines through DHCP inside it and then I need
> masquerading.
>
> Is there a way of not masquerading static IPs on the inside?
>

I ALREADY ANSWERED THAT QUESTION!!!!!

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
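The point Tom makes twice in this thread (the masq SOURCE column decides what gets SNATed, so naming the whole interface "eth1" there swallows the proxy-ARP'd public hosts, while naming only the RFC1918 subnet leaves them alone) is easy to check with a small model. The following Python is an added illustration written for this page, not Shorewall code and not how Shorewall actually compiles its rules: it reads masq lines with the three columns used in the thread (INTERFACE, SOURCE, ADDRESS) and decides which source address an outbound packet leaves with. The inside subnet 192.168.1.0/24 and the DHCP host 192.168.1.50 are constructed values standing in for Thomas's unspecified <subnet>; the public addresses are the ones quoted in the thread.

```python
"""Toy model of the /etc/shorewall/masq SOURCE column.

Constructed for this page; it only mirrors the behaviour described in the
thread (an interface name in SOURCE matches every packet that entered on
that interface, a CIDR in SOURCE matches only addresses inside it) and
ignores the many other columns and features of the real masq file.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class MasqEntry:
    interface: str   # INTERFACE column: the interface packets leave on
    source: str      # SOURCE column: an interface name or a CIDR/address
    address: str     # ADDRESS column: the address to SNAT to


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on (eth1 = LAN side)
    out_iface: str   # interface the packet leaves on (eth0 = ADSL side)
    src: str         # original source address


# Tom's reconstruction of the entry that causes the problem.
ORIGINAL_MASQ = "eth0    eth1    206.124.146.176"

# Tom's corrected entry; 192.168.1.0/24 is a constructed stand-in for <subnet>.
CORRECTED_MASQ = "eth0    192.168.1.0/24    206.124.146.176"


def parse_masq(text: str) -> list[MasqEntry]:
    """Parse whitespace-separated masq lines, skipping blanks and # comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"masq line needs INTERFACE SOURCE ADDRESS: {raw!r}")
        entries.append(MasqEntry(fields[0], fields[1], fields[2]))
    return entries


def source_matches(entry: MasqEntry, pkt: Packet) -> bool:
    """An address/CIDR SOURCE matches by prefix; a name matches the ingress interface."""
    if entry.source[0].isdigit():
        network = ipaddress.ip_network(entry.source, strict=False)
        return ipaddress.ip_address(pkt.src) in network
    return pkt.in_iface == entry.source


def egress_source(entries: list[MasqEntry], pkt: Packet) -> str:
    """Return the source address the packet leaves with: first matching entry wins."""
    for entry in entries:
        if entry.interface == pkt.out_iface and source_matches(entry, pkt):
            return entry.address
    return pkt.src


def compare_configs() -> dict[str, dict[str, str]]:
    """Show both configurations against a proxy-ARP'd host and a DHCP host."""
    proxyarp_host = Packet("eth1", "eth0", "206.124.146.177")  # from the thread
    dhcp_host = Packet("eth1", "eth0", "192.168.1.50")          # constructed
    result = {}
    for name, text in (("original", ORIGINAL_MASQ), ("corrected", CORRECTED_MASQ)):
        entries = parse_masq(text)
        result[name] = {
            proxyarp_host.src: egress_source(entries, proxyarp_host),
            dhcp_host.src: egress_source(entries, dhcp_host),
        }
    return result


if __name__ == "__main__":
    for name, seen in compare_configs().items():
        print(name)
        for original, outside in seen.items():
            print(f"  {original:16} seen by the internet as {outside}")
```

Running it shows the symptom Thomas reported (with the original entry, 206.124.146.177 leaves as 206.124.146.176) and the effect of Tom's fix (the proxy-ARP'd host keeps its own address while the DHCP client in the RFC1918 range is still masqueraded). The same narrowing is what you want from a detection standpoint too: outbound logs that show the real public address per host are far easier to attribute than everything collapsed onto the firewall's address.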