I've been running shorewall without any problems for several months. But I've now run into a problem. Hopefully this will be enough information. I'm running shorewall version 1.4.8 on Fedora Core 1. Coming into my location I have a T1. I have 5 internet routable IPs. I'm currently using one as my default internet connection. My ISP's router is actually assigned all of my internet routable IPs and they forward the traffic to an internal ethernet segment. On this segment I have my firewall. The firewall has 3 interfaces: eth0 is internal lan, eth1 ISP lan, eth2 ISP lan. I have one internet routable IP going to eth1 and a second going to eth2. Everything is working properly for eth1. On eth2 I am trying to run a webserver on my firewall (I have an application using port 80 on eth1). I can see the traffic hitting the firewall on eth2, but I don't get a response. At first I was seeing the traffic being dropped in the log files, but I made some changes from the FAQ for using multiple ISPs and I'm no longer getting that. Does anyone have any feedback as to whether this is a shorewall problem or if it possibly has to do with the routing on my linux box? Or is there a better way to accomplish what I'm trying to do that does not require an additional machine? Any help would be greatly appreciated.

Nick

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. If you have any questions please contact nick@precisionmillworks.com
Mailscanner thanks transtec Computers for their support.
nick@precisionmillworks.com wrote:

> I've been running shorewall without any problems for several months. But
> I've now run into a problem. Hopefully this will be enough information.
> I'm running shorewall version 1.4.8 on Fedora Core 1. Coming into my
> location I have a T1. I have 5 internet routable IPs. I'm currently
> using one as my default internet connection. My ISP's router is actually
> assigned all of my internet routable IPs and they forward the traffic to
> an internal ethernet segment. On this segment I have my firewall. The
> firewall has 3 interfaces: eth0 is internal lan, eth1 ISP lan, eth2 ISP
> lan.

Why? One ethernet adapter can more than handle the traffic for a T1.

> I have one internet routable IP going to eth1 and a second going to
> eth2. Everything is working properly for eth1. On eth2 I am trying to run
> a webserver on my firewall (I have an application using port 80 on eth1).
> I can see the traffic hitting the firewall on eth2, but I don't get a
> response. At first I was seeing the traffic being dropped in the log
> files, but I made some changes from the FAQ for using multiple ISPs

About all you needed to do was assign both eth1 and eth2 to the 'net' zone and set 'arp_filter' on both interfaces.

> and
> I'm no longer getting that. Does anyone have any feedback as to whether
> this is a shorewall problem or if it possibly has to do with the routing
> on my linux box? Or is there a better way to accomplish what I'm trying
> to do that does not require an additional machine?

I would remove one NIC (eth2) from your system and jump up and down on it until you no longer have the urge to use it for anything. Then I would reassemble the machine and assign both of the public addresses to the same interface (eth1) -- the Shorewall Setup Guide should give you plenty of ideas for how to use your addresses without requiring multiple physical adapters facing your ISP.

Also see http://Shorewall_and_Aliased_Interfaces.html for additional information.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:

> I would remove one NIC (eth2) from your system and jump up and down on
> it until you no longer have the urge to use it for anything. Then I
> would reassemble the machine and assign both of the public addresses to
> the same interface (eth1) -- the Shorewall Setup Guide should give you
> plenty of ideas for how to use your addresses without requiring multiple
> physical adapters facing your ISP. Also see
> http://Shorewall_and_Aliased_Interfaces.html for additional information.

I should warn you that if you take my advice and go with one external interface, you may have problems with the second address for a while because of a stale ARP cache in your ISP's router (see either the Proxy ARP documentation or the One-to-one NAT documentation for diagnosis and possible remedies).

I should also mention that if your ISP has an arcane rule about "one IP address" = "one MAC address" then you're stuck with both NICs and the interesting problems that come with them (although specifying 'arp_filter' in /etc/shorewall/interfaces should avoid the worst of those).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
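For readers who want to see what Tom's "one external interface, two public addresses" layout looks like in Shorewall 1.4 configuration files, the following is an added example; it is not taken from the thread or from the Shorewall project. The addresses 203.0.113.10 and 203.0.113.11 are constructed placeholders, the `fw:address` form in the rules DEST column is assumed from the Shorewall documentation of that era, and the `arp_filter` option is included because Tom recommends it for the two-NIC variant (it is harmless with a single external NIC).

```text
# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet (ISP segment)
loc     Local     Internal LAN

# /etc/shorewall/interfaces
# One NIC faces the ISP. arp_filter stops the box from answering ARP for an
# address that lives on a different interface, which is the cause of the
# "impossible IN=" drops seen with two NICs on the same ISP segment.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      arp_filter
loc     eth0        detect

# /etc/shorewall/init  (extension script sourced at startup)
# Add the second public address as an alias on eth1. On Fedora this can
# equally be done with an ifcfg-eth1:0 file. 203.0.113.11 is a placeholder.
ip addr add 203.0.113.11/24 dev eth1 2>/dev/null || true

# /etc/shorewall/policy
# Unsolicited traffic from the net is dropped and logged; the log entries
# are what showed Nick the original drops, so keep the "info" level.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Two services on port 80 on the firewall itself, each bound to its own
# public address; matching on the destination address keeps each rule
# scoped to exactly one listener instead of opening port 80 on every IP.
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
ACCEPT    net      fw:203.0.113.10      tcp     80    # existing application
ACCEPT    net      fw:203.0.113.11      tcp     80    # web server
```

After a `shorewall restart`, Tom's caveat about the ISP router's stale ARP cache still applies: until that cache expires or is refreshed, the router may keep sending traffic for the second address to the old eth2 MAC, so a period of no response on 203.0.113.11 is expected rather than a sign of a broken ruleset.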