I have problem with IP public, my Network configuration

[wireless] <------> [Router] <------> [ Linux proxy ] <------> [Client ]

IP configuration
[202.123.123.1] <-------> [202.123.123.2 and 192.168.0.1] <------> [192.168.0.2 and 202.123.123.3] <------> [202.123.123.4]

this configuration will use IP 202.123.123.2 on internet
how to config my network to use IP 202.123.123.4 on internet

On Thursday 02 September 2004 22:46, paidjo wrote:
> I have problem with IP public, my Network configuration
>
> [wireless] <------> [Router] <------> [ Linux proxy ] <------> [Client ]
>
> IP configuration
> [202.123.123.1] <-------> [202.123.123.2 and 192.168.0.1] <------> [192.168.0.2 and 202.123.123.3] <------> [202.123.123.4]
>
> this configuration will use IP 202.123.123.2 on internet
> how to config my network to use IP 202.123.123.4 on internet

Is there a Shorewall question in there somewhere?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Subject: [Shorewall-users] Public IP

I have problem with IP public, my Network configuration

[wireless] <------> [Router] <------> [ Linux proxy ] <------> [Client ]

IP configuration
[202.123.123.1] <-------> [202.123.123.2 and 192.168.0.1] <------> [192.168.0.2 and 202.123.123.3] <------> [202.123.123.4]

this configuration will use IP 202.123.123.2 on internet
how to config my network to use IP 202.123.123.4 on internet
------------

See if this fits your needs

http://www.shorewall.net/ProxyARP.htm

Jerry

On Friday 03 September 2004 06:44, Jerry Vonau wrote:
> Subject: [Shorewall-users] Public IP
>
> I have problem with IP public, my Network configuration
>
> [wireless] <------> [Router] <------> [ Linux proxy ] <------> [Client ]
>
> IP configuration
> [202.123.123.1] <-------> [202.123.123.2 and 192.168.0.1] <------> [192.168.0.2 and 202.123.123.3] <------> [202.123.123.4]
>
> this configuration will use IP 202.123.123.2 on internet
> how to config my network to use IP 202.123.123.4 on internet
> ------------
>
> See if this fits your needs
>
> http://www.shorewall.net/ProxyARP.htm
>

The big unknown here is the box labeled "Linux Proxy" -- If all outbound traffic is proxied then all outbound traffic will have to undergo SNAT in the router and will appear to come from 202.123.123.2. But we don't even know if Shorewall is involved here or on which box it is running so I don't know how we can advise this fellow about what to do from a Shorewall perspective.

And one wonders about the rationale for setting up the network with this topology in the first place. For example, if Shorewall is running on the "Linux Proxy" then possibly converting that system to a bridge is the answer (get rid of the RFC1918 network in the middle altogether).

We're going to have to have a better description of the problem before we can help.

-Tom

Tom Eastep wrote:
| For example, if Shorewall is running on the
| "Linux Proxy" then possibly converting that system to a bridge is the answer
| (get rid of the RFC1918 network in the middle altogether).

And even if Shorewall isn't running on the Proxy, converting the proxy to a bridge might still make sense. I've run Squid on a bridge successfully (see http://shorewall.net/myfiles.htm).

-Tom

i was read your "About My Network" but i'm confuse your setting

Ursa : IP 192.168.1.5 and 206.124.146.178
and Easteplaptop

this computer must set 2 IP in 1 card?? 192.168.1.5 and 206.124.146.178
or just LOCAL IP? 192.168.1.5

thanks
wayn

On Fri, 03 Sep 2004 09:49:44 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> | For example, if Shorewall is running on the
> | "Linux Proxy" then possibly converting that system to a bridge is the answer
> | (get rid of the RFC1918 network in the middle altogether).
>
> And even if Shorewall isn't running on the Proxy, converting the proxy
> to a bridge might still make sense. I've run Squid on a bridge
> successfully (see http://shorewall.net/myfiles.htm).
>
> -Tom

No, you use the private one (192.168.1.5) on the network card.

Traffic coming from the Internet would 'see' it as 206.124.146.178 using either proxyarp or by directly mapping the IP using NAT.

Jeff

----- Original Message -----
From: "paidjo" <yanayun@telkom.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Saturday, September 04, 2004 1:37 AM
Subject: Re: [Shorewall-users] Public IP

i was read your "About My Network" but i'm confuse your setting

Ursa : IP 192.168.1.5 and 206.124.146.178
and Easteplaptop

this computer must set 2 IP in 1 card?? 192.168.1.5 and 206.124.146.178
or just LOCAL IP? 192.168.1.5

<snip>

Jeff wrote:
| No, you use the private one (192.168.1.5) on the network card.
|
| Traffic coming from the Internet would 'see' it as 206.124.146.178 using
| either proxyarp or by directly mapping the IP using NAT.
|

And in the case cited by the original poster, I use one-to-one NAT.

-Tom

i'm try using your document "About My Network" to setup Bridge using Slackware 9.1
my Bridge similar with computer Wookie

my bridge config
#########################
#! /bin/sh
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
#ifconfig lo 127.0.0.1 #this line should be uncommented if you don't use rc.inet1
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 eth1
ifconfig br0 192.168.0.2 netmask 255.255.255.0 up
#route add default gw 192.168.1.1 metric 1 #this line should be uncommented if
#you don't use rc.inet1
#########################

hosts file
net br0:eth0
loc br0:eth1

interface file
- br0 192.168.0.255

masq file
empty

zones file
net Net Internet
loc Local Local Networks

rules file
use from two-interface.tar.gz

Bridge can active, it' remove IP address eth0 and eth1
and active br0 with ip 192.168.0.2

i found error when restart shorewall

Rule "all all tcp - ssh 16" added.
Rule "all all tcp ssh - 16" added.
Rule "all all tcp - ftp 16" added.
Rule "all all tcp ftp - 16" added.
Rule "all all tcp ftp-data - 8" added.
Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

please tell me what wrong with my scripts

On Sat, 04 Sep 2004 07:03:59 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Jeff wrote:
> | No, you use the private one (192.168.1.5) on the network card.
> |
> | Traffic coming from the Internet would 'see' it as 206.124.146.178 using
> | either proxyarp or by directly mapping the IP using NAT.
> |
>
> And in the case cited by the original poster, I use one-to-one NAT.

paidjo wrote:
| i'm try using your document "About My Network" to setup Bridge using
| Slackware 9.1

You might consider using the Shorewall Bridge documentation -- http://shorewall.net/bridge.html.

|
| Bridge can active, it' remove IP address eth0 and eth1
| and active br0 with ip 192.168.0.2

I don't understand what you are trying to say -- if you are saying that you had to remove the IP addresses from eth0 and eth1, you are correct -- again, please read the Shorewall Bridge documentation.

|
| i found error when restart shorewall
|
| Rule "all all tcp - ssh 16" added.
| Rule "all all tcp ssh - 16" added.
| Rule "all all tcp - ftp 16" added.
| Rule "all all tcp ftp - 16" added.
| Rule "all all tcp ftp-data - 8" added.
| Rule "all all tcp - ftp-data 8" added.
| Processing /etc/shorewall/ecn...
| Activating Rules...
| iptables: No chain/target/match by that name
| Processing /etc/shorewall/stop ...
| IP Forwarding Enabled
| Processing /etc/shorewall/stopped ...
| Terminated
|
| please tell me what wrong with my scripts

Please follow the instructions at http://shorewall.net/troubleshoot.htm under the heading "shorewall start and shorewall restart Errors".

-Tom

i can resolve this problem by replace
eth0 with host address

host file must change to
net br0:192.168.0.0/24
loc br0:192.168.0.0/24

not use config below

net br0:eth0
loc br0:eth1

maybe nicolaz echaniz have the same problem with me, please change this to host number.

but now,
i have problem with transparent proxy on my bridge

i put command on top of rules file
REDIRECT loc 3128 tcp www - !192.168.0.0/24

Client can't access to this proxy, client bypass this transparent proxy but still can access to internet (www)

please help me
i'm use shorewall version 2.0.8

thanks
Wayan
Bali

nb: sorry my english is bad, it's not my national language :(

On Sat, 04 Sep 2004 09:30:34 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> paidjo wrote:
> | i'm try using your document "About My Network" to setup Bridge using
> | Slackware 9.1
>
> You might consider using the Shorewall Bridge documentation --
> http://shorewall.net/bridge.html.
>
> |
> | Bridge can active, it' remove IP address eth0 and eth1
> | and active br0 with ip 192.168.0.2
>
> I don't understand what you are trying to say -- if you are saying that
> you had to remove the IP addresses from eth0 and eth1, you are correct
> -- again, please read the Shorewall Bridge documentation.
>
> |
> | i found error when restart shorewall
> |
> | Rule "all all tcp - ssh 16" added.
> | Rule "all all tcp ssh - 16" added.
> | Rule "all all tcp - ftp 16" added.
> | Rule "all all tcp ftp - 16" added.
> | Rule "all all tcp ftp-data - 8" added.
> | Rule "all all tcp - ftp-data 8" added.
> | Processing /etc/shorewall/ecn...
> | Activating Rules...
> | iptables: No chain/target/match by that name
> | Processing /etc/shorewall/stop ...
> | IP Forwarding Enabled
> | Processing /etc/shorewall/stopped ...
> | Terminated
> |
> | please tell me what wrong with my scripts
>
> Please follow the instructions at http://shorewall.net/troubleshoot.htm
> under the heading "shorewall start and shorewall restart Errors".
>
> -Tom

paidjo wrote:
| i can resolve this problem by replace
| eth0 with host address
|
| host file must change to
| net br0:192.168.0.0/24
| loc br0:192.168.0.0/24
|
| not use config below
|
| net br0:eth0
| loc br0:eth1
|
|
| maybe nicolaz echaniz have the same problem with me, please change this
| to host number.
|

Nicolaz runs an embedded system that does not install all available kernel modules nor does it load those modules automatically. He solved his problem by installing and loading the proper kernel module (ipt_physdev.o). If you are not running such a limited system and you are seeing the same symptoms then your kernel probably doesn't support physdev match.

Note that the Shorewall bridge documentation is very clear about the requirement for that support, both in your kernel and in iptables.

|
| but now,
| i have problem with transparent proxy on my bridge
|
| i put command on top of rules file
| REDIRECT loc 3128 tcp www - !192.168.0.0/24
|
| Client can't access to this proxy, client bypass this transparent proxy
| but still can access to internet (www)

Two questions:

a) Did you have to set 'routeback' on 'br0' in order for traffic to flow through the bridge?

b) Is there any traffic going through the 'br0_fwd' chain ("shorewall show br0_fwd" -- look at the first two columns).

If the answer to these questions is 'no' then your kernel does not contain the Netfilter/Bridge patches either. In that case, Shorewall cannot affect the traffic flowing through the bridge in any way.

-Tom

my new network

[router eth0:202.123.123.1 and eth1:192.168.0.254] <------> [br0:192.168.0.2] <----> [client 192.168.0.3]

i can't set gateway to 192.168.0.2, but must use gateway 192.168.0.254

> Two questions:
>
> a) Did you have to set 'routeback' on 'br0' in order for traffic to flow
> through the bridge?

No.., if i set routeback -> Error: routeback cant set in Multi-Zone

> b) Is there any traffic going through the 'br0_fwd' chain ("shorewall
> show br0_fwd" -- look at the first two columns).
>

root@gdln:~# shorewall show br0_fwd
Shorewall-2.0.8 Chain br0_fwd at gdln.gdln-unud.org - Tue Sep 7 01:19:18 CIT 2004

Counters reset Tue Sep 7 01:15:21 CIT 2004

Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW

i can't found netfilter/bridge patch, please tell me where i can download, and what file. i'm confuse to http://bridge.sf.net. Please tell me simple link to download

my kernel was config
CONFIG_BRIDGE=m

thanks
wayan

> If the answer to these questions is 'no' then your kernel does not
> contain the Netfilter/Bridge patches either. In that case, Shorewall
> cannot affect the traffic flowing through the bridge in any way.

hi,
my bridge still can't connect to internet
i was fix all problem, (kernel compile, etc, with bridge support)

i'm always receive message "Dead loop on virtual device br0"

what wrong?

thanks

paidjo wrote:
| hi,
| my bridge still can't connect to internet
| i was fix all problem, (kernel compile, etc, with bridge support)
|
| i'm always receive message "Dead loop on virtual device br0"
|
| what wrong?

I have no idea -- that isn't a Shorewall problem.

-Tom

Tom Eastep wrote:
| paidjo wrote:
| | hi,
| | my bridge still can't connect to internet
| | i was fix all problem, (kernel compile, etc, with bridge support)
| |
| | i'm always receive message "Dead loop on virtual device br0"
| |
| | what wrong?
|
| I have no idea -- that isn't a Shorewall problem.
|

But if you forward the information requested at http://shorewall.net/support.htm and include the output from 'brctl show', we will try to help.

Also please tell us how you have physically cabled your network.

-Tom

information from shorewall
----------------------------------------------
shorewall show br0_fwd
Shorewall-2.0.8 Chain br0_fwd at gdln.gdln-unud.org - Wed Sep 8 02:26:59 CIT 2004

Counters reset Wed Sep 8 02:08:52 CIT 2004

Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  564 41206 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
  516 43073 ACCEPT     all  --  *      br0     192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      br0     192.168.0.0/24       192.168.0.0/24
---------------------------------------------

my cable from bridge to router using cross cable cat-5

hosts file
#ZONE HOST(S) OPTIONS
net br0:192.168.0.0/24 routeback
loc br0:192.168.0.0/24 routeback

interface file
- br0 192.168.0.255

masq file
br0 192.168.0.0/24

rules file
use two-interface.tar.gz
------------------

i'm try to delete routeback from host file, it's still problem
and remove masq config, it's still problem

my standard installation without bridge normal connect from client to internet

spec:
Slackware 9.1
kernel 2.4.22 with patch bridge-nf
CONFIG_BRIDGE=m
CONFIG_IP_NF_MATCH_PHYSDEV=m

if use kernel 2.4.27 my bridge always hang when receive package (ping or browsing)

shorewall version 2.0.8

thanks
wayan

On Mon, 06 Sep 2004 08:41:43 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> | paidjo wrote:
> | | hi,
> | | my bridge still can't connect to internet
> | | i was fix all problem, (kernel compile, etc, with bridge support)
> | |
> | | i'm always receive message "Dead loop on virtual device br0"
> | |
> | | what wrong?
> |
> | I have no idea -- that isn't a Shorewall problem.
> |
>
> But if you forward the information requested at
> http://shorewall.net/support.htm and include the output from 'brctl
> show', we will try to help.
>
> Also please tell us how you have physically cabled your network.

paidjo wrote:
|
| hosts file
| #ZONE HOST(S) OPTIONS
| net br0:192.168.0.0/24 routeback
| loc br0:192.168.0.0/24 routeback
|

You MUST get the physdev match code working if you want to make a bridge/firewall. That is, you must be able to code:

net br0:ethi
loc br0:ethj

Until then, you are just wasting your time and ours.

| masq file
| br0 192.168.0.0/24

You *don't* masquerade in a bridge!

-Tom

Tom Eastep wrote:
| paidjo wrote:
|
| |
| | hosts file
| | #ZONE HOST(S) OPTIONS
| | net br0:192.168.0.0/24 routeback
| | loc br0:192.168.0.0/24 routeback
| |
|
| You MUST get the physdev match code working if you want to make a
| bridge/firewall. That is, you must be able to code:
|
| net br0:ethi
| loc br0:ethj
|
| Until then, you are just wasting your time and ours.
|
| | masq file
| | br0 192.168.0.0/24
|
| You *don't* masquerade in a bridge!

I would also advise you to get the bridge working first -- then add the firewall.

-Tom

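Added example, not part of the original thread and not Shorewall's own code: an offline version of the two checks the replies ask for, namely whether the br0_fwd chain has seen any packets and whether the hosts file defines the zones by bridge port or by address. The helper names chain_packets and hosts_check are hypothetical, and the sample inputs are constructed from the values quoted in the messages above.

```shell
#!/bin/sh
# chain_packets and hosts_check are hypothetical helper names (assumptions),
# not Shorewall commands. Both read their input from stdin.

# Sum the "pkts" column of an `iptables -L -v -n` style listing (the format
# `shorewall show <chain>` prints). Header lines are skipped; the K/M/G
# suffixes iptables uses for large counters are expanded.
# A result of 0 means no packet has traversed the chain since the last reset.
chain_packets() {
    awk '
        function expand(v,    s) {
            s = substr(v, length(v))
            if (s == "K") return (v + 0) * 1000
            if (s == "M") return (v + 0) * 1000000
            if (s == "G") return (v + 0) * 1000000000
            return v + 0
        }
        $1 ~ /^[0-9]+[KMG]?$/ && $2 ~ /^[0-9]+[KMG]?$/ { total += expand($1) }
        END { print total + 0 }
    '
}

# Classify how zones are defined on bridge $1 in a Shorewall hosts file:
#   ports   - every entry names a bridge port (br0:eth0), the form that
#             depends on physdev match support
#   overlap - two zones carry the same host spec, so zone membership cannot
#             depend on which port a packet used
#   address - entries are address-based but do not collide
#   none    - no entry for that bridge
hosts_check() {
    awk -v br="$1" '
        NF < 2 || $1 ~ /^#/ { next }
        index($2, br ":") != 1 { next }
        {
            spec = substr($2, length(br) + 2)
            if (spec ~ /^[0-9!]/) byaddr++
            if ((spec in zone) && zone[spec] != $1) dup++
            zone[spec] = $1
            entries++
        }
        END {
            if (!entries) print "none"
            else if (dup) print "overlap"
            else if (byaddr) print "address"
            else print "ports"
        }
    '
}

# Constructed samples, built from the values quoted in the thread.
CHAIN_IDLE='Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW'

CHAIN_BUSY='Chain br0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
  564 41206 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
  516 43073 ACCEPT     all  --  *      br0     192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      br0     192.168.0.0/24       192.168.0.0/24'

HOSTS_SUBNET='#ZONE HOST(S) OPTIONS
net br0:192.168.0.0/24 routeback
loc br0:192.168.0.0/24 routeback'

HOSTS_PORTS='net br0:eth0
loc br0:eth1'

printf 'br0_fwd packets (first listing):  %s\n' "$(printf '%s\n' "$CHAIN_IDLE" | chain_packets)"
printf 'br0_fwd packets (second listing): %s\n' "$(printf '%s\n' "$CHAIN_BUSY" | chain_packets)"
printf 'hosts file, subnet form: %s\n' "$(printf '%s\n' "$HOSTS_SUBNET" | hosts_check br0)"
printf 'hosts file, port form:   %s\n' "$(printf '%s\n' "$HOSTS_PORTS" | hosts_check br0)"
```
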