Brian K. Andersen
2004-Sep-10 12:18 UTC
RE: Is ProxyARP or NAT entries really necessary for DNAT to work?
I forgot to include my masq file. It's pretty straightforward:

eth2 eth0
eth2 eth1

Cheers,
Brian
Tom Eastep
2004-Sep-10 13:34 UTC
Re: Is ProxyARP or NAT entries really necessary for DNAT to work?
On Friday 10 September 2004 05:18, Brian K. Andersen wrote:
> I forgot to include my masq file. It's pretty straightforward:
>
> eth2 eth0
> eth2 eth1

To use DNAT with original destination IP addresses other than the primary IP of your external interface, either your ISP must be routing traffic to those addresses via the primary IP *OR* your firewall must respond to ARP requests for those addresses. Most people find it most convenient to use their Distribution's Network configuration GUI to simply add the other addresses to the external interface.

As you have discovered, a side effect of entries in /etc/shorewall/proxyarp and in /etc/shorewall/nat (provided that ADD_IP_ALIASES=Yes in shorewall.conf which is the default) will cause your firewall to respond to ARP requests for the external addresses listed in those file entries. But the preferred method is to just configure these addresses outside of Shorewall.

For more information, see: http://shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
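
The ARP condition described in the reply above can be checked offline against a configuration. The following is an added example, not part of the original thread and not Shorewall code: it lists the ORIGINAL DEST addresses of DNAT rules that the firewall would not answer ARP for. The function names, the sample addresses and the sample file contents are constructed, and the checker assumes the ISP does not route the extra addresses via the primary IP.

```python
# Added example. Column positions follow the Shorewall rules, nat and proxyarp
# file layouts; every address and entry used with it is a constructed sample.

def _rows(text):
    """Yield whitespace-split columns for each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def arp_answered(interface_addrs, nat_text, proxyarp_text, add_ip_aliases=True):
    """Addresses the firewall answers ARP for on the external side."""
    answered = set(interface_addrs)  # primary IP plus aliases configured outside Shorewall
    # proxyarp: ADDRESS INTERFACE EXTERNAL HAVEROUTE
    answered |= {cols[0] for cols in _rows(proxyarp_text)}
    # nat: EXTERNAL INTERFACE INTERNAL ...; the external address is added to the
    # interface only when ADD_IP_ALIASES=Yes (the default, per the reply above)
    if add_ip_aliases:
        answered |= {cols[0] for cols in _rows(nat_text)}
    return answered

def unanswered_dnat_targets(rules_text, answered):
    """ORIGINAL DEST addresses of DNAT rules that nothing answers ARP for."""
    missing = []
    for cols in _rows(rules_text):
        # rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
        if not cols[0].startswith("DNAT") or len(cols) < 7:
            continue  # not DNAT, or no ORIGINAL DEST (the primary IP is used)
        for addr in cols[6].split(","):
            if addr == "-" or addr.startswith("!"):
                continue  # empty column or an exclusion, nothing to answer for
            if addr not in answered and addr not in missing:
                missing.append(addr)
    return missing

# Constructed sample configuration (documentation address range 192.0.2.0/24).
SAMPLE_RULES = """
#ACTION SOURCE DEST              PROTO DPORT SPORT ORIGDEST
DNAT    net    loc:192.168.1.10  tcp   80    -     192.0.2.11
DNAT    net    loc:192.168.1.11  tcp   25    -     192.0.2.12
DNAT    net    loc:192.168.1.12  tcp   22
ACCEPT  loc    net               tcp   80
"""
SAMPLE_NAT = "192.0.2.12 eth0 192.168.1.11 No No\n"
SAMPLE_PROXYARP = ""

if __name__ == "__main__":
    ok = arp_answered(["192.0.2.10"], SAMPLE_NAT, SAMPLE_PROXYARP)
    print(unanswered_dnat_targets(SAMPLE_RULES, ok))
```
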