I am trying to add a machine into my dmz. It is the first machine I've ever added to this dmz and for some reason I cannot establish communication between the dmz and the machine.

Here is an example of my setup:

ISP router --> firewall (eth0)
firewall (eth1) --> local network
firewall (eth2) --> DMZ

eth0 and eth2 have public IP addresses as does the machine I just added to the DMZ.

On the machine in the dmz I can do an arp -a and I can see the dmz interface on the firewall but I can't ping it. On the firewall I do an arp -a and I don't see any entry on eth2.

I can't ping from the firewall to the machine or vice versa. I am not using proxyarp, ip masq, dnat, or snat. I have the necessary rules and policies. I am using version 2.0.6 of shorewall.

Any ideas?

Thanks,
--
Justin Paulsen
IT Coordinator
Frederic School District
(715) 327-4223
paulsenj@frederic.k12.wi.us
"The world is open. Are you?"
Justin Paulsen wrote:
> I am trying to add a machine into my dmz. It is the first machine I've
> ever added to this dmz and for some reason I cannot establish
> communication between the dmz and the machine.
>
> Here is an example of my setup:
>
> ISP router --> firewall (eth0)
> firewall (eth1) --> local network
> firewall (eth2) --> DMZ
>
> eth0 and eth2 have public IP addresses as does the machine I just added
> to the DMZ.
>
> On the machine in the dmz I can do an arp -a and I can see the dmz
> interface on the firewall but I can't ping it. On the firewall I do an
> arp -a and I don't see any entry on eth2.
>
> I can't ping from the firewall to the machine or vice versa. I am not
> using proxyarp, ip masq, dnat, or snat. I have the necessary rules and
> policies. I am using version 2.0.6 of shorewall.
>
> Any ideas?

Sounds like a subnetting/routing problem.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>>> On the machine in the dmz I can do an arp -a and I can see the dmz
>>> interface on the firewall but I can't ping it. On the firewall I do an
>>> arp -a and I don't see any entry on eth2.
>>>
>
> Sounds like a subnetting/routing problem.
>

Something to keep in mind -- there is *nothing* that you can mis-configure in Shorewall that will stop ARP on a single LAN segment from working. Given that the firewall can't get an ARP response from the new system in the DMZ, you have a problem that is unrelated to Shorewall; subnetting is the most obvious thing to check first since it determines when ARP is used and on what interface the ARP requests are sent.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
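Added example, not part of the thread or of Shorewall: a small Python check of the on-link decision Tom describes. It models each side's connected subnets and reports whether the firewall and the DMZ host would ARP for each other directly. All addresses are constructed documentation-range values, not the poster's; with a /29 on the firewall's eth2 and a /24 on the host it reproduces exactly the reported symptom (the host's arp -a lists the firewall, the firewall never ARPs on eth2).

```python
import ipaddress

def on_link_interface(interfaces, dst):
    """Return the interface whose connected subnet covers dst (longest prefix
    wins), or None when dst is off-link and would be sent to a gateway.
    A host only ARPs for dst itself when this returns an interface; otherwise
    it ARPs for the gateway, so dst never appears in its ARP table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, cidr in interfaces:
        net = ipaddress.ip_interface(cidr).network
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def check_dmz_link(fw_ifaces, dmz_iface, host_cidr):
    """Check the firewall<->DMZ host on-link decision in both directions and
    return a list of findings (empty when both ends agree on the segment)."""
    fw_cidr = dict(fw_ifaces)[dmz_iface]
    fw_ip = str(ipaddress.ip_interface(fw_cidr).ip)
    host_ip = str(ipaddress.ip_interface(host_cidr).ip)
    findings = []
    fw_out = on_link_interface(fw_ifaces, host_ip)
    if fw_out != dmz_iface:
        findings.append(f"firewall reaches {host_ip} via {fw_out or 'gateway'}, "
                        f"not {dmz_iface}: it never ARPs for the host there")
    if on_link_interface([("host", host_cidr)], fw_ip) is None:
        findings.append(f"host treats firewall {fw_ip} as off-link")
    fw_net = ipaddress.ip_interface(fw_cidr).network
    host_net = ipaddress.ip_interface(host_cidr).network
    if fw_net != host_net:
        findings.append(f"subnet mismatch: {dmz_iface} is {fw_net}, host is {host_net}")
    return findings

# Constructed sample firewall interfaces (documentation ranges, not real ones).
FW_IFACES = [("eth0", "203.0.113.2/30"),   # towards the ISP router
             ("eth1", "192.168.1.1/24"),   # local network
             ("eth2", "198.51.100.1/29")]  # DMZ, usable hosts .1 to .6

if __name__ == "__main__":
    # Host brought up with a /24: it sees the firewall as on-link and ARPs for
    # it (so its arp -a shows eth2), but the firewall's /29 does not cover .10,
    # so the firewall routes the host via its default gateway on eth0 instead.
    for f in check_dmz_link(FW_IFACES, "eth2", "198.51.100.10/24"):
        print("finding:", f)
    # Same /29 on both ends: no findings, ARP works in both directions.
    print(check_dmz_link(FW_IFACES, "eth2", "198.51.100.2/29"))
```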