I've had a shorewall firewall protecting my home network for almost 3 years now, which is currently on a RedHat 7.3 box, and I'm running version 1.4.7. I'm replacing this box with a newer one and have set it up with Gentoo linux and the 2.6.9-r9 kernel and installed Gentoo's distro of shorewall, which is version 2.0.7. I have also compiled the needed netfilter modules into the kernel.

Most of my configuration could stay the same, and things like the shorewall.conf file could be completely replaced with the newer 2.0.7 .conf file as I didn't have anything non-default set there. The eth0,1,2 cards are detected and set up correctly, mirroring exactly the old installation. Shorewall starts and seems to set everything up correctly; for example "route -n" or "arp -evn" list things the same except for the localhost line, where the new box shows the gateway for the localhost as 127.0.0.1 and the old box had the gateway for the localhost as 127.0.0.1, but that shouldn't be causing any problems. If I look at the /proc/.../net/ipv4/... values I see they match on both systems.

Everything seems to be running smoothly, but when I unplug the network cables from the old firewall box and plug them into the new one proxyarp fails. I have a DMZ with external IP addresses and the firewall used proxyarp to forward packets to it (and this way I didn't have to worry about forwarding internal traffic to internal IP addresses and external traffic to external IP addresses). I tested from outside and traffic simply is not getting in (not being blocked or dropped, just sort of disappearing). Also, my DMZ boxes should be able to access my dnscache service on the firewall on port 192.168.1.1 and yet they can't (yet tests show it's not anything to do with dnscache). When I watch the logs, traffic coming in is normal and it's blocking only the things that it should, but proxyarp is failing.

I am wondering if perhaps this is because this kernel is too new (there are options for this kernel available that are not shown in the documentation)? Or perhaps someone else has had problems with the Gentoo distro and shorewall.

Jay
On Fri, 2004-12-17 at 21:20 -0700, Jason Carlson wrote:

> Most of my configuration could stay the same and things like the
> shorewall.conf file could be completely replaced with the newer 2.0.7
> .conf file as I didn't have anything non-default set there.

This is a common misconception -- in fact, replacing the old shorewall.conf file with a new one can lead to INCOMPATIBLE behavior.

> The eth0,1,2 cards are detected and setup correctly mirroring exactly
> the old installation. Shorewall starts and seems to set everything up
> correctly, for example "route -n" or "arp -evn" list things the same
> except for the localhost line whereas the new box shows the gateway for
> the localhost as 127.0.0.1 and the old box had the gateway for the
> localhost as 127.0.0.1 but that shouldn't be causing any problems.
>
> If I look at the /proc/.../net/ipv4/... values I see they match on both
> systems.
>
> Everything seems to be running smoothly but when I unplug the network
> cables from the old firewall box onto the new one proxyarp fails.

Of course it does! You are changing the MAC address of the internet interface! When you bring up the interface, the 'ifup' script/program will likely do a gratuitous ARP broadcast for the interface's primary address but won't for any other address (such as Proxy ARP addresses). You have to go through the gratuitous ARP procedure utilizing 'arping' that is described on the Proxy ARP page in the Shorewall documentation before the new firewall will work.

-Tom

PS -- I just went through the same experience; note my announcement from earlier in the week about a new firewall at shorewall.net. I had to use 'arping' on the Proxy ARP address as well as those addresses used for one-to-one NAT.

-- 
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
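The re-announcement Tom describes, written out as a small POSIX shell script. This is an added example, not Shorewall's own code and not the procedure text from the Proxy ARP documentation page: the interface name and the addresses are constructed placeholders, and the flags are those of iputils arping (-U sends an unsolicited, i.e. gratuitous, ARP reply). It also checks the per-interface proxy_arp sysctl first, because announcing an address the kernel will not answer ARP for does nothing useful.

```shell
#!/bin/sh
# Added example: re-announce Proxy ARP and one-to-one NAT addresses from a
# replacement firewall so that the ISP's router (and anything else on the
# external segment) drops the old box's MAC from its ARP cache.
# Not Shorewall's code.
#
# Assumptions (constructed placeholders, replace with your own):
#   EXT_IF          - the internet-facing interface
#   PROXYARP_ADDRS  - the ADDRESS column of /etc/shorewall/proxyarp
#   NAT_ADDRS       - the EXTERNAL column of /etc/shorewall/nat
# Flags are those of iputils arping: -U unsolicited (gratuitous) ARP,
# -I interface, -c count.

EXT_IF="${EXT_IF:-eth0}"
PROXYARP_ADDRS="192.0.2.10 192.0.2.11"
NAT_ADDRS="192.0.2.20"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = run them (needs root)

# Build the arping command line for one address. Returned as text so it can
# be reviewed before anything is put on the wire.
garp_cmd() {   # garp_cmd ADDR IFACE COUNT
    printf 'arping -U -I %s -c %s %s\n' "$2" "$3" "$1"
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) one gratuitous-ARP burst per
# address, in order. Exit status is non-zero if any arping fails.
announce_all() {   # announce_all IFACE COUNT ADDR...
    iface=$1; count=$2; shift 2
    rc=0
    for addr in "$@"; do
        cmd=$(garp_cmd "$addr" "$iface" "$count")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd >/dev/null || { echo "arping failed for $addr" >&2; rc=1; }
        fi
    done
    return $rc
}

# Check that the kernel will actually answer ARP for other hosts on IFACE
# (Shorewall sets this for interfaces named in /etc/shorewall/proxyarp).
# The optional PROCROOT argument exists only so the check can be exercised
# against a scratch directory instead of the live /proc/sys.
proxy_arp_enabled() {   # proxy_arp_enabled IFACE [PROCROOT]
    f="${2:-/proc/sys}/net/ipv4/conf/$1/proxy_arp"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

if ! proxy_arp_enabled "$EXT_IF"; then
    echo "warning: proxy_arp is not enabled on $EXT_IF; start shorewall first" >&2
fi
# Three replies per address is usually enough for an upstream router to
# relearn the MAC; raise the count if the ISP gateway is slow to update.
announce_all "$EXT_IF" 3 $PROXYARP_ADDRS $NAT_ADDRS
```

Run it on the new box after shorewall has started (so the proxy ARP entries and the sysctl are in place) with DRY_RUN=0, then confirm from another host on the external segment that `arp -an` for each address now shows the new firewall's MAC.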