Network Configuration issues

I've been working on this for 2 days PLEASE HELP!

I am having the following issues with network configuration and I cannot ping the external interface to begin troubleshooting the network configuration.

I know that the ISP's router is configured correctly since I have attached it to a small Linksys firewall and was able to ping 66.240.207.226 from another external network.

According to the documentation I can add AllowPing to the file /etc/shorewall/action.Drop or /etc/shorewall/action.Reject.

Unfortunately neither of these files resides in the documented location, namely /etc/shorewall, although they can be found in /usr/share/shorewall. Is my installation incorrect or is the documentation incorrect regarding the location of the above files?

I did edit /usr/share/shorewall/action.Drop, and the file /usr/share/shorewall/action.AllowPing contains the following.

    # Shorewall 2.0 /etc/shorewall/action.AllowPing
    #
    # This action accepts 'ping' requests.
    #
    ######################################################################################
    #TARGET   SOURCE   DEST   PROTO   DEST      SOURCE    RATE    USER/
    #                                 PORT      PORT(S)   LIMIT   GROUP
    ACCEPT    -        -      icmp    8
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Are the action files in the wrong location, and if so should I just copy all the action.* files to /etc/shorewall/?

VERSION

    root@ipowall:/etc/shorewall # shorewall version
    2.0.2f

ip addr show

    root@ipowall:~ # ip addr show
    1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0e:0c:60:9e:dc brd ff:ff:ff:ff:ff:ff
        inet 66.240.207.226/28 brd 66.255.255.255 scope global eth0
        inet6 fe80::20e:cff:fe60:9edc/64 scope link
           valid_lft forever preferred_lft forever
    3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:0e:0c:60:9c:5d brd ff:ff:ff:ff:ff:ff
        inet 192.168.0.2/24 brd 192.168.0.255 scope global eth1
        inet6 fe80::20e:cff:fe60:9c5d/64 scope link
           valid_lft forever preferred_lft forever
    4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
        link/ether 00:02:b3:f0:93:0a brd ff:ff:ff:ff:ff:ff
        inet 209.126.225.34/28 brd 209.126.225.47 scope global eth2
        inet6 fe80::202:b3ff:fef0:930a/64 scope link
           valid_lft forever preferred_lft forever
    5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
        link/ether 00:11:11:3f:32:a8 brd ff:ff:ff:ff:ff:ff
    6: sit0: <NOARP> mtu 1480 qdisc noop
        link/sit 0.0.0.0 brd 0.0.0.0

ip route show

    root@ipowall:~ # ip route show
    209.126.225.32/28 dev eth2  proto kernel  scope link  src 209.126.225.34
    66.240.207.224/28 dev eth0  proto kernel  scope link  src 66.240.207.226
    192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.2
    default via 209.126.225.33 dev eth2
    default via 66.240.207.225 dev eth0

I used the Shorewall Setup Guide (2005-01-22).

Here is the contents of /etc/network/interfaces:

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    # The loopback network interface
    auto lo eth0 eth1 eth2
    iface lo inet loopback

    # The primary network interface
    # external Internet interface
    iface eth0 inet static
        address 66.240.207.226
        netmask 255.255.255.240
        gateway 66.240.207.225

    # Internal LAN Interface
    iface eth1 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        gateway 66.240.207.226

    #routable DMZ interface
    iface eth2 inet static
        address 209.126.225.34
        netmask 255.255.255.240
        broadcast 209.126.225.47
        network 209.126.225.32
        gateway 209.126.225.33
Barry McDermid wrote:
> Network Configuration issues
> I've been working on this for 2 days PLEASE HELP!
>
> I am having the following issues with network configuration and I cannot
> ping the external interface to begin troubleshooting the network
> configuration.
>
> I know that the ISP's router is configured correctly since I have
> attached it to a small Linksys firewall and was able to ping the
> 66.240.207.226 from another external network.

Add this rule:

    AllowPing EXT $FW

> According to the documentation I can add AllowPing to the file
> /etc/shorewall/action.Drop
> or etc/shorewall/action.Reject.
>
> Unfortunately neither of these files reside in the documented location
> namely /etc/shorewall although they can be found in
> /usr/share/shorewall. Is my installation incorrect or is the
> documentation incorrect regarding the location of the above files.
>
> I did edit /usr/share/shorewall/action.Drop and the file
> /usr/share/shorewall/action.AllowPing contains the following.

Well, you are reading obsolete documentation -- the standard action files have been in /usr/share/shorewall for quite a while now. If you wish to modify one of them, you copy the file to /etc/shorewall and modify the copy.

Also, since your EXT->fw is REJECT, not DROP, fiddling with the action.Drop file won't fix the ability to ping from the outside.

Your log is filling up with messages that, if you had looked at FAQ 17, would have told you a lot about the problem.

Also -- why version 2.0.2f???? That release is nine months old, which is ancient in Shorewall terms...

-Tom
--
Tom Eastep        \ Off-list replies are cheerfully ignored
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 3 Mar 2005 14:17:11 -0800, Barry McDermid <bmcdermid@ipayone.com> wrote:
> Network Configuration issues
> I've been working on this for 2 days PLEASE HELP!
>
> I am having the following issues with network configuration and I cannot
> ping the external interface to begin troubleshooting the network
> configuration.
[...]

You need to use AllowPing in /etc/shorewall/rules, for example:

    AllowPing fw net

RTFM carefully.
Barry McDermid wrote:
> Network Configuration issues
> I've been working on this for 2 days PLEASE HELP!

Also, you didn't mention in your post that you are not a list member, so people aren't copying you on their replies...

-Tom
--
Tom Eastep        \ Off-list replies are cheerfully ignored
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Thu, 03 Mar 2005 15:09:29 -0800, Tom Eastep <teastep@shorewall.net> wrote:
> Barry McDermid wrote:
> > Network Configuration issues
> > I've been working on this for 2 days PLEASE HELP!
>
> Also, you didn't mention in your post that you are not a list member so
> people aren't copying you on their replies...

IMHO people who want support _must_ be members of this list.
I upgraded the version and the ping problem has been resolved, at least with regard to being able to ping the external and DMZ interfaces from the internet. Unfortunately I still cannot ping the DMZ host and am unable to resolve port 80 on the DMZ host from the internet. I can also SSH in from the outside, so I'm getting there; it's just the pesky web server at this point. I know the web server is working because I can resolve port 80 locally (http://localhost) and I can ping the upstream interface, so I know I have the server configured.

Barry McDermid
IT Manager
IPAYONE.COM
bmcdermid@ipayone.com
1-760-602-7756

-----Original Message-----
From: Cristian Rodriguez [mailto:judas.iscariote@gmail.com]
Sent: Thursday, March 03, 2005 5:15 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Network config and troubleshooting wih Ping
[...]

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Barry McDermid wrote:
> I upgraded the version and the ping problem has been resolved at least
> with regard to being able to ping the external and DMZ interfaces from
> the internet. Unfortunately I still cannot ping the DMZ host and am
> unable to resolve port 80 on the dmz host from the internet.

My understanding of the word 'resolve' in any context remotely related to this one renders the last sentence nonsensical. But reading the rest of your post, I guess that in your lexicon "resolve" means "connect to". I'll assume so.

> I can also
> SSh in from the outside so I'm getting there it's just the pesky web
> server at this point. I know the web server is working because I can
> resolve port 80 locally (http://localhost)

What you report proves only that you can connect to the web server from the local host. What address is the Web Server listening on? (hint: man netstat).

> and I can ping the upstream
> interface so I know I have the server configured.

Can you ping the router upstream of the Shorewall box from the DMZ server?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
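The check Tom hints at, as an added example that is not part of the thread: parse `netstat -ltn` (or `ss -ltn`) output and report whether port 80 is bound to loopback only, which is the one case where http://localhost works while nothing from outside reaches the server. Both sample outputs below are constructed; the `live_output` helper is an addition that runs whichever of ss or netstat exists on the host and is skipped otherwise.

```python
import shutil
import subprocess

# Constructed sample of `netstat -ltn` output: port 80 bound to loopback only,
# port 22 bound to all addresses (which matches "I can SSH in from outside").
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Constructed sample in `ss -ltn` layout with the same sockets, to show the
# parser does not depend on column positions or on how IPv6 is written.
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:80         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""


def listeners(output, port):
    """Local addresses that have a LISTEN socket on `port`.

    Only lines containing LISTEN are considered, and on each line the first
    'address:port' token whose port matches is the local socket; the peer
    column always has '*' as its port, so it never matches."""
    found = []
    for line in output.splitlines():
        if "LISTEN" not in line:
            continue
        for tok in line.split():
            addr, sep, p = tok.rpartition(":")
            if sep and p == str(port):
                found.append(addr.strip("[]"))   # ss prints IPv6 as [::]
                break
    return found


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def diagnose(output, port):
    """One-line verdict: nothing listening, loopback only, or reachable."""
    addrs = listeners(output, port)
    if not addrs:
        return "nothing is listening on port %d" % port
    if all(is_loopback(a) for a in addrs):
        return ("port %d is bound to loopback only (%s); fix the server's "
                "listen address before blaming the firewall" % (port, ", ".join(addrs)))
    return "port %d is listening on %s" % (port, ", ".join(addrs))


def live_output():
    """Output of ss -ltn or netstat -ltn on this host, or None if neither exists."""
    for cmd in (["ss", "-ltn"], ["netstat", "-ltn"]):
        if shutil.which(cmd[0]):
            return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return None


if __name__ == "__main__":
    for name, sample in (("netstat sample", NETSTAT_SAMPLE), ("ss sample", SS_SAMPLE)):
        print("%s: %s" % (name, diagnose(sample, 80)))
    out = live_output()
    if out is not None:
        print("this host: %s" % diagnose(out, 80))
```

If the verdict is "loopback only", no Shorewall rule will help: the server must be told to listen on the DMZ address (or on all addresses) before the firewall is in the picture at all.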
Tom Eastep wrote:
>
> Can you ping the router upstream of the Shorewall box from the DMZ server?
>

Oh -- and you really need to resolve the nonsense with the two default routes on the firewall; one of them (the one on the DMZ interface) is silly AND WRONG.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Tom Eastep wrote:
> >
> > Can you ping the router upstream of the Shorewall box from the DMZ server?
> >
>
> Oh -- and you really need to resolve the nonsense with the two default
> routes on the firewall; one of them (the one on the DMZ interface) is
> silly AND WRONG.
>

Of course, now that I think of it, I'm probably assuming what your network topology looks like. So if you think what I've pointed out is wrong, then please describe your network.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Barry McDermid wrote:
> Yes I can successfully ping the upstream/ISP router from the firewall.

That's nice, but that isn't what I asked.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Yes I can successfully ping the upstream/ISP router from the firewall.

As for the two default routes, I would prefer to keep the topology with a unique network on each interface if that's ok with you.

In the future I'll use the word connect instead of resolve.

Thanks

Barry McDermid
IT Manager
IPAYONE.COM
bmcdermid@ipayone.com
1-760-602-7756

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, March 03, 2005 6:39 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Network config and troubleshooting wih Ping
[...]
Barry McDermid wrote:
> As for the two default routes I would prefer to keep the topology with a
> unique network on each interface if that's ok with you.
>

Well, I'm not going to be available for the next 12 hours (medical tests), so I want you to explain in detail to the list how this topology is supposed to work, because it sure isn't obvious from what you have told us so far.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Barry McDermid wrote:
> No I cannot ping the upstream router from the DMZ host/server.
> If you think that I should use only the 66.240.207.224 network in order
> to make Shorewall function then that's what I'll have to do.
>

THIS HAS NOTHING TO DO WITH SHOREWALL -- IT IS BASIC IP ROUTING.

> So please tell me if this is correct
> Ext interface 66.240.207.226/255.255.255.240 GW 66.240.207.225
> DMZ interface 66.240.207.227/255.255.255.240 GW 66.240.207.226

I give up. Hopefully someone else will help you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
No I cannot ping the upstream router from the DMZ host/server.

If you think that I should use only the 66.240.207.224 network in order to make Shorewall function, then that's what I'll have to do.

So please tell me if this is correct:

    Ext interface 66.240.207.226/255.255.255.240 GW 66.240.207.225
    DMZ interface 66.240.207.227/255.255.255.240 GW 66.240.207.226

The LAN will stay the same as before.

I really appreciate all your help.

Thanks

Barry McDermid
IT Manager
IPAYONE.COM
bmcdermid@ipayone.com
1-760-602-7756

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, March 03, 2005 6:59 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Network config and troubleshooting wih Ping
[...]
Tom, I really do think you need that medical attention. Thanks for being so tolerant and promoting your product so well.

Barry McDermid
IT Manager
IPAYONE.COM
bmcdermid@ipayone.com
1-760-602-7756

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, March 03, 2005 7:28 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Network config and troubleshooting wih Ping
[...]
Tom, in the past with other firewalls that I've used, such as Watchguard, Pix and Checkpoint, I've always been able to use unique networks that were assigned by the ISP, i.e. Verio, cari.net etc. It always worked well and I assumed the same functionality would be available on Shorewall. Ultimately it doesn't really matter and it's just what I'm used to; your documentation doesn't really talk about this, so I'll put my preferences aside and go with your recommendation.

Barry McDermid
IT Manager
IPAYONE.COM
bmcdermid@ipayone.com
1-760-602-7756

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, March 03, 2005 7:09 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Network config and troubleshooting wih Ping
[...]
----- Original Message -----
From: "Barry McDermid" <bmcdermid@ipayone.com>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, March 03, 2005 21:36
Subject: RE: [Shorewall-users] Network config and troubleshooting wih Ping
[...]

Barry:

You speak of eth2 as the "dmz interface"; is eth2 plugged into the router also? Where, in this layout, are the gateways? 66.240.207.225 and 209.126.225.33 are both on the router that is connected to eth0 only? What interface(s) are the dmz(s) going to use? eth2? What is eth3 for? What address space do you want to use in the dmz(s?)? 209.126.225.32/28, 66.240.207.224/28, on separate nics? Or both on a single nic? Are you trying a subnetting or proxyarp approach to access to a dmz?

Post the config files that you touched. I can't figure out how you want to do this from the info you posted. I have a single /28 with a mix of proxyarp and aliased ips that is working just great. Just need to clear up just what you want to do.

Jerry Vonau
Cristian Rodriguez wrote:
> ...
> IMHO people who want support _must_ be members of this list.

Seconded.

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
BTW -- Barry is now subscribed to the list.

Jerry Vonau wrote:
> Just need to clear up just what you want to do.
>

Which was what I was also asking for last night before I had to abandon this and leave.

The presence of two gateways can mean:

a) That you have two Internet connections and have policy routing rules to select between different routing tables for each connection. It seems unlikely that you would name the zone associated with one of the gateways DMZ, but who knows; or

b) You are transitioning from one network topology to another and are trying to test without committing to the new topology. That usually works poorly with a stateful firewall like the one generated by Shorewall, because routing is often asymmetric, with the firewall seeing traffic in only one direction. For example, if the web server in the DMZ doesn't have its default gateway on (or through) the Shorewall box, it won't work; or

c) You are in over your head and don't know what you are doing.

So we need to know how you believe this should work before we can advise you how to make it work that way. This is especially true if policy routing is involved.

-Tom

Who had the worst night's sleep in recent memory -- I can't understand why they call it "sleep study"; rather it should be named "sleepless study". And it took place in Seattle yet...

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
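Tom's case (b), as an added example that is not part of the thread: a small Python model of the route tables involved, traced for one TCP exchange between an internet client and the DMZ web server. The firewall's table is the one from the `ip route show` output at the top of the thread, in the same order. Everything else is assumed or constructed: the client sits at 203.0.113.10 behind an ISP router at 66.240.207.225 that has a static route for 209.126.225.32/28 pointing at the firewall's eth0; the web server is at 209.126.225.35; the DMZ wire carries only the firewall and the server, so nothing answers for 209.126.225.33; and of two equal `default` entries the first listed wins. None of that topology is confirmed anywhere in the thread, which is exactly Tom's complaint.

```python
from ipaddress import ip_address, ip_interface, ip_network


class Host:
    """A box with interfaces and a routing table. `ifaces` maps a device name
    to (address/prefix, name of the wire it is plugged into); `routes` are
    (prefix, via or None for a connected route, dev) in `ip route show` order."""

    def __init__(self, name, ifaces, routes):
        self.name = name
        self.ifaces = {dev: (ip_interface(a), seg) for dev, (a, seg) in ifaces.items()}
        self.routes = [(ip_network(p), ip_address(v) if v else None, d)
                       for p, v, d in routes]

    def owns(self, addr):
        return any(i.ip == addr for i, _ in self.ifaces.values())

    def route(self, dst):
        # Longest-prefix match; among equal-length matches the first listed
        # wins (assumption: what Linux does with two plain `default` entries).
        best = None
        for net, via, dev in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, dev)
        return best

    def neighbour(self, dev, addr, hosts):
        """The host on the same wire as `dev` that owns `addr`, i.e. who would
        answer ARP for the next hop; None means the packet goes nowhere."""
        seg = self.ifaces[dev][1]
        for h in hosts:
            if h is not self and any(s == seg and i.ip == addr for i, s in h.ifaces.values()):
                return h
        return None


def trace(src, dst, hosts, max_hops=8):
    """Names of the hosts a packet src->dst passes through; ends with 'DROP'
    when a next hop has no neighbour on its wire."""
    dst = ip_address(dst)
    cur, path = src, [src.name]
    for _ in range(max_hops):
        if cur.owns(dst):
            return path
        r = cur.route(dst)
        if r is None:
            return path + ["DROP"]
        _, via, dev = r
        nxt = cur.neighbour(dev, dst if via is None else via, hosts)
        if nxt is None:
            return path + ["DROP"]
        cur = nxt
        path.append(cur.name)
    return path + ["LOOP"]


def build(fw_routes, web_gateway):
    """Constructed topology (assumption): client <-> ISP router <-> eth0,
    web server alone with the firewall on the eth2 wire."""
    client = Host("client", {"eth0": ("203.0.113.10/24", "wan")},
                  [("203.0.113.0/24", None, "eth0"), ("0.0.0.0/0", "203.0.113.1", "eth0")])
    isp = Host("isp-router",
               {"wan": ("203.0.113.1/24", "wan"), "cust": ("66.240.207.225/28", "ext")},
               [("203.0.113.0/24", None, "wan"), ("66.240.207.224/28", None, "cust"),
                ("209.126.225.32/28", "66.240.207.226", "cust")])  # assumed static route
    fw = Host("firewall", {"eth0": ("66.240.207.226/28", "ext"),
                           "eth1": ("192.168.0.2/24", "lan"),
                           "eth2": ("209.126.225.34/28", "dmz")}, fw_routes)
    web = Host("web", {"eth0": ("209.126.225.35/28", "dmz")},
               [("209.126.225.32/28", None, "eth0"), ("0.0.0.0/0", web_gateway, "eth0")])
    return [client, isp, fw, web]


# The firewall's table as posted: two defaults, the eth2 one listed first.
POSTED = [("209.126.225.32/28", None, "eth2"), ("66.240.207.224/28", None, "eth0"),
          ("192.168.0.0/24", None, "eth1"),
          ("0.0.0.0/0", "209.126.225.33", "eth2"), ("0.0.0.0/0", "66.240.207.225", "eth0")]
# One default, out through the ISP router on eth0.
FIXED = POSTED[:3] + [("0.0.0.0/0", "66.240.207.225", "eth0")]


def exchange(fw_routes, web_gateway):
    """Paths of a SYN from the client, the SYN-ACK back from the web server,
    and a reply from the firewall itself, for one firewall table and one
    choice of default gateway on the web server."""
    hosts = build(fw_routes, web_gateway)
    client, fw, web = hosts[0], hosts[2], hosts[3]
    return {"syn": trace(client, "209.126.225.35", hosts),
            "syn_ack": trace(web, "203.0.113.10", hosts),
            "fw_reply": trace(fw, "203.0.113.10", hosts)}


if __name__ == "__main__":
    for label, routes, gw in (("as posted, web gw .33", POSTED, "209.126.225.33"),
                              ("one default, web gw .34", FIXED, "209.126.225.34")):
        for name, path in exchange(routes, gw).items():
            print("%-25s %-8s %s" % (label, name, " -> ".join(path)))
```

Under those assumptions the SYN reaches the server on both tables, but the SYN-ACK dies on the DMZ wire as soon as the server's gateway is the phantom 209.126.225.33, and the firewall's own replies die on the eth2 default. With one default via eth0 and the server's gateway set to the firewall's eth2 address, both directions cross the Shorewall box, which is what connection tracking needs to see.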
Tom Eastep wrote:
>
> Well, you are reading obsolete documentation -- the standard action
> files have been in /usr/share/shorewall for quite a while now. If you
> wish to modify one of them, you copy the file to /etc/shorewall and
> modify the copy.
>

I found the outdated doc -- it was the Ping documentation, which I have corrected. See http://shorewall.net/ping.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key