1 small question. I have 4 network cards on my firewall:

eth0 inet
eth1 internal network
eth2 customer network
eth3 freeswan vpn

Is there a way that I can connect the eth2 and eth1 networks together so that I can access the servers off eth1 from eth2?

Marshal McInnis
Tech / Web Designs
1-205-344-4455 Ext 208
Marshal McInnis wrote:
> 1 small question i have 4 network cards on my firewall
>
> eth0 inet
> eth1 internal network
> eth2 customer network
> eth3 freeswan vpn
>
> is there a way that i can connect the eth2 and eth1 network together so
> that i can access the servers off eth1 from eth2?

The answer to this question is yes. In order to be able to help you further though, we need a lot more details.

a) Network addresses involved.
b) Routing tables on the hosts in the "internal" and "customer" networks.
c) Is there a Shorewall question in here somewhere? If so, please tell us how you have configured Shorewall currently.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
ACCEPT  fw    inet            tcp   53
ACCEPT  fw    inet            udp   53
ACCEPT  loc   inet            tcp   53
ACCEPT  loc   inet            udp   53
ACCEPT  loc   inet            all
ACCEPT  inet  loc             all
DNAT    inet  loc:10.10.0.4   tcp   443
DNAT    inet  loc:10.10.0.4   tcp   80
DNAT    inet  loc:10.10.0.4   tcp   21
DNAT    inet  loc:10.10.0.4   tcp   25,110
DNAT    inet  loc:10.10.0.4   tcp   123
DNAT    inet  loc:10.10.0.4   tcp   1723
DNAT    inet  loc:10.10.0.4   tcp   3389
DNAT    inet  loc:10.10.0.4   tcp   4125
DNAT    inet  loc:10.10.0.4   tcp   1723
DNAT    inet  loc:10.10.0.4   47    -

eth0  inet addr:209.159.32.162  Bcast:209.159.32.175  Mask:255.255.255.240
eth1  inet addr:10.10.0.1       Bcast:10.10.0.255     Mask:255.255.255.0
eth2  inet addr:10.11.0.1       Bcast:10.11.0.255     Mask:255.255.255.0

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, March 18, 2005 11:25 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Fowarding through networks
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Marshal McInnis wrote:
> ACCEPT fw inet tcp 53
> ACCEPT fw inet udp 53
> ACCEPT loc inet tcp 53
> ACCEPT loc inet udp 53
> ACCEPT loc inet all
> ACCEPT inet loc all
> DNAT inet loc:10.10.0.4 tcp 443
> DNAT inet loc:10.10.0.4 tcp 80
> DNAT inet loc:10.10.0.4 tcp 21
> DNAT inet loc:10.10.0.4 tcp 25,110
> DNAT inet loc:10.10.0.4 tcp 123
> DNAT inet loc:10.10.0.4 tcp 1723
> DNAT inet loc:10.10.0.4 tcp 3389
> DNAT inet loc:10.10.0.4 tcp 4125
> DNAT inet loc:10.10.0.4 tcp 1723
> DNAT inet loc:10.10.0.4 47 -

Shorewall has 29 configuration files. Typical users modify at least 4 of them. YOU HAVE SHOWN US ONE!

> eth0 inet addr:209.159.32.162 Bcast:209.159.32.175 Mask:255.255.255.240
> eth1 inet addr:10.10.0.1 Bcast:10.10.0.255 Mask:255.255.255.0
> eth2 inet addr:10.11.0.1 Bcast:10.11.0.255 Mask:255.255.255.0

The above is interesting but incomplete. Is your firewall the default gateway for both the 10.10.0.0/24 and 10.11.0.0/24 networks? If not, then this goes back to the same question that I asked you to start with: *What do the routing tables look like on the hosts in the two networks? In other words, do these hosts know how to route traffic to the other network?*

Marshal, a router cannot route packets that are never sent to it. And a firewall can never allow connections that it is never asked to rule on. So things must be configured so that traffic between the two networks goes through your Shorewall router/firewall -- *it doesn't happen by magic*. Masquerade/SNAT and DNAT rules can make up for lack of proper routing, but WE NEED TO KNOW if your routing is adequate before we can advise you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
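Added example, not Marshal's files and not a configuration Tom posted: one way to let only the customer network reach the FTP server on eth1 (10.10.0.4, the host his existing DNAT rules already forward port 21 to), assuming the Shorewall 2.x column layout of the time, a new zone name cust for eth2, and that hosts on both LANs use the firewall as their default gateway, which is the routing prerequisite Tom describes. The existing inet/loc rules and the eth3 VPN zone are left out.

```text
# /etc/shorewall/zones   (Shorewall 2.x column layout, assumed)
#ZONE   DISPLAY     COMMENTS
inet    Internet    Internet, eth0
loc     Local       Internal servers, eth1 (10.10.0.0/24)
cust    Customer    Customer network, eth2 (10.11.0.0/24)

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    eth0        detect
loc     eth1        detect
cust    eth2        detect

# /etc/shorewall/policy   (default deny between the two LANs, logged,
# so anything not explicitly allowed in rules shows up in the log)
#SOURCE DEST        POLICY      LOG LEVEL
loc     inet        ACCEPT
cust    inet        ACCEPT
cust    loc         DROP        info
loc     cust        DROP        info
inet    all         DROP        info
all     all         REJECT      info

# /etc/shorewall/rules   (the only hole between the LANs: the FTP control
# connection from the customer network to the one server, nothing else)
#ACTION SOURCE      DEST            PROTO   DEST PORT(S)
ACCEPT  cust        loc:10.10.0.4   tcp     21
```

No NAT is needed here because the firewall already has an interface in both subnets and routes between them directly; run `shorewall check` before `shorewall restart`. Passive-mode FTP data connections additionally depend on the ip_conntrack_ftp connection-tracking helper, which Shorewall's modules file normally loads.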
Yes, the router is on 10.10.0.1 and 10.11.0.1; it's also on 10.12.0.1 and it all routes ok. I just want it to transfer traffic from the 10.10.0.1 ftp server to the 10.11.0.1 network.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Friday, March 18, 2005 5:18 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Fowarding through networks
Marshal McInnis wrote:
> Yes the router is on 10.10.0.1 and 10.11.0.1 its also on 10.12.0.1 and
> its all routes ok I just want it to transfer traffic from the 10.10.0.1
> ftp server to 10.11.0.1 network

I give up --

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Marshal McInnis wrote:
>
>> Yes the router is on 10.10.0.1 and 10.11.0.1 its also on 10.12.0.1 and
>> its all routes ok I just want it to transfer traffic from the 10.10.0.1
>> ftp server to 10.11.0.1 network
>
> I give up --
>
> -Tom

Rightly so. That is not a proper nor a descriptive sentence; I do not know how you imagine that anyone might understand you.

Marshal, if you want help, you need to answer questions. If you still want some help, do this: http://www.shorewall.net/support.htm

Please read it all, and submit all information asked for (it says THIS IS IMPORTANT), then someone can give you the answer you seek.

Alex Martin
http://www.rettc.com