Kristian Marthinussen
2005-May-30 20:44 UTC
RE: Proxy ARP working from Internet but not from fw and loc
Hi Alex, and thanks for your time.

Probably not. The servers are only configured like they were when they were parallel to the fw. Just the default gateway, same as for the external interface on the fw. That's what the documentation instructed to configure the servers using arp.

But is it required with extra configuration on the server connected via proxy arp? Or is it some parameter in the fw that's wrong?

If the servers require additional configuration, is that a route for the 10.0.0.0/24 net via the 10.0.10.0/24 (dmz) net? ....to 10.0.10.1

kind regards,
Kristian.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Alexander Wilms
Sent: 30. mai 2005 20:43
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Proxy ARP working from Internet but not from fw and loc

On Monday 30 May 2005 17:01, Kristian wrote:

Hi Kristian,

just a quick guess: Do you have the correct route on your servers back to the 10.0.0.0/24 network? I don't have the time now to read your post carefully. Please check your routing and maybe post your server's routing table. If it doesn't help I will take a closer look.

Alex

> Hello everybody.
>
> I could not find an answer to my problem in the archive. (But that may just be me :-) )
>
> I have a problem with proxy arp and connection from loc (localnet) and from the firewall.
> Works fine from internet to dmz / proxy arp and vice versa.
>
> I have a feeling the solution is simple, but I'm no guru in Linux routing etc.
>
> The problem seems to be the routing setup.
>
> loc - 10.0.0.0/24
> net - 194.19.34.96/27
> dmz - 10.0.10.0/24
>
> There are different servers on the DMZ via proxy arp and they all respond the same.
>
> One of the servers is 194.19.34.115.
>
> If I ping this from "loc", tcpdump on the firewall gives response like this:
>
> 13:50:25.613750 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 127, id 23932, offset 0, flags [none], proto 1, length: 60) 10.0.0.50 > 194.19.34.115: icmp 40: echo request seq 13824
>
> No reply
>
> tcpdump on 115 shows:
>
> 13:45:16.266643 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 127, id 24603, offset 0, flags [none], proto 1, length: 60) 10.0.0.50 > 194.19.34.115: icmp 40: echo request seq 14080
>
> from fw to 115 gives:
>
> 13:52:46.143013 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 98: IP (tos 0x0, ttl 64, id 5, offset 0, flags [DF], proto 1, length: 84) 10.0.10.1 > 194.19.34.115: icmp 64: echo request seq 5
>
> No reply
>
> From the internet it works fine:
>
> 13:49:51.961554 00:0d:60:33:f9:da > 00:0f:3d:eb:d8:a9, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 64, id 46328, offset 0, flags [none], proto 1, length: 60) 194.19.34.115 > 217.8.138.87: icmp 40: echo reply seq 0
> 13:49:52.961112 00:0f:3d:eb:d8:a9 > 00:0d:60:33:f9:da, ethertype IPv4 (0x0800), length 74: IP (tos 0x0, ttl 120, id 12656, offset 0, flags [none], proto 1, length: 60) 217.8.138.87 > 194.19.34.115: icmp 40: echo request seq 0
>
> I can also ping between servers on the dmz (with internet IP), but this of course doesn't go through the fw/shorewall.
>
> Any ideas?
>
> It doesn't seem to be a blocking problem.
> I have put all rules / policies to ACCEPT to try that.
>
> Some configuration:
>
> shorewall version
> 2.2.4
>
> 194.19.34.126 dev eth1 scope link
> 194.19.34.125 dev eth1 scope link
> 255.255.255.255 dev eth2 scope link
> 194.19.34.105 dev eth1 scope link
> 194.19.34.100 dev eth1 scope link
> 194.19.34.98 dev eth1 scope link
> 194.19.34.115 dev eth1 scope link
> 194.19.34.99 dev eth1 scope link
> 194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.110
> 10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
> 10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.1
> 169.254.0.0/16 dev eth2 scope link
> default via 194.19.34.97 dev eth0
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 5: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
>     link/ether 00:0f:3d:eb:d8:aa brd ff:ff:ff:ff:ff:ff
>     inet 194.19.34.110/27 brd 194.19.34.127 scope global eth0
>     inet6 fe80::20f:3dff:feeb:d8aa/64 scope link
>        valid_lft forever preferred_lft forever
> 6: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:0f:3d:eb:d8:a9 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.10.1/24 brd 10.0.10.255 scope global eth1
>     inet6 fe80::20f:3dff:feeb:d8a9/64 scope link
>        valid_lft forever preferred_lft forever
> 7: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:25:aa:78:ea brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth2
>     inet6 fe80::211:25ff:feaa:78ea/64 scope link
>        valid_lft forever preferred_lft forever
> 8: sit0: <NOARP> mtu 1480 qdisc noop
>     link/sit 0.0.0.0 brd 0.0.0.0
>
> /etc/shorewall/proxyarp
> ############################################################################
> #ADDRESS        INTERFACE   EXTERNAL   HAVEROUTE   PERSISTENT
> 194.19.34.115   eth1        eth0       NO
>
> /etc/shorewall/interface
> ############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> #
> net     eth0        detect      norfc1918
> loc     eth2        detect      dhcp
> dmz     eth1        detect
>
> Kind regards,
> Kristian.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Alexander Wilms
2005-May-30 23:40 UTC
Re: Proxy ARP working from Internet but not from fw and loc
On Monday 30 May 2005 22:44, Kristian Marthinussen wrote:
> Hi Alex, and thanks for your time.
>
> Probably not.
> The servers are only configured like they were when they were parallel to the fw.
> Just the default gateway, same as for the external interface on the fw.
> That's what the documentation instructed to configure the servers using arp.

Yes, you are right. I was on the wrong way I think.

Also take a look at Jerry Vonau's answer. Guess he could be right with the masq entry (at least it is one possible way). But there's something that I'm not comfortable with yet. I'll take a closer look tomorrow.

Just for my personal interest: Please post your server's routing table using ip route ls.

Alex
Hi Alex.

ip route ls

194.19.34.126 dev eth1 scope link
194.19.34.125 dev eth1 scope link
255.255.255.255 dev eth2 scope link
194.19.34.105 dev eth1 scope link
194.19.34.100 dev eth1 scope link
194.19.34.98 dev eth1 scope link
194.19.34.115 dev eth1 scope link
194.19.34.99 dev eth1 scope link
194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.110
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.1
169.254.0.0/16 dev eth2 scope link
default via 194.19.34.97 dev eth0

I can't try much now. Working hours. So I will try some of the suggestions later.

Kristian.
Alexander Wilms
2005-May-31 10:04 UTC
Re: Proxy ARP working from Internet but not from fw and loc
This is the routing table of the server behind the firewall? Looks like the firewall's routing table. Or am I wrong?
Yes, it's the firewall. I misunderstood.

Here is the ip route ls for the 194.19.34.115 server. (No manual changes have been done to this server.)

194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.115
172.16.0.0/24 dev eth1 proto kernel scope link src 172.16.0.15
169.254.0.0/16 dev eth1 scope link
default via 194.19.34.97 dev eth0

The server also has a local network card - eth1. This is not on the new fw local range (10.0.0.0/24). We don't use 169.254.0.0/16.

/Kristian.
Thanks guys. (Alex and Jerry)

Now all is working :-)

- Changed the address on the DMZ interface to the same as the external NIC with netmask 255.255.255.255. Then the firewall could connect to the dmz proxyarp'ed servers. (To and from internet has been working all the time.)

- Added a new entry in the masq file for NAT/masquerading support from loc to dmz. Then access from the local network to the dmz worked.

So, it doesn't require any changes on the proxyarp'ed servers in respect to routing etc.

/Kristian.
Alexander Wilms
2005-May-31 19:16 UTC
Re: Proxy ARP working from Internet but not from fw and loc
On Tuesday 31 May 2005 19:53, K wrote:
> Thanks guys.
> (Alex and Jerry)
>
> Now all is working :-)

OK, now you were quicker than me. ;-)

But: You just worked "around" the "original" problem.

Let's clear up this issue a bit.

Error Scenario: Your tcpdump dump showed that the packets were forwarded correctly loc -> fw -> dmz. But packets were not sent out back from the dmz server.

So here we have/had two possibilities why your former setup didn't work:

1) Wrong routing by not choosing the ISP's router as default gateway:
- That's why I asked for your server's routing table, but your routing was correct.

So here comes the second possible reason:

2) Can it be that you are running shorewall (or raw iptables) on the DMZ server? Including the rfc1918 interface option? Because in your setup before Proxy-ARP this server was parallel to the firewall?
Btw., I'm very sure about that. ;-)

Your workaround: By using masquerading (and changing the dmz interface ip of the shorewall box) now all packets seem to come from a public (and non-rfc1918) address. So the still used rfc1918 option doesn't block anymore.

Is it like this Kristian?

Btw, credits go to a friend who saw the big picture by saying: Ehhh, maybe he is blocking traffic with another shorewall installation on the server. This server was connected to the Internet directly before.

HTH,
Alex
Hi Alex.

I didn't think of that. Probably true about the no rfc1918 network. The servers all run the gShield firewall, and probably block these addresses. (I'm not sure)

Does this mean that the old configuration should work even without masq from loc to dmz?

So if I remove the firewall on the servers, change the dmz interface back to 10.0.10.0/24 and remove the masq option from loc to dmz it should work?

/K
On Tuesday 31 May 2005 22:21, K wrote:
> Hi Alex.
>
> I didn't think of that.
> Probably true about the no rfc1918 network.
> The servers all run gShield firewall, and probably block these addresses.
> (I'm not sure)

I am :-)

> Does this mean that the old configuration should work even without masq
> from loc to dmz?

Yes.

> So if I remove the firewall on the servers, change the dmz interface back
> to 10.0.10.0/24 and remove the masq option from loc to dmz it should work?

You don't need to change it back. See http://www.shorewall.net/ProxyARP.htm

As Tom wrote: Note: I've used an RFC1918 IP address for eth1 - that IP address is largely irrelevant (see below). -> First diagram

Later he even suggests to use the same IP for the DMZ interface that the net interface has, but with a /32 netmask (only 1 host, no network). -> Second diagram

Proxy ARP causes all the packets that are sent out via the default route (ISP's router IP) to be accepted by the firewall. So only this default route is needed in this setup. Then the firewall does the correct routing. So the DMZ IP address doesn't matter, because no packet will ever be addressed to this interface's IP directly.

Hope my explanation was understandable,
Alex
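Alex's explanation above (request forwarded loc -> fw -> dmz, reply dropped by the server's own RFC1918 filter, masquerading hiding the private source, and the DMZ interface address being irrelevant because the server only needs its default route) can be traced step by step. This is an added example, not code from the thread or from Shorewall: the routing tables and addresses are the ones quoted in the messages above, the server-side RFC1918 drop and the masquerade step are modelled as Alex described them, and proxy_arp on eth1 answering for addresses the firewall reaches via other interfaces is assumed from the proxyarp entry with EXTERNAL eth0.

```python
"""Trace of the ping paths discussed in this thread (added example)."""
import ipaddress
# Routing tables as quoted in the thread (ip route ls), trimmed to the
# routes that matter for the 194.19.34.115 server.
FW_ROUTES = """\
194.19.34.115 dev eth1 scope link
194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.110
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
10.0.10.0/24 dev eth1 proto kernel scope link src 10.0.10.1
default via 194.19.34.97 dev eth0
"""
SERVER_ROUTES = """\
194.19.34.96/27 dev eth0 proto kernel scope link src 194.19.34.115
172.16.0.0/24 dev eth1 proto kernel scope link src 172.16.0.15
default via 194.19.34.97 dev eth0
"""
SERVER = "194.19.34.115"
DMZ_IF = "eth1"  # firewall interface towards the proxy-ARP'ed servers
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Turn 'ip route ls' lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((ipaddress.ip_network(dst, strict=False), via,
                       f[f.index("dev") + 1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the kernel FIB selects a route."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in n for n in RFC1918)


def fw_proxy_arps_for(fw_routes, iface, target):
    """proxy_arp on `iface`: the firewall answers ARP there for any address
    it reaches through a different interface (assumed, as EXTERNAL=eth0 implies)."""
    r = lookup(fw_routes, target)
    return r is not None and r[2] != iface


def ping_path(src, server_drops_rfc1918=True, masq_as=None):
    """Follow one echo request from `src` to SERVER and the reply back.

    server_drops_rfc1918: the server's own firewall drops RFC1918 sources
    (Alex's explanation).  masq_as: public address the firewall
    masquerades RFC1918 sources to on the DMZ side (the masq workaround).
    Returns (reply_seen, trace); trace is a list of step strings.
    """
    fw, srv = parse_routes(FW_ROUTES), parse_routes(SERVER_ROUTES)
    r = lookup(fw, SERVER)
    if r is None or r[2] != DMZ_IF:
        return False, [f"fw: no host route to {SERVER} on {DMZ_IF}"]
    trace = [f"fw: {src} -> {SERVER} out {r[2]} (proxyarp host route)"]
    wire_src = masq_as if masq_as and is_rfc1918(src) else src
    if wire_src != src:
        trace.append(f"fw: masqueraded, source is now {wire_src}")
    # The server's packet filter sees the request first.
    if server_drops_rfc1918 and is_rfc1918(wire_src):
        return False, trace + [f"server: dropped request from RFC1918 {wire_src}"]
    # The server routes its reply; the only route it needs is the default.
    back = lookup(srv, wire_src)
    if back is None:
        return False, trace + [f"server: no route back to {wire_src}"]
    nexthop = back[1] or wire_src
    trace.append(f"server: reply to {wire_src} via {nexthop} dev {back[2]}")
    # The server ARPs for the next hop on the DMZ link; the firewall answers.
    if not fw_proxy_arps_for(fw, DMZ_IF, nexthop):
        return False, trace + [f"fw: no proxy ARP for {nexthop}, reply lost"]
    trace.append(f"fw: answered ARP for {nexthop}, reply accepted on {DMZ_IF}")
    # A masqueraded reply is addressed to the firewall itself; conntrack
    # restores the original source before the final routing step.
    out = lookup(fw, src)
    if out is None:
        return False, trace + [f"fw: no route back to {src}"]
    trace.append(f"fw: reply delivered to {src} out {out[2]}")
    return True, trace


if __name__ == "__main__":
    for label, src, kw in [("loc, original", "10.0.0.50", {}),
                           ("fw, original", "10.0.10.1", {}),
                           ("internet", "217.8.138.87", {}),
                           ("loc, masq", "10.0.0.50", {"masq_as": "194.19.34.110"}),
                           ("loc, no filter", "10.0.0.50", {"server_drops_rfc1918": False})]:
        ok, steps = ping_path(src, **kw)
        print(f"[{label}] reply: {'yes' if ok else 'no'}\n   " + "\n   ".join(steps))
```

A ping from the firewall itself after the DMZ interface was given 194.19.34.110/32 corresponds to ping_path("194.19.34.110"); with the original 10.0.10.1 source it is dropped just like the loc case.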
Hi again.

Thanks very much. The explanation was understandable.
I may try the old setup for curiosity.

/K

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net
[mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Alexander Wilms
Sent: 31. mai 2005 23:12
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Proxy ARP working from Internet but not from fw and loc

On Tuesday 31 May 2005 22:21, K wrote:
> Hi Alex.
>
> I didn't think of that.
> Probably true about the no rfc1918 network.
> The servers all run gShield firewall, and probably block these addresses.
> (I'm not sure)

I am :-)

> Does this mean that the old configuration should work even without masq
> from loc to dmz?

Yes.

> So if I remove the firewall on the servers, change the dmz interface back
> to 10.0.10.0/24 and remove the masq option from loc to dmz it should work?

You don't need to change it back.

See http://www.shorewall.net/ProxyARP.htm

As Tom wrote: "Note: I've used an RFC1918 IP address for eth1 - that IP address is
largely irrelevant (see below)." -> First diagram

Later he even suggests to use the same IP for the DMZ interface that the net
interface has, but with a /32 netmask (only 1 host, no network) -> Second diagram

Proxy ARP causes all the packets that are sent out via default route (ISP's
router IP) to be accepted by the firewall. So only this default route is needed
in this setup. Then the firewall does the correct routing.

So the DMZ IP address doesn't matter, because no packet will ever be addressed
to this interface's IP directly.

Hope my explanation was understandable,
Alex

> /K
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net
> [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Alexander Wilms
> Sent: 31. mai 2005 21:17
> To: Mailing List for Shorewall Users
> Subject: Re: [Shorewall-users] Proxy ARP working from Internet but not from fw and loc
>
> On Tuesday 31 May 2005 19:53, K wrote:
> > Thanks guys.
> > (Alex and Jerry)
> >
> > Now all is working :-)
>
> OK, now you were quicker than me. ;-)
>
> But:
> You just worked "around" the "original" problem.
>
> Let's clear up this issue a bit.
>
> Error Scenario: Your tcpdump showed that the packets were forwarded
> correctly loc -> fw -> dmz.
> But packets were not sent back out from the dmz server.
>
> So here we have/had two possibilities why your former setup didn't work:
>
> 1) Wrong routing by not choosing the ISP's router as default gateway:
> - That's why I asked for your server's routing table, but your routing was
> correct.
>
> So here comes the second possible reason:
>
> 2) Can it be that you are running shorewall (or raw iptables) on the DMZ
> server? Including the rfc1918 interface option? Because in your setup before
> Proxy-ARP this server was parallel to the firewall?
> Btw., I'm very sure about that. ;-)
>
> Your workaround: By using masquerading (and changing the dmz interface ip of
> the shorewall box) now all packets seem to come from a public (and
> non-rfc1918) address. So the still used rfc1918 option doesn't block anymore.
>
> Is it like this Kristian?
>
> Btw, credits go to a friend who saw the big picture by saying: Ehhh, maybe he
> is blocking traffic with another shorewall installation on the server. This
> server was connected to the Internet directly before.
>
> HTH,
> Alex
> On Tuesday 31 May 2005 19:53, K wrote:
> > Thanks guys.
> > (Alex and Jerry)
> >
> > Now all is working :-)
>
> OK, now you were quicker than me. ;-)
>
> But:
> You just worked "around" the "original" problem.

It's not a work around, it IS the correct way IMHO, behaves the same way as if
the net and dmz interface were bridged. Bridging is a much cleaner way of doing
this.

> Let's clear up this issue a bit.
>
> Error Scenario: Your tcpdump showed that the packets were forwarded
> correctly loc -> fw -> dmz.
> But packets were not sent back out from the dmz server.
>
> So here we have/had two possibilities why your former setup didn't work:
>
> 1) Wrong routing by not choosing the ISP's router as default gateway:
> - That's why I asked for your server's routing table, but your routing was
> correct.
>
> So here comes the second possible reason:
>
> 2) Can it be that you are running shorewall (or raw iptables) on the DMZ
> server? Including the rfc1918 interface option? Because in your setup before
> Proxy-ARP this server was parallel to the firewall?
> Btw., I'm very sure about that. ;-)
>
> Your workaround: By using masquerading (and changing the dmz interface ip of
> the shorewall box) now all packets seem to come from a public (and
> non-rfc1918) address. So the still used rfc1918 option doesn't block anymore.

We would not be guessing what is in the config files, had they been posted.

> Is it like this Kristian?
>
> Btw, credits go to a friend who saw the big picture by saying: Ehhh, maybe he
> is blocking traffic with another shorewall installation on the server. This
> server was connected to the Internet directly before.
>
> HTH,
> Alex

Jerry Vonau
> > We would not be guessing what is in the config files, had they been
> > posted.

Oops, they were posted ..

Jerry
On Wednesday 01 June 2005 02:12, Jerry Vonau wrote:
> > On Tuesday 31 May 2005 19:53, K wrote:
> > > Thanks guys.
> > > (Alex and Jerry)
> > >
> > > Now all is working :-)
> >
> > OK, now you were quicker than me. ;-)
> >
> > But:
> > You just worked "around" the "original" problem.
>
> It's not a work around, it IS the correct way IMHO, behaves the same way as if
> the net and dmz interface were bridged. Bridging is a much cleaner way of doing
> this.

Hi Jerry,

I used "work around" because the solution you advised was to hide the rfc1918
address by masquerading. It is an approach, but it is a work around. Because the
"real" problem was the firewall rules used on the DMZ servers, not shorewall.

Kristian's shorewall setup was correct! This was shown by the tcpdump he sent.
Packets travelled all along the way till they got dropped on the DMZ server.
(Or, as I first guessed: not sent out due to a routing issue on the DMZ server,
but I was wrong.)

Don't get it wrong: Your solution was not wrong, just another approach. So my
post was just intended to find the real setup mistake and to clear up this issue
for other ProxyArp/Shorewall users here on the list.

If you and I had seen the "big picture" of a second firewall running on the DMZ
server - as my friend saw *directly* :-) - this thread would have been much
shorter :-)

Anyway, it was an interesting setup and I had fun learning by debugging it.

So long,
Alex
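The diagnostic the thread turns on, both in Alex's "Error Scenario" and in his wrap-up above (echo requests reach the DMZ host but no reply ever comes back, with the unanswered clients all being RFC1918 addresses), can be automated rather than read off two tcpdump windows by eye. This is an added example, not code from the thread or from Shorewall; the capture lines and addresses in it are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# ICMP echo lines in tcpdump's summary form, as pasted in the thread. The capture is
# constructed: 10.0.0.50 plays "loc", 10.0.10.1 the firewall's DMZ address,
# 203.0.113.15 a public DMZ server and 198.51.100.7 an Internet client.
ICMP_RE = re.compile(r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
                     r"icmp \d+: echo (?P<kind>request|reply) seq (?P<seq>\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONSTRUCTED_CAPTURE = """\
13:50:25.613750 IP 10.0.0.50 > 203.0.113.15: icmp 40: echo request seq 13824
13:50:26.614201 IP 10.0.0.50 > 203.0.113.15: icmp 40: echo request seq 14080
13:52:46.143013 IP 10.0.10.1 > 203.0.113.15: icmp 64: echo request seq 5
13:49:51.960112 IP 198.51.100.7 > 203.0.113.15: icmp 40: echo request seq 0
13:49:51.961554 IP 203.0.113.15 > 198.51.100.7: icmp 40: echo reply seq 0
"""


def is_rfc1918(ip):
    """True if ip lies in one of the three RFC1918 private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def pair_echoes(capture):
    """Map (client, server) -> (requests, replies, unanswered seqs).

    A reply is matched to its request by swapping src/dst and comparing the ICMP
    sequence number, the pairing one otherwise does by eye across two captures."""
    pending = defaultdict(set)            # flow -> seqs still waiting for a reply
    counts = defaultdict(lambda: [0, 0])  # flow -> [requests, replies]
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue
        seq = int(m["seq"])
        if m["kind"] == "request":
            flow = (m["src"], m["dst"])
            pending[flow].add(seq)
            counts[flow][0] += 1
        elif seq in pending[(m["dst"], m["src"])]:   # a reply runs server -> client
            flow = (m["dst"], m["src"])
            pending[flow].discard(seq)
            counts[flow][1] += 1
    return {f: (c[0], c[1], sorted(pending[f])) for f, c in counts.items()}


def one_way_flows(capture):
    """Flows that got requests but never a reply, tagged with whether the client is
    RFC1918. The thread's eventual explanation, a host firewall on the DMZ server
    dropping private-source packets, shows up exactly as such flows."""
    return sorted((c, s, is_rfc1918(c))
                  for (c, s), (req, rep, _) in pair_echoes(capture).items() if req and not rep)
```

Run it over the output of `tcpdump -n` taken on the DMZ server: if the only one-way flows are the ones with RFC1918 clients while Internet clients get replies, the server's own filtering, not the Shorewall box, is the first thing to check.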