My sincere apologies to all on this list. After looking for returning packets with tcpdump and not finding ANY I called our provider to confirm our IP assignment. The IP range that I was given by my boss was incorrect. After adjusting the ip assignments, everything is working perfectly. Thank you all for your time in troubleshooting this, and I hope to be able to return the favor at some point. As my boss once told me, the devil is in the details...

-Derek

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Derek Murawsky
Sent: Thursday, June 16, 2005 6:23 PM
To: Mailing List for Shorewall Users
Subject: RE: [Shorewall-users] Setting up a routed DMZ

Alex,
    It's my understanding that in a routed environment, proxy ARP should be unnecessary. My ISP has a route to the 38.116.45.144/28 network through 68.28.28.78 (my firewall's outside IP). My firewall has a static route to that network since it's on a directly attached Ethernet card, so it seems that all should work, correct?
    Also, in this setup, I should set the DMZ'd hosts to use 66.28.28.77 as their default gateway? It's not on the same network (DMZ is 38.116.45.144/28), so will it still work? Thanks for your ideas.

-Derek

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Alex Martin
Sent: Thursday, June 16, 2005 5:32 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Setting up a routed DMZ

Derek Murawsky wrote:
> Hello all,
>     I've read the shorewall guides and browsed through the mailing lists, but I haven't been able to find out if the following is possible or not using shorewall.
> Our provider has given us 16 IPs + 4 in a separate range for our uplink.
> I would like to replace that router with a Linux box running shorewall with three interfaces. I want the DMZ to be a standard, routed network segment while the internal network is MASQd. To that end, I've set all policies to allow so that there are fewer points of failure.
>     I thought a setup like this wouldn't be difficult to configure, however I cannot ping or connect into any box on the DMZ net. I do not want to use proxy ARP, as it seems a bit wasteful in this situation (please correct me if I'm wrong here). The desired setup is below along with my configs. Thanks all for any assistance in advance.

If you want routed public ips in your dmz, and you do not want to specify a bunch of dnat rules, then you must use proxy arp, I believe. It is not wasteful. All proxy arp does is make the firewall respond to arp requests for ip addresses on one interface (a request from private masqed net) that are actually located on another interface (dmz) and forward the request to that interface and network. This makes the firewall look transparent to the arp requests from say loc to dmz. I am not sure what you mean by wasteful. Proxy arp does not use extra addresses as you might be thinking, it just tells the firewall to respond to arp requests on one interface to hosts that are actually on another interface, so that they may be found.

So, give your dmz hosts public ips, configure the firewall to proxy arp requests to the dmz for those hosts, and then use standard rules to allow traffic between net loc and dmz.

I would recommend not modifying the default policy. The way you have it means that nothing will be logged, which is not helpful for troubleshooting.

Let me know if this makes sense, if not, I can point you to or write more specific examples of configurations.

Alex Martin
http://www.rettc.com

> Desired topology
>
>          PROVIDER
>             |
>             |  Separate /30 subnet
>             |
>          ROUTER -- DMZ Net ( 14 routable IPs, 1 used as gateway (/28) )
>             |
>             |
>       MASQ'd PRIVATE
>          IP RANGE
>
> Configurations below:
> Eth0 192.168.1.211 (internal 192.168.1.0/24)
> Eth2 38.116.45.145 (dmz net 38.116.45.144/28)
> Eth4 66.28.28.78 (provider uplink 66.28.28.76/30)
>
> echo 1 >/proc/sys/net/ipv4/ip_forward
>
> Shorewall.conf is Debian 3.1 sparc64 standard
> Shorewall version 2.2.3
>
> Interfaces:
> net  eth4  detect
> dmz  eth2  detect
> loc  eth0  detect
>
> Zones:
> dmz  dmz       DeMilitarized Zone
> net  net       Outside Network
> loc  LocalNet  Local Network
>
> masq:
> eth4  eth0  66.28.28.78
>
> policy:
> loc  $FW  ACCEPT
> net  $FW  ACCEPT
> dmz  $FW  ACCEPT
> net  loc  ACCEPT
> loc  net  ACCEPT
> dmz  loc  ACCEPT
> loc  dmz  ACCEPT
> dmz  net  ACCEPT
> net  dmz  ACCEPT
>
> Rules:
> ACCEPT  net  dmz  all
> ACCEPT  dmz  net  all
> ACCEPT  all  $FW  tcp  22
> ACCEPT  $FW  all
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
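The thread is resolved by checking the addressing plan rather than the firewall rules, so here is an added example (not code from the thread or the Shorewall project) that does that check mechanically with Python's ipaddress module on the addresses Derek posted: each interface address must sit inside its stated subnet, the subnets must not overlap, a DMZ host's default gateway must be on-link (38.116.45.145, not 66.28.28.77), and the next hop the ISP routes the /28 to must be an address on the uplink /30. Inputs are the posted values embedded inline; nothing is probed on the network.

```python
"""Check the addressing plan posted in the thread with Python's ipaddress.
Added example, not code from the thread or the Shorewall project; the
addresses are the ones Derek posted (constructed input, nothing is probed)."""
import ipaddress

# Interface address and subnet per Shorewall zone, as posted.
INTERFACES = {
    "eth0": ("192.168.1.211", "192.168.1.0/24"),    # loc, masqueraded
    "eth2": ("38.116.45.145", "38.116.45.144/28"),  # dmz, routed
    "eth4": ("66.28.28.78", "66.28.28.76/30"),      # net, provider uplink
}

def check_interfaces(ifaces):
    """Return problems found: an address outside its own subnet, a
    network/broadcast address used as a host, or overlapping subnets."""
    problems, nets = [], {}
    for name, (addr, cidr) in ifaces.items():
        ip = ipaddress.ip_address(addr)
        net = ipaddress.ip_network(cidr, strict=True)
        if ip not in net:
            problems.append(f"{name}: {addr} is not inside {cidr}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is the network/broadcast address of {cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems

def gateway_on_link(gateway, host_cidr):
    """A host's default gateway must be inside the host's own subnet: for the
    DMZ that is the firewall's eth2 address, not the provider side of the
    uplink /30, which DMZ hosts cannot ARP for."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(host_cidr)

def next_hop_on_uplink(next_hop, uplink_cidr):
    """The ISP's route for the DMZ /28 must point at an address that really
    sits on the uplink /30; otherwise replies never reach the firewall, which
    is what an empty tcpdump on the outside interface shows."""
    return ipaddress.ip_address(next_hop) in ipaddress.ip_network(uplink_cidr)

if __name__ == "__main__":
    for p in check_interfaces(INTERFACES):
        print("PROBLEM:", p)
    print("DMZ gw 38.116.45.145:", gateway_on_link("38.116.45.145", "38.116.45.144/28"))
    print("DMZ gw 66.28.28.77:", gateway_on_link("66.28.28.77", "38.116.45.144/28"))
    print("ISP next hop 68.28.28.78:", next_hop_on_uplink("68.28.28.78", "66.28.28.76/30"))
```

The 68.28.28.78 next hop quoted in Derek's reply is not inside the posted 66.28.28.76/30, so the last check flags it; the posted configuration itself passes all three interface checks.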
So it turned out to be a sort of severe routing issue as traceroutes seemed to indicate. Sorry I missed the title which indicated "routed" before I went on about proxy arp.

Good luck!

Alex Martin
http://www.rettc.com

Derek Murawsky wrote:
> My sincere apologies to all on this list. After looking for returning packets with tcpdump and not finding ANY I called our provider to confirm our IP assignment. The IP range that I was given by my boss was incorrect. After adjusting the ip assignments, everything is working perfectly. Thank you all for your time in troubleshooting this, and I hope to be able to return the favor at some point. As my boss once told me, the devil is in the details...
> -Derek
>
> -----Original Message-----
> From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Derek Murawsky
> Sent: Thursday, June 16, 2005 6:23 PM
> To: Mailing List for Shorewall Users
> Subject: RE: [Shorewall-users] Setting up a routed DMZ
>
> Alex,
>     It's my understanding that in a routed environment, proxy ARP should be unnecessary. My ISP has a route to the 38.116.45.144/28 network through 68.28.28.78 (my firewall's outside IP). My firewall has a static route to that network since it's on a directly attached Ethernet card, so it seems that all should work, correct?
>     Also, in this setup, I should set the DMZ'd hosts to use 66.28.28.77 as their default gateway? It's not on the same network (DMZ is 38.116.45.144/28), so will it still work? Thanks for your ideas.