Hi All,

Well, I installed the new Debian based Shorewall firewall last night to
replace our older firewall running under slackware and here are the
results. Failure. Errgggh

The two internal interfaces came up no problem, I could talk to both
the dmz and loc, loc1 zones. But talking to the internet was a big no
go. I checked the current firewall setup to make sure I had the right
info and as far as I can see (I'm not a slackware user) they are set up
the same. Both the new and the old firewalls have the same 192.168.0.2
interface, both can ping the internet router at 192.168.0.1 but packets
cannot get beyond that. I even installed the network card from the old
firewall's net interface on the new box just in case the router was doing
something strange with mac addresses. I guess I need to go back and
relook at the slackware configuration. Is there anything you guys might
suggest? BTW the new shorewall rules are MUCH easier to follow than the
existing convoluted ip.firewall script that is in place now. I forgot
to add ssh from the firewall to the loc1 interface (thanks for the
nested zones Tom) and it took about 4 seconds to figure out what was
wrong and fix it. Outstanding package :)

Thanks for listening to my half awake rant.
Sean

-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> Well, I installed the new Debian based Shorewall firewall last night to
> replace our older firewall running under slackware and here are the
> results. Failure. Errgggh
>
> The two internal interfaces came up no problem, I could talk to both
> the dmz and loc, loc1 zones. But talking to the internet was a big no
> go. I checked the current firewall setup to make sure I had the right
> info and as far as I can see (I'm not a slackware user) they are set up
> the same. Both the new and the old firewalls have the same 192.168.0.2
> interface, both can ping the internet router at 192.168.0.1 but packets
> cannot get beyond that. I even installed the network card from the old
> firewall's net interface on the new box just in case the router was doing
> something strange with mac addresses. I guess I need to go back and
> relook at the slackware configuration. Is there anything you guys might
> suggest? BTW the new shorewall rules are MUCH easier to follow than the
> existing convoluted ip.firewall script that is in place now. I forgot
> to add ssh from the firewall to the loc1 interface (thanks for the
> nested zones Tom) and it took about 4 seconds to figure out what was
> wrong and fix it. Outstanding package :)
>
> Thanks for listening to my half awake rant.
> Sean

Sounds like you're missing a default route.

Jerry
Sean Roe wrote:
> Hi All,
>
> Well, I installed the new Debian based Shorewall firewall last night
> to replace our older firewall running under slackware and here are the
> results. Failure. Errgggh
>
> The two internal interfaces came up no problem, I could talk to both
> the dmz and loc, loc1 zones. But talking to the internet was a big no
> go. I checked the current firewall setup to make sure I had the right
> info and as far as I can see (I'm not a slackware user) they are set
> up the same. Both the new and the old firewalls have the same
> 192.168.0.2 interface, both can ping the internet router at
> 192.168.0.1 but packets cannot get beyond that. I even installed the
> network card from the old firewall's net interface on the new box just
> in case the router was doing something strange with mac addresses. I
> guess I need to go back and relook at the slackware configuration. Is
> there anything you guys might suggest? BTW the new shorewall rules
> are MUCH easier to follow than the existing convoluted ip.firewall script
> that is in place now. I forgot to add ssh from the firewall to the
> loc1 interface (thanks for the nested zones Tom) and it took about 4
> seconds to figure out what was wrong and fix it. Outstanding package :)
>
> Thanks for listening to my half awake rant.
> Sean

While in the midst of preparations for hari-kari I noticed this little bit
from the existing ip.firewall script:

for loop in $ip_array
do
    int="$ip_int."`echo $loop|cut -d: -f2`;
    #ext="$ip_ext."`echo $loop|cut -d: -f1`;
    ext=`echo $loop|cut -d: -f1`;
    /sbin/ip addr add $ext dev eth0
    $iptables -t nat -A PREROUTING -i eth0 -d $ext -j DNAT --to $int;
    $iptables -t nat -A POSTROUTING -s $int -j SNAT --to $ext;
done

/sbin/ip addr add 66.235.241.62 dev eth0;
##$iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
$iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source 66.235.241.62

Is this the root of my issue?

Sean
Sean Roe wrote:

Clipped for stupidity reduction.

> for loop in $ip_array
> do
>     int="$ip_int."`echo $loop|cut -d: -f2`;
>     #ext="$ip_ext."`echo $loop|cut -d: -f1`;
>     ext=`echo $loop|cut -d: -f1`;
>     /sbin/ip addr add $ext dev eth0
>     $iptables -t nat -A PREROUTING -i eth0 -d $ext -j DNAT --to $int;
>     $iptables -t nat -A POSTROUTING -s $int -j SNAT --to $ext;
> done

I assume that the above is equivalent to making entries in the nat file?

> /sbin/ip addr add 66.235.241.62 dev eth0;

I need to add this interface (eth0 is the external interface); where is the
best place?

> $iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT
> --to-source 66.235.241.62

Where should the equivalent shorewall entry be made?

> Is this the root of my issue?

No, personal stupidity is the root cause :)

Thanks,
Sean
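The DNAT/SNAT pair the loop installs for each address is one-to-one NAT, which is what a single line in Shorewall's nat file expresses, and the trailing SNAT rule is what the masq file expresses. As an added example (written for this thread, not code from Shorewall or from the poster's script), a POSIX sh script that turns the old "ext:intsuffix" ip_array entries into nat-file lines and the generic SNAT rule into a masq-file line, refusing malformed addresses such as the line-wrapped "66 .235.241.62". It assumes the external interface is eth0, the nat file's EXTERNAL / INTERFACE / INTERNAL column order, and ADD_IP_ALIASES=Yes (nat) and ADD_SNAT_ALIASES=Yes (masq) in shorewall.conf so Shorewall adds the public addresses itself in place of the script's "/sbin/ip addr add" lines.

```shell
#!/bin/sh
# Added example: convert the legacy ip.firewall NAT loop into Shorewall
# nat/masq entries. Everything is text in, text out; nothing touches the
# kernel, so it is safe to run anywhere.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
# The old script would have fed a wrapped "66 .235.241.62" straight to
# iptables; this is the check that catches it.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# legacy_to_nat IP_INT "EXT:SUF ...": print one nat-file line per mapping
# (EXTERNAL  INTERFACE  INTERNAL), in the order the old for-loop used.
# Malformed entries are reported on stderr and the function returns 1.
legacy_to_nat() {
    ip_int=$1
    rc=0
    for loop in $2; do
        ext=${loop%%:*}                 # same as: echo $loop | cut -d: -f1
        int="$ip_int.${loop#*:}"        # same as: "$ip_int."`cut -d: -f2`
        if is_ipv4 "$ext" && is_ipv4 "$int"; then
            printf '%s\teth0\t%s\n' "$ext" "$int"
        else
            printf 'bad mapping skipped: %s\n' "$loop" >&2
            rc=1
        fi
    done
    return $rc
}

# snat_to_masq IFACE SUBNET ADDR: the generic
#   -s SUBNET -o eth0 -j SNAT --to-source ADDR
# rule becomes one masq-file line (INTERFACE  SUBNET  ADDRESS). Writing the
# interface as eth0:0, as in the thread's masq file, names the alias that
# Shorewall creates for ADDR when ADD_SNAT_ALIASES=Yes.
snat_to_masq() {
    if ! is_ipv4 "$3"; then
        printf 'bad SNAT address: %s\n' "$3" >&2
        return 1
    fi
    printf '%s\t%s\t%s\n' "$1" "$2" "$3"
}

# Demo with constructed values in the shape the old script expects
# (ip_int is the internal prefix, ip_array the ext:suffix pairs).
echo "# /etc/shorewall/nat"
legacy_to_nat 192.168.1 "66.235.241.3:5 66.235.241.5:6 66:7" \
    || echo "# some mappings were skipped, see stderr"
echo "# /etc/shorewall/masq"
snat_to_masq eth0:0 192.168.0.0/16 66.235.241.62
```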
> I assume that the above is equivalent to making entries in the nat file?
>
> > /sbin/ip addr add 66.235.241.62 dev eth0;
>
> I need to add this interface (eth0 is the external interface); where is
> the best place?
>
> > $iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT
> > --to-source 66.235.241.62
>
> Where should the equivalent shorewall entry be made?
>
> > Is this the root of my issue?
>
> No, personal stupidity is the root cause :)

Let's have a quick look at some stuff, can you post the output of
"ip route show" and "ip addr show"?

Jerry
Jerry Vonau wrote:
>> I assume that the above is equivalent to making entries in the nat file?
>>
>>> /sbin/ip addr add 66.235.241.62 dev eth0;
>>
>> I need to add this interface (eth0 is the external interface); where is
>> the best place?
>>
>>> $iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT
>>> --to-source 66.235.241.62
>>
>> Where should the equivalent shorewall entry be made?
>>
>>> Is this the root of my issue?
>>
>> No, personal stupidity is the root cause :)
>
> Let's have a quick look at some stuff, can you post the output of
> "ip route show" and "ip addr show"?
>
> Jerry

On the current firewall:

ip route show
192.168.3.100/30 via 192.168.5.2 dev eth2
192.168.5.0/30 dev eth2 proto kernel scope link src 192.168.5.1
192.168.3.0/30 via 192.168.5.2 dev eth2
192.168.4.0/24 via 192.168.5.2 dev eth2
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
192.168.12.0/24 via 192.168.5.2 dev eth2
192.168.11.0/24 via 192.168.5.2 dev eth2
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth0 metric 1

There are some extraneous entries in the above: all the
192.168.[2,3,11,12].xx entries have gone away (not used anymore).
ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:41:24:bc brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
    [long run of "inet a.b.c.d/32 scope global eth0" public alias lines omitted]
    inet 66.235.241.62/32 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:ad:45:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1:2
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:ad:45:a3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/30 brd 192.168.5.3 scope global eth2

New Firewall:

ip addr show:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:09:d2:c4:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global eth0
    [long run of "inet a.b.c.d/32 scope global eth0" public alias lines omitted]
    inet 66.235.241.62/32 scope global eth0:0
    inet6 fe80::2d0:9ff:fed2:c4ce/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:c0:49:63:53:29 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.1/30 brd 192.168.5.255 scope global eth1
    inet6 fe80::2c0:49ff:fe63:5329/64 scope link
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:29:24:84:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth2
    inet6 fe80::2e0:29ff:fe24:848d/64 scope link
       valid_lft forever preferred_lft forever
5: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

fw02:~# ip route show:
192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
default via 192.168.5.2 dev eth1
default via 192.168.0.1 dev eth0

This is after I included the masq file:

###############################################################################
#INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0:0          192.168.0.0/16  66.235.241.62
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Sean Roe wrote:
> <clipped for exceedingly long post>
>
> ip route show:
> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> default via 192.168.5.2 dev eth1
> default via 192.168.0.1 dev eth0

Stupid question # 326 today:
Why does it keep adding the default route "default via 192.168.5.2 dev eth1"?

Thanks,
Sean
> > ip route show:
> > 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
> > 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
> > 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> > default via 192.168.5.2 dev eth1
> > default via 192.168.0.1 dev eth0
>
> Stupid question # 326 today:
> Why does it keep adding the default route "default via 192.168.5.2 dev eth1"?

How are you configuring the interfaces?

Jerry
> On the current firewall:
>
> ip route show
> 192.168.3.100/30 via 192.168.5.2 dev eth2
> 192.168.5.0/30 dev eth2 proto kernel scope link src 192.168.5.1
> 192.168.3.0/30 via 192.168.5.2 dev eth2
> 192.168.4.0/24 via 192.168.5.2 dev eth2
> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> 192.168.12.0/24 via 192.168.5.2 dev eth2
> 192.168.11.0/24 via 192.168.5.2 dev eth2
> 127.0.0.0/8 dev lo scope link
> default via 192.168.0.1 dev eth0 metric 1
>
> There are some extraneous entries in the above: all the
> 192.168.[2,3,11,12].xx entries have gone away (not used anymore).

Oh boy, on the old firewall what does "cat /etc/iproute2/rt_tables" output?
Can you post all the config files you changed?

Jerry
Jerry Vonau wrote:
>>> ip route show:
>>> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
>>> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
>>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
>>> default via 192.168.5.2 dev eth1
>>> default via 192.168.0.1 dev eth0
>>
>> Stupid question # 326 today:
>> Why does it keep adding the default route "default via 192.168.5.2 dev eth1"?
>
> How are you configuring the interfaces?
>
> Jerry

Just through /etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 192.168.0.2
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    dns-nameservers 207.246.52.15
    dns-search adoption.com

auto eth1
iface eth1 inet static
    address 192.168.5.1
    netmask 255.255.255.252
    network 192.168.5.0
    gateway 192.168.5.2
    dns-nameservers 192.168.1.5
    dns-search adoption.com

auto eth2
iface eth2 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.5.0
    broadcast 192.168.1.255
    gateway 192.168.5.2
    dns-nameservers 192.168.1.5
    dns-search adoption.com
    # up /sbin/ip addr add 192.168.2.1/24 brd 192.168.2.255 dev eth2 label eth2:0

P.S. why doesn't the line above work? It's commented out right now but
even when it's not, it won't come up.
Jerry Vonau wrote:
>> On the current firewall:
>>
>> ip route show
>> 192.168.3.100/30 via 192.168.5.2 dev eth2
>> 192.168.5.0/30 dev eth2 proto kernel scope link src 192.168.5.1
>> 192.168.3.0/30 via 192.168.5.2 dev eth2
>> 192.168.4.0/24 via 192.168.5.2 dev eth2
>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
>> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
>> 192.168.12.0/24 via 192.168.5.2 dev eth2
>> 192.168.11.0/24 via 192.168.5.2 dev eth2
>> 127.0.0.0/8 dev lo scope link
>> default via 192.168.0.1 dev eth0 metric 1
>>
>> There are some extraneous entries in the above: all the
>> 192.168.[2,3,11,12].xx entries have gone away (not used anymore).
>
> Oh boy, on the old firewall what does "cat /etc/iproute2/rt_tables" output?

cat /etc/iproute2/rt_tables
#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

> Can you post all the config files you changed?

On the new server? Completely different setup: old=slackware,
new=debian,shorewall. I'd be happy to, just need to know which ones. I posted
my config yesterday (except for the masq entry from today).

Sean
>>>> ip route show:
>>>> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
>>>> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
>>>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
>>>> default via 192.168.5.2 dev eth1
>>>> default via 192.168.0.1 dev eth0
>>>
>>> Stupid question # 326 today:
>>> Why does it keep adding the default route "default via 192.168.5.2 dev eth1"?
<snip>
> auto eth1
> iface eth1 inet static
>     address 192.168.5.1
>     netmask 255.255.255.252
>     network 192.168.5.0
>     gateway 192.168.5.2
>     dns-nameservers 192.168.1.5
>     dns-search adoption.com

You're telling it to with the gateway entry.

> auto eth2
> iface eth2 inet static
>     address 192.168.1.1
>     netmask 255.255.255.0
>     network 192.168.5.0
>     broadcast 192.168.1.255
>     gateway 192.168.5.2
>     dns-nameservers 192.168.1.5
>     dns-search adoption.com
>     # up /sbin/ip addr add 192.168.2.1/24 brd 192.168.2.255 dev eth2 label eth2:0
>
> P.S. why doesn't the line above work? It's commented out right now but
> even when it's not, it won't come up.

I checked the syntax here with:
/sbin/ip addr add 192.168.2.1/24 brd 192.168.2.255 dev eth1 label eth1:0
and I get:
eth1:0    Link encap:Ethernet  HWaddr 00:60:08:C0:25:89
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Interrupt:12 Base address:0x6600

So, I'm not sure.

Jerry
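The second default route traces back to more than one stanza in /etc/network/interfaces carrying a gateway line, since ifupdown tries to install a default route for each of them. As an added example (written for this thread, not from the poster or from ifupdown), a POSIX sh script with awk that lists every default route in "ip route show" output and every stanza in an interfaces file that has a gateway, and fails unless exactly one stanza does; the sample inputs below are constructed from the outputs quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: detect the "two default routes" symptom and its cause.
# Both helpers take their input as text so this runs offline; on a real
# box feed them "$(ip route show)" and "$(cat /etc/network/interfaces)".

# default_routes ROUTE_TEXT: print "GATEWAY DEV" for every default route.
default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        via = ""; dev = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "via") via = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        print via, dev
    }'
}

# gateway_ifaces INTERFACES_TEXT: print "IFACE GATEWAY" for each stanza
# that carries a gateway line. Each such stanza makes ifupdown attempt a
# default route, so more than one line here is the misconfiguration.
gateway_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "iface"   { cur = $2 }
        $1 == "gateway" { print cur, $2 }'
}

# check_single_gateway INTERFACES_TEXT: succeed only when exactly one stanza
# has a gateway; otherwise list the offenders on stderr and return 1.
check_single_gateway() {
    found=$(gateway_ifaces "$1")
    n=$(printf '%s\n' "$found" | grep -c . || true)
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    printf 'expected one gateway stanza, found %s:\n%s\n' "$n" "$found" >&2
    return 1
}

# Constructed samples, taken from the new firewall's output and config as
# quoted in the thread (trimmed to the lines that matter here).
ROUTES='192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
default via 192.168.5.2 dev eth1
default via 192.168.0.1 dev eth0'

INTERFACES='auto eth0
iface eth0 inet static
    address 192.168.0.2
    gateway 192.168.0.1
auto eth1
iface eth1 inet static
    address 192.168.5.1
    gateway 192.168.5.2
auto eth2
iface eth2 inet static
    address 192.168.1.1
    gateway 192.168.5.2'

# Demo: show the symptom, then the cause.
echo "default routes present:"
default_routes "$ROUTES"
check_single_gateway "$INTERFACES" \
    || echo "fix: keep the gateway line only in the external (eth0) stanza"
```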
>> auto eth1
>> iface eth1 inet static
>>         address 192.168.5.1
>>         netmask 255.255.255.252
>>         network 192.168.5.0
>>         gateway 192.168.5.2
>>         dns-nameservers 192.168.1.5
>>         dns-search adoption.com
>
> You're telling it to with the gateway entry.
>
>> auto eth2
>> iface eth2 inet static
>>         address 192.168.1.1
>>         netmask 255.255.255.0
>>         network 192.168.5.0
>>         broadcast 192.168.1.255
>>         gateway 192.168.5.2
>>         dns-nameservers 192.168.1.5
>>         dns-search adoption.com
>> # up /sbin/ip addr add 192.168.2.1/24 brd 192.168.2.255 dev eth2
>> label eth2:0
>>
>> P.S. why doesn't the line above work? It's commented out right now but
>> even when it's not, it won't come up
>
> I checked the syntax here with:
> /sbin/ip addr add 192.168.2.1/24 brd 192.168.2.255 dev eth1 label eth1:0
> and I get:
> eth1:0    Link encap:Ethernet  HWaddr 00:60:08:C0:25:89
>           inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           Interrupt:12 Base address:0x6600
>
> So, I'm not sure
>
> Jerry

Weird....me too. Oh well, that's not a deal killer. Thanks for the gateway
entry thing. Did you take a look at the other stuff I posted? I think the
masq entry will get me in the ballpark.

Sean
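Jerry's point in the exchange above is that a "gateway" line in every static stanza is what keeps producing the extra default route. The following Python linter is an added example (my code, not Sean's configuration or anything from the Shorewall project): it parses an ifupdown-style /etc/network/interfaces and reports a gateway on more than one interface, a gateway that lies outside the interface's own subnet, and a "network" line that does not agree with address/netmask. The sample text is reconstructed from the eth0, eth1 and eth2 stanzas quoted in this thread (dns lines dropped).

```python
"""Lint an ifupdown /etc/network/interfaces for the mistakes that yield
surprise default routes.  Added example; SAMPLE_INTERFACES is reconstructed
from the stanzas posted in this thread, not copied from any real host."""
import ipaddress
import re

# Constructed sample, assembled from the eth0/eth1/eth2 stanzas quoted above.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
        address 192.168.0.2
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

auto eth1
iface eth1 inet static
        address 192.168.5.1
        netmask 255.255.255.252
        network 192.168.5.0
        gateway 192.168.5.2

auto eth2
iface eth2 inet static
        address 192.168.1.1
        netmask 255.255.255.0
        network 192.168.5.0
        broadcast 192.168.1.255
        gateway 192.168.5.2
"""

IFACE_RE = re.compile(r"^iface\s+(\S+)\s+inet\s+(\S+)\s*$")


def parse_interfaces(text):
    """Return {ifname: {option: value}} for every 'iface ... inet static' stanza."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            name, method = m.groups()
            # only static stanzas carry address/netmask/gateway options
            current = stanzas.setdefault(name, {}) if method == "static" else None
            continue
        if current is None or line.startswith(("auto ", "allow-", "mapping ", "source")):
            continue
        key, _, value = line.partition(" ")
        current[key] = value.strip()
    return stanzas


def check_interfaces(text):
    """Return a list of (ifname, message) findings; an empty list means clean."""
    findings = []
    stanzas = parse_interfaces(text)
    with_gateway = [n for n, o in stanzas.items() if "gateway" in o]
    if len(with_gateway) > 1:
        findings.append(("*", "gateway set on %s: each one adds a default route"
                         % ", ".join(with_gateway)))
    for name, opts in stanzas.items():
        if "address" not in opts or "netmask" not in opts:
            continue
        subnet = ipaddress.ip_interface("%s/%s" % (opts["address"], opts["netmask"])).network
        gw = opts.get("gateway")
        if gw and ipaddress.ip_address(gw) not in subnet:
            findings.append((name, "gateway %s is not inside %s" % (gw, subnet)))
        net = opts.get("network")
        if net and ipaddress.ip_address(net) != subnet.network_address:
            findings.append((name, "network %s does not match %s" % (net, subnet)))
    return findings


if __name__ == "__main__":
    for iface, msg in check_interfaces(SAMPLE_INTERFACES):
        print("%-5s %s" % (iface, msg))
```

On the sample it reports three findings: a gateway on all three interfaces, and for eth2 both a gateway (192.168.5.2) and a network line (192.168.5.0) that are outside 192.168.1.0/24. Only the interface that should own the default route normally carries a "gateway" line; reachability of other internal networks belongs in explicit "up ip route add ..." lines instead.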
> >>> ip route show:
> >>> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
> >>> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
> >>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> >>> default via 192.168.5.2 dev eth1
> >>> default via 192.168.0.1 dev eth0
> >>
> >> Stupid question # 326 today,
> >> Why does it keep adding the default route "default via 192.168.5.2 dev
> >> eth1"
> >
> > How are you configuring the interfaces?
> >
> > Jerry
>
> Just through /etc/network/interfaces
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
>         address 192.168.0.2
>         netmask 255.255.255.0
>         network 192.168.0.0
>         broadcast 192.168.0.255
>         gateway 192.168.0.1
>         dns-nameservers 207.246.52.15
>         dns-search adoption.com

This is your external interface right? I think your current script
reconfigures this interface, can you post the script as an attachment?

Jerry
----- Original Message -----
From: "Sean Roe" <sean@adoptionmedia.com>
To: <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, July 20, 2005 13:38
Subject: Re: [Shorewall-users] install weirdness

> Jerry Vonau wrote:
>
> >> on the current firewall:
> >> ip route show
> >> 192.168.3.100/30 via 192.168.5.2 dev eth2
> >> 192.168.5.0/30 dev eth2 proto kernel scope link src 192.168.5.1
> >> 192.168.3.0/30 via 192.168.5.2 dev eth2
> >> 192.168.4.0/24 via 192.168.5.2 dev eth2
> >> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
> >> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
> >> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> >> 192.168.12.0/24 via 192.168.5.2 dev eth2
> >> 192.168.11.0/24 via 192.168.5.2 dev eth2
> >> 127.0.0.0/8 dev lo scope link
> >> default via 192.168.0.1 dev eth0 metric 1
> >>
> >> there are some extraneous entries in the above: all the
> >> 192.168.[2,3,11,12].xx entries are gone away (not used anymore).
> >
> > Oh boy, on the old firewall what does "cat /etc/iproute2/rt_tables" output?
>
> cat /etc/iproute2/rt_tables
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0 unspec
> #
> # local
> #
> #1 inr.ruhep

This is from the old, currently running box?

Jerry
Jerry Vonau wrote:

> ----- Original Message -----
> From: "Sean Roe" <sean@adoptionmedia.com>
> To: <shorewall-users@lists.sourceforge.net>
> Sent: Wednesday, July 20, 2005 13:38
> Subject: Re: [Shorewall-users] install weirdness
>
>> Jerry Vonau wrote:
>>
>>>> on the current firewall:
>>>> ip route show
>>>> 192.168.3.100/30 via 192.168.5.2 dev eth2
>>>> 192.168.5.0/30 dev eth2 proto kernel scope link src 192.168.5.1
>>>> 192.168.3.0/30 via 192.168.5.2 dev eth2
>>>> 192.168.4.0/24 via 192.168.5.2 dev eth2
>>>> 192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
>>>> 192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
>>>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
>>>> 192.168.12.0/24 via 192.168.5.2 dev eth2
>>>> 192.168.11.0/24 via 192.168.5.2 dev eth2
>>>> 127.0.0.0/8 dev lo scope link
>>>> default via 192.168.0.1 dev eth0 metric 1
>>>>
>>>> there are some extraneous entries in the above: all the
>>>> 192.168.[2,3,11,12].xx entries are gone away (not used anymore).
>>>
>>> Oh boy, on the old firewall what does "cat /etc/iproute2/rt_tables"
>>> output?
>>
>> cat /etc/iproute2/rt_tables
>> #
>> # reserved values
>> #
>> 255 local
>> 254 main
>> 253 default
>> 0 unspec
>> #
>> # local
>> #
>> #1 inr.ruhep
>
> This is from the old, currently running box?
> Jerry

Yes sir it is.

Thanks,
Sean
Jerry Vonau wrote:

>>>>> ip route show:
>>>>> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
>>>>> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
>>>>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
>>>>> default via 192.168.5.2 dev eth1
>>>>> default via 192.168.0.1 dev eth0
>>>>
>>>> Stupid question # 326 today,
>>>> Why does it keep adding the default route "default via 192.168.5.2 dev
>>>> eth1"
>>>
>>> How are you configuring the interfaces?
>>>
>>> Jerry
>>
>> Just through /etc/network/interfaces
>> # The loopback network interface
>> auto lo
>> iface lo inet loopback
>>
>> # The primary network interface
>> auto eth0
>> iface eth0 inet static
>>         address 192.168.0.2
>>         netmask 255.255.255.0
>>         network 192.168.0.0
>>         broadcast 192.168.0.255
>>         gateway 192.168.0.1
>>         dns-nameservers 207.246.52.15
>>         dns-search adoption.com
>
> This is your external interface right? I think your current script
> reconfigures this interface, can you post the script as an attachment?
>
> Jerry

I believe you are right....here is the part of the script on the old box
that deals with it (ip.firewall):

#!/bin/sh
#
# generated by ./quicktables-2.3 on 2003.12.30.31
#

# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/sbin/iptables"

. /etc/rc.d/rc.firewall.ip
. /etc/rc.d/rc.firewall.webip

if [ "$1" == "stop" ] || [ "$1" == "restart" ]; then
  echo ""
  echo " Setting all Tables to ACCEPT";
  $iptables -P INPUT ACCEPT
  $iptables -P FORWARD ACCEPT
  $iptables -P OUTPUT ACCEPT
  $iptables -t nat -P PREROUTING ACCEPT
  $iptables -t nat -P POSTROUTING ACCEPT
  $iptables -t nat -P OUTPUT ACCEPT
  echo ""
  echo " Flushing all iptables";
  $iptables -t nat --flush
  $iptables --flush
  echo
  echo " Un-Setting ip addr";
  for loop in $ip_array
  do
    # int="$ip_int."`echo $loop|cut -d: -f2`;
    #ext="$ip_ext."`echo $loop|cut -d: -f1`;
    ext=`echo $loop|cut -d: -f1`;
    /sbin/ip addr del $ext dev eth0;
  done
  /sbin/ip addr del 66.235.241.62 dev eth0;
  echo ""
  echo " Done - Exiting";
  if [ "$1" == "stop" ]; then
    exit 0;
  fi
fi

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies;
fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter;
fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  echo 1 > /proc/sys/net/ipv4/ip_forward;
fi

# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then
  modprobe ip_nat_irc;
fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then
  modprobe ip_conntrack_irc;
fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then
  modprobe ip_conntrack_ftp;
fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then
  modprobe ip_nat_ftp;
fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A FORWARD -i eth2 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A OUTPUT -o eth2 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
for loop in $ip_array
do
  int="$ip_int."`echo $loop|cut -d: -f2`;
  #ext="$ip_ext."`echo $loop|cut -d: -f1`;
  ext=`echo $loop|cut -d: -f1`;
  /sbin/ip addr add $ext dev eth0
  $iptables -t nat -A PREROUTING -i eth0 -d $ext -j DNAT --to $int;
  $iptables -t nat -A POSTROUTING -s $int -j SNAT --to $ext;
done
/sbin/ip addr add 66.235.241.62 dev eth0;
##$iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE
$iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0 -j SNAT --to-source 66.235.241.62

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
> > >>> ip route show:
> > >>> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
> > >>> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
> > >>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
> > >>> default via 192.168.5.2 dev eth1
> > >>> default via 192.168.0.1 dev eth0
> > >>
> > >> Stupid question # 326 today,
> > >> Why does it keep adding the default route "default via 192.168.5.2 dev
> > >> eth1"
> > >
> > > How are you configuring the interfaces?
> > >
> > > Jerry
> >
> > Just through /etc/network/interfaces
> > # The loopback network interface
> > auto lo
> > iface lo inet loopback
> >
> > # The primary network interface
> > auto eth0
> > iface eth0 inet static
> >         address 192.168.0.2
> >         netmask 255.255.255.0
> >         network 192.168.0.0
> >         broadcast 192.168.0.255
> >         gateway 192.168.0.1
> >         dns-nameservers 207.246.52.15
> >         dns-search adoption.com
>
> This is your external interface right? I think your current script
> reconfigures this interface, can you post the script as an attachment?

Tracing route to 206.83.195.35 over a maximum of 30 hops

  1     1 ms   <10 ms     1 ms  10.3.0.106
  2    53 ms    30 ms    29 ms  24.78.220.1
  3    25 ms    29 ms    30 ms  64.59.178.194
  4    24 ms    29 ms    29 ms  66.163.73.130
  5    43 ms    46 ms    47 ms  66.163.76.174
  6    60 ms    59 ms    60 ms  66.163.76.2
  7    61 ms    59 ms    59 ms  66.163.64.22
  8    60 ms    65 ms    65 ms  64.200.89.93
  9    77 ms    71 ms    71 ms  64.200.210.237
 10    85 ms    89 ms    89 ms  64.200.240.77
 11   105 ms   108 ms   107 ms  64.200.210.106
 12   119 ms   119 ms   119 ms  65.77.92.30
 13   116 ms   119 ms   119 ms  65.77.92.70
 14   109 ms   107 ms   107 ms  66.235.224.82
 15     *        *        *     Request timed out.

Think that old script is broken, check this out:

Tracing route to 66.235.241.63 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  10.3.0.106
  2    55 ms    23 ms    29 ms  24.78.220.1
  3    29 ms    29 ms    29 ms  64.59.178.194
  4    24 ms    30 ms    29 ms  66.163.73.130
  5    43 ms    47 ms    47 ms  66.163.76.174
  6    64 ms    59 ms    59 ms  66.163.76.122
  7    60 ms    64 ms    59 ms  66.163.64.22
  8    60 ms    59 ms    65 ms  64.200.89.1
  9    71 ms    71 ms    71 ms  64.200.210.237
 10   114 ms    89 ms    89 ms  64.200.240.77
 11   105 ms   107 ms   107 ms  64.200.210.106
 12   119 ms   119 ms   119 ms  65.77.92.30
 13   117 ms   119 ms   119 ms  65.77.92.70
 14   108 ms   107 ms   107 ms  66.235.224.82
 15   128 ms   107 ms   106 ms  192.168.0.2
 16     *        *        *     Request timed out.
 17

192.168.0.2 should not appear out on the internet.

Looks like you have a routed environment, can you describe your ip address
allotment in greater detail please.

Jerry
> >> Just through /etc/network/interfaces
> >> # The loopback network interface
> >> auto lo
> >> iface lo inet loopback
> >>
> >> # The primary network interface
> >> auto eth0
> >> iface eth0 inet static
> >>         address 192.168.0.2
> >>         netmask 255.255.255.0
> >>         network 192.168.0.0
> >>         broadcast 192.168.0.255
> >>         gateway 192.168.0.1
> >>         dns-nameservers 207.246.52.15
> >>         dns-search adoption.com
> >
> > This is your external interface right? I think your current script
> > reconfigures this interface, can you post the script as an attachment?
> >
> > Jerry
>
> I believe you are right....here is the part of the script on the old box
> that deals with it (ip.firewall):
>
> #!/bin/sh
> #
> # generated by ./quicktables-2.3 on 2003.12.30.31
> #
>
> # set a few variables
> echo ""
> echo " setting global variables"
> echo ""
> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
> iptables="/usr/sbin/iptables"
>
> . /etc/rc.d/rc.firewall.ip
> . /etc/rc.d/rc.firewall.webip

Can you post these:
/etc/rc.d/rc.firewall.ip
/etc/rc.d/rc.firewall.webip
I'm looking for the $ip_array variable and some ip route commands

Jerry
Jerry Vonau wrote:

>>>>>> ip route show:
>>>>>> 192.168.5.0/30 dev eth1 proto kernel scope link src 192.168.5.1
>>>>>> 192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
>>>>>> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
>>>>>> default via 192.168.5.2 dev eth1
>>>>>> default via 192.168.0.1 dev eth0
>>>>>
>>>>> Stupid question # 326 today,
>>>>> Why does it keep adding the default route "default via 192.168.5.2 dev
>>>>> eth1"
>>>>
>>>> How are you configuring the interfaces?
>>>>
>>>> Jerry
>>>
>>> Just through /etc/network/interfaces
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> auto eth0
>>> iface eth0 inet static
>>>         address 192.168.0.2
>>>         netmask 255.255.255.0
>>>         network 192.168.0.0
>>>         broadcast 192.168.0.255
>>>         gateway 192.168.0.1
>>>         dns-nameservers 207.246.52.15
>>>         dns-search adoption.com
>>
>> This is your external interface right? I think your current script
>> reconfigures this interface, can you post the script as an attachment?
>
> Tracing route to 206.83.195.35 over a maximum of 30 hops
>
>   1     1 ms   <10 ms     1 ms  10.3.0.106
>   2    53 ms    30 ms    29 ms  24.78.220.1
>   3    25 ms    29 ms    30 ms  64.59.178.194
>   4    24 ms    29 ms    29 ms  66.163.73.130
>   5    43 ms    46 ms    47 ms  66.163.76.174
>   6    60 ms    59 ms    60 ms  66.163.76.2
>   7    61 ms    59 ms    59 ms  66.163.64.22
>   8    60 ms    65 ms    65 ms  64.200.89.93
>   9    77 ms    71 ms    71 ms  64.200.210.237
>  10    85 ms    89 ms    89 ms  64.200.240.77
>  11   105 ms   108 ms   107 ms  64.200.210.106
>  12   119 ms   119 ms   119 ms  65.77.92.30
>  13   116 ms   119 ms   119 ms  65.77.92.70
>  14   109 ms   107 ms   107 ms  66.235.224.82
>  15     *        *        *     Request timed out.
>
> Think that old script is broken, check this out:
>
> Tracing route to 66.235.241.63 over a maximum of 30 hops
>
>   1     1 ms     1 ms     1 ms  10.3.0.106
>   2    55 ms    23 ms    29 ms  24.78.220.1
>   3    29 ms    29 ms    29 ms  64.59.178.194
>   4    24 ms    30 ms    29 ms  66.163.73.130
>   5    43 ms    47 ms    47 ms  66.163.76.174
>   6    64 ms    59 ms    59 ms  66.163.76.122
>   7    60 ms    64 ms    59 ms  66.163.64.22
>   8    60 ms    59 ms    65 ms  64.200.89.1
>   9    71 ms    71 ms    71 ms  64.200.210.237
>  10   114 ms    89 ms    89 ms  64.200.240.77
>  11   105 ms   107 ms   107 ms  64.200.210.106
>  12   119 ms   119 ms   119 ms  65.77.92.30
>  13   117 ms   119 ms   119 ms  65.77.92.70
>  14   108 ms   107 ms   107 ms  66.235.224.82
>  15   128 ms   107 ms   106 ms  192.168.0.2
>  16     *        *        *     Request timed out.
>  17
>
> 192.168.0.2 should not appear out on the internet.
>
> Looks like you have a routed environment, can you describe your ip address
> allotment in greater detail please.
>
> Jerry

I inherited this mess when I became the sysadmin here so I don't have a lot
of details as to our environment yet, but they want this replaced so I'm
trying to make it stuff work correctly. We have a couple of /28 addresses
that get routed to us. We have:

206.83.193.224/28
206.83.195.32/28
206.83.199.16/28
206.83.200.16/28
206.83.201.16/28
206.83.202.16/28
206.83.203.16/28
206.83.204.16/28
66.235.241.0/26
66.235.242.0/26
66.235.243.0/26

Not all of them seemed to be set up in the old script. As for the
192.168.0.2 address you are right. That is our current firewall box address.

It's a mess.

Thanks,
Sean
66.235.244.0/26
Jerry Vonau wrote:

>>>> Just through /etc/network/interfaces
>>>> # The loopback network interface
>>>> auto lo
>>>> iface lo inet loopback
>>>>
>>>> # The primary network interface
>>>> auto eth0
>>>> iface eth0 inet static
>>>>         address 192.168.0.2
>>>>         netmask 255.255.255.0
>>>>         network 192.168.0.0
>>>>         broadcast 192.168.0.255
>>>>         gateway 192.168.0.1
>>>>         dns-nameservers 207.246.52.15
>>>>         dns-search adoption.com
>>>
>>> This is your external interface right? I think your current script
>>> reconfigures this interface, can you post the script as an attachment?
>>>
>>> Jerry
>>
>> I believe you are right....here is the part of the script on the old box
>> that deals with it (ip.firewall):
>>
>> #!/bin/sh
>> #
>> # generated by ./quicktables-2.3 on 2003.12.30.31
>> #
>>
>> # set a few variables
>> echo ""
>> echo " setting global variables"
>> echo ""
>> export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
>> iptables="/usr/sbin/iptables"
>>
>> . /etc/rc.d/rc.firewall.ip
>> . /etc/rc.d/rc.firewall.webip
>
> Can you post these:
> /etc/rc.d/rc.firewall.ip
> /etc/rc.d/rc.firewall.webip
> I'm looking for the $ip_array variable and some ip route commands
>
> Jerry

head from rc.firewall.ip

## This file sets the ip arrays & variables
#ip_ext="";
ip_int="192.168";
ip_array="";
ip_array="$ip_array 66.235.241.3:1.250";
ip_array="$ip_array 66.235.241.5:1.5";
ip_array="$ip_array 66.235.241.6:1.6";
ip_array="$ip_array 66.235.241.7:4.5";
ip_array="$ip_array 66.235.241.9:1.254";
ip_array="$ip_array 66.235.241.10:2.10";
ip_array="$ip_array 66.235.241.11:1.101";
ip_array="$ip_array 66.235.241.12:1.102";
ip_array="$ip_array 66.235.241.13:1.103";
ip_array="$ip_array 66.235.241.14:1.104";
ip_array="$ip_array 66.235.241.18:1.18";
ip_array="$ip_array 66.235.241.20:1.20";
ip_array="$ip_array 66.235.241.21:1.201";
ip_array="$ip_array 66.235.241.22:1.200";
...

pretty much a 1 to 1 array thing.

And rc.firewall.webip:

#Sets up the web IP's to be firewalled from everything but port 80
ip_web_array="";
ip_web_array="$ip_web_array 192.168.2.10";
ip_web_array="$ip_web_array 192.168.1.10";
ip_web_array="$ip_web_array 192.168.2.20";
ip_web_array="$ip_web_array 192.168.2.21";
ip_web_array="$ip_web_array 192.168.2.22";
ip_web_array="$ip_web_array 192.168.2.24";
ip_web_array="$ip_web_array 192.168.2.25";
ip_web_array="$ip_web_array 192.168.2.26";
ip_web_array="$ip_web_array 192.168.2.27";
ip_web_array="$ip_web_array 192.168.2.28";
ip_web_array="$ip_web_array 192.168.2.29";
ip_web_array="$ip_web_array 192.168.2.30";
ip_web_array="$ip_web_array 192.168.2.31";
ip_web_array="$ip_web_array 192.168.2.32";
ip_web_array="$ip_web_array 192.168.2.33";
ip_web_array="$ip_web_array 192.168.2.34";
ip_web_array="$ip_web_array 192.168.2.35";

I grepped for route in the ip.firewall and got nothing...it all looks like
it's just forwarded.

Sean
> > Looks like you have a routed environment, can you describe your ip address
> > allotment in greater detail please.
> >
> > Jerry
>
> I inherited this mess when I became the sysadmin here so I don't have
> a lot of details as to our environment yet, but they want this replaced so
> I'm trying to make it stuff work correctly. We have a couple of /28
> addresses that get routed to us. We have:
>
> 206.83.193.224/28
> 206.83.195.32/28
> 206.83.199.16/28
> 206.83.200.16/28
> 206.83.201.16/28
> 206.83.202.16/28
> 206.83.203.16/28
> 206.83.204.16/28
> 66.235.241.0/26
> 66.235.242.0/26
> 66.235.243.0/26
>
> Not all of them seemed to be set up in the old script. As for the
> 192.168.0.2 address you are right. That is our current firewall box address.
>
> It's a mess.
>
> Thanks,
> Sean
> 66.235.244.0/26

Which subnets are you using?
Can you confirm which ip your isp is routing everything through?
Looks to be 66.235.241.62, just want to be sure.

Jerry
>> 206.83.203.16/28
>> 206.83.204.16/28
>> 66.235.241.0/26
>> 66.235.242.0/26
>> 66.235.243.0/26
>>
>> Not all of them seemed to be set up in the old script. As for the
>> 192.168.0.2 address you are right. That is our current firewall box
>> address.
>>
>> It's a mess.
>>
>> Thanks,
>> Sean
>> 66.235.244.0/26
>
> Which subnets are you using?
> Can you confirm which ip your isp is routing everything through?
> Looks to be 66.235.241.62, just want to be sure.
>
> Jerry

That's the only oddball listed in the script as a standalone. I am not
really sure how to test it beyond that.

Sean
> > Which subnets are you using?
> > Can you confirm which ip your isp is routing everything through?
> > Looks to be 66.235.241.62, just want to be sure.
> >
> > Jerry
>
> That's the only oddball listed in the script as a standalone. I am not
> really sure how to test it beyond that.

It's the only one that traceroute can get to correctly, with that in mind,
I'd configure your external interface with that ip address, but I'm unsure of
what subnet mask to use with it, best to call your isp for confirmation.
Get that info then, we can proceed.

Jerry
Jerry Vonau wrote:

>>> Which subnets are you using?
>>> Can you confirm which ip your isp is routing everything through?
>>> Looks to be 66.235.241.62, just want to be sure.
>>>
>>> Jerry
>>
>> That's the only oddball listed in the script as a standalone. I am not
>> really sure how to test it beyond that.
>
> It's the only one that traceroute can get to correctly, with that in mind,
> I'd configure your external interface with that ip address, but I'm unsure of
> what subnet mask to use with it, best to call your isp for confirmation.
> Get that info then, we can proceed.
>
> Jerry

Hi Jerry et al,

I just got a confirmation from the guys at our colo that all our traffic is
routed through the 66.235.224.82 interface.

Thanks,
Sean
> >>> Which subnets are you using?
> >>> Can you confirm which ip your isp is routing everything through?
> >>> Looks to be 66.235.241.62, just want to be sure.
> >>>
> >>> Jerry
> >>
> >> That's the only oddball listed in the script as a standalone. I am not
> >> really sure how to test it beyond that.
> >
> > It's the only one that traceroute can get to correctly, with that in mind,
> > I'd configure your external interface with that ip address, but I'm unsure of
> > what subnet mask to use with it, best to call your isp for confirmation.
> > Get that info then, we can proceed.
> >
> > Jerry
>
> Hi Jerry et al,
>
> I just got a confirmation from the guys at our colo that all our traffic is
> routed through the 66.235.224.82 interface.

Maybe on their end, that is your provider's router address,
it has an open telnet port by the way.

Tracing route to masq.adoptionmedia.com [66.235.241.62]
<snip>
 14   110 ms   107 ms   107 ms  ip-66-235-224-82.sterlingnetwork.net [66.235.224.82]
 15   118 ms   119 ms   119 ms  masq.adoptionmedia.com [66.235.241.62]

The question is what ip address does your provider send your traffic to and
what subnet mask should you be using with that address, so you can configure
your external interface accordingly.

Jerry
Jerry Vonau wrote:

>>>>> Which subnets are you using?
>>>>> Can you confirm which ip your isp is routing everything through?
>>>>> Looks to be 66.235.241.62, just want to be sure.
>>>>>
>>>>> Jerry
>>>>
>>>> That's the only oddball listed in the script as a standalone. I am not
>>>> really sure how to test it beyond that.
>>>
>>> It's the only one that traceroute can get to correctly, with that in
>>> mind, I'd configure your external interface with that ip address, but
>>> I'm unsure of what subnet mask to use with it, best to call your isp
>>> for confirmation. Get that info then, we can proceed.
>>>
>>> Jerry
>>
>> Hi Jerry et al,
>>
>> I just got a confirmation from the guys at our colo that all our traffic is
>> routed through the 66.235.224.82 interface.
>
> Maybe on their end, that is your provider's router address,
> it has an open telnet port by the way.
>
> Tracing route to masq.adoptionmedia.com [66.235.241.62]
> <snip>
>  14   110 ms   107 ms   107 ms  ip-66-235-224-82.sterlingnetwork.net [66.235.224.82]
>  15   118 ms   119 ms   119 ms  masq.adoptionmedia.com [66.235.241.62]
>
> The question is what ip address does your provider send your traffic to and
> what subnet mask should you be using with that address, so you can configure
> your external interface accordingly.
>
> Jerry

Okay, I just got off the phone with our ISP and here's what I got from him.
Everything gets sent to the 66.235.241.82 interface. That's the outside
interface for our cisco 3600. From the cisco to the current firewall is
192.168.0.2. I got into the cisco (found the password!), here is the info
from it:

clock timezone MST -7
ip subnet-zero
ip name-server 66.235.241.5
ip name-server 66.235.241.6
!
!
!
!
interface FastEthernet0/0
 description connected to Cisco1548
 ip address 66.235.224.82 255.255.255.252
 no ip directed-broadcast
 speed 100
 full-duplex
!
interface FastEthernet1/0
 description connected to Switch
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.235.224.81
ip route 66.235.241.0 255.255.255.192 192.168.0.2
ip route 66.235.242.0 255.255.255.192 192.168.0.2
ip route 66.235.243.0 255.255.255.192 192.168.0.2
ip route 66.235.244.0 255.255.255.192 192.168.0.2
ip route 192.168.0.0 255.255.0.0 192.168.0.2
ip route 206.83.193.224 255.255.255.240 192.168.0.2
ip route 206.83.195.32 255.255.255.240 192.168.0.2
ip route 206.83.199.16 255.255.255.240 192.168.0.2
ip route 206.83.200.16 255.255.255.240 192.168.0.2
ip route 206.83.201.16 255.255.255.240 192.168.0.2
ip route 206.83.202.16 255.255.255.240 192.168.0.2
ip route 206.83.203.16 255.255.255.240 192.168.0.2
ip route 206.83.204.16 255.255.255.240 192.168.0.2
no ip http server

Does this help?

Sean
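The rc.firewall.ip head Sean posted earlier and the Cisco static routes just above are two halves of one picture: the old script binds each public address from $ip_array to eth0 and DNATs it to a 192.168.x host, while the router only delivers the prefixes it has a static route for towards 192.168.0.2. The Python check below is an added example (mine, not anything posted in this thread or shipped with Shorewall) that cross-references the two: it expands the ip_array shell idiom into (public, private) pairs, pulls the prefixes routed to a given next hop out of the IOS config, and reports every public address the router would never deliver or that is a network/broadcast address. The inputs are trimmed from what was posted; the entry 66.235.245.3 is constructed to exercise the failure path.

```python
"""Cross-check a one-to-one NAT list against the upstream router's static
routes.  Added example; inputs are trimmed from the rc.firewall.ip head and
the Cisco 3600 config posted in this thread, plus one constructed entry."""
import ipaddress
import re

# Trimmed from the rc.firewall.ip head posted above.  The final entry
# (66.235.245.3) is constructed: it lies in no prefix routed to the firewall.
RC_FIREWALL_IP = """\
ip_int="192.168";
ip_array="";
ip_array="$ip_array 66.235.241.3:1.250";
ip_array="$ip_array 66.235.241.5:1.5";
ip_array="$ip_array 66.235.241.7:4.5";
ip_array="$ip_array 66.235.241.10:2.10";
ip_array="$ip_array 66.235.245.3:1.99";
"""

# Trimmed from the Cisco 3600 config posted above.
CISCO_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 66.235.224.81
ip route 66.235.241.0 255.255.255.192 192.168.0.2
ip route 66.235.244.0 255.255.255.192 192.168.0.2
ip route 192.168.0.0 255.255.0.0 192.168.0.2
ip route 206.83.193.224 255.255.255.240 192.168.0.2
"""

ENTRY_RE = re.compile(r'ip_array="\$ip_array\s+([\d.]+):([\d.]+)"')
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)\s*$", re.M)


def nat_pairs(text):
    """Expand the ip_array idiom into (public, private) address pairs.

    Each entry is 'EXT:SUFFIX'; the script prepends "$ip_int." to SUFFIX."""
    m = re.search(r'ip_int="([\d.]+)"', text)
    prefix = m.group(1) if m else "192.168"
    return [(ext, f"{prefix}.{suffix}") for ext, suffix in ENTRY_RE.findall(text)]


def prefixes_routed_to(text, next_hop):
    """Networks of the IOS static routes whose next hop is `next_hop`."""
    nets = []
    for dest, mask, hop in ROUTE_RE.findall(text):
        if hop == next_hop:
            nets.append(ipaddress.ip_network(f"{dest}/{mask}"))
    return nets


def check_nat_coverage(pairs, nets):
    """Return {public_address: problem} for entries the router would never deliver."""
    problems = {}
    public = [n for n in nets if not n.is_private]   # ignore the 192.168/16 route
    for ext, _int in pairs:
        addr = ipaddress.ip_address(ext)
        homes = [n for n in public if addr in n]
        if not homes:
            problems[ext] = "not inside any prefix routed to the firewall"
        elif any(addr in (n.network_address, n.broadcast_address) for n in homes):
            problems[ext] = f"network/broadcast address of {homes[0]}"
    return problems


if __name__ == "__main__":
    routed = prefixes_routed_to(CISCO_CONFIG, "192.168.0.2")
    for ext, why in check_nat_coverage(nat_pairs(RC_FIREWALL_IP), routed).items():
        print(f"{ext}: {why}")
```

Running it on the sample flags only the constructed 66.235.245.3 entry; the standalone SNAT address 66.235.241.62 passes. The network/broadcast test is worth keeping: 66.235.241.63, which Jerry traced earlier in the thread, is the broadcast address of 66.235.241.0/26, so a reply from it says nothing about a host.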
> >The question is what ip address does your provider send your traffic toand> >what subnetmask should you be using with that address, so you canconfigure> >your external interface accordingly > > > >Jerry > > > > > > > Okay I just got off the phone with our ISP and heres what I got from > him. everything get sent to 66.235.241.82 interface. Thats the outside > interface for our cisco 3600. from the cisco to the current firewall > is 192.168.0.2 . I got into the cisco (found the password!) > here is the info from it: > > clock timezone MST -7 > ip subnet-zero > ip name-server 66.235.241.5 > ip name-server 66.235.241.6 > ! > ! > ! > ! > interface FastEthernet0/0 > description connected to Cisco1548 > ip address 66.235.224.82 255.255.255.252 > no ip directed-broadcast > speed 100 > full-duplex > ! > interface FastEthernet1/0 > description connected to Switch > ip address 192.168.0.1 255.255.255.0 > no ip directed-broadcast > duplex auto > speed auto > ! > ip classless > ip route 0.0.0.0 0.0.0.0 66.235.224.81 > ip route 66.235.241.0 255.255.255.192 192.168.0.2 > ip route 66.235.242.0 255.255.255.192 192.168.0.2 > ip route 66.235.243.0 255.255.255.192 192.168.0.2 > ip route 66.235.244.0 255.255.255.192 192.168.0.2 > ip route 192.168.0.0 255.255.0.0 192.168.0.2 > ip route 206.83.193.224 255.255.255.240 192.168.0.2 > ip route 206.83.195.32 255.255.255.240 192.168.0.2 > ip route 206.83.199.16 255.255.255.240 192.168.0.2 > ip route 206.83.200.16 255.255.255.240 192.168.0.2 > ip route 206.83.201.16 255.255.255.240 192.168.0.2 > ip route 206.83.202.16 255.255.255.240 192.168.0.2 > ip route 206.83.203.16 255.255.255.240 192.168.0.2 > ip route 206.83.204.16 255.255.255.240 192.168.0.2 > no ip http server > > Does this help?This is *really OT* for the shorewall list. Is the router yours or your isp? I''ll guess yours, as you have the password. 
I'm aware you inherited this mess; your current firewall was configured to
(kind of) work around what appears to be IMHO a misconfigured cisco. I'm not
a CCNA, so I'm not going to go out on a limb and say it is. If there is a
CCNA listening, could you confirm for Sean that it is (not) misconfigured
and/or point out the right way of doing this.

FWIW, the way I see it, you have 3 options:
1) reconfigure the cisco, to get rid of the private addresses
2) replace the router, with the shorewall box.
3) hire someone who can do 1 or 2

Jerry
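An added check, not from the thread or from Shorewall itself: it parses the static routes Sean pasted from the Cisco together with a constructed `ip route show` listing from the Shorewall box, and reports whether the box lacks a default route (Jerry's diagnosis) and which of the prefixes the router hands to 192.168.0.2 the box has no route for. The interface names and the eth1/eth2 addresses in the sample listing are assumed.

```python
import ipaddress
import re

# Constructed sample: four of the static routes from the Cisco config quoted above.
CISCO_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 66.235.224.81
ip route 66.235.241.0 255.255.255.192 192.168.0.2
ip route 192.168.0.0 255.255.0.0 192.168.0.2
ip route 206.83.193.224 255.255.255.240 192.168.0.2
"""

# Constructed sample: 'ip route show' on a Shorewall box that has no default route.
# Interface names and the eth1/eth2 addresses are assumed, not taken from the thread.
FIREWALL_ROUTES = """\
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
66.235.241.0/26 dev eth1 proto kernel scope link src 66.235.241.1
192.168.1.0/24 dev eth2 proto kernel scope link src 192.168.1.1
"""

CISCO_ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)\s*$", re.M)

def parse_cisco_routes(config):
    """[(IPv4Network, next_hop)] from IOS 'ip route NET MASK NEXTHOP' lines."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(nh))
            for net, mask, nh in CISCO_ROUTE_RE.findall(config)]

def parse_linux_routes(output):
    """[IPv4Network] from 'ip route show' lines; 'default' means 0.0.0.0/0."""
    dsts = [line.split()[0] for line in output.splitlines() if line.strip()]
    return [ipaddress.ip_network("0.0.0.0/0" if d == "default" else d) for d in dsts]

def check_firewall(cisco_config, firewall_output, firewall_ip):
    """Compare what the router hands to the firewall with what the firewall routes.

    default_missing: no 0.0.0.0/0 route, so nothing past the router's LAN is reachable.
    uncovered: prefixes the router forwards here that none of the firewall's own
    routes overlap (the default route is ignored on purpose: sending those packets
    back to the router would just loop them between the two boxes).
    """
    fw_ip = ipaddress.ip_address(firewall_ip)
    forwarded = [net for net, nh in parse_cisco_routes(cisco_config) if nh == fw_ip]
    fw_routes = parse_linux_routes(firewall_output)
    specific = [r for r in fw_routes if r.prefixlen > 0]
    return {
        "default_missing": not any(r.prefixlen == 0 for r in fw_routes),
        "uncovered": [n for n in forwarded if not any(n.overlaps(r) for r in specific)],
    }

if __name__ == "__main__":
    result = check_firewall(CISCO_CONFIG, FIREWALL_ROUTES, "192.168.0.2")
    print("default route missing:", result["default_missing"])
    print("forwarded here but unroutable:", [str(n) for n in result["uncovered"]])
```

On the sample data it reports the missing default route and flags 206.83.193.224/28, which the router sends to the firewall although no firewall interface carries it.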
>>no ip http server
>>
>>Does this help?
>>
>>
>
>This is *really OT* for the shorewall list. Is the router yours or
>your isp? I'll guess yours, as you have the password. I'm aware
>you inherited this mess, your current firewall was configured to
>(kind of) work around what appears to be IMHO a misconfigured
>cisco. I'm not a CCNA, so I'm not going to go out on a limb and
>say it is. If there is a CCNA listening, could you confirm for Sean
>that it is (not) misconfigured and/or point out the right way of doing
>this. FWIW, the way I see it, you have 3 options:
>1) reconfigure the cisco, to get rid of the private addresses
>2) replace the router, with the shorewall box.
>3) hire someone who can do 1 or 2
>
>Jerry
>
>
Here is my idea:
Kill the cisco, and go direct to shorewall box. have the external
interface listen on 66.235.241.82 and route accordingly

Comments?

Sean
> >This is *really OT* for the shorewall list. Is the router yours or
> >your isp? I'll guess yours, as you have the password. I'm aware
> >you inherited this mess, your current firewall was configured to
> >(kind of) work around what appears to be IMHO a misconfigured
> >cisco. I'm not a CCNA, so I'm not going to go out on a limb and
> >say it is. If there is a CCNA listening, could you confirm for Sean
> >that it is (not) misconfigured and/or point out the right way of doing
> >this. FWIW, the way I see it, you have 3 options:
> >1) reconfigure the cisco, to get rid of the private addresses
> >2) replace the router, with the shorewall box.
> >3) hire someone who can do 1 or 2
> >
> >Jerry
> >
> >
> >
>
> Here is my idea:
> Kill the cisco, and go direct to shorewall box. have the external
> interface listen on 66.235.241.82 and route accordingly
>
> Comments?
>
At least you have the correct network setting from the cisco to go on now.

Jerry
>>Here is my idea:
>>Kill the cisco, and go direct to shorewall box. have the external
>>interface listen on 66.235.241.82 and route accordingly
>>
>>Comments?
>>
>>
>>
>At least you have the correct network setting from the cisco to go on now.
>Jerry
>
>
I'll try this config tonight and report back afterwards !!

Sean
Sean Roe wrote:
> ...
> Here is my idea:
> Kill the cisco, and go direct to shorewall box. have the external
> interface listen on 66.235.241.82 and route accordingly

Yes, death to Cisco!

(Oh, wait - that was supposed to be on the shorewall-zealots mailing list - sorry. ;-)

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.