Hi Folks,

Fast question:

I have this method working here:

Router - 200.10.10.1 - (has on it the classes 200.10.10.x / 200.10.11.x / 200.10.12.x / 200.10.13.x and 200.10.14.x)
|
Switch 1 (lots of servers using real IPs)
|
Firewall Shorewall with proxyarp on it, using eth0 (out, on Switch 1) and eth1 (in, on Switch 2)
|
Switch 2 (fibers connected that carry my signal to lots of people using real IPs)

So everyone then goes from my firewall to the internet and back from the internet through my firewall to my clients.
With that I can control who uses what, when, and whether the client is online or not (using arp -a | grep ipaddress).

I use the latest Shorewall, kernel 2.6.9-10 and iptables 1.3.2.

It works fine, but I notice that some users just lose their connections and after a reboot come back to the internet again.

Taking out my firewall, with just the switches and the router, everything goes fine and no one loses their connection.

My question is: can I do this for sure:

Router
|
Switch 1
|
Firewall with Shorewall using a bridge (br0) on eth1 (client side), but using Shorewall's proxyarp mode, I mean the proxyarp file (which I have now with the IPs in use)

Can I use this method, and with bridge mode my users never again lose their connections?

Sorry for my English,
Carlos.
Carlos Arnt wrote:
> Hi Folks,
>
> Fast question:
>
> I have this method working here:
>
> Router - 200.10.10.1 - (has on it the classes 200.10.10.x / 200.10.11.x / 200.10.12.x / 200.10.13.x and 200.10.14.x)
> |
> Switch 1 (lots of servers using real IPs)
> |
> Firewall Shorewall with proxyarp on it, using eth0 (out, on Switch 1) and eth1 (in, on Switch 2)
> |
> Switch 2 (fibers connected that carry my signal to lots of people using real IPs)
>
> So everyone then goes from my firewall to the internet and back from the internet through my firewall to my clients.
> With that I can control who uses what, when, and whether the client is online or not (using arp -a | grep ipaddress).
>
> I use the latest Shorewall, kernel 2.6.9-10 and iptables 1.3.2.
>
> It works fine, but I notice that some users just lose their connections and after a reboot come back to the internet again.
>
> Taking out my firewall, with just the switches and the router, everything goes fine and no one loses their connection.
>

I recommend that you attempt to find out why this is failing. I suspect that your connection tracking table is filling up -- you should see messages in your log if that's what is happening. That problem is easily corrected (instructions have been posted on the list a number of times).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Hello, I have a Shorewall firewall installed on one machine and I need to know how to build the following scenario with Shorewall:

A LAN where only machines with a MAC address set in Shorewall can access the internet or email (POP and SMTP).

If a new user plugs a notebook into the LAN, this user cannot access.

Does Shorewall do this?

tks
Marcelo
On Fri, 22 Jul 2005 13:44:23 -0700, Tom Eastep wrote:
> Carlos Arnt wrote:
>> Hi Folks,
>>
>> Fast question:
>>
>> I have this method working here:
>>
>> Router - 200.10.10.1 - (has on it the classes 200.10.10.x /
>> 200.10.11.x / 200.10.12.x / 200.10.13.x and 200.10.14.x)
>> |
>> Switch 1 (lots of servers using real IPs)
>> |
>> Firewall Shorewall with proxyarp on it, using eth0 (out, on Switch
>> 1) and eth1 (in, on Switch 2)
>> |
>> Switch 2 (fibers connected that carry my signal to lots of
>> people using real IPs)
>>
>> So everyone then goes from my firewall to the internet and back from the
>> internet through my firewall to my clients.
>> With that I can control who uses what, when, and whether the client is
>> online or not (using arp -a | grep ipaddress).
>>
>> I use the latest Shorewall, kernel 2.6.9-10 and iptables 1.3.2.
>>
>> It works fine, but I notice that some users just lose their
>> connections and after a reboot come back to the internet again.
>>
>> Taking out my firewall, with just the switches and the router,
>> everything goes fine and no one loses their connection.
>>
>
> I recommend that you attempt to find out why this is failing. I
> suspect that your connection tracking table is filling up -- you
> should see messages in your log if that's what is happening. That
> problem is easily corrected (instructions have been posted on the
> list a number of times).
>
> -Tom

That's great, Tom. Can you help me out?

What kind of message must I see in my log?

Search for what in the list: "connection tracking table"?

Why does my router sometimes go crazy when I'm using Shorewall with proxyarp? (Lucent Xedia 1000) (The error icon turns on.)

Thanks for helping out,
Carlos
Carlos Arnt wrote:
>
> What kind of message must I see in my log?

Nov 18 13:48:15 caroxo kernel: ip_conntrack: table full, dropping packet.

> Search for what in the list: "connection tracking table"?

ip_conntrack_max

>
> Why does my router sometimes go crazy when I'm using Shorewall with proxyarp?
> (Lucent Xedia 1000) (The error icon turns on.)

I have no idea what it means for the error icon to turn on on that box.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
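A check for the symptom Tom names, added here as an example and not part of the thread or of Shorewall itself: it counts the "ip_conntrack: table full, dropping packet" kernel messages in a log (the sample lines are constructed) and works out how full the table is relative to ip_conntrack_max. The /proc paths are the 2.6-era ip_conntrack names from this thread plus the newer nf_conntrack names; which of them exists on a given box is an assumption the script checks at run time.

```shell
#!/bin/sh
# Added example (not from the list thread): detect the conntrack-exhaustion
# symptom Tom describes and measure how close the table is to its limit.
# Proc paths are assumptions: 2.6-era ip_conntrack_* names as in the thread,
# and the nf_conntrack_* names used by later kernels.

# Constructed sample log; two lines are the symptom, the rest is unrelated noise.
SAMPLE_LOG='Nov 18 13:48:15 caroxo kernel: ip_conntrack: table full, dropping packet.
Nov 18 13:48:15 caroxo kernel: ip_conntrack: table full, dropping packet.
Nov 18 13:48:16 caroxo sshd[1234]: Accepted publickey for admin from 192.0.2.10
Nov 18 13:49:02 caroxo kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7'

# count_conntrack_drops: number of "table full, dropping packet" lines on stdin.
# The pattern matches both the ip_conntrack and the nf_conntrack spelling.
count_conntrack_drops() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# conntrack_usage_pct COUNT MAX: integer percentage of the table in use.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo "max must be > 0" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# current_conntrack_usage: if this kernel exposes the counters, print
# "count max pct"; otherwise print nothing and return 1.
current_conntrack_usage() {
    for dir in /proc/sys/net/netfilter/nf_conntrack /proc/sys/net/ipv4/netfilter/ip_conntrack; do
        if [ -r "${dir}_count" ] && [ -r "${dir}_max" ]; then
            c=$(cat "${dir}_count"); m=$(cat "${dir}_max")
            echo "$c $m $(conntrack_usage_pct "$c" "$m")"
            return 0
        fi
    done
    return 1
}

drops=$(printf '%s\n' "$SAMPLE_LOG" | count_conntrack_drops)
echo "table-full drops in sample log: $drops"
if usage=$(current_conntrack_usage); then
    echo "live conntrack usage (count max pct): $usage"
fi
```

Run it periodically on the firewall (or feed it the syslog from the box): a non-zero drop count together with a usage figure near 100% confirms the diagnosis, and the fix Tom refers to is raising the limit (net.ipv4.ip_conntrack_max via sysctl on these kernels) rather than changing the network topology.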
> Hello, I have a Shorewall firewall installed on one machine and I need to know
> how to build the following scenario with Shorewall:
>
> A LAN where only machines with a MAC address set in Shorewall can access the
> internet or email (POP and SMTP).
>
> If a new user plugs a notebook into the LAN, this user cannot access.
>
> Does Shorewall do this?
>

Depends on how you have edited your config files. Please post the config files that you have edited.

Jerry
Marcelo Leão Caffaro wrote:
> Hello, I have a Shorewall firewall installed on one machine and I need
> to know how to build the following scenario with Shorewall:
>
> A LAN where only machines with a MAC address set in Shorewall can access
> the internet or email (POP and SMTP).
>
> If a new user plugs a notebook into the LAN, this user cannot access.
>
> Does Shorewall do this?
>
> tks
> Marcelo
>

Yes, please RTM: http://www.shorewall.net/MAC_Validation.html

But keep in mind... MAC addresses can be easily spoofed.
Cristian Rodriguez wrote:
> Marcelo Leão Caffaro wrote:
>> Hello, I have a Shorewall firewall installed on one machine and I need
>> to know how to build the following scenario with Shorewall:
>>
>> A LAN where only machines with a MAC address set in Shorewall can access
>> the internet or email (POP and SMTP).
>>
>> If a new user plugs a notebook into the LAN, this user cannot access.
>>
>> Does Shorewall do this?
>>
>> tks
>> Marcelo
>>
> Yes, please RTM: http://www.shorewall.net/MAC_Validation.html
>
> But keep in mind... MAC addresses can be easily spoofed.
>

Another approach is to change the loc->net policy to REJECT (it's normally ACCEPT) then add this rule:

ACCEPT loc:<MAC Address> net

where <MAC Address> is in Shorewall format (see http://shorewall.net/configuration_file_basics.htm). In that way, only the one MAC address is allowed any access to the Internet.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
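A generator for the policy and rules lines of Tom's approach, added here as an example and not taken from the thread or from Shorewall: it converts an allow-list of colon-form MAC addresses (as arp -a prints them) into Shorewall's ~xx-xx-xx-xx-xx-xx notation, rejects malformed entries, and emits either the unrestricted rule Tom gives or, with a port list, the SMTP/POP-only variant Marcelo asked about. The MAC values, the "info" log level on the REJECT policy and the idea of generating the files from a list are all this example's own choices; the script only prints text and does not touch /etc/shorewall. As Cristian notes above, a MAC is trivially changed, so treat this as an inventory control rather than an authentication mechanism.

```shell
#!/bin/sh
# Added example, not from the thread: build Shorewall policy/rules lines for
# "REJECT loc->net by default, ACCEPT listed MACs" from a plain MAC list.
# Shorewall writes MACs with a leading "~" and dashes (~xx-xx-xx-xx-xx-xx).
# The MACs below are constructed, not real hosts.

# Constructed allow-list, one colon-separated MAC per line.
ALLOWED_MACS='00:A0:C9:15:39:78
00:1b:21:aa:bb:cc'

# to_shorewall_mac MAC: validate a colon-form MAC and print it in Shorewall
# form (lower-case, dash-separated, "~" prefix). Returns 1 and prints nothing
# for anything that is not six hex octets.
to_shorewall_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '~%s\n' "$(printf '%s' "$1" | tr 'A-Z:' 'a-z-')"
}

# gen_policy: the loc->net line for /etc/shorewall/policy
# (columns: SOURCE DEST POLICY LOG LEVEL). Logging at "info" is this example's
# choice so an unlisted notebook shows up in the log instead of failing silently.
gen_policy() {
    printf 'loc\tnet\tREJECT\tinfo\n'
}

# gen_rules [PORTS]: one ACCEPT line per MAC read from stdin, for
# /etc/shorewall/rules (columns: ACTION SOURCE DEST PROTO DEST PORT(S)).
# Without PORTS the host gets full Internet access, as in Tom's rule;
# with "25,110" it is limited to SMTP and POP3.
gen_rules() {
    ports=${1:-}
    while IFS= read -r mac; do
        [ -n "$mac" ] || continue
        smac=$(to_shorewall_mac "$mac") || { echo "skipping malformed MAC: $mac" >&2; continue; }
        if [ -n "$ports" ]; then
            printf 'ACCEPT\tloc:%s\tnet\ttcp\t%s\n' "$smac" "$ports"
        else
            printf 'ACCEPT\tloc:%s\tnet\n' "$smac"
        fi
    done
}

# count_rules [PORTS]: number of ACCEPT lines produced for the constructed list.
count_rules() {
    printf '%s\n' "$ALLOWED_MACS" | gen_rules "${1:-}" | grep -c '^ACCEPT'
}

echo "# /etc/shorewall/policy"
gen_policy
echo "# /etc/shorewall/rules"
printf '%s\n' "$ALLOWED_MACS" | gen_rules 25,110
```

Paste the printed lines into the two files (keeping the existing column headers), then run shorewall check before shorewall restart; a typo in a MAC is caught here by the validator rather than at reload time.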
I have a network configured as follows (Mandrake MNF 10.1/Shorewall 2.0.8):

                               +-- 68.x.x.{3,7}
68.x.x.3                       |
68.x.x.7  -- shorewall -- hub  +
68.x.x.26                      |
                               +-- 192.168.x.x

There is proxyarp for the 68.x.x.{3,7} addresses, and NAT for the 192.168.x.x network. All internal addresses are in the lan zone, all external access in the wan zone.

Everything works fine between lan->wan, wan->lan:68.x.x.{3,7}, fw->lan, fw->wan (I have rules allowing dns, http, etc. for all of these), but lan->lan doesn't work, even though I have tried rules like:

ACCEPT lan lan tcp 0:65535

or

ACCEPT lan lan:68.x.x.7 tcp http -

When I ping one of these from a 192.x.x.x machine, I get a packet dump. I'm probably missing something simple, as I had a configuration like this with an older version of MNF that worked.

Any help would be greatly appreciated!
> I have a network configured as follows (Mandrake MNF 10.1/Shorewall
> 2.0.8):
>
>                                +-- 68.x.x.{3,7}
> 68.x.x.3                       |
> 68.x.x.7  -- shorewall -- hub  +
> 68.x.x.26                      |
>                                +-- 192.168.x.x
>
> There is proxyarp for the 68.x.x.{3,7} addresses, and NAT for the
> 192.168.x.x network. All internal addresses are in the lan zone, all
> external access in the wan zone.
> Everything works fine between lan->wan, wan->lan:68.x.x.{3,7},
> fw->lan, fw->wan (I have rules allowing dns, http, etc. for all of
> these), but lan->lan doesn't work, even though I have tried rules like:
>
> ACCEPT lan lan tcp 0:65535
>
> or
>
> ACCEPT lan lan:68.x.x.7 tcp http -
>
> When I ping one of these from a 192.x.x.x machine, I get a packet
> dump. I'm probably missing something simple, as I had a configuration
> like this with an older version of MNF that worked.
>
> Any help would be greatly appreciated!
>

Can you post your config files please.

Jerry
On Jul 26, 2005, at 8:02 AM, Gavin Thomas Nicol wrote:
> I have a network configured as follows (Mandrake MNF 10.1/Shorewall
> 2.0.8):
>
>                                +-- 68.x.x.{3,7}
> 68.x.x.3                       |
> 68.x.x.7  -- shorewall -- hub  +
> 68.x.x.26                      |
>                                +-- 192.168.x.x
>
> There is proxyarp for the 68.x.x.{3,7} addresses, and NAT for the
> 192.168.x.x network. All internal addresses are in the lan zone,
> all external access in the wan zone.
> Everything works fine between lan->wan, wan->lan:68.x.x.{3,7},
> fw->lan, fw->wan (I have rules allowing dns, http, etc. for all of
> these), but lan->lan doesn't work, even though I have tried rules
> like:

FWIW, I figured this out: I was missing the routeback option on the local network interface. The earlier Mandrake MNF Shorewall didn't require this.