I am in the middle of re-working my home network to get closer to what Tom shows in my myfiles.htm on a SuSE box.

I know it is off topic, but is the /etc/sysconfig/network/routes file anywhere for Tom's SuSE configuration ? Or, Tom, would you be willing to share it?

I'm sure it's something stupid I'm doing - but I know I'm in trouble when I start swearing at it in German...

What I have

eth0 xx.xx.xx.122 to DSL modem xx.xx.xx.121 (Real routeable IP)
eth1 xx.xx.xx.122 to DMZ xx.xx.xx.123 (Real routeable IP)
eth2 192.xx.xx.xx to Local switch and Local network box(es)
eth3 192.xx.yy.xx to Linksys Wireless

eth2 works fine except for routing to the mail/webserver in the DMZ (one of the symptoms of why I know I'm in trouble)

eth3 currently NOT connected

I also do NOT have routing from the DMZ machine to anything past my firewall.

Bottom line - No, shorewall clear does NOT give me the desired results/routing, so I am NOT accusing shorewall of not working...I'm just asking for a working "routes" file/example from someone with a SuSE box...

Ducking and Thanking in Advance

Bill
Bill.Light@kp.org wrote:
>
> Bottom line - No, shorewall clear does NOT give me the desired
> results/routing, so I am NOT accusing shorewall of not working...I'm
> just asking for a working "routes" file/example from someone with a SuSE
> box...
>
> Ducking and Thanking in Advance

Sorry -- but my firewall runs under Debian Sarge, not SuSE.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Bill.Light@kp.org wrote:
> eth2 works fine except for routing to the mail/webserver in the DMZ
> (one of the symptoms of why I know I'm in trouble)
>
> eth3 currently NOT connected
>
> I also do NOT have routing from the DMZ machine to anything past my
> firewall.

What default Gateway do you have configured on the DMZ machine?

-Tom
eth0 xx.xx.xx.123 default route xx.xx.xx.122

so route -n shows

xx.xx.xx.122 0.0.0.0 255.255.255.255 UH 0 0 eth0
0.0.0.0 xx.xx.xx.122 0.0.0.0 UG 0 0 eth0

and it seems the only way I got that working was with the REMOTE_IPADDR= 'xx.xx.xx.122'

I can't seem to leave it blank and let shorewall (also running on that box) "detect"

I'm temporarily cheating with another NIC in that box that will be used for an AXIS webcam I picked up off eBay

Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@lists.sourceforge.net
08/18/05 02:46 PM
Please respond to shorewall-users@lists.sourceforge.net
To: shorewall-users@lists.sourceforge.net
cc:
Subject: Re: [Shorewall-users] Shorewall+routing+SuSE

Bill.Light@kp.org wrote:
> eth2 works fine except for routing to the mail/webserver in the DMZ
> (one of the symptoms of why I know I'm in trouble)
>
> eth3 currently NOT connected
>
> I also do NOT have routing from the DMZ machine to anything past my
> firewall.

What default Gateway do you have configured on the DMZ machine?

-Tom
Were you asking for a reason, Tom ?

Or should I just go away and back to my "SuSE Linux Routing" Google reading ?
Bill.Light@kp.org wrote:
>
> Were you asking for a reason, Tom ?

I wondered if it was correct, is all. FWIW, here's what the routing looked like when my config looked like myfiles.htm:

gateway:/etc/shorewall# ip route ls
192.168.1.1 dev eth2 scope link
206.124.146.177 dev eth1 scope link
192.168.2.2 dev tun0 proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.254
192.168.2.0/24 via 192.168.2.2 dev tun0
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.254
206.124.146.0/24 dev eth2 proto kernel scope link src 206.124.146.176
224.0.0.0/4 dev eth3 scope link
default via 206.124.146.254 dev eth2
gateway:/etc/shorewall#

You can disregard the 'tun0' routes as they are for OpenVPN. The routing table on my server in the DMZ looks like this:

[root@lists 2.5]# ip route ls
206.124.146.0/24 dev eth0 proto kernel scope link src 206.124.146.177
169.254.0.0/16 dev eth0 scope link
default via 206.124.146.254 dev eth0
[root@lists 2.5]#

> Or should I just go away and back to my "SuSE Linux Routing" Google reading ?

I think that you need to stop approaching this as a SuSE-specific problem. Focus on getting the output of "ip route ls" correct (and the settings of /proc/sys/net/ipv4/conf/*/proxy_arp correct), not on getting /etc/sysconfig/network/routes correct -- the latter will be correct only when the former is and the Yast2 GUI for configuring routes is really straight-forward.

-Tom
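
The check Tom recommends can be scripted against "ip route ls" output instead of the distribution's routes file. The following is an added example, not part of the original thread or of Shorewall; it assumes the layout Tom's listing shows (a host route for the DMZ server on the DMZ-facing interface, default route out the external interface), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a firewall's routing for a proxy-ARP DMZ.
# ROUTES is the "ip route ls" listing from Tom's message (tun0 lines omitted).
ROUTES='192.168.1.1 dev eth2 scope link
206.124.146.177 dev eth1 scope link
192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.3.254
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.254
206.124.146.0/24 dev eth2 proto kernel scope link src 206.124.146.176
224.0.0.0/4 dev eth3 scope link
default via 206.124.146.254 dev eth2'

# Print the interface that carries a host route for address $2 in listing $1.
host_route_dev() {
    printf '%s\n' "$1" | awk -v h="$2" \
        '($1 == h || $1 == (h "/32")) && $2 == "dev" { print $3; exit }'
}

# Print "gateway interface" of the default route in listing $1.
default_route() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" {
        for (i = 4; i < NF; i++) if ($i == "dev") { print $3, $(i + 1); exit } }'
}

# check_dmz LISTING DMZ_HOST DMZ_IF EXT_IF: return 0 when the DMZ host is
# reached through DMZ_IF and the default route leaves through EXT_IF.
check_dmz() {
    listing=$1; host=$2; dmz_if=$3; ext_if=$4; rc=0
    dev=$(host_route_dev "$listing" "$host")
    if [ "$dev" != "$dmz_if" ]; then
        echo "FAIL: $host routed via '${dev:-nothing}', expected $dmz_if"; rc=1
    fi
    set -- $(default_route "$listing")
    if [ "${2:-}" != "$ext_if" ]; then
        echo "FAIL: default route via '${2:-nothing}', expected $ext_if"; rc=1
    fi
    return $rc
}

# List each interface's proxy_arp flag (1 = proxy ARP enabled on that interface).
proxy_arp_state() {
    for f in "${1:-/proc/sys/net/ipv4/conf}"/*/proxy_arp; do
        [ -r "$f" ] || continue
        iface=${f%/proxy_arp}
        printf '%s=%s\n' "${iface##*/}" "$(cat "$f")"
    done
}

check_dmz "$ROUTES" 206.124.146.177 eth1 eth2 && echo "routing OK"
proxy_arp_state
```

On a live firewall, pass "$(ip route ls)" as the listing and substitute the real DMZ address and interface names.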