I know that I can solve my firewall problem using two firewall
machines. I'd like to avoid that since I'm going to only need one
once we make the transition from one ISP to another.
Here's what we've got
      +----------+          +-----------+
      | ISP-ABLE |          | ISP-BAKER |
      +----------+          +-----------+
            | 216.X/27            | 206.X/27
            |                     |
            +----------+----------+
                       |
               +----------------+
               | Shorewall Host |
               +----------------+
                       | 10.X/22
                       |
            +----------+----------+
            |                     |
         +-----+               +------+
         | FTP |               | SMTP |
         +-----+               +------+
As we are moving from one ISP to another, we'd like to offer (in this
case) the FTP and SMTP services on either network. The original ABLE
DNAT works fine.
# === ftp.X.com:21 - FTP
DNAT net loc:10.0.0.84 tcp 21 - \
216.X.197
DNAT net loc:10.0.0.84 tcp 21 - \
206.X.37
I've added a routing rule so that packets leaving the firewall are
routed according to the source address.
# ip rules
0: from all lookup local
15000: from 206.X.32/27 lookup baker
32766: from all lookup main
32767: from all lookup default
and the baker table has the proper default route. ETH0 is the local
network and ETH1 is the internet interface.
# ip route ls table baker
default via 206.X.33 dev eth1
So, I've verified that I can ping addresses on each network from
another place on the Internet. The shorewall machine can connect to a
remote host using an address on either network, by ping and by ssh.
I've also verified that TCP connect replies are not making it from the
shorewall host to the requesting machine. tcpdump shows that
shorewall is attempting to send to the correct destination, but the
packets don't arrive.
What I suspect is that the TCP replies for BAKER requests are being
routed through the ABLE network which seems to be performing ingress
filtering.
The question is this:
Should this work?
or
Should I shut up and configure a second shorewall machine?
Cheers.
-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server.
Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
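The failure mode the first post suspects (replies to connections that came in on the BAKER address leaving through ABLE's default route) can be checked offline with the following model. It is an added example, not code from the thread or from Shorewall: it simulates the order of the Linux policy-routing steps for the reply packet, using placeholder addresses in place of the masked 206.X/216.X prefixes, and an assumed fwmark rule fed by a connection mark as the fix.

```python
"""Model of why a source-based ip rule misses DNAT reply traffic.

Constructed example (not the thread's or Shorewall's code). Addresses are
placeholders standing in for the poster's masked 206.X / 216.X prefixes.
"""
import ipaddress

# Policy routing rules in priority order, mirroring the `ip rules` output in
# the post. The fwmark rule is the assumed fix; 'main' holds ABLE's default.
RULES = [
    {"prio": 15000, "from": "206.0.0.32/27", "table": "baker"},
    {"prio": 15001, "fwmark": 2, "table": "baker"},      # assumed fix
    {"prio": 32766, "from": "0.0.0.0/0", "table": "main"},
]
TABLES = {
    "baker": "default via 206.0.0.33 dev eth1 (BAKER)",
    "main": "default via 216.0.0.193 dev eth1 (ABLE)",
}


def route_lookup(src, fwmark=0):
    """Return the default route chosen for a packet with source `src`."""
    for rule in RULES:
        if "from" in rule and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(rule["from"]):
            continue
        if "fwmark" in rule and rule["fwmark"] != fwmark:
            continue
        return TABLES[rule["table"]]
    raise LookupError("no matching rule")


def reply_path(public_ip, server_ip, use_connmark):
    """Route the server's reply to a client that connected to `public_ip`.

    DNAT rewrote the destination on the way in, so the reply leaves the
    FTP/SMTP host with source `server_ip` (10.x). The reverse NAT back to
    `public_ip` is applied in POSTROUTING, after the routing decision, so a
    'from 206.X/27' rule never sees a 206.X source on the reply. A mark saved
    on the connection when the inbound SYN arrived on the BAKER address, and
    restored in PREROUTING on the reply, is visible to the routing decision.
    """
    mark = 2 if (use_connmark and public_ip.startswith("206.")) else 0
    return route_lookup(server_ip, fwmark=mark)


if __name__ == "__main__":
    print("without connmark:", reply_path("206.0.0.37", "10.0.0.84", False))
    print("with connmark:   ", reply_path("206.0.0.37", "10.0.0.84", True))
```

The assumed real-world counterpart of the mark is an iptables mangle PREROUTING rule that applies `MARK --set-mark 2` plus `CONNMARK --save-mark` to new connections arriving on the BAKER address and `CONNMARK --restore-mark` to the rest, together with `ip rule add fwmark 2 table baker`.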
On Thu, Sep 22, 2005 at 01:50:33PM -0700, Marc Singer wrote:
> I know that I can solve my firewall problem using two firewall
> machines. I'd like to avoid that since I'm going to only need one
> once we make the transition from one ISP to another.

I had read and searched through the documentation, but didn't find the
section on multiple ISPs. A google search turned it up. So, it looks
like this ought to work OK. I'll see if there is something to change
that makes this operate properly.