Robert Winter
2005-Oct-31 17:49 UTC
Re: Help requested on bridging and/or proxyarp'ing - specific questions

Hi,

Thank you Jerry for responding. I changed eth0's netmask in the below diagram to 255.255.255.255 as you suggested. I also realized I could set the gateway interface (eth0) by reading the RHEL3 documentation.

internal network (66.1.1.99-126) <--->
eth1:66.1.1.98/27:shorewall box:eth0:66.1.1.98/32 <---->
66.1.1.97:dsl modem/router:66.1.1.64/27

I have two further questions:

Question 1. Is it correct that an entry in the hosts file specifying a single host does not set up a route to that host? My hosts file looks like:

#Hosts
#
#ZONE   HOST(S)            OPTIONS
loc     eth0:66.1.1.97
net     eth0:0.0.0.0/0

and my interfaces file looks like:

#Interfaces
#
##############################################################################
#ZONE   INTERFACE   BROADCAST                     OPTIONS
#
#-      br0         66.1.1.127                    proxyarp
-       eth0        66.1.1.127,255.255.255.255    proxyarp
loc     eth1        66.1.1.127                    proxyarp

(sorry for the bad formatting - gmail isn't forgiving of tabs).

So in other words, it appears that I might have to set the route to 66.1.1.97 outside of shorewall, correct?

Question 2: The default route shown in 'ip route show' below is clearly not correct. Machines can't get out to the internet. Ethereal shows machine .98 not forwarding it to the gateway machine .97. Instead .98 just keeps on arping out, asking 'who has 4.2.2.1' for example.

66.1.1.96/27 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default dev eth0 scope link

Do I have something configured incorrectly? Or should I just fix it outside of shorewall?

Thank you,
-Robert

Jerry Vonau
2005-Oct-31 18:41 UTC
Re: Re: Help requested on bridging and/or proxyarp'ing - specific questions

----- Original Message -----
>
>Hi,
>
>Thank you Jerry for responding. I changed eth0's netmask in the below
>diagram to 255.255.255.255 as you suggested. I also realized I could
>set the gateway interface (eth0) by reading the RHEL3 documentation.

Ah, you discovered "gatewaydev" for the network file.

>
>internal network (66.1.1.99-126) <--->
>eth1:66.1.1.98/27:shorewall box:eth0:66.1.1.98/32 <---->
> 66.1.1.97:dsl modem/router:66.1.1.64/27
>
>I have two further questions:
>
>Question 1. Is it correct that an entry in the hosts file specifying a
>single host
>does not set up a route to that host? My hosts file looks like:

No, an entry in the hosts file just defines the interface as belonging to the listed zones, or another way, what zones are assigned to an interface. Now that you're not using bridge, there is no point in using this file.

>#Hosts
>#
>#ZONE HOST(S) OPTIONS
>loc eth0:66.1.1.97
>net eth0:0.0.0.0/0
>
>and my interfaces file looks like:
>#Interfaces
>#
>##############################################################################
>#ZONE INTERFACE BROADCAST OPTIONS
>#
>#- br0 66.1.1.127 proxyarp
>- eth0 66.1.1.127,255.255.255.255 proxyarp
>loc eth1 66.1.1.127 proxyarp

255.255.255.255 is not required, if you do away with the hosts file, then net should replace "-"

>(sorry for the bad formatting - gmail isn't forgiving of tabs).
>So in other words, it appears that I might have to set the route to
>66.1.1.97 outside of shorewall, correct?

Yes, you should set the host route (hint, static-routes file)

>Question 2: The default route shown in 'ip route show' below is
>clearly not correct. Machines can't get out to the internet.
>Ethereal shows machine .98 not forwarding it to the gateway
>machine .97. Instead .98 just keeps on arping out, asking
>'who has 4.2.2.1' for example.
>
>66.1.1.96/27 dev eth1 scope link
>169.254.0.0/16 dev eth1 scope link
>127.0.0.0/8 dev lo scope link
>default dev eth0 scope link
>
>Do I have something configured incorrectly? Or should I just fix
>it outside of shorewall?

Looks like you're missing "GATEWAY=Z.Z.Z.Z" in your ifcfg-eth0 file.

Jerry
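
Added example, not part of either message above: a shell check for the two routing problems the thread discusses, a default route with no next hop and a missing host route to the gateway on the /32 interface. It reads 'ip route show' text on stdin; the function name check_routes and the corrected table are constructed for illustration, and the broken table is the one quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: audit "ip route show" text for the failure described in the thread.
# check_routes GATEWAY  reads a routing table on stdin, prints one line per
# problem and returns 1 if any problem was found (0 if the table is sane).
check_routes() {
    awk -v gw="$1" '
        # Return the token that follows "key" on the current line, or "".
        function after(key,   i) {
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        $1 == "default" {
            seen = 1; def_dev = after("dev"); via = after("via")
            if (via == "") {
                # No next hop: the kernel treats every destination as on-link
                # and ARPs for it directly (the "who has 4.2.2.1" symptom).
                print "BAD default route on " def_dev " has no gateway (via)"
                bad = 1
            } else if (via != gw) {
                print "BAD default route via " via ", expected " gw
                bad = 1
            }
            next
        }
        # Host route to the gateway, needed because eth0 carries a /32 mask.
        $1 == gw || $1 == (gw "/32") { hr_dev = after("dev") }
        END {
            if (!seen) { print "BAD no default route"; bad = 1 }
            if (hr_dev == "") {
                print "BAD no host route to gateway " gw; bad = 1
            } else if (seen && hr_dev != def_dev) {
                print "BAD host route to " gw " is on " hr_dev ", default is on " def_dev
                bad = 1
            }
            exit bad + 0
        }'
}

# Routing table quoted in the thread (broken).
BROKEN_TABLE='66.1.1.96/27 dev eth1 scope link
169.254.0.0/16 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default dev eth0 scope link'

# Constructed table showing the corrected state (assumption, not from the thread).
FIXED_TABLE='66.1.1.97 dev eth0 scope link
66.1.1.96/27 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 66.1.1.97 dev eth0'

printf '%s\n' "$BROKEN_TABLE" | check_routes 66.1.1.97 || true
```

On a live box the same function can be fed with: ip route show | check_routes 66.1.1.97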