Hi,

I saw in the Shorewall documentation a model for configuring Shorewall to work properly in two-ISP mode. To build a more realistic scenario I put in two D-Link DWL-2100 AP access points, one with 206.124.146.254 and the other with 130.252.99.254. My providers configuration file and the masq file are the same as the sample on the Shorewall page, but when I try to start it I get the following error:

    RTNETLINK answers: File exists
    RTNETLINK answers: File exists
    RTNETLINK answers: File exists
    Terminated

I saw in Google's documentation that this error is associated with traffic on the same interface, and I tried to correct this using the routeback and martianlogs options in the interface file...

http://mailman.ds9a.nl/pipermail/lartc/2001q4/001687.html
http://mailman.ds9a.nl/pipermail/lartc/2001q4/001695.html

What's wrong?

--
Marcelo

On Wednesday 05 April 2006 10:55, Marcelo Leão Caffaro wrote:
> What's wrong?

Please see http://www.shorewall.net/troubleshoot.htm for information about how to troubleshoot "shorewall start" errors.

Please see http://www.shorewall.net/support.htm for information about how to ask for help with these problems.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

In a proxyarp setup, can I assign multiple public IP addresses in the DMZ zone on one server with a single iface?

Can I also assign on the same server a 192.168.3.xx address on the same iface?

Regards,
Harry

On Wednesday 05 April 2006 13:10, Harry Lachanas wrote:
> In a proxyarp setup, can I assign multiple public IP addresses in the DMZ
> zone on one server with a single iface?

Yes.

> Can I also assign on the same server a 192.168.3.xx address on the same
> iface?

Yes, but I don't recommend it.

-Tom

Another thing that bugs me about this proxy ARP (I think I am forced to do it) is the fact that the ISP provided me with 16+1 addresses: one for the external PPPoE interface of the ADSL modem router, 212.202.xx.xx, and the group of 16 is 62.103.82.xx/28 for use as servers.

Any special care in the config, except probably a routing rule on the ADSL modem router?

> On Wednesday 05 April 2006 13:10, Harry Lachanas wrote:
>
> > In a proxyarp setup, can I assign multiple public IP addresses in the DMZ
> > zone on one server with a single iface?
>
> Yes.
>
> > Can I also assign on the same server a 192.168.3.xx address on the same
> > iface?
>
> Yes, but I don't recommend it.
>
> -Tom

On Wednesday 05 April 2006 13:58, Harry Lachanas wrote:
> Another thing that bugs me about this proxy ARP (I think I am forced to
> do it) is the fact that the ISP provided me with 16+1 addresses: one for
> the external PPPoE interface of the ADSL modem router, 212.202.xx.xx, and
> the group of 16 is 62.103.82.xx/28 for use as servers.
> Any special care in the config, except probably a routing rule on the
> ADSL modem router?

Only special care is that Proxy ARP is unnecessary in that environment. Just set up your DMZ using the /28 as described in the 'Routed' section of the Shorewall Setup Guide.

-Tom

PS -- and you will need a route in the adsl modem/router that routes the /28 via your firewall's external IP address.

On Wednesday 05 April 2006 14:02, Tom Eastep wrote:
> On Wednesday 05 April 2006 13:58, Harry Lachanas wrote:
> > Another thing that bugs me about this proxy ARP (I think I am forced to
> > do it) is the fact that the ISP provided me with 16+1 addresses: one for
> > the external PPPoE interface of the ADSL modem router, 212.202.xx.xx, and
> > the group of 16 is 62.103.82.xx/28 for use as servers.
> > Any special care in the config, except probably a routing rule on the
> > ADSL modem router?
>
> Only special care is that Proxy ARP is unnecessary in that environment.
> Just set up your DMZ using the /28 as described in the 'Routed' section of
> the Shorewall Setup Guide.
>
> -Tom
>
> PS -- and you will need a route in the adsl modem/router that routes the
> /28 via your firewall's external IP address.

Let me back up a minute.

If you configure the /28 as the "local" network in your adsl modem/router then you can use proxy ARP. But if you configure that router to have an RFC 1918 local network then you can simply use routing as I mentioned in the post script to my message above to route the /28 to your firewall. From there, it can be routed to your DMZ.

-Tom

So .....

    ISP ---212.202.xx.xx [ modem -router]10.0.11.1 ---- 10.0.11.2[-eth0 -
    FIREWALL - (DMZ) -eth2] 62.103.xx.1/28 ---- 62.103.xx.2/28[ DMZ MAIL
    SERVER]

is your suggestion, I suppose, with NO masq entry for the dmz zone.

Harry.

> On Wednesday 05 April 2006 13:58, Harry Lachanas wrote:
>
> > Another thing that bugs me about this proxy ARP (I think I am forced to
> > do it) is the fact that the ISP provided me with 16+1 addresses: one for
> > the external PPPoE interface of the ADSL modem router, 212.202.xx.xx, and
> > the group of 16 is 62.103.82.xx/28 for use as servers.
> > Any special care in the config, except probably a routing rule on the
> > ADSL modem router?
>
> Only special care is that Proxy ARP is unnecessary in that environment. Just
> set up your DMZ using the /28 as described in the 'Routed' section of the
> Shorewall Setup Guide.
>
> -Tom
>
> PS -- and you will need a route in the adsl modem/router that routes the /28
> via your firewall's external IP address.

On Wednesday 05 April 2006 14:33, Harry Lachanas wrote:
> So .....
> ISP ---212.202.xx.xx [ modem -router]10.0.11.1 ---- 10.0.11.2[-eth0 -
> FIREWALL - (DMZ) -eth2] 62.103.xx.1/28 ---- 62.103.xx.2/28[ DMZ MAIL
> SERVER]
> is your suggestion, I suppose, with NO masq entry for the dmz zone.

Yes, that's correct. And of course the modem-router has a route to the /28 via 10.0.11.2. The default gateway of the FIREWALL is 10.0.11.1 while the default gateway for the DMZ server(s) is 62.103.xx.1.

-Tom

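
The routed layout confirmed in the last reply, traced hop by hop as an added example (not part of the thread and not Shorewall code). 198.51.100.0/28 stands in for the elided 62.103.xx /28; the /24 on the 10.0.11.x link, the "isp" marker and all function names are assumptions.

```python
import ipaddress as ipa

ANY = ipa.ip_network("0.0.0.0/0")
TRANSIT = ipa.ip_network("10.0.11.0/24")   # assumed prefix length of the modem<->firewall link
DMZ = ipa.ip_network("198.51.100.0/28")    # constructed stand-in for the routed /28

def topology(static_route=True):
    """Map node name -> (addresses it owns, routes as (prefix, next hop))."""
    modem_routes = [(TRANSIT, None), (ANY, "isp")]
    if static_route:
        # The route from the P.S.: the /28 via the firewall's external address.
        modem_routes.append((DMZ, "10.0.11.2"))
    return {
        "modem": ({"10.0.11.1"}, modem_routes),
        "firewall": ({"10.0.11.2", "198.51.100.1"},
                     [(TRANSIT, None), (DMZ, None), (ANY, "10.0.11.1")]),
        "server": ({"198.51.100.2"}, [(DMZ, None), (ANY, "198.51.100.1")]),
    }

def owner(nodes, addr):
    """Name of the node that holds addr, or None if nobody does."""
    return next((n for n, (addrs, _) in nodes.items() if addr in addrs), None)

def trace(nodes, start, dst, max_hops=8):
    """Follow longest-prefix-match forwarding from start towards dst."""
    path, node, target = [start], start, ipa.ip_address(dst)
    for _ in range(max_hops):
        addrs, routes = nodes[node]
        if dst in addrs:
            return path                      # delivered
        matches = [(p, nh) for p, nh in routes if target in p]
        if not matches:
            return path + ["no route"]
        _, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        if next_hop == "isp":
            return path + ["isp"]            # handed upstream
        # A next hop of None means the prefix is on-link: deliver directly.
        node = owner(nodes, next_hop or dst)
        if node is None:
            return path + ["unreachable"]
        path.append(node)
    return path + ["loop"]

if __name__ == "__main__":
    print(trace(topology(), "modem", "198.51.100.2"))
    print(trace(topology(static_route=False), "modem", "198.51.100.2"))
    print(trace(topology(), "server", "203.0.113.9"))
```

Without the static route the modem-router matches only its default route for the /28 and hands the packet back upstream, which is why the route via 10.0.11.2 is required in the routed setup.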