Hi, I'm currently working on my diploma thesis and I have some big problems setting up Shorewall under Xen.

For information: I use Shorewall 3.0.7 and Xen 3.0.2 on a Debian "Etch" system (2.6.16 kernel). The network looks like this: http://img245.imageshack.us/my.php?image=xennetzwerkdetailliert3ef.jpg

I know the tutorials "Xen and Shorewall" and "Three-Interface Firewall", but my network is a little bit different, especially the three bridges. My questions are:

1. How can I set up Shorewall with three bridges (see the picture above)?
2. How can I set up Shorewall with three interfaces in a Xen environment (getting the IP address for eth0 via DHCP)?
3. How can I set up Shorewall to work with a static IP in the internal network (SNAT, DNAT or masquerading)? Because the domUs need a gateway with a static IP!

For config files see the attached file. I don't know how to do this ... any ideas?

Thanks for help
Best regards
Andi
hgfhg gfhfgh wrote:
> I don't know how to do this ... any ideas?

Yes -- READ THE DOCUMENTATION.

http://www.shorewall.net/Xen.html
http://www.shorewall.net/XenMyWay.html

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
I READ it already but I don't understand it, because my "special" network (with three bridges) is different from yours. I can't implement your solution in my environment!

Andi
hgfhg gfhfgh wrote:
> I READ it already but I don't understand it, because
> my "special" network (with three bridges) is
> different from yours. I can't implement your solution
> in my environment!

I can see absolutely no reason for you to have more than one bridge (three interconnected bridges are logically equivalent to one bridge).

What are you trying to accomplish with this configuration? By bridging everything to the Internet, you give yourself no opportunity for any type of masquerading or NAT whatsoever.

To use NAT, you need to have a *router* between the Internet and your other zones rather than a rat's nest of bridges. Again, the topology from 'XenMyWay.html' is much more straightforward and provides you with a firewall/router in one of the DomUs.

-Tom
Tom Eastep wrote:
> hgfhg gfhfgh wrote:
>> I READ it already but I don't understand it, because
>> my "special" network (with three bridges) is
>> different from yours. I can't implement your solution
>> in my environment!
>
> I can see absolutely no reason for you to have more than one bridge (three
> interconnected bridges are logically equivalent to one bridge).
>
> What are you trying to accomplish with this configuration? By bridging
> everything to the Internet, you give yourself no opportunity for any type of
> masquerading or NAT whatsoever.
>
> To use NAT, you need to have a *router* between the Internet and your other
> zones rather than a rat's nest of bridges. Again, the topology from
> 'XenMyWay.html' is much more straightforward and provides you with a
> firewall/router in one of the DomUs.

And if you want to do this all in Dom0 then rather than tying the bridges together, you need to configure two additional virtual interfaces in Dom0 and connect them to the other two bridges.

    Internet---xenbr0------eth0 Dom0 eth1------xenbr1-----Local systems
                                    eth2
                                     |
                                     |
                                    DMZ

In other words, create the three-interface standard Shorewall configuration. In this configuration, what I recommend is to make each bridge its own zone (very similar to XenMyWay.html and for the same reason). The rest of the configuration is then just like http://www.shorewall.net/three-interface.htm.

-Tom
Tom Eastep wrote:
> And if you want to do this all in Dom0 then rather than tying the bridges
> together, you need to configure two additional virtual interfaces in Dom0 and
> connect them to the other two bridges.
>
>     Internet---xenbr0------eth0 Dom0 eth1------xenbr1-----Local systems
>                                     eth2
>                                      |
>                                      |
>                                     DMZ

I left out one bridge:

    Internet---xenbr0------eth0 Dom0 eth1------xenbr1-----Local systems
                                    eth2
                                     |
                                   xenbr2
                                     |
                                    DMZ

-Tom
In the tutorial "Xen and Shorewall" you set up the zones like this:

    ursa    xenbr0:vif0.0
    dmz     xenbr0:vif+
    net     xenbr0:peth0

but we have an additional zone (lan). Can we solve the problem like this?

    ursa    xenbr0:vif0.0
    dmz     xenbr0:vif+
    lan     xenbr0:vif+
    net     xenbr0:peth0

But how can Shorewall tell the "dmz" and "lan" zones apart? I create the domUs by hand (xm create -c ..... => not autostart), which means the "vifs" are changing all the time. That's why I created a bridge per zone.

"net" is our school network and from there we get an IP address via DHCP.

Andi

--- Tom Eastep <teastep@shorewall.net> wrote:
> hgfhg gfhfgh wrote:
>> I READ it already but I don't understand it, because
>> my "special" network (with three bridges) is
>> different from yours. I can't implement your solution
>> in my environment!
>
> I can see absolutely no reason for you to have more than one bridge (three
> interconnected bridges are logically equivalent to one bridge).
>
> What are you trying to accomplish with this configuration? By bridging
> everything to the Internet, you give yourself no opportunity for any type of
> masquerading or NAT whatsoever.
>
> To use NAT, you need to have a *router* between the Internet and your other
> zones rather than a rat's nest of bridges. Again, the topology from
> 'XenMyWay.html' is much more straightforward and provides you with a
> firewall/router in one of the DomUs.
>
> -Tom
hgfhg gfhfgh wrote:
> In the tutorial "Xen and Shorewall" you set up the
> zones like this:
>     ursa    xenbr0:vif0.0
>     dmz     xenbr0:vif+
>     net     xenbr0:peth0
>
> but we have an additional zone (lan). Can we solve the
> problem like this?
>
>     ursa    xenbr0:vif0.0
>     dmz     xenbr0:vif+
>     lan     xenbr0:vif+
>     net     xenbr0:peth0
>
> But how can Shorewall tell the "dmz" and
> "lan" zones apart? I create the domUs by hand (xm create -c
> ..... => not autostart), which means the "vifs" are
> changing all the time. That's why I created a bridge
> per zone.
>
> "net" is our school network and from there we get an
> IP address via DHCP.

Do as I suggested in my last two posts and use 3 virtual interfaces in Dom0 with each virtual interface connected to a separate switch.

You then have something like:

/etc/shorewall/zones

    fw      firewall
    net     ipv4
    loc     ipv4
    dmz     ipv4
    br0     ipv4
    br1     ipv4
    br2     ipv4

/etc/shorewall/interfaces:

    net     eth0        detect  dhcp
    loc     eth1        detect
    dmz     eth2        detect
    br0     xenbr0      -       routeback
    br1     xenbr1      -       routeback
    br2     xenbr2      -       routeback

(Note: If you don't want to rename the two additional virtual interfaces to eth1 and eth2 respectively then replace eth1 by veth1 and eth2 by veth2; the Xen bridging script will automatically rename veth0 to eth0).

The rest of the configuration is straight out of the three-interface QuickStart Guide.

-Tom
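Added example (not code from the thread or from the Shorewall project): the question above is how Shorewall can tell "dmz" from "lan" when both use the vif+ wildcard on xenbr0, and the answer in the reply is that zone membership is keyed by the interface (or bridge port) a packet arrives on, so each zone needs its own interface. The small parser below reads the two interfaces-file layouts posted above and resolves an ingress interface to the zones that claim it; with the shared-bridge layout, a domU vif matches both dmz and lan, while with one Dom0 interface per bridge every ingress maps to exactly one zone. The wildcard matcher implements only the trailing '+' prefix rule; it does not model any precedence Shorewall may apply between overlapping entries, and the sample vif name vif3.0 is constructed.

```python
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, List[str]]  # (zone, interface spec, options)

# Constructed input: the single-bridge layout proposed in the thread, where
# both dmz and lan claim the vif+ wildcard on xenbr0.
SHARED_BRIDGE = """\
#ZONE   INTERFACE       BROADCAST   OPTIONS
ursa    xenbr0:vif0.0
dmz     xenbr0:vif+
lan     xenbr0:vif+
net     xenbr0:peth0
"""

# Constructed input: the per-bridge layout recommended in the reply, where
# Dom0 has its own interface into each bridge and zones are keyed by it.
PER_BRIDGE = """\
#ZONE   INTERFACE       BROADCAST   OPTIONS
net     eth0            detect      dhcp
loc     eth1            detect
dmz     eth2            detect
br0     xenbr0          -           routeback
br1     xenbr1          -           routeback
br2     xenbr2          -           routeback
"""


def parse_interfaces(text: str) -> List[Entry]:
    """Parse /etc/shorewall/interfaces: ZONE INTERFACE [BROADCAST [OPTIONS]]."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        zone, iface = fields[0], fields[1]
        opts = fields[3].split(",") if len(fields) > 3 and fields[3] != "-" else []
        entries.append((zone, iface, opts))
    return entries


def name_matches(pattern: str, name: str) -> bool:
    """Shorewall wildcard: a trailing '+' matches any name with that prefix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def zones_for(entries: List[Entry], ingress: str) -> List[str]:
    """Zones whose interface spec matches a packet received on `ingress`.

    `ingress` is a plain interface name (eth2) or bridge:port (xenbr0:vif3.0)
    for the bridge-port syntax used in the Xen article.
    """
    hits: List[str] = []
    bridge: Optional[str]
    if ":" in ingress:
        bridge, port = ingress.split(":", 1)
    else:
        bridge, port = None, ingress
    for zone, spec, _ in entries:
        if ":" in spec:
            spec_bridge, spec_port = spec.split(":", 1)
            if bridge == spec_bridge and name_matches(spec_port, port):
                hits.append(zone)
        elif bridge is None and name_matches(spec, port):
            hits.append(zone)
    return hits


def ambiguous_specs(entries: List[Entry]) -> List[Tuple[str, List[str]]]:
    """Interface specs claimed by more than one zone: those zones cannot be told apart."""
    by_spec: Dict[str, List[str]] = {}
    for zone, spec, _ in entries:
        by_spec.setdefault(spec, []).append(zone)
    return [(spec, zones) for spec, zones in by_spec.items() if len(zones) > 1]


if __name__ == "__main__":
    shared = parse_interfaces(SHARED_BRIDGE)
    print("vif3.0 on xenbr0 ->", zones_for(shared, "xenbr0:vif3.0"))  # ['dmz', 'lan']
    print("ambiguous:", ambiguous_specs(shared))  # [('xenbr0:vif+', ['dmz', 'lan'])]
    per_bridge = parse_interfaces(PER_BRIDGE)
    print("eth2 ->", zones_for(per_bridge, "eth2"))  # ['dmz']
```

Run it as a script to see both layouts resolved; the ambiguity report is the check to apply to any interfaces file before relying on zone separation for policy.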
eth1 and eth2 are the gateways for the domUs in the "dmz" and "lan" zones, right?

Thanks a lot for your help Tom. I'll try it in the next few days.

Andi

--- Tom Eastep <teastep@shorewall.net> wrote:
> Do as I suggested in my last two posts and use 3
> virtual interfaces in Dom0 with
> each virtual interface connected to a separate
> switch.
>
> You then have something like:
>
> /etc/shorewall/zones
>
>     fw      firewall
>     net     ipv4
>     loc     ipv4
>     dmz     ipv4
>     br0     ipv4
>     br1     ipv4
>     br2     ipv4
>
> /etc/shorewall/interfaces:
>
>     net     eth0        detect  dhcp
>     loc     eth1        detect
>     dmz     eth2        detect
>     br0     xenbr0      -       routeback
>     br1     xenbr1      -       routeback
>     br2     xenbr2      -       routeback
>
> (Note: If you don't want to rename the two
> additional virtual interfaces to eth1
> and eth2 respectively then replace eth1 by veth1 and
> eth2 by veth2; the Xen
> bridging script will automatically rename veth0 to
> eth0).
>
> The rest of the configuration is straight out of the
> three-interface QuickStart
> Guide.
>
> -Tom
hgfhg gfhfgh wrote:
> eth1 and eth2 are the gateways for the domUs in the
> "dmz" and "lan" zones, right?

Yes -- as explained in the three-interface quickstart guide.

-Tom
I have now successfully created 2 dummy interfaces which are bridged to the zones.

interfaces:

    #ZONE   INTERFACE       BROADCAST   OPTIONS
    net     eth0            detect      dhcp
    lan     dummy0          detect
    dmz     dummy1          detect
    br0     xenbr0          -           routeback
    br1     xenbr-lan       -           routeback
    br2     xenbr-dmz       -           routeback
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

route:

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    172.16.2.0      *               255.255.255.0   U     0      0        0 dummy0
    192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
    10.10.1.0       *               255.255.255.0   U     0      0        0 dummy1
    default         192.168.1.1.loc 0.0.0.0         UG    0      0        0 eth0

masq:

    #INTERFACE      SUBNET          ADDRESS         PROTO   PORT(S)   IPSEC
    eth0            dummy0
    eth0            dummy1
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

My problems are that I can't get any connection or ping to the Internet from my lan or dmz zone, nor between these two zones.

Thanks for help

--- Tom Eastep <teastep@shorewall.net> wrote:
> hgfhg gfhfgh wrote:
>> eth1 and eth2 are the gateways for the domUs in
>> the "dmz" and "lan" zones, right?
>
> Yes -- as explained in the three-interface
> quickstart guide.
>
> -Tom
Now it works, but I always get a message like this:

    Performing cross-bridge DNAT requires IP forwarding to be enabled?

IP_FORWARDING=On is set in shorewall.conf.

Kernel configuration and build were done according to: http://www.shorewall.net/kernel.htm

I also tried

    # echo 1 > /proc/sys/net/ipv4/ip_forward

Andi
hgfhg gfhfgh wrote:
> Now it works, but I always get a message like this:
>
>     Performing cross-bridge DNAT requires IP forwarding to
>     be enabled?
>
> IP_FORWARDING=On is set in shorewall.conf.
>
> Kernel configuration and build were done according to:
> http://www.shorewall.net/kernel.htm
>
> I also tried
>
>     # echo 1 > /proc/sys/net/ipv4/ip_forward

http://ebtables.sourceforge.net/ebtables-faq.html

-Tom
I'm becoming desperate. In dom0 everything works:

- ping to lan
- ping to dmz
- ping to net
- DNS works

Also:

- ping from lan to dmz and from lan to dom0
- ping from dmz to lan and from dmz to dom0

But I can't get access to the Internet from lan and dmz, and I can't ping my router (192.168.1.1)!

I have attached some files; perhaps you can take a look at them.

With the script "network-bridge" I have created some bridges and connected them to eth0 and to the dummy network interfaces (dummy0 and dummy). eth0 and the dummy network interfaces are selected in the file "interfaces".

Thanks a lot for your help Tom.

Greetings
Andi
hgfhg gfhfgh wrote:
> My problems are that I can't get any connection or
> ping to the Internet from my lan or dmz zone, nor
> between these two zones.

The dump that you attached is useless -- it was taken when Shorewall hadn't even been started.

-Tom
hgfhg gfhfgh wrote:
> I'm becoming desperate.
> In dom0 everything works:
> - ping to lan
> - ping to dmz
> - ping to net
> - DNS works
> Also:
> - ping from lan to dmz and from lan to dom0
> - ping from dmz to lan and from dmz to dom0
>
> But I can't get access to the Internet from lan and
> dmz, and I can't ping my router (192.168.1.1)!
>
> I have attached some files; perhaps you can take a look
> at them.

Those files look nothing like what I suggested that you do. Please go back and review what I recommended.

-Tom
Sorry, I forgot to attach the status.txt file. While I created the file with

    /sbin/shorewall dump > /tmp/status.txt

I got some output on the shell:

    RTNETLINK answers: Invalid argument
    Dump terminated

> The dump that you attached is useless -- it was
> taken when Shorewall hadn't even
> been started.
But how can I create or activate the virtual interfaces eth1 (veth1) and eth2 (veth2)? I thought I had to handle this with dummy network interfaces.

> (Note: If you don't want to rename the two
> additional virtual interfaces to eth1
> and eth2 respectively then replace eth1 by veth1 and
> eth2 by veth2; the Xen
> bridging script will automatically rename veth0 to
> eth0).
>
> The rest of the configuration is straight out of the
> three-interface QuickStart
> Guide.
>
> -Tom
Tom Eastep wrote:
> hgfhg gfhfgh wrote:
>> I'm becoming desperate.
>> In dom0 everything works:
>> - ping to lan
>> - ping to dmz
>> - ping to net
>> - DNS works
>> Also:
>> - ping from lan to dmz and from lan to dom0
>> - ping from dmz to lan and from dmz to dom0
>>
>> But I can't get access to the Internet from lan and
>> dmz, and I can't ping my router (192.168.1.1)!
>>
>> I have attached some files; perhaps you can take a look
>> at them.
>
> Those files look nothing like what I suggested that you do. Please go back and
> review what I recommended.

So one more time:

a) FORGET EVERYTHING THAT YOU READ IN http://www.shorewall.net/Xen.html -- DO NOT LOOK AT THAT ARTICLE EVER AGAIN. IT DOESN'T APPLY TO YOUR SYSTEM.

b) Configure Shorewall as described at http://www.shorewall.net/two-interface.htm.

c) To that configuration, add:

/etc/shorewall/zones:

    br0     ipv4
    br1     ipv4
    br2     ipv4

/etc/shorewall/interfaces

    br0     xenbr0
    br1     xenbr-dmz
    br2     xenbr-loc

Disclaimer: I don't know if that will work; I have not tried it. It is how I would try to configure Shorewall if I was silly enough to want to run a strong firewall in Dom0.

-Tom
PROBLEM: can't ping/trace remote hosts on LAN 2

NETWORK LAYOUT (a copy is at http://vieri.homelinux.com/shorewall_problem.txt):

    Internet
       |
    ADSL modem/router
       |
    Shorewall Bridge (ignore)
       |
    SWITCH--------------Gentoo Shorewall---ATM line---LAN 2 ("caib" zone)
      |                        |
    LAN 1 ("loc") -------------|
      |                        |
    DMZ ------------------------

Please note that my post only concerns "Gentoo Shorewall", not "Shorewall Bridge".

LAN 1 and DMZ are on the same subnet 10.215.144.0/255.255.255.252.
The ADSL modem/router's local IP is 10.215.144.92.
The Gentoo Shorewall gateway has a bridged interface with virtual IP = 10.215.144.91 (internet+LAN1+DMZ), and the fourth interface has IP = 172.20.3.4 and is in charge of ROUTING traffic to LAN 2 (several subnets of type 10.215.0.0) from the remote ATM line endpoint (172.20.3.2).

    Internet : net  : eth0
    LAN 1    : loc  : eth1
    LAN 2    : caib : eth2
    DMZ      : dmz  : eth3

FAILURE EXAMPLE:

    ping 10.215.5.95 (from 10.215.144.48 or from $FW 10.215.144.91)
    tracert 10.215.5.95 (from 10.215.144.48 in loc zone) shows that it goes straight out to 10.215.144.92 (internet)

I have limited access to this system and can test it only ten minutes before 8 a.m. (i.e. before users start working). That's why I would like to ask for your help, so I can have most issues covered before making another test.

For example, the ping failure above issued from $FW is "normal" since I forgot to enable the corresponding RULE (Ping/ACCEPT $FW caib). However, I *think* the REJECT log should show eth2 or the "caib" zone somewhere.

Routing is probably the issue. I set a route to LAN 2 as:

    route add -net 10.215.0.0. netmask 255.255.0.0 gw 172.20.3.2

Gentoo-specific network settings in http://vieri.homelinux.com/network.txt
If you need route -n or other info, please let me know.
Shorewall config files in http://vieri.homelinux.com/shorewall307config.txt
shorewall status in http://vieri.homelinux.com/status.txt

Traffic to/from net, loc and dmz is fine.

Help appreciated,
Vieri
Vieri Di Paola wrote:
> PROBLEM: can't ping/trace remote hosts on LAN 2
>
> Routing is probably the issue.

Yes.

> I set a route to LAN 2 as: route add -net 10.215.0.0.
> netmask 255.255.0.0 gw 172.20.3.2

No you haven't. From the status you posted:

    ------------------------------------------------------------------
    Table main:
    172.20.3.0/24 dev eth2  proto kernel  scope link  src 172.20.3.4
    10.215.144.0/22 dev br0  proto kernel  scope link  src 10.215.144.91
    127.0.0.0/8 dev lo  scope link
    default via 10.215.144.92 dev br0
    ------------------------------------------------------------------

Do you see any route out of eth2 for 10.215.0.0/16? I don't. If it were there (and you had enabled ping from $FW->caib) then ping from the firewall would have probably worked.

There is a different problem when you try to access the caib zone from loc or dmz. Because they are bridged to the net, loc and dmz hosts probably have their default gateway set to 10.215.144.92 just like the Shorewall box does. So a ping to 10.215.5.95 is gatewayed through 10.215.144.92 who probably sends the request off to the Internet to be dropped.

So, in order for loc and dmz hosts to be able to access 'caib', each host in those zones must have a route to 10.215.0.0/16 gatewayed via 10.215.144.91 (the Shorewall box).

-Tom
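Added example (not code from the thread): the diagnosis above is a routing-table question, not a firewall one, so the block below replays it with a longest-prefix-match lookup over the "Table main" lines quoted from the posted dump. It shows that 10.215.5.95 falls through to the default route via 10.215.144.92 on br0 until a 10.215.0.0/16 route via 172.20.3.2 exists, that the more specific 10.215.144.0/22 link route still wins for on-link hosts after the /16 is added, and, for a loc host, why the same destination goes to the modem/router until the host gets its own 10.215.0.0/16 route via 10.215.144.91. The firewall table is copied from the message above; the loc-host table, its interface name eth0, and the `ip route` form of the two fixes are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[ipaddress.IPv4Address]  # None for a directly connected route


# "Table main" from the posted shorewall dump, as quoted in the reply above.
FW_TABLE = """\
172.20.3.0/24 dev eth2 proto kernel scope link src 172.20.3.4
10.215.144.0/22 dev br0 proto kernel scope link src 10.215.144.91
127.0.0.0/8 dev lo scope link
default via 10.215.144.92 dev br0
"""

# Constructed: what `route add -net 10.215.0.0 netmask 255.255.0.0 gw 172.20.3.2`
# should produce, written in `ip route` form.
FW_FIX = "10.215.0.0/16 via 172.20.3.2 dev eth2\n"

# Constructed: a loc host (10.215.144.48) whose default gateway is the
# modem/router, and the per-host route the reply says it needs.
HOST_TABLE = """\
10.215.144.0/22 dev eth0 proto kernel scope link src 10.215.144.48
default via 10.215.144.92 dev eth0
"""
HOST_FIX = "10.215.0.0/16 via 10.215.144.91 dev eth0\n"


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route` output lines into Route records (IPv4 only)."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.IPv4Network(dst, strict=False)
        dev = None
        via = None
        # Scan "key value" pairs; only dev and via matter for next-hop selection.
        for i, tok in enumerate(fields[1:-1], start=1):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "via":
                via = ipaddress.IPv4Address(fields[i + 1])
        routes.append(Route(prefix, dev, via))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel does within one routing table."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def next_hop(routes: List[Route], dst: str) -> str:
    """Readable next hop: 'dev <if> via <gw>' or 'dev <if> direct'."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    if r.via is not None:
        return f"dev {r.dev} via {r.via}"
    return f"dev {r.dev} direct"


if __name__ == "__main__":
    fw = parse_routes(FW_TABLE)
    print("firewall, before:", next_hop(fw, "10.215.5.95"))  # dev br0 via 10.215.144.92
    fw_fixed = fw + parse_routes(FW_FIX)
    print("firewall, after: ", next_hop(fw_fixed, "10.215.5.95"))  # dev eth2 via 172.20.3.2
    print("still on-link:   ", next_hop(fw_fixed, "10.215.144.48"))  # dev br0 direct
    host = parse_routes(HOST_TABLE)
    print("loc host, before:", next_hop(host, "10.215.5.95"))  # dev eth0 via 10.215.144.92
    host_fixed = host + parse_routes(HOST_FIX)
    print("loc host, after: ", next_hop(host_fixed, "10.215.5.95"))  # dev eth0 via 10.215.144.91
```

The same lookup can be pointed at the "Table main" section of any `shorewall dump` to confirm where a destination will leave the box before looking for the problem in rules or policies.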
--- Tom Eastep <teastep@shorewall.net> wrote:
> Vieri Di Paola wrote:
>> I set a route to LAN 2 as: route add -net
>> 10.215.0.0.
>> netmask 255.255.0.0 gw 172.20.3.2
>
> No you haven't.

My fault, the route wasn't there. Setting it solved the problem.

> There is a different problem when you try to access
> the caib zone from loc or
> dmz. Because they are bridged to the net, loc and
> dmz hosts probably have their
> default gateway set to 10.215.144.92 just like the
> Shorewall box does.

Actually, LAN clients use 10.215.144.91, i.e. the Shorewall box, as gateway, so there haven't been any problems today.

Thank you
Vieri
Vieri Di Paola wrote:
> --- Tom Eastep <teastep@shorewall.net> wrote:
>> Vieri Di Paola wrote:
>>> I set a route to LAN 2 as: route add -net
>>> 10.215.0.0.
>>> netmask 255.255.0.0 gw 172.20.3.2
>> No you haven't.
>
> My fault, the route wasn't there. Setting it solved
> the problem.
>
>> There is a different problem when you try to access
>> the caib zone from loc or
>> dmz. Because they are bridged to the net, loc and
>> dmz hosts probably have their
>> default gateway set to 10.215.144.92 just like the
>> Shorewall box does.
>
> Actually, LAN clients use 10.215.144.91, i.e. the
> Shorewall box, as gateway, so there haven't been any
> problems today.

Then the Shorewall box is really acting as a router for the DMZ and LOC zones rather than a bridge (bridge for DMZ<->LOC traffic and router for everything else).

-Tom
--- Tom Eastep <teastep@shorewall.net> wrote:
>>> There is a different problem when you try to
>>> access the caib zone from loc or
>>> dmz. Because they are bridged to the net, loc and
>>> dmz hosts probably have their
>>> default gateway set to 10.215.144.92 just like
>>> the Shorewall box does.
>>
>> Actually, LAN clients use 10.215.144.91, i.e. the
>> Shorewall box, as gateway, so there haven't been any
>> problems today.
>
> Then the Shorewall box is really acting as a router
> for the DMZ and LOC zones
> rather than a bridge (bridge for DMZ<->LOC traffic
> and router for everything else).

Yes, I realize that using the bridge's IP as client gateway actually redefines bridging. The only reason I did it this way was to avoid setting up a script so that each client adds a route to the caib zone. Eventually I will have users executing a "logon script" that adds this route, and their default gateway will then be 10.215.144.92 (post-bridge box/router).