Hi,
Please see the following text diagram:
10.0.15.0/24 --> 10.0.15.1 (f0/1) cisco router (f0/0) 192.168.0.5 <--
192.168.0.0/24 --> 192.168.0.1 firewall --> internet
I have some problems after adding a static route in Shorewall in
/etc/sysconfig/network-scripts/route-eth0; the syntax is:
10.0.15.0/24 via 192.168.0.5
Computers in 192.168.0.0/24 cannot ping or access computers in 10.0.15.0/24;
the Cisco 2550 router has no access-list inside that blocks any traffic.
So I tried configuring one computer in 192.168.0.0/24 with the default
gateway 192.168.0.5, and that one can ping 10.0.15.0/24 computers.
Now only Shorewall can ping the 10.0.15.0/24 network, and the 10.0.15.0/24
network can also ping Shorewall.
My question is: can the 192.168.0.0/24 computers only add the one
192.168.0.1 default gateway to the internet, with no need to add the 192.168.0.5 gateway?
Thanks
_______________________________________
YM - Offline Messages
Even if you are not online, your friends can still leave you messages; you will see them as soon as you come online, and nothing said is ever lost.
http://messenger.yahoo.com.hk
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance
to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Wilson Kwok wrote:
> My question is the 192.168.0.0/24 computers can only add one
> 192.168.0.1 default gateway to internet, no need add the 192.168.0.5
> gateway ?

This configuration is covered at http://www.shorewall.net/Multiple_Zones.html

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom Eastep,
I followed your URL to set up the nested zones, but I still cannot ping
between the networks. My configuration is:

hosts:
    loc1 eth0:10.0.15.0/24

zones:
    loc1 ipv4

policy:
    loc loc1 ACCEPT
    loc1 loc ACCEPT

interfaces:
    loc eth0 detect tcpflags,detectnets,nosmurfs

What is wrong in my settings?
Thanks
Tom Eastep <teastep@shorewall.net> wrote:
Wilson Kwok wrote:
> My question is the 192.168.0.0/24 computers can only add one
> 192.168.0.1 default gateway to internet, no need add the 192.168.0.5
> gateway ?
This configuration is covered at
http://www.shorewall.net/Multiple_Zones.html
-Tom
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Wilson Kwok wrote:
> my configure is:
>
> hosts:
> loc1 eth0:10.0.15.0/24
>
> zones:
> loc1 ipv4
> policy:
> loc loc1 ACCEPT
> loc1 loc ACCEPT
>
> interfaces:
> loc eth0 detect tcpflags,detectnets,nosmurfs
>
> What wrong in my setting?
>

Wilson,

I doubt that you needed two zones at all -- most likely, you were just missing
the 'routeback' option on eth0 in /etc/shorewall/interfaces.

With two zones, the most likely problem is that you have declared loc1 after loc
in /etc/shorewall/zones. The best way to define a subzone is:

loc1:loc ipv4

That way, you will get an error if you get the order of the zones wrong.

If that isn't the problem, then please submit a full problem report as described
at http://www.shorewall.net/support.htm (how many times have I typed those words
to you? seems like 1,0000s).

-Tom
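The two mistakes Tom points at here (a nested zone listed after its parent, and an interface that has to send packets back out the way they came in without the 'routeback' option) are easy to check for mechanically. The following linter is an added example written for this thread; it is not Shorewall's own code and Shorewall does not ship such a tool. The file contents in it are constructed to mirror the poster's setup: the fw and net entries are placeholders for the rest of a typical two-interface configuration, the firewall's eth0 address 192.168.0.1/24 is assumed from the diagram in the first message, and the zone-order rule it enforces (sub-zone before parent) is the one Tom states above.

```python
"""Lint a Shorewall zones/interfaces pair for the two problems in this thread.

Added example, not Shorewall's own code.  Only the columns used here are
parsed; the sample file contents below are constructed for the thread.
"""
import ipaddress

# Constructed: the nested zone loc1 declared after its parent loc (the problem).
ZONES_WRONG_ORDER = """\
#ZONE      TYPE
fw         firewall
net        ipv4
loc        ipv4
loc1:loc   ipv4
"""
# Constructed: sub-zone listed before its parent, as Tom advises.
ZONES_FIXED = """\
#ZONE      TYPE
fw         firewall
net        ipv4
loc1:loc   ipv4
loc        ipv4
"""
# Constructed: the poster's eth0 line without and with routeback.
INTERFACES_BEFORE = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth1       detect     tcpflags,nosmurfs
loc    eth0       detect     tcpflags,detectnets,nosmurfs
"""
INTERFACES_FIXED = """\
#ZONE  INTERFACE  BROADCAST  OPTIONS
net    eth1       detect     tcpflags,nosmurfs
loc    eth0       detect     tcpflags,detectnets,nosmurfs,routeback
"""
# The static route from the thread (route-eth0 syntax) and the firewall's own
# eth0 address (assumed from the diagram: the firewall is 192.168.0.1).
STATIC_ROUTES = {"eth0": ["10.0.15.0/24 via 192.168.0.5"]}
INTERFACE_ADDRESSES = {"eth0": "192.168.0.1/24"}


def parse_table(text):
    """Split a Shorewall table file into rows of whitespace-separated columns,
    dropping blank lines and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_zone_order(zones_text):
    """Report every 'child:parent' zone whose parent was already declared
    above it.  Tom's rule: the sub-zone must come before its parent."""
    problems = []
    seen = []
    for row in parse_table(zones_text):
        name, _, parents = row[0].partition(":")
        for parent in filter(None, parents.split(",")):
            if parent in seen:
                problems.append(f"zone {name} is declared after its parent {parent}")
        seen.append(name)
    return problems


def parse_routes(route_lines):
    """Parse 'PREFIX via GATEWAY' lines (the route-eth0 syntax from the thread)."""
    routes = []
    for line in route_lines:
        parts = line.split()
        if len(parts) == 3 and parts[1] == "via":
            routes.append((ipaddress.ip_network(parts[0]), ipaddress.ip_address(parts[2])))
    return routes


def check_routeback(interfaces_text, static_routes, addresses):
    """Report interfaces that route a subnet via a next hop on their own
    connected network (packets enter and leave on the same interface) but
    lack the 'routeback' option."""
    problems = []
    for row in parse_table(interfaces_text):
        zone, iface = row[0], row[1]
        options = set(row[3].split(",")) if len(row) > 3 else set()
        if iface not in addresses or iface not in static_routes:
            continue
        connected = ipaddress.ip_interface(addresses[iface]).network
        for prefix, gateway in parse_routes(static_routes[iface]):
            if gateway in connected and "routeback" not in options:
                problems.append(f"{iface} ({zone}): {prefix} is reached via {gateway} "
                                f"on the same interface, but 'routeback' is not set")
    return problems


def lint(zones_text, interfaces_text, static_routes=STATIC_ROUTES,
         addresses=INTERFACE_ADDRESSES):
    """Run both checks and return the combined list of findings."""
    return check_zone_order(zones_text) + check_routeback(interfaces_text, static_routes, addresses)


if __name__ == "__main__":
    for label, zones, ifaces in (("before", ZONES_WRONG_ORDER, INTERFACES_BEFORE),
                                 ("fixed", ZONES_FIXED, INTERFACES_FIXED)):
        print(label + ":", lint(zones, ifaces) or ["ok"])
```

Run against the "before" pair it reports both findings; against the "fixed" pair it reports none. The routeback check only fires when the next hop sits inside the interface's own prefix, which is exactly the hairpin the poster has: 192.168.0.0/24 hosts reach 10.0.15.0/24 through the firewall's eth0, and the firewall must forward those packets back out eth0 towards 192.168.0.5.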
Thanks for your reply. I added routeback on eth0, and now I can ping between
the networks. Thanks!

Tom Eastep <teastep@shorewall.net> wrote:
> I doubt that you needed two zones at all -- most likely, you were just missing
> the 'routeback' option on eth0 in /etc/shorewall/interfaces.
>
> With two zones, the most likely problem is that you have declared loc1 after loc
> in /etc/shorewall/zones. The best way to define a subzone is:
>
> loc1:loc ipv4
>
> That way, you will get an error if you get the order of the zones wrong.
>
> -Tom
Hi,
A client in the 10.0.15.0/24 network reported to me that it cannot access the
internet, so I removed the routeback and set the other options back to default.
Wilson Kwok <leiw324@yahoo.com.hk> wrote:
Thanks for your reply. I added routeback on eth0, and now I can ping between
the networks.
Thanks!
Tom Eastep <teastep@shorewall.net> wrote:
Wilson Kwok wrote:
> my configure is:
>
> hosts:
> loc1 eth0:10.0.15.0/24
>
> zones:
> loc1 ipv4
> policy:
> loc loc1 ACCEPT
> loc1 loc ACCEPT
>
> interfaces:
> loc eth0 detect tcpflags,detectnets,nosmurfs
>
> What wrong in my setting?
>
Wilson,
I doubt that you needed two zones at all -- most likely, you were just missing
the 'routeback' option on eth0 in /etc/shorewall/interfaces.
With two zones, the most likely problem is that you have declared loc1 after loc
in /etc/shorewall/zones. The best way to define a subzone is:
loc1:loc ipv4
That way, you will get an error if you get the order of the zones wrong.
If that isn't the problem, then please submit a full problem report as described
at http://www.shorewall.net/support.htm (how many times have I typed those words
to you? seems like 1,0000s).
-Tom
Wilson Kwok wrote:
> Hi,
>
> In 10.0.15.0/24 network has a client reported to me cannot access to
> internet,
>
> so I removed the routeback and others to default .

Is there a question there?

-Tom
Hi,
I really don't know what happened. I just know that after adding the
routeback I can ping between the two networks, but 10.0.15.0/24 cannot
access the internet. Here is the Cisco router's route information:

10.0.0.0/24 is subnetted, 1 subnets
C 10.0.15.0 is directly connected, FastEthernet0/1
C 192.168.0.0/24 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 192.168.0.1

But I think the Cisco route is correct, because this route has been used for a
very long time.
Tom Eastep <teastep@avvanta.com> wrote:
Wilson Kwok wrote:
> Hi,
>
> In 10.0.15.0/24 network has a client reported to me cannot access to
> internet,
>
> so I removed the routeback and others to default .
Is there a question there?
-Tom