------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
Vieri Di Paola wrote:
>

Very brief problem report! :-)

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- On Fri, 3/26/10, Tom Eastep <teastep@shorewall.net> wrote:
> Very brief problem report! :-)

Sorry, Fridays are Fridays. Here's what I wanted to report:

I configured a shorewall system as a bridge with an IP address. The bridge is a firewall in between two LANs (say, loc and net). There's a router within "loc" connecting to a remote network (at IP address 10.215.144.6). Almost all client systems have custom routes to send packets appropriately to this router in the "loc" zone. The default gateway is the shorewall bridge which then sends the packets to another router/gateway in the "net" zone (I'm using the "bridge" as a "gateway").

The shorewall bridge has the same routing rules set to the router in the "loc" zone because it sometimes needs to access that remote network (see routing table).

Everything was working fine until I stumbled on a video-conferencing machine that cannot set routes (its web config only allows setting a default gateway which is now set to the shorewall bridge IP address). If the routing table is correct on the shorewall bridge/gateway then I think that a host with just that default gateway should route its way to the remote network via the router in the "loc" zone.

My bridge setup is as in the guide:

http://www.shorewall.net/3.0/NewBridge.html

I'm attaching the shorewall dump (old SW version).

The network is like this (BRIDGE* is the system I'm reporting on):

<ISPs>---<GW>--[net zone]--<BRIDGE*>--[loc zone]--<Router 1>---<network 1>
                                                \--<Router 2>---<network 2>

If I ping from a "loc" host to another host behind a "loc" router (eg. router 1) then I get arp who-has messages on both the bridge/gateway and the "loc" router.

Can I setup shorewall on the gateway/bridge so that clients do not need to define routes?

I hope I was clear enough.

Thanks for your help,

Vieri
--- On Mon, 3/29/10, Vieri Di Paola <vieridipaola@yahoo.com> wrote:
> I'm attaching the shorewall dump (old SW version).

Forgot to attach...
Vieri Di Paola wrote:
>
> I'm attaching the shorewall dump (old SW version).
>

Dump?

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- On Mon, 3/29/10, Tom Eastep <teastep@shorewall.net> wrote:
> > I'm attaching the shorewall dump (old SW version).
> >
>
> Dump?
>

quote:

Your mail to 'Shorewall-users' with the subject

Re: [Shorewall-users] bridge and routing

Is being held until the list moderator can review it for approval.

The reason it is being held:

Message body is too big: 171767 bytes with a limit of 50 KB

So I'll place it on a web server asap.
--- On Mon, 3/29/10, Vieri Di Paola <vieridipaola@yahoo.com> wrote:
> So I'll place it on a web server asap.

shorewall dump:

http://213.96.91.201/temp/status.txt.gz
Vieri Di Paola wrote:
>
> Can I setup shorewall on the gateway/bridge so that clients do not need to define routes?

I see no reason why it should not work now, provided that your firewall rules are allowing the traffic (which it appears to be). See http://www.shorewall.net/3.0/Multiple_Zones.html. That article uses a routed firewall rather than a bridged one but that's immaterial.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Vieri Di Paola wrote:

> I configured a shorewall system as a bridge with an IP address. The
> bridge is a firewall in between two LANs (say, loc and net). There's
> a router within "loc" connecting to a remote network (at IP address
> 10.215.144.6). Almost all client systems have custom routes to send
> packets appropriately to this router in the "loc" zone. The default
> gateway is the shorewall bridge which then sends the packets to
> another router/gateway in the "net" zone (I'm using the "bridge" as
> a "gateway").
>
> The shorewall bridge has the same routing rules set to the router in
> the "loc" zone because it sometimes needs to access that remote
> network (see routing table).
>
> Everything was working fine until I stumbled on a video-conferencing
> machine that cannot set routes (its web config only allows setting a
> default gateway which is now set to the shorewall bridge IP
> address). If the routing table is correct on the shorewall
> bridge/gateway then I think that a host with just that default
> gateway should route its way to the remote network via the router in
> the "loc" zone.
>
> My bridge setup is as in the guide:
>
> http://www.shorewall.net/3.0/NewBridge.html
>
> I'm attaching the shorewall dump (old SW version).
>
> The network is like this (BRIDGE* is the system I'm reporting on):
>
> <ISPs>---<GW>--[net zone]--<BRIDGE*>--[loc zone]--<Router 1>---<network 1>
>                                                 \--<Router 2>---<network 2>
>
> If I ping from a "loc" host to another host behind a "loc" router
> (eg. router 1) then I get arp who-has messages on both the
> bridge/gateway and the "loc" router.
>
> Can I setup shorewall on the gateway/bridge so that clients do not
> need to define routes?
>
> I hope I was clear enough.

Well almost.

Firstly, I don't see why you have the shorewall box set as the default gateway - it isn't a gateway for any traffic and so you are forcing most traffic to be handled twice.

Basically, you do not need to set routes on ANY client as long as your network routers are correctly configured - if they aren't then fix that, if they don't support it, bin them and get something that qualifies as a router !

So, on the router labelled as <GW>, configure routes to network 1 and network 2 via their Router 1 and Router 2 respectively. On Router 1, configure a default route via GW, and a route to network 2 via Router 2 (and vice versa for Router 2). On your bridge, configure a default route via GW, and routes to networks 1&2 via their routers. Enable routeback on the interfaces or it will drop packets which it needs to send out via the same port.

These are all static routes, no need for any dynamic routing for a network of this size - it gets different (and more 'interesting') when you've multiple sites with multiple frame relay, leased line, and ISDN links and you need it to reconfigure itself when something dies.

In general, I would configure the clients to use GW as their default route. That way, the majority of their traffic does not have to be redirected. If you set BRIDGE as the default gateway, then your shorewall machine has to redirect every new connection to a new IP which is a waste of effort really. The only exception is if you have clients where the majority of their traffic is with devices in other local networks - then it may make sense to use router 1 or 2 as the default gateway. When I say majority of traffic, then that is connections to unique IPs - each router will send a redirect when a client needs to use a different route, and the client will cache that in its routing table.

You might find http://linux-ip.net/html/routing-icmp.html makes useful reading. And you'll need to make sure you don't block ICMP-Redirect messages - it will still work if you do, but the router(s) will have to redirect every packet of a connection rather than just the first as the client won't get the message to send them elsewhere.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
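The static-route layout Simon describes above, as an added worked example (this is not code from the thread, from Shorewall or from either poster). It models the thread's topology (GW, BRIDGE with one IP on the bridged loc/net segment, Router 1 and Router 2 in front of network 1 and network 2, and a host that can only take a default gateway), then traces a packet hop by hop. Each router does a longest-prefix lookup; a router that forwards a packet back out the interface it came in on sends an ICMP redirect when the next hop is on the sender's link, which is what Linux does, and the host caches it as a host route. BRIDGE additionally drops such packets unless `routeback` is set, mirroring the Shorewall option Simon mentions. All addresses (192.168.1.0/24 for the shared segment, 10.1.0.0/16 and 10.2.0.0/16 for the two networks, 203.0.113.0/30 for GW's uplink, 198.51.100.7 as an Internet host) are constructed for illustration; GW's uplink is modelled as a point-to-point default route, and the node names are my own labels.

```python
"""Static routing model for the GW / BRIDGE / Router 1 / Router 2 layout.

Added example; not code from the thread, Shorewall, or the posters.
Topology follows the thread; every address below is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IP, NET, IFACE = ipaddress.ip_address, ipaddress.ip_network, ipaddress.ip_interface


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: directly connected


@dataclass
class Node:
    name: str
    ifaces: dict                                 # dev -> IPv4Interface
    forwards: bool = False                       # routers forward, hosts do not
    routeback: bool = True                       # Shorewall 'routeback' on the in-dev
    routes: list = field(default_factory=list)
    learned: dict = field(default_factory=dict)  # dst -> next hop taken from a redirect

    def lookup(self, dst):
        """Longest-prefix match over connected nets, static routes and cached redirects."""
        cands = [Route(i.network, dev) for dev, i in self.ifaces.items()] + self.routes
        if dst in self.learned:                  # a redirect is cached as a /32 host route
            via = self.learned[dst]
            dev = next(d for d, i in self.ifaces.items() if via in i.network)
            cands.append(Route(NET(f"{dst}/32"), dev, via))
        cands = [r for r in cands if dst in r.prefix]
        if not cands:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(cands, key=lambda r: r.prefix.prefixlen)


def build(client_default_gw, bridge_routeback=True):
    """Thread topology with constructed addresses. loc and net are one L2 segment
    joined by BRIDGE, so every box shares 192.168.1.0/24."""
    def node(name, addrs, **kw):
        return Node(name, {d: IFACE(a) for d, a in addrs.items()}, **kw)
    gw = node("GW", {"lan": "192.168.1.1/24", "wan": "203.0.113.2/30"}, forwards=True)
    br = node("BRIDGE", {"br0": "192.168.1.2/24"}, forwards=True, routeback=bridge_routeback)
    r1 = node("R1", {"lan": "192.168.1.3/24", "net1": "10.1.0.1/16"}, forwards=True)
    r2 = node("R2", {"lan": "192.168.1.4/24", "net2": "10.2.0.1/16"}, forwards=True)
    vc = node("VC", {"eth0": "192.168.1.100/24"})   # the box that only takes a default gateway
    gw.routes = [Route(NET("0.0.0.0/0"), "wan"),     # uplink, modelled as point-to-point
                 Route(NET("10.1.0.0/16"), "lan", IP("192.168.1.3")),
                 Route(NET("10.2.0.0/16"), "lan", IP("192.168.1.4"))]
    br.routes = [Route(NET("0.0.0.0/0"), "br0", IP("192.168.1.1")),
                 Route(NET("10.1.0.0/16"), "br0", IP("192.168.1.3")),
                 Route(NET("10.2.0.0/16"), "br0", IP("192.168.1.4"))]
    r1.routes = [Route(NET("0.0.0.0/0"), "lan", IP("192.168.1.1")),
                 Route(NET("10.2.0.0/16"), "lan", IP("192.168.1.4"))]
    r2.routes = [Route(NET("0.0.0.0/0"), "lan", IP("192.168.1.1")),
                 Route(NET("10.1.0.0/16"), "lan", IP("192.168.1.3"))]
    vc.routes = [Route(NET("0.0.0.0/0"), "eth0", IP(client_default_gw))]
    return {n.name: n for n in (gw, br, r1, r2, vc)}


def trace(nodes, src, dst):
    """Follow one packet from host `src` to `dst`.

    Returns (hops, redirects, drop): node names in order, the (router, next hop)
    pairs of ICMP redirects sent on the way, and a drop reason or None on delivery.
    """
    dst = IP(dst)
    by_addr = {i.ip: (n, dev) for n in nodes.values() for dev, i in n.ifaces.items()}
    node, in_dev = nodes[src], None
    src_ip = next(iter(node.ifaces.values())).ip
    hops, redirects = [node.name], []
    for _ in range(8):
        r = node.lookup(dst)
        if in_dev is not None:                   # forwarding, not originating
            if not node.forwards:
                return hops, redirects, f"{node.name} does not forward"
            if in_dev == r.dev and not node.routeback:
                return hops, redirects, f"{node.name} drops: routeback not set on {r.dev}"
            # Linux sends an ICMP redirect when the packet leaves the interface it
            # arrived on and the next hop sits on the same link as the sender.
            link = node.ifaces[r.dev].network
            if in_dev == r.dev and r.via is not None and r.via in link and src_ip in link:
                redirects.append((node.name, r.via))
        if r.via is None:                        # directly connected: delivered on r.dev
            return hops, redirects, None
        node, in_dev = by_addr[r.via]
        hops.append(node.name)
    return hops, redirects, "too many hops (loop?)"


def learn(nodes, host, dst, redirects):
    """The host caches the next hop suggested by a redirect, as Simon describes."""
    for _router, via in redirects:
        nodes[host].learned[IP(dst)] = via


if __name__ == "__main__":
    for gw_ip in ("192.168.1.2", "192.168.1.1"):   # BRIDGE, then GW, as VC's default gateway
        nodes = build(gw_ip)
        for dst in ("10.1.0.50", "198.51.100.7"):  # host in network 1, then an Internet host
            hops, redirects, drop = trace(nodes, "VC", dst)
            print(f"gw {gw_ip} -> {dst}: {' -> '.join(hops)} redirects={redirects} drop={drop}")
            learn(nodes, "VC", dst, redirects)
            print("   after redirect:", " -> ".join(trace(nodes, "VC", dst)[0]))
    print(trace(build("192.168.1.2", bridge_routeback=False), "VC", "10.1.0.50"))
```

Running it shows the three points of the message: with BRIDGE as default gateway every first packet to a new destination takes a detour through BRIDGE and draws a redirect (and is dropped outright if routeback is off); with GW as default gateway Internet traffic goes straight out and only traffic for network 1 or 2 is redirected once; and after the redirect is cached the host reaches Router 1 directly, without ever having had a static route configured on it.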
--- On Tue, 3/30/10, Simon Hobson <linux@thehobsons.co.uk> wrote:
> Firstly, I don't see why you have the shorewall box set as the
> default gateway - it isn't a gateway for any traffic and so you are
> forcing most traffic to be handled twice.

I know I should set the default gateway as what I labeled as <GW>. Will change the settings asap. However, routing, although inefficient, should work.

> Basically, you do not need to set routes on ANY client as long as
> your network routers are correctly configured - if they aren't then
> fix that, if they don't support it, bin them

Well, I just found out that what I labeled as <Router 1> is a Windows 2000 SP4. I setup a Linux shorewall system as <Router 3> and everything works fine with clients that do not set any routes except the default <BRIDGE>. So I guess I either need to fix the W2K router config or replace it with Linux w/ shorewall (if they let me, that is).

Thanks for the feedback.

Vieri