http://www.shorewall.net/shorewall_setup_guide.htm has

  "arping -U -I eth0 66.58.99.83 # for example"

The arping in Debian 6 lacks the -U option. It invokes an update of the ARP cache? In this proxyarp example, would "arping -U -I eth0 192.0.2.177" be more consistent? Can anyone tell me how to invoke an update in Debian?

Thanks,             ... Peter E.

--
Telephone 1 360 450 2132.
bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .

------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
Learn about the latest advances in developing for the BlackBerry® mobile platform with sessions, labs & more. See new tools and technologies. Register for BlackBerry® DevCon today!
http://p.sf.net/sfu/rim-devcon-copy1
My Shorewall firewall has interfaces on it, 2 public, 1 DMZ and 1 private.

The 2nd of the 2 public interfaces is something I'm trying to get online right now. It connects directly to an outside service that we use here and will never go past that to the internet. However, it is using real IP addresses.

I turned up the 2nd interface and set up the routes to use that new connection. From the firewall I can ping the addresses just fine (and the traceroute shows the right path).

On a computer from the inside (private NIC) the firewall tries to NAT and send the connection out the original interface. After thinking about it, this does make some sense.

My questions are twofold. First, can I NAT an interface based on destination (can I even have multiple NAT interfaces)? Or if not, how can I get this connection to work?

Best regards,
Scott
On Wed, 2011-09-14 at 12:47 +0000, Johnson, SE wrote:
> My Shorewall firewall has interfaces on it, 2 public, 1 DMZ and 1 private.
>
> The 2nd of the 2 public interfaces is something I'm trying to get online right now. It connects directly to an outside service that we use here and will never go past that to the internet. However, it is using real IP addresses.
>
> I turned up the 2nd interface and set up the routes to use that new connection. From the firewall I can ping the addresses just fine (and the traceroute shows the right path).
>
> On a computer from the inside (private NIC) the firewall tries to NAT and send the connection out the original interface. After thinking about it, this does make some sense.
>
> My questions are twofold. First, can I NAT an interface based on destination (can I even have multiple NAT interfaces)? Or if not, how can I get this connection to work?

http://www.shorewall.net/MultiISP.html

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 2011-09-14 at 08:25 -0800, peasthope@shaw.ca wrote:
> From: peasthope@shaw.ca
> Date: Tue, 13 Sep 2011 20:04:03 -0800
>
> > The arping in Debian 6 lacks the -U option.
>
> http://www.shorewall.net/ProxyARP.htm warns about the two
> arpings in Debian; the arping in iputils-arping has the -U option.
> Sorry for the distraction.
>
> I still wonder about the example address in shorewall_setup_guide.htm
> being 66.58.99.83 rather than 192.0.2.177 and similarly in ProxyARP.htm.

That part of both documents is a direct quote from Bradey Honsinger -- he used 66.58.99.83 in his example.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
From: peasthope@shaw.ca
Date: Tue, 13 Sep 2011 20:04:03 -0800

> The arping in Debian 6 lacks the -U option.

http://www.shorewall.net/ProxyARP.htm warns about the two arpings in Debian; the arping in iputils-arping has the -U option. Sorry for the distraction.

I still wonder about the example address in shorewall_setup_guide.htm being 66.58.99.83 rather than 192.0.2.177 and similarly in ProxyARP.htm.

Regards,            ... Peter E.

--
Telephone 1 360 450 2132.
bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
From: Tom Eastep <teastep@shorewall.net>
Date: Wed, 14 Sep 2011 08:38:11 -0700

> That part of both documents is a direct quote from Bradey Honsinger ...

Right oh. (My warped mind would rather adjust to your example.)

Incidentally, there are two spelling errors in the last section of ProxyARP.htm. "Begiinning" and "discoverey".

Thanks for the top-notch documentation,            ... Peter E.

--
Telephone 1 360 450 2132.
bcc: peasthope at shaw.ca
Shop pages http://carnot.yi.org/ accessible as long as the old drives survive.
Personal pages http://members.shaw.ca/peasthope/ .
I was reading this page... is it possible to force all communication to a specific range to go through one NIC and the rest going through the first connection?

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, September 14, 2011 8:18 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Multiple public connections

On Wed, 2011-09-14 at 12:47 +0000, Johnson, SE wrote:
> My Shorewall firewall has interfaces on it, 2 public, 1 DMZ and 1 private.
>
> The 2nd of the 2 public interfaces is something I'm trying to get online right now. It connects directly to an outside service that we use here and will never go past that to the internet. However, it is using real IP addresses.
>
> I turned up the 2nd interface and set up the routes to use that new connection. From the firewall I can ping the addresses just fine (and the traceroute shows the right path).
>
> On a computer from the inside (private NIC) the firewall tries to NAT and send the connection out the original interface. After thinking about it, this does make some sense.
>
> My questions are twofold. First, can I NAT an interface based on destination (can I even have multiple NAT interfaces)? Or if not, how can I get this connection to work?

http://www.shorewall.net/MultiISP.html

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 2011-09-14 at 19:44 +0000, Johnson, SE wrote:
> I was reading this page... is it possible to force all communication to a specific range to go through one NIC and the rest going through the first connection?

Please don't top-post.

You can accomplish your goal by adding suitable entries in /etc/shorewall/route_rules/

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 14/09/11 17:35, Tom Eastep wrote:
> On Wed, 2011-09-14 at 19:44 +0000, Johnson, SE wrote:
>> I was reading this page... is it possible to force all communication to a specific range to go through one NIC and the rest going through the first connection?
> Please don't top-post.
>
> You can accomplish your goal by adding suitable entries
> in /etc/shorewall/route_rules/
>
> -Tom
>

I give you an example of what I have working.

/etc/shorewall/providers:

  spd3  1  1  main  dsl3  -             track,balance=3  eth6,eth5
  ddc   5  5  main  eth7  200.51.46.49  track,balance=1  eth6,eth5

/etc/shorewall/tcrules:

  #From LAN-1 to Provider market 5
  5:P  192.168.150.0/24  0.0.0.0/0  tcp  53,443,1863,1023,9187,22,465,995,3306,10000:10030,7001,6891:6900,1503,3389,5061,5050,5100,8081,26000,8000,8081,8086
  5:P  192.168.150.0/24  0.0.0.0/0  udp  9,53,7001,5000,5004,9989,32861,63601
  #From LAN-2 to Provider market 1
  1:P  10.10.50.0/24     0.0.0.0/0  tcp  25
  #From Firewall to Provider market 5
  5    $FW               0.0.0.0/0  tcp  25,53,5200
  5    $FW               0.0.0.0/0  udp  53,5198,5199

All what you need is in here: http://shorewall.net/Documentation_Index.html

Regards.
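As an added example, not code from this thread or from the Shorewall project: a small Python lint over constructed providers, route_rules and masq fragments for the destination-based split Tom points to (one provider per public interface, a route_rules entry sending only the partner's range out the second interface). Beyond syntax, the one thing it checks is that every provider's interface also has a masq entry covering the LAN, because a route_rules entry only selects the egress interface and NAT has to be declared on that interface separately; all interface names and addresses are made-up sample values.

```python
"""Lint constructed Shorewall multi-ISP fragments (sample values only)."""
import ipaddress

# Constructed /etc/shorewall/providers fragment.
# Columns: NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
PROVIDERS = """\
isp  1  1  main  eth0  198.51.100.1  track  eth2,eth3
svc  2  2  main  eth1  203.0.113.1   track  eth2,eth3
"""
# Constructed /etc/shorewall/route_rules fragment (SOURCE DEST PROVIDER PRIORITY):
# only traffic to the partner's range leaves via the second public interface.
ROUTE_RULES = """\
-  203.0.113.0/24  svc  1000
"""
# Constructed /etc/shorewall/masq fragment (INTERFACE SOURCE): NAT is declared
# per interface, so the second public interface needs its own entry.
MASQ = """\
eth0  10.0.0.0/8
eth1  10.0.0.0/8
"""

def parse(text):
    """Return the whitespace-separated columns of each non-comment line."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def lint(providers=PROVIDERS, route_rules=ROUTE_RULES, masq=MASQ, lan="10.0.0.0/8"):
    """Return a list of problems; an empty list means the fragments agree."""
    problems = []
    provs = {row[0]: row for row in parse(providers)}
    marks = [row[2] for row in provs.values()]
    if len(set(marks)) != len(marks):
        problems.append("duplicate provider MARK values: %s" % marks)
    lan_net = ipaddress.ip_network(lan)
    # Interfaces whose masq SOURCE covers the LAN ("-" or missing means any).
    masq_ifaces = set()
    for row in parse(masq):
        src = row[1] if len(row) > 1 and row[1] != "-" else "0.0.0.0/0"
        if lan_net.subnet_of(ipaddress.ip_network(src)):
            masq_ifaces.add(row[0])
    for name, row in provs.items():
        if row[4] not in masq_ifaces:
            problems.append("provider %s: no masq entry for %s on %s" % (name, lan, row[4]))
    for row in parse(route_rules):
        dest, prov = row[1], row[2]
        if prov not in provs:
            problems.append("route_rules: unknown provider %r" % prov)
        if dest != "-":
            ipaddress.ip_network(dest, strict=False)  # ValueError on a bad range
    return problems
```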