In reading the general info provided with shorewall http://www.shorewall.net/shorewall_setup_guide.htm I see a discussion of a situation that is nice to see explained so that it can be noted away in some dark recess for future reference. I presume that the problem may arise in more than one scenario -- but here's one:

"""
A word of warning is in order here. ISPs typically configure their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can communicate with the internet. There are a couple of things that you can try:...
"""

This doc goes on to discuss "gratuitous" ARP packets and "arping -U", which you can read for yourself, if interested.

He also includes a neat way to check whether a router might be caching the wrong MAC. Set up tcpdump via

    tcpdump -nei eth0 icmp

then (say) from the problematic host

    ping -nc1 <ethernet accessible router>

and check the tcpdump output. If the tcpdump shows an echo reply to the wrong MAC, then the problem is with the arp cache on the router.

Experienced net admins probably already know this, but I thought it was a nice little faq-let.

Regards,
..jim,
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
