I had to do something similar recently, and I'm still amazed at how uncommon
it seems to be -- there are not many examples around.

I can't speak to Bering-specific configurations, as I have only used
Shorewall on Red Hat and SuSE "minimal" installations, but I assume it is
Shorewall that will take the lead in your scenario.

The secret for Shorewall is the proxyarp file, since Proxy-arp must be used
to do what you are looking to do.  Getting the proxyarp file configured can
be a bit time-consuming, as it must explicitly list each IP address for
which it will proxy, plus a few other configuration parameters.  To assist
with this task, I created a short Perl script that you can find here:
http://www.optimumnetworks.com/PAconfig .

A few other tips:

1.  Assign an RFC1918 address to your internal interface, like 192.168.0.1
2.  Create a host route to your default gateway, specifying the external NIC
by device name, i.e.:
    route add -host DefGWIP dev ethX
Create the "init" file per Shorewall docs, and put your route command there.
3.  Create host routes for any host NOT behind your firewall, but in the
same network space as the external interface -- via the external interface.
Since you are using legal addresses, your configs need to expressly indicate
"these hosts are on THAT side of eth1, those hosts are on THAT side of
eth0."
4.  Control arp caches --- the single most blindingly frustrating
hair-pulling make-you-think-you've-gone-insane part of Proxy-arp.  If you
can flush a device with a command, do it; if not power cycle any arp-caching
devices (bridges/switches/routers) within your control --- or be prepared to
wait an undefined amount of time before all entries expire in the arp caches
you can't control.  ISP's upstream router on bridged DSL comes to mind...
This is the part that really complicates troubleshooting, since you ALWAYS
want your system up NOW, when you've rolled the dice by taking an entire
subnet down.  If you have a smaller piece of the network you can isolate as
a test "zone," it will give you more breathing room to get comfortable with
your configs, and the behavior of Proxy-arp.  Resist the temptation to go
back and make guesses in your configs --- since you are more likely to move
from the right answer to the wrong one, due to a stuck arp entry
"somewhere."

5.  See http://www.optimumnetworks.com/proxyarp.txt for an example of a real
Shorewall proxyarp config file.  Notice I generated the entire /25 subnet,
then commented out special-purpose addresses near the bottom.

6.  All other Shorewall configs are standard.

Good luck!

Dan
Optimum Networks, Inc.
www.optimumnetworks.com
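
The following is an added example for this thread, not Dan's PAconfig script,
Jonathan's configuration, or code from the Shorewall project. It is a POSIX
shell script that builds the two files the tips above call for: a Shorewall
proxyarp file listing every usable host in a subnet (minus the gateway and the
firewall's own addresses, the "special-purpose" entries Dan comments out), and
the route commands for the "init" file from tips 2 and 3. It only prints; it
never touches routing tables. Assumptions: the public block is 134.36.22.0/25
(Jonathan never gives his netmask; the /25 is borrowed from Dan's example),
eth0 faces the gateway 134.36.22.1 and eth1 faces the switch, the firewall
uses 134.36.22.2 outside and 134.36.22.5 inside as in Jonathan's diagram, and
the proxyarp columns are the Shorewall ones, ADDRESS INTERFACE EXTERNAL
HAVEROUTE. The file paths /etc/shorewall/proxyarp and /etc/shorewall/init are
the stock Shorewall locations.

```shell
#!/bin/sh
# Added example (not Dan's PAconfig, not Shorewall's own code): print a
# Shorewall proxyarp file for a whole subnet plus the route commands for the
# "init" file. Nothing here is applied to the running system.
#
# Constructed assumptions: public block 134.36.22.0/25, eth0 toward the
# gateway 134.36.22.1, eth1 toward the switch, firewall addresses
# 134.36.22.2 (outside) and 134.36.22.5 (inside). Edit the variables at the
# bottom for a different layout.

# Dotted quad -> integer (shell arithmetic is 64-bit in dash and bash).
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# True if address $1 appears in the space-separated list $2.
is_excluded() {
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# Print a proxyarp file for every usable host in $1 (CIDR) except those in $4.
# INTERFACE ($2) is where the host really sits; EXTERNAL ($3) is the interface
# on which the firewall answers ARP for it; HAVEROUTE=No tells Shorewall to add
# the per-host route itself. Network and broadcast addresses are skipped.
gen_proxyarp() {
    net=${1%/*}; plen=${1#*/}
    size=$(( 1 << (32 - plen) ))
    base=$(( $(ip_to_int "$net") & ~(size - 1) ))   # snap to the network address
    printf '#ADDRESS\tINTERFACE\tEXTERNAL\tHAVEROUTE\n'
    i=1
    while [ "$i" -lt $(( size - 1 )) ]; do
        addr=$(int_to_ip $(( base + i )))
        if ! is_excluded "$addr" "$4"; then
            printf '%s\t%s\t%s\tNo\n' "$addr" "$2" "$3"
        fi
        i=$(( i + 1 ))
    done
}

# Print the route commands for the init file: a host route to the default
# gateway ($1) out of the external NIC ($2), then one per host in $3 that
# shares the address space but is NOT behind the firewall (tips 2 and 3).
gen_init_routes() {
    echo "route add -host $1 dev $2"
    for h in $3; do
        echo "route add -host $h dev $2"
    done
}

# Number of proxied hosts, a sanity check before deploying the file.
proxied_count() {
    gen_proxyarp "$@" | grep -c -v '^#'
}

NET=134.36.22.0/25
IN_IF=eth1
OUT_IF=eth0
GATEWAY=134.36.22.1
EXCLUDE="$GATEWAY 134.36.22.2 134.36.22.5"   # gateway plus the firewall's own addresses
OUTSIDE_HOSTS=""                              # e.g. "134.36.22.3" for a box left outside

echo "### /etc/shorewall/proxyarp"
gen_proxyarp "$NET" "$IN_IF" "$OUT_IF" "$EXCLUDE"
echo "### /etc/shorewall/init"
gen_init_routes "$GATEWAY" "$OUT_IF" "$OUTSIDE_HOSTS"
```

Run it once, check that proxied_count matches the number of hosts you expect
behind the firewall, and only then copy the two sections into the Shorewall
files. Any address you leave out of EXCLUDE is one the firewall will claim on
eth0, so the gateway and the firewall's own addresses must be in that list; any
address you add to OUTSIDE_HOSTS gets a host route out of eth0 and must not
also appear in the proxyarp file. After restarting Shorewall, tip 4 still
applies: on the firewall itself `ip neigh flush dev eth0` clears its neighbour
cache, but the caches in the gateway and switches are outside this script.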

----- Original Message -----
From: "Jonathan Monk" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 22, 2002 3:43 AM
Subject: [Leaf-user] Bering Firewall without NAT


> Hi,
>
> I was wondering if anyone had any idea about using Bering/Shorewall
> without using Masquerading or NAT. We are at a University so we already
> have all the machines on our network assigned to "real" addresses. I
> don't really want to change all of them to private addresses but I am
> having problems in configuring Bering Shorewall to do this.
>
> Currently we have a gateway 134.36.22.1 and our main switch connects to
> that and it's all very straightforward. Our plan was to add the firewall
> between the gateway and the switch i.e.
>
>   Gateway        Firewall Ext      Firewall Int      Switch   Hosts
>   134.36.22.1    134.36.22.2       134.36.22.5       *        134.36.22.???
>                  gw=134.36.22.1    gw=134.36.22.5
>
> We also need to enable access to our webserver for ssh, www and ftp
> access. I was planning on doing this either via a separate zone/hosts or
> via rule exceptions in Shorewall.
>
> I have a pair of machines that I have connected to the firewall so I can
> try things but the only way I have got anything to work was adding static
> routes on the firewall and even then I couldn't get very far as I was
> still running NAT.
>
> My test setup worked well with NAT using private addresses. Bering was
> straightforward to set up in this case. (Kudos to the authors)
> Unfortunately I suspect my knowledge of TCP/IP has sort of run its course
> at this point and I am a bit stuck for what to try next. I was considering
> trying to chuck out the NAT kernel modules and set it up as a bridge but
> the example configuration also used NAT....
>
> Cheers,
>
> Jonathan
>
> --
> Dr Jonathan Monk, Dundee Satellite Receiving Station
> University of Dundee, Dundee, DD1 4HN
> tel: 44 (0)1382 344409 fax: 44 (0)1382 345415
> e-mail [EMAIL PROTECTED] http://www.sat.dundee.ac.uk
>
>
> _______________________________________________
> Leaf-user mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
>

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
