I don't quite understand your trouble description, and the reason I don't is a nice example of why I try to discourage posters from editing reports to conceal non-secret material like IP addresses.

You report the log entry for a failed ping as:

> Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=<static_nat_host>
>DST=<non-internal_network_host> ...

But what is Shorewall *actually* reporting where you substituted "<static_nat_host>" ... the host's actual (private) IP address or the public IP address that the router is static-NAT'ing to the private address? I'd guess the second, since the router also thinks eth0 is both the source and the destination interface. But guessing wastes time.

At 06:43 PM 5/17/02 -0500, Brian Credeur wrote:
>Hi,
>
>I have a LEAF Bering 1.0-rc1 system (Shorewall 1.2.8) and have 5 static
>external IP addresses to use. One IP is the primary of the firewall, I
>am using proxy arp for three of the IP's (DMZ network servers), and
>static NAT for the last IP (internal network system). This is a similar
>setup to the newer example network in the Shorewall documentation.
>
>Everything seems to work just fine, with one exception. After a long
>period of idleness I find that I cannot connect to external and DMZ
>hosts from the statically NAT'd system, though it can connect to
>internal network hosts just fine. All other connections work as
>configured (DMZ<->internal, internal (masq'd) <->Internet, ...), so
>appears to be an issue specific to the static NAT.
>
>When the problem occurs I cannot make any TCP connections to the
>Internet, for example, from the static NAT'd PC. Also, if I ping an
>Internet host from it, the packets are dropped by the firewall:
> Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=<static_nat_host>
>DST=<non-internal_network_host> ...
>
>If I tracert (Windows traceroute, using ICMP) from this static_nat_host
>to the same non-internal_network_host, the tracert works and then
>everything works fine, thereafter, until I don't use the system for a
>while (ex: turn it off, go to sleep, come back in the morning).
>
>Just a guess: Is this an ARP issue with Shorewall?
>
>Your suggestions would be appreciated.

--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                  [EMAIL PROTECTED]
----------------------------------------------------------------
