Ryan Rich wrote:
This is where I am getting confused I guess.... obviously 138.23.aa/24 and 138.23.bb/24 would normally be on physically separate networks, but in my case they are not. I suppose someone had a reason for this, but I don't know why.
I have gone through the shorewall documentation and read about aliasing, but I don't see anything that is similar to my situation. Does anyone have any suggestions on how to go about making this work or is it just too weird to have a network like this?
There's no way to do what you want unless both networks appear on both sides of your firewall (and all hosts on the LAN segments on both sides of the firewall have an address falling in both networks).
ARP is only used when communicating with a host in your own network.
Now if I setup my LEAF box to have the addresses (this is where this gets weird I guess, since normally they would be on physically separate networks) 138.23.aa.xx netmask 255.255.255.0 (eth0) and 138.23.bb.xx netmask 255.255.255.0 (eth0:0) can I not proxy arp for addresses in both subnets on my dmz?
I haven't done this myself, but your situation should be possible to implement with Proxy-Arp.
The first thing to realize is that proxy-arp is *PURELY* a function of the routing tables in the kernel (and having the appropriate proxy-arp enable bit set in /proc). Firewall rules don't come into play at all with the basic operation of proxy-arp...think of proxy-arp as part of configuring the interface (ie: done with /etc/network/interfaces) rather than part of shorewall and your firewall rules.
You need to start with the unusual configuration of dual network segments on both your external and DMZ interfaces (/etc/network/interfaces, and possibly some 'helper' scripts).
Then make sure your routing table directs packets for machines on your DMZ to the DMZ interface, and all other traffic to the external interface. Typically this is done with a route for the whole network to the external IF, and more specific routes to the DMZ IF for your server(s) IP(s).
Then enable proxy-arp and test connectivity (you can enable proxy-arp manually, with extensions to /etc/network/interfaces, or via shorewall, but if you use shorewall, make sure your firewall rules aren't getting in the way of testing basic connectivity, ie: allow anything to anything).
Once all this is working properly (with no firewall rules in place), you can try to get shorewall setup to deal with the dual networks on the same wire issue. Again, I haven't done this myself, and it's a fairly odd setup, but I think it should be possible (shorewall's pretty darn flexible!!!).
-- Charles Steinkuehler [EMAIL PROTECTED]
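As an added example (not from Charles's post or the LEAF project), a POSIX shell script that prints the commands for the three steps described above: both subnets on the external interface, whole-network routes outward with more specific /32 routes pulling the DMZ servers toward the DMZ interface, then the proxy_arp bits in /proc. The addresses are constructed RFC 5737 placeholders standing in for 138.23.aa/24 and 138.23.bb/24, the interface names eth0/eth1 are assumed, and leaving the DMZ interface without an address of its own is this example's choice.

```shell
#!/bin/sh
# Added example, not code from the thread. Nothing here touches the system:
# the functions only print the commands and check a route dump, so the output
# can be reviewed before being piped to sh (with the firewall opened up while
# testing basic connectivity, as the post recommends).
EXT_IF=eth0                          # assumed external interface
DMZ_IF=eth1                          # assumed DMZ interface
NET_A=192.0.2.0/24                   # constructed; stands in for 138.23.aa/24
NET_B=198.51.100.0/24                # constructed; stands in for 138.23.bb/24
FW_A=192.0.2.1                       # firewall's own address in NET_A
FW_B=198.51.100.1                    # firewall's own address in NET_B
DMZ_HOSTS="192.0.2.10 198.51.100.20" # constructed DMZ servers, one per subnet

# Print, one per line, the commands that implement the dual-subnet proxy-arp setup.
proxyarp_commands() {
    # 1. Dual network on the external interface: primary address plus an alias
    #    (the eth0 / eth0:0 arrangement from the original question).
    echo "ip addr add ${FW_A}/24 dev ${EXT_IF}"
    echo "ip addr add ${FW_B}/24 dev ${EXT_IF} label ${EXT_IF}:0"
    #    The DMZ side carries no address in this example; proxy-arp needs only routes.
    echo "ip link set ${DMZ_IF} up"
    # 2. Routing: the whole networks go out the external interface ...
    echo "ip route replace ${NET_A} dev ${EXT_IF}"
    echo "ip route replace ${NET_B} dev ${EXT_IF}"
    #    ... and longest-prefix /32 routes win for the servers on the DMZ wire.
    for h in ${DMZ_HOSTS}; do
        echo "ip route replace ${h}/32 dev ${DMZ_IF}"
    done
    # 3. Proxy-arp is a kernel routing feature, not a firewall rule: with the bit
    #    set on both interfaces the box answers ARP for any address its routing
    #    table places on the far side of the interface the request arrived on.
    echo "echo 1 > /proc/sys/net/ipv4/conf/${EXT_IF}/proxy_arp"
    echo "echo 1 > /proc/sys/net/ipv4/conf/${DMZ_IF}/proxy_arp"
}

# Given an `ip route` dump on stdin, succeed only if every DMZ host has its host
# route on the DMZ interface (the kernel prints /32 routes without the prefix).
dmz_routes_ok() {
    routes=$(cat)
    for h in ${DMZ_HOSTS}; do
        printf '%s\n' "$routes" | grep -q "^${h} dev ${DMZ_IF}" || return 1
    done
    return 0
}
```

Run `proxyarp_commands` to review the generated commands, and `ip route | dmz_routes_ok` afterwards to confirm the specific routes are really in place before turning the firewall rules back on.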
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
