Ryan Rich wrote:

Ok,

First I want to thank everyone for their responses so far!  I will stop
being ambiguous, since it seems to make things more complicated and I
think where I work probably has the whole 138.23.0.0/16 block anyway so
that secret is already out...  My addresses are on the 138.23.75.0 and
138.23.76.0 subnets.

I have been trying to narrow down the problem with the machine that was
unreachable in the dmz, so I removed the multiple addresses from the eth0
interface on the leaf box and currently only have 1 machine in the dmz. Currently for testing I am using the following setup...


LEAF eth0=138.23.75.52 mask 255.255.255.0
LEAF eth1=192.168.1.1
Machine in dmz=138.23.75.60 mask 255.255.255.0

The leaf box is able to ping the machine in the dmz and the machine in the
dmz can ping the leaf box. So everything between these two machines seems
great. Route shows up for 138.23.75.60 via eth1. However, when I try to
ping the machine in the dmz from another machine, there is no luck
(shorewall has been set to allow pings and there is nothing in the log). Also the machine in the dmz can ping nothing outside of the leaf box.


Now, if I give the same machine in the dmz the address I used for the
machine that did work before (138.23.76.112 mask 255.255.255.0) everything
works beautifully!  The 138.23.76.112 address in the dmz works if the LEAF
eth0 interface is assigned an address in the 138.23.75 or the 138.23.76
subnet too, so I guess that is not an issue after all.

So right now I am baffled.  If I plug the machine in the dmz directly into
the network with the 138.23.75.60 address it works fine.  Am I going mad,
or is there something that would cause this behavior?

You might be going mad (hard to tell from a couple of e-mails!), but there's almost certainly something causing the observed behavior.


I can't tell you exactly what given the nearly complete lack of diagnostic information, but I'll try to get you headed in the right direction. First, let's get some details out of the way:

- It sounds like you only have an upstream (eth0) and dmz (eth1) interface on your Bering box...is that correct?

- You have two subnets connected to the upstream interface of your firewall: 138.23.75.0/24 and 138.23.76.0/24, correct?

- You want to put externally visible IP's from both subnet ranges on a proxy-arp DMZ connected to eth1 of your firewall, correct?

OK, assuming all of the above is accurate, you need to setup the following:

- eth0 should be configured with:
  * An IP address on both subnets
  * A local route to each subnet
  * A default route to your upstream gateway
  * Proxy-arp enabled

- eth1 should be configured with:
  * An IP address on both subnets (different IP's than used for eth0)
  * A host route for each public IP to make visible upstream
  * Proxy-arp enabled

You can verify this setup (and report diagnostics to the list) with the following commands:

  ip addr list
  ip route list
  for i in /proc/sys/net/ipv4/conf/*/proxy_arp ; do
    echo $i: ; cat $i ; done

Once this is setup correctly, and you have no firewall rules in place (either totally disable firewalling, or allow any-to-any in shorewall), you should be able to communicate between DMZ systems and the internet (or the network on the upstream side of the firewall).

NOTES:

- You can setup eth0 and eth1 manually, using /etc/network/interfaces, or whatever suits your fancy. It's probably easiest to test by setting up manually, but make sure you dump the config (using the above diagnostic commands) once you get everything working, so you can then add extensions to ifup/ifdown to match.

- DMZ systems can use either the IP of the DMZ interface of your firewall, or the same default gateway as the firewall itself.

--
Charles Steinkuehler
[EMAIL PROTECTED]
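The setup Charles lists (addresses on both subnets on each side, host routes for the DMZ machines, proxy-arp on both interfaces) as one script, written here as an added example and not code from the original reply or from the LEAF/Bering project. It uses the thread's addresses (138.23.75.52 on eth0, 138.23.75.60 and 138.23.76.112 in the DMZ); the second eth0 address 138.23.76.52, the eth1 addresses .53, the gateway 138.23.75.1 and the interface names are assumptions. It prints the commands by default (DRY_RUN=1) so it can be reviewed before being applied as root, and includes check functions that parse a captured `ip route list` and the proxy_arp dump from the post, plus the ip_forward setting, which the reply does not mention but which the box needs to route between eth0 and eth1 at all.

```shell
#!/bin/sh
# Added example for the proxy-arp DMZ layout discussed on the list.
# Interface names, the .76 address on eth0, the eth1 addresses and the
# gateway are assumptions; only .52, .60 and .112 come from the thread.
UPSTREAM_IF=eth0
DMZ_IF=eth1
UPSTREAM_ADDRS="138.23.75.52/24 138.23.76.52/24"   # one IP per subnet on eth0
DMZ_IF_ADDRS="138.23.75.53/24 138.23.76.53/24"     # different IPs on eth1
DMZ_HOSTS="138.23.75.60 138.23.76.112"             # public IPs living in the DMZ
GATEWAY=138.23.75.1                                # assumed upstream router
DRY_RUN=${DRY_RUN:-1}

# Print a command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bering has /proc but not necessarily sysctl(8), so write the flag directly.
set_proc_flag() {
  if [ "$DRY_RUN" = 1 ]; then printf 'echo 1 > %s\n' "$1"
  else echo 1 > "$1"; fi
}

# Addresses (the /24 prefix makes the kernel add the local subnet route itself),
# default route, one /32 host route per DMZ machine, proxy_arp on both sides,
# and IP forwarding (required for any traffic to cross the firewall).
configure_proxy_arp_dmz() {
  for a in $UPSTREAM_ADDRS; do run ip addr add "$a" dev "$UPSTREAM_IF"; done
  for a in $DMZ_IF_ADDRS;   do run ip addr add "$a" dev "$DMZ_IF"; done
  run ip route add default via "$GATEWAY" dev "$UPSTREAM_IF"
  for h in $DMZ_HOSTS; do run ip route add "$h/32" dev "$DMZ_IF"; done
  set_proc_flag "/proc/sys/net/ipv4/conf/$UPSTREAM_IF/proxy_arp"
  set_proc_flag "/proc/sys/net/ipv4/conf/$DMZ_IF/proxy_arp"
  set_proc_flag /proc/sys/net/ipv4/ip_forward
}

# Given the text of "ip route list" as $1, succeed only if every DMZ host has
# its host route out the DMZ interface (the "138.23.75.60 via eth1" Ryan saw).
check_dmz_routes() {
  missing=0
  for h in $DMZ_HOSTS; do
    found=0
    while read -r dst kw ifc rest; do
      [ "$dst" = "$h" ] && [ "$kw" = dev ] && [ "$ifc" = "$DMZ_IF" ] && found=1
    done <<EOF
$1
EOF
    [ "$found" = 1 ] || missing=$((missing + 1))
  done
  [ "$missing" = 0 ]
}

# Given the output of the "for i in .../proxy_arp; do echo $i: ; cat $i; done"
# loop from the reply as $1, succeed only if both interfaces report 1.
check_proxy_arp_dump() {
  ok=0
  for ifc in $UPSTREAM_IF $DMZ_IF; do
    printf '%s\n' "$1" | awk -v want="conf/$ifc/proxy_arp:" \
      'index($0, want) { getline; if ($0 == "1") f = 1 } END { exit !f }' \
      && ok=$((ok + 1))
  done
  [ "$ok" = 2 ]
}

# Stand-alone run: print the commands for review.
configure_proxy_arp_dmz
```

Apply with DRY_RUN=0 only after disabling shorewall (or allowing any-to-any) as the reply suggests, so a firewall rule cannot mask a routing mistake; once pings work from the DMZ to the far side of the firewall, capture `ip route list` and the proxy_arp loop and feed them to the two check functions before wiring the commands into ifup/ifdown.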


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
