Ryan Rich wrote:

> Well, I was about to give up on this whole thing and try a different
> approach...  I came in this morning ready to give this one last shot and
> when I booted up the leaf machine this morning everything worked!!!  I
> don't know if this was an ARP cache issue like Tom mentions in the
> Shorewall docs (if it was, then they have a REALLY long timeout here) or
> network gremlins?!?!  I was in fact going to try the arping technique that
> Tom mentions on the Shorewall page back on the first day I was working on
> this, but figured by the time I got my environment set up so I could compile
> with uClibc that it would have expired from the cache anyhow.  I really wish
> I knew for sure what caused this, for future reference, as this was one of
> my more frustrating experiences.
>
> Many thanks to everyone, especially Charles, Ray and Tom.  Is there a
> place to give donations to the LEAF project?  I will at least try to
> contribute an arping.lrp package in case that was my problem so that it
> may help others.
>
> By the way, the private IP address does work as the address for eth1, but
> per your advice I will change this to the same addresses I used for the
> eth0 interface if this is a more commonly accepted practice.

If it works as a private IP, you don't have to change it, but you can create some pretty confusing traffic on the network if you don't.


You've already got two overlapping IP ranges, and by putting a private IP on the DMZ interface you've added a third. That can cause some problems if you don't set up the DMZ systems correctly, as (for instance) if you try to talk directly from the firewall to a DMZ system, the source IP will be the private address of the DMZ interface, which the DMZ systems will expect to reach via their default gateway (rather than via a direct connection). While this is probably working now, you're relying on the fact that the DMZ systems send their packets through the firewall to reach the default gateway, and the firewall is apparently smart enough to grab the packets locally rather than send them on to the default gateway (or perhaps the default gateway has a static route to the private IP space on the firewall?).

Everything might work fine today, but break sometime in the future if you modify the network configuration (perhaps adding a masqueraded internal network, for instance).

Anyway, proxy-arp is confusing enough without throwing any more complexity than necessary into the mix!

--
Charles Steinkuehler
[EMAIL PROTECTED]
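
As an added illustration of the routing argument in Charles's reply (this is not code from the LEAF project or from anyone in this thread), the following Python model follows the DMZ host's reply back toward the firewall under the setups the reply mentions: a private address on eth1 with the ISP router behind the firewall's eth0 (works only because the firewall proxy-ARPs for the gateway and then delivers the packet locally), the same private address with the router on the DMZ wire (the reply leaves via the router's upstream unless the router carries a static route for the private block), and the recommended public address on eth1 (the DMZ host uses its connected route and ARPs for the firewall directly). All addresses (203.0.113.0/29, 192.168.1.1, 198.51.100.x), host names, interface names and route tables are constructed assumptions, and the hosts are simplified models rather than real kernel behaviour.

```python
"""Route-lookup model for the proxy-ARP DMZ discussed above.  Added example,
not LEAF project code or anything posted in this thread; all addresses are
constructed (RFC 5737 / RFC 1918 ranges) and the hosts are simplified models."""
from ipaddress import ip_address, ip_network

PUBLIC = ip_network("203.0.113.0/29")      # public block routed to the firewall (assumed)
ANY = ip_network("0.0.0.0/0")
UPSTREAM_GW = ip_address("203.0.113.1")    # ISP router, the DMZ host's default gateway
FW_PUBLIC = ip_address("203.0.113.2")      # firewall eth0 (and eth1, in the recommended setup)
DMZ_HOST = ip_address("203.0.113.3")       # one DMZ server, proxy-ARPed through the firewall
FW_PRIVATE = ip_address("192.168.1.1")     # the private address put on the firewall's eth1
ISP_CORE = ip_address("198.51.100.1")      # the ISP router's own upstream (assumed)


class Host:
    """Tiny IPv4 forwarder: addresses per interface plus a longest-prefix route table."""

    def __init__(self, name, addrs, routes, proxy_arp=False):
        self.name = name
        self.addrs = addrs                            # interface -> address
        self.local = set(addrs.values())
        # (prefix, gateway or None for on-link, interface), most specific first
        self.routes = sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)
        self.proxy_arp = proxy_arp

    def next_hop(self, dst):
        for prefix, gw, iface in self.routes:
            if dst in prefix:
                return (dst if gw is None else gw), iface
        return None

    def source_for(self, dst):
        """Kernel default: the source address is the one on the egress interface."""
        return self.addrs[self.next_hop(dst)[1]]


def arp_answer(segment, target):
    """Who answers ARP for `target` on one wire: the owner, else a proxy-ARP
    host holding a route toward it, else nobody (the frame is never sent)."""
    for h in segment:
        if target in h.local:
            return h
    for h in segment:
        if h.proxy_arp and h.next_hop(target) is not None:
            return h
    return None


def reply_path(fw, dmz, segment, everyone):
    """The firewall talks to the DMZ host; follow the DMZ host's reply.
    Returns (source address the firewall used, hop list, outcome)."""
    src = fw.source_for(DMZ_HOST)
    nh, _ = dmz.next_hop(src)
    hops = [f"{dmz.name}: {src} via {nh}"]
    cur = arp_answer(segment, nh)
    if cur is None:
        return src, hops, "dropped: nothing on the DMZ wire answers ARP for the next hop"
    hops.append(f"ARP {nh} answered by {cur.name}")
    for _ in range(4):                                # bounded walk is enough here
        if src in cur.local:
            return src, hops, f"delivered locally on {cur.name}"
        route = cur.next_hop(src)
        if route is None:
            return src, hops, f"dropped at {cur.name}: no route"
        nh, iface = route
        hops.append(f"{cur.name}: {src} via {nh} on {iface}")
        nxt = next((h for h in everyone if nh in h.local), None)
        if nxt is None:
            return src, hops, f"leaked out of {cur.name}'s {iface} toward {nh}"
        cur = nxt
    return src, hops, "routing loop"


def build(fw_eth1, router_static=False):
    """Firewall, DMZ host and ISP router as the thread describes them (assumed tables)."""
    fw = Host("firewall", {"eth0": FW_PUBLIC, "eth1": fw_eth1},
              [(ip_network(f"{DMZ_HOST}/32"), None, "eth1"),   # host route of a proxy-ARP setup
               (PUBLIC, None, "eth0"), (ANY, UPSTREAM_GW, "eth0")], proxy_arp=True)
    dmz = Host("dmz-host", {"eth0": DMZ_HOST},
               [(PUBLIC, None, "eth0"), (ANY, UPSTREAM_GW, "eth0")])
    routes = [(PUBLIC, None, "lan"), (ANY, ISP_CORE, "wan")]
    if router_static:                                 # "perhaps the gateway has a static route"
        routes.append((ip_network("192.168.1.0/24"), FW_PUBLIC, "lan"))
    router = Host("isp-router", {"lan": UPSTREAM_GW, "wan": ip_address("198.51.100.2")}, routes)
    return fw, dmz, router


def run_scenarios():
    """Outcome of the DMZ host's reply for each setup mentioned in the thread."""
    out = {}
    fw, dmz, rt = build(FW_PRIVATE)
    out["private eth1, router behind firewall"] = reply_path(fw, dmz, [fw, dmz], [fw, dmz, rt])[2]
    fw, dmz, rt = build(FW_PRIVATE)
    out["private eth1, router on DMZ wire"] = reply_path(fw, dmz, [fw, dmz, rt], [fw, dmz, rt])[2]
    fw, dmz, rt = build(FW_PRIVATE, router_static=True)
    out["private eth1, router static route"] = reply_path(fw, dmz, [fw, dmz, rt], [fw, dmz, rt])[2]
    fw, dmz, rt = build(FW_PUBLIC)
    out["public eth1, router on DMZ wire"] = reply_path(fw, dmz, [fw, dmz, rt], [fw, dmz, rt])[2]
    return out
```

Calling `run_scenarios()` shows the point of the reply: with the private address on eth1 the reply only comes back because the firewall itself answered the DMZ host's ARP for the gateway, so any change that puts the real gateway (or another hop) in that path turns a working setup into one that leaks or drops replies, whereas a public address on eth1 makes the DMZ host ARP for the firewall directly and no longer depends on who proxies for whom.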


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html