Ryan Rich wrote:
Well, I was about to give up on this whole thing and try a different
approach... I came in this morning ready to give this one last shot and
when I booted up the leaf machine this morning everything worked!!! I
don't know if this was an ARP Cache issue like Tom mentions in the
Shorewall docs (if it was, then they have a REALLY long timeout here) or
network gremlins?!?! I was in fact going to try the arping technique that
Tom mentions on the Shorewall page back on the first day I was working on
this, but figured by the time I got my env setup so I could compile with
uClibc that it would have expired from the cache anyhow. I really wish I
knew what happened that caused this for sure for future reference, as this
was one of my more frustrating experiences.
Many thanks to everyone, especially Charles, Ray and Tom. Is there a place to give donations to the LEAF project? I will at least try to contribute an arping.lrp package in case that was my problem so that it may help others.
By the way, the private IP address does work as the address for eth1, but per your advice I will change this to the same addresses I used for the eth0 interface if this is a more commonly accepted practice.
If it works as a private IP, you don't have to change it, but you can create some pretty confusing traffic on the network if you don't.
Charles,
I'm sure that Ryan got the idea of using a private IP address on the DMZ interface from my documentation. I recommend using an RFC 1918 address on Proxy ARP DMZ configurations because people tend to use their distribution's GUI to do IP configuration and many of those "Wizards" become confused if there are duplicate IP addresses. I agree that for users (including Bering users) who have explicit control over IP addressing through direct editing of config files, using the external IP address is preferred (it is what I do in fact -- http://shorewall.net/myfiles.htm). The only place where the private address is used is on fw<->dmz traffic. I ran with an RFC 1918 address on my firewall's DMZ interface for several years and only changed after I installed Debian on the firewall.
-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ [EMAIL PROTECTED]
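As an added illustration of the layout Tom describes (not taken from his documentation or from any LEAF package), a minimal Shorewall Proxy ARP DMZ configuration; the interface names, the 192.0.2.x public addresses and the 10.0.0.1 private address are constructed placeholders:

```text
# /etc/shorewall/interfaces   (constructed example; columns: ZONE INTERFACE BROADCAST OPTIONS)
net   eth0   detect
dmz   eth1   detect

# /etc/shorewall/proxyarp     (columns: ADDRESS INTERFACE EXTERNAL HAVEROUTE)
# The firewall answers ARP requests for the DMZ host 192.0.2.10 on eth0
# and, with HAVEROUTE=No, adds the host route to it via eth1 itself.
192.0.2.10   eth1   eth0   No

# Address assigned to the DMZ interface (eth1), the two variants discussed above:
#
# (a) RFC 1918 address, the safer choice when a GUI "wizard" does the IP setup:
#     eth0 192.0.2.1/24    eth1 10.0.0.1/24
#     Only fw<->dmz traffic ever carries 10.0.0.1; DMZ hosts keep their
#     public addresses and the upstream router as their default gateway.
#
# (b) External address reused on the DMZ interface (hand-edited configs only):
#     eth0 192.0.2.1/24    eth1 192.0.2.1/32
#     No second address on the firewall, but address-duplication checks in
#     GUI tools may refuse or silently rewrite this.
```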
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
