On 11/1/06, Tom Eastep <[EMAIL PROTECTED]> wrote:
>
> The fact that the firewall's external IP is not part of the defined Security
> Policies is often the cause of the problem originally reported. I prefer to
> define additional SPs to handle that traffic (see
> http://www.shorewall.net/IPSEC-2.6.html for an example).
>
> Disclaimer: I haven't actually tried either of the following as an 
> alternative.
>
> a) Routing Approach
>
> Suppose that SPs are defined between 192.168.100.0/24 (the local network) and
> 192.168.200.0/24 (the remote network). Furthermore suppose that the firewall's
> internet interface is eth0 and the local interface is eth1 with IP address
> 192.168.100.254.
>
> The route that is required then is:
>
>         ip route add 192.168.200.0/24 dev eth0 src 192.168.100.254
>
> Cyber Dog -- is that basically what you did?
>

Yes, that's just about exactly the setup/solution.  It works fine,
really; the route can be added automatically via
/etc/network/interfaces

I asked mostly out of curiosity.

> b) Masq Approach
>
> You might also be able to finesse IPSEC with a rule in your 
> /etc/shorewall/masq
> file:
>
>         eth0:192.168.200.0/24   <external fw IP>        192.168.100.254

Also cool.

>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>

Thanks-
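As an added example, not from the thread or from Shorewall itself: a small Python model of the IPsec Security Policy (SP) selector check behind Tom's two approaches, showing why a packet the firewall itself sends from its external IP misses the SPs, while the src-hinted route and the masq rule both put it back inside the 192.168.100.0/24 -> 192.168.200.0/24 selector. The external firewall IP 203.0.113.10 is a constructed placeholder (the thread writes <external fw IP>), and the masq branch assumes the SNAT is applied before the policy lookup, which is the premise of that approach.

```python
"""Model of the IPsec SP selector check for the two workarounds in the thread.
Added example, not Shorewall code. Networks and interface IPs follow the thread;
the external firewall IP is a constructed placeholder."""
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.100.0/24")     # behind eth1
REMOTE_NET = ip_network("192.168.200.0/24")    # far end of the tunnel
LOCAL_IF_IP = ip_address("192.168.100.254")    # eth1 address
EXTERNAL_FW_IP = ip_address("203.0.113.10")    # eth0 address, constructed placeholder

# Security Policies as (source selector, destination selector).
# Only traffic matching one of these pairs is sent through the tunnel.
SPS = [(LOCAL_NET, REMOTE_NET), (REMOTE_NET, LOCAL_NET)]

def matches_sp(src, dst):
    """True if the (src, dst) pair is covered by some SP, i.e. would be protected."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s and dst in d for s, d in SPS)

def source_for_route(dst, routes, default_src):
    """Source address the kernel picks for a locally generated packet: the 'src'
    hint of the most specific matching route, otherwise the interface's own IP."""
    dst = ip_address(dst)
    best = None
    for net, src_hint in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src_hint)
    return best[1] if best and best[1] is not None else default_src

def masq_rewrite(src, dst, masq_rules):
    """Apply the first matching masq-style rule: (dest net, source to match, new source)."""
    src, dst = ip_address(src), ip_address(dst)
    for dst_net, match_src, new_src in masq_rules:
        if dst in dst_net and src == match_src:
            return new_src
    return src

def firewall_to_remote_is_protected(approach):
    """A packet from the firewall itself to a remote host, under each approach."""
    dst = ip_address("192.168.200.10")
    if approach == "none":      # no workaround: source is eth0's external IP
        src = EXTERNAL_FW_IP
    elif approach == "route":   # ip route add 192.168.200.0/24 dev eth0 src 192.168.100.254
        src = source_for_route(dst, [(REMOTE_NET, LOCAL_IF_IP)], EXTERNAL_FW_IP)
    elif approach == "masq":    # eth0:192.168.200.0/24  <external fw IP>  192.168.100.254
        src = masq_rewrite(EXTERNAL_FW_IP, dst, [(REMOTE_NET, EXTERNAL_FW_IP, LOCAL_IF_IP)])
    else:
        raise ValueError(f"unknown approach: {approach}")
    return matches_sp(src, dst)
```

Running the three cases shows the first packet leaving in the clear (no SP match) and the other two matching the SP, which is the check to do with `ip xfrm policy` and a packet capture on eth0 before trusting either workaround.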

Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users