On Fri, 2007-08-17 at 08:42 +0200, Johannes Graumann wrote:
> Tom Eastep wrote:
> > Yes -- this is a connection problem.
>
> Thanks. So I did as the troubleshooting page requests:
> - first ssh 10.31.0.69 (works)
> - second ssh 10.4.0.38 (fails)

You ssh'ed from where? The firewall? And what does "fails" mean? Timeout?
Connection Refused? Keyboard burst into flames?

> - /sbin/shorewall dump > /tmp/status.txt && bzip2 /tmp/status.txt
>
> File is attached. Any hints are greatly appreciated!

From the dump, it looks like you have a providers file that looks
something like this:

    #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
    ICA       1      1    main      eth1      141.61.79.1 loose   eth0
    LAN       2      2    main      eth0      10.31.0.1   loose   eth1

There are a number of things wrong with this:

a) You don't want the 'loose' option.
b) You do want the 'balance' option.
c) You don't want to copy eth1 routes to the ICA routing table.
d) You don't want to copy eth0 routes to the LAN routing table.
e) You DO want to copy vmnet0 and vmnet8 routes to both routing tables.

So you need a providers file more on the order of:

    #PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY     OPTIONS COPY
    ICA       1      1    main      eth1      141.61.79.1 balance vmnet0,vmnet8
    LAN       2      2    main      eth0      10.31.0.1   balance vmnet0,vmnet8

You are also missing the entries in /etc/shorewall/masq recommended by
the MultiISP documentation (http://www.shorewall.net/3.0/MultiISP.html).
See the paragraph that begins "Regardless of whether you have
masqueraded hosts or not,...".

Now about the test you performed. I suspect that 10.4.0.38 is only
accessible via eth0 but your main routing table doesn't reflect that. So
you must add routes via 10.31.0.1 to those non-local networks that are
only accessible through eth0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
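Points a) to e) of the reply above, written as a check that can be run over a providers file. This is an added example, not part of the original message and not Shorewall's own code; the function names are hypothetical, and the rules encode the advice given for this two-uplink host rather than general Shorewall validation.

```python
# Added example: lint a Shorewall providers file against points a) to e) of the reply.
# Function names are hypothetical; the rules encode this thread's advice only.
COLUMNS = ("provider", "number", "mark", "duplicate",
           "interface", "gateway", "options", "copy")

# The two providers files quoted in the reply (before and after the suggested fix).
BEFORE = """\
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ICA 1 1 main eth1 141.61.79.1 loose eth0
LAN 2 2 main eth0 10.31.0.1 loose eth1
"""
AFTER = """\
#PROVIDER NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
ICA 1 1 main eth1 141.61.79.1 balance vmnet0,vmnet8
LAN 2 2 main eth0 10.31.0.1 balance vmnet0,vmnet8
"""

def parse_providers(text):
    """Return one dict per provider line; '-' or a missing column means empty."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        fields += ["-"] * (len(COLUMNS) - len(fields))
        row = dict(zip(COLUMNS, fields))
        for key in ("options", "copy"):
            row[key] = [] if row[key] == "-" else row[key].split(",")
        rows.append(row)
    return rows

def check_providers(text, local_ifaces):
    """Return (provider, problem) pairs; local_ifaces are the internal interfaces."""
    rows = parse_providers(text)
    uplinks = {r["interface"] for r in rows}
    findings = []
    for r in rows:
        opts = {o.split("=", 1)[0] for o in r["options"]}   # 'balance=2' -> 'balance'
        if "loose" in opts:                                  # point a)
            findings.append((r["provider"], "remove 'loose'"))
        if "balance" not in opts:                            # point b)
            findings.append((r["provider"], "add 'balance'"))
        for iface in r["copy"]:                              # points c) and d)
            if iface in uplinks and iface != r["interface"]:
                findings.append((r["provider"], f"COPY lists uplink {iface}"))
        for iface in local_ifaces:                           # point e)
            if iface not in r["copy"]:
                findings.append((r["provider"], f"COPY lacks {iface}"))
    return findings
```

Calling `check_providers(BEFORE, ["vmnet0", "vmnet8"])` reports five findings per provider, and the same call on `AFTER` returns an empty list.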
