Lars E. D. Jensen wrote:
> Hello list
> 
> I'm trying to get Proxy ARP to work on a virtual xen network using
> shorewall-perl 4.0.2.
> 
> I have 1 dom0 with 4 physical NICs.
> 
> On each dom0 NIC I've made a bridge (except for eth1, which is used for AoE
> storage).
> 
> Shorewall is running in a domU where:
> DomU eth0 is created on xenbr0
> DomU eth1 is created on xenbr2
> 
> I've installed a domU, a DMZ server, where:
> DomU eth0 is created on xenbr2
> 
> The DMZ server should be able to access the Internet through the Shorewall
> domU. I have followed http://www.shorewall.net/ProxyARP.htm, but I get this
> in the log:
> 
> dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
> SRC=192.168.1.20 DST=89.150.129.4 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=63169
> DF PROTO=UDP SPT=32768 DPT=53 LEN=57
> 
> Is there something basic I'm missing here? (attached a shorewall dump also)
> 

A check of Shorewall FAQ 17 (http://www.shorewall.net/FAQ.htm#faq17)
would have told you that when the IN= interface is equal to the OUT=
interface and traffic is being dropped/rejected in the FORWARD chain
that you need the 'routeback' option on the interface (eth1).

Adding that option will get rid of the message but it begs the question
why 192.168.1.20 is routing traffic to 89.150.129.4 through the
Shorewall box in the first place given that 192.168.1.20 is on the same
LAN as the firewall's default gateway.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
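
Added example (not part of the original message, and not Shorewall code): a Python sketch that scans kernel log lines for the pattern FAQ 17 describes, a packet dropped or rejected in the FORWARD chain with IN= equal to OUT=, and reports which interface is a candidate for the 'routeback' option. The function names are hypothetical; the first sample line is the one from the post rejoined onto one line, and the other two are constructed.

```python
import re

# Log prefix as seen in the post: Shorewall:<chain>:<disposition>:
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+):")
# netfilter LOG fields are KEY=VALUE tokens; the value may be empty ("OUT=")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

SAMPLE_LOG = [
    # From the post, rejoined onto one line
    "dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1 "
    "SRC=192.168.1.20 DST=89.150.129.4 LEN=77 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=63169 DF PROTO=UDP SPT=32768 DPT=53 LEN=57",
    # Constructed: forwarded between two different interfaces
    "fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth1 SRC=198.51.100.7 "
    "DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT=22",
    # Constructed: packet addressed to the firewall itself, so OUT= is empty
    "fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 "
    "DST=192.0.2.1 LEN=40 TTL=52 PROTO=TCP SPT=40001 DPT=23",
]


def parse_line(line):
    """Return chain, disposition and KEY=VALUE fields, or None if not Shorewall."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    entry = {"chain": m["chain"], "disposition": m["disposition"]}
    for key, value in FIELD_RE.findall(line[m.end():]):
        entry.setdefault(key, value)  # keep the first LEN= (IP length)
    return entry


def needs_routeback(entry):
    """FAQ 17 pattern: dropped/rejected in FORWARD with IN= equal to OUT=."""
    return (entry is not None
            and entry["chain"] == "FORWARD"
            and entry["disposition"] in ("DROP", "REJECT")
            and entry.get("IN", "") != ""
            and entry["IN"] == entry.get("OUT"))


def routeback_candidates(lines):
    """Map interface -> set of (SRC, DST) pairs that hairpinned through it."""
    found = {}
    for entry in map(parse_line, lines):
        if needs_routeback(entry):
            found.setdefault(entry["IN"], set()).add((entry.get("SRC"), entry.get("DST")))
    return found
```

The reported (SRC, DST) pairs also show which hosts are sending traffic back out the interface it arrived on, which is the routing question raised at the end of the reply.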

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users