Tom Eastep wrote:
> J M wrote:
> 
>> However if I come in from the internet to the web site, I see nothing,
>> and if I look in the log I see this:
>>
>> Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00  SRC=x.x.x.x
>> DST=198.162.214.243 LEN=60 TOS=00 PREC=0x00 TTL=59 ID=44361 CE DF
>> PROTO=TCP SPT=14259 DPT=80 SEQ=2177425409
>>
>> If I ping I see a similar rejection.
>>
>> What surprises me here, is that IN and OUT are both eth1 and that's the
>> obvious reason it is being REJECTed.
>>
>>
>> Why do I get eth1 on both IN and OUT?
> 
> Your routing is screwed up.
> 
> In particular, Proxy ARP is very hard to get right with multi-ISP (remember
> all of the warnings at the top of the multi-ISP article indicating that the
> reader really needs to understand this stuff in order to use it?).
> 
> You have two options:
> 
> a) Rather than specifying 'No' in the HAVEROUTE column of
> /etc/shorewall/proxyarp, you should add the host routes to the DMZ servers
> as part of your distribution's configuration of eth0.120. That way, it will
> be copied to the routing table corresponding to eth1 as a result of
> 'eth0.120' (or eth0.*) appearing in the COPY column of the providers file.
> 
> That's the approach that I take when I'm testing Multi-ISP.
> 
> or)
> 
> b) Add a route rule that directs all traffic to the DMZ servers to use the
> main routing table.

One thing which I missed was adding the dmz interface to my 
/etc/shorewall/providers file. I believe this was the only error. I restarted 
shorewall, and everything appears to work as advertised.

The only thing I notice now, is that on a reboot of the firewall, the rules 
don't seem to apply, I get a ton of REJECT packets for example (in the shorewall 
log), when I try to ping the host from the firewall. However if I simply do a 
"shorewall restart" then everything works again. I'm working on that one...

Regards,

John
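The IN=eth1 OUT=eth1 symptom in the log above is easy to spot by eye once, but on a busy multi-ISP firewall it is worth checking mechanically. The following shell snippet is an added example, not code from the thread or from Shorewall: it pulls the IN/OUT/SRC/DST fields out of Shorewall log lines, reports every packet that would have left on the interface it arrived on, and (optionally, read-only) asks the kernel which route it would pick for that flow. The log lines are constructed for the example; 198.162.214.243 is the DMZ address from the thread, the sources are documentation addresses.

```shell
#!/bin/sh
# Sample Shorewall log lines, constructed for this example. Line 1 is the
# hairpin case from the thread (IN=eth1 OUT=eth1), line 2 is what a correct
# forward to the DMZ VLAN looks like, line 3 is a hairpin on a second ISP link.
SAMPLE_LOG='Shorewall:FORWARD:REJECT: IN=eth1 OUT=eth1 MAC=00 SRC=203.0.113.5 DST=198.162.214.243 LEN=60 TOS=00 PREC=0x00 TTL=59 ID=44361 CE DF PROTO=TCP SPT=14259 DPT=80 SEQ=2177425409
Shorewall:net2dmz:ACCEPT: IN=eth1 OUT=eth0.120 MAC=00 SRC=203.0.113.5 DST=198.162.214.243 LEN=60 TOS=00 PREC=0x00 TTL=59 ID=44362 DF PROTO=TCP SPT=14260 DPT=80
Shorewall:FORWARD:REJECT: IN=eth2 OUT=eth2 MAC=00 SRC=203.0.113.9 DST=198.162.214.243 LEN=84 TOS=00 PREC=0x00 TTL=57 ID=1 DF PROTO=ICMP TYPE=8 CODE=0'

# Read log lines on stdin; print "SRC DST IFACE" for each line whose packet
# would leave on the same interface it entered. Tokens without '=' (CE, DF,
# the Shorewall prefix) are ignored by the key=value split.
hairpin_entries() {
    awk '{
        in_if = ""; out_if = ""; src = ""; dst = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "IN") in_if = kv[2];
            else if (kv[1] == "OUT") out_if = kv[2];
            else if (kv[1] == "SRC") src = kv[2];
            else if (kv[1] == "DST") dst = kv[2];
        }
        if (in_if != "" && in_if == out_if) print src, dst, in_if;
    }'
}

# Number of hairpin entries in the constructed sample (expected: 2).
hairpin_count() {
    printf '%s\n' "$SAMPLE_LOG" | hairpin_entries | wc -l | tr -d ' '
}

# For each hairpin flow, ask the kernel which route/table it would use when the
# packet arrives on that interface. With multi-ISP, a DMZ destination that
# resolves via the ISP table instead of a host route on eth0.120 is the cause
# Tom describes. Requires iproute2; read-only, safe to run on the firewall.
show_route_for_hairpins() {
    printf '%s\n' "$SAMPLE_LOG" | hairpin_entries | while read -r src dst iface; do
        echo "== $src -> $dst arrived on $iface"
        ip route get "$dst" from "$src" iif "$iface" 2>/dev/null \
            || echo "(ip route get unavailable here)"
    done
}
```

To run it against a real log, replace the sample with something like `grep Shorewall /var/log/messages | hairpin_entries`; the `ip route get` output should name `dev eth0.120` for DMZ hosts once the host routes are in the per-ISP tables.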

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users