On Thu, 2011-09-08 at 17:48 +0100, Dan Tomlinson wrote:
> Hi all,
>
> I was wondering if anyone could help me with a bit of tricky shorewall
> config.
>
> We have a slightly strange setup with the following characteristics:
>
> A debian squeeze gateway / firewall machine with shorewall version
> 4.4.11.6-3. This machine sits between our internal LAN (network
> 192.168.80.0/24 on interface br0 192.168.80.254 due to the machine
> running an openvpn bridged setup) and the outside world (interface
> eth0, let's say with IP address a.b.c.d).
>
> This firewall is providing DNAT for the hosts on the internal LAN and
> the setup works fine for this purpose.
>
> The problem is that we also have a few hosts that need *real* external
> IP addresses, which we are hoping to provide using proxyarp. We have
> another IP range external to the firewall presented to the interface
> eth0 (172.24.252.192/26). These machines sit behind the firewall but
> must be directly accessible from outside.
>
> Our setup was working for both DNAT and proxyarp with the old version
> of shorewall in lenny, but after a dist-upgrade, it no longer liked
> the following line in my /etc/shorewall/masq file:
>
> #INTERFACE  SOURCE                  ADDRESS  PROTO  PORT(S)  IPSEC  MARK
> eth0        br0:!172.24.252.192/26
>
> So I changed it to:
>
> eth0        br0
>
> ... which worked for DNAT but the proxyarp stopped working.
Entries in /etc/shorewall/masq will not have any effect on proxy arp. It
will only determine the SOURCE IP address of *outgoing* connections from
hosts behind the firewall.

> Having read all the shorewall config guides I could get my hands on, I
> tried various of the following:
>
> eth0  br0:!172.24.252.192/26      (shorewall complains this is not valid syntax)
> eth0  192.168.80.254              (works for DNAT but not proxyarp)
> eth0  192.168.80.0/24  a.b.c.d    (works for DNAT but not proxyarp)

You want the last one.

> I'm at a bit of a loss as to how to get DNAT and proxyarp working
> together again!

I think you need to determine *why* proxy arp isn't working. Have you
sniffed traffic on eth0 to see what is happening when an external host
pings 172.24.252.193? That should be your first step.

> My /etc/shorewall/proxyarp file has lines like this in it for the
> hosts needing proxyarp:
>
> #ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
>
> 172.24.252.193  eth0       br0       No         Yes
>
> Any advice would be greatly appreciated! I've been pulling my hair
> out about this all morning and fiddling with a live firewall with
> people working behind it is stressful enough!

See above. And, if you can't determine what the problem is, then please
send me the output of 'shorewall dump' and I'll take a look.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
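As an added, offline illustration of the check Tom recommends (this is not code from the thread or from Shorewall): the script parses a proxyarp table in the format quoted above and compares it with constructed samples of what `ip neigh show proxy`, `ip route show` and the per-interface `net.ipv4.conf.<if>.proxy_arp` sysctl report on the gateway. It reports the kernel state a working proxy ARP entry needs, which is exactly what a masq entry cannot supply.

```python
import re

# Constructed inputs: the proxyarp table in the format quoted in the thread
# and samples of what the three kernel queries would print on the gateway
# (a.b.c.1 is a placeholder default gateway, not a value from the thread).
PROXYARP = """#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE  PERSISTENT
172.24.252.193  eth0       br0       No         Yes
172.24.252.194  eth0       br0       No         Yes
"""
IP_NEIGH_PROXY = "172.24.252.193 dev eth0 proxy\n"      # ip neigh show proxy
IP_ROUTE = """default via a.b.c.1 dev eth0
192.168.80.0/24 dev br0  proto kernel  scope link  src 192.168.80.254
172.24.252.193 dev br0  scope link
"""                                                      # ip route show
PROXY_ARP_SYSCTL = {"eth0": 1, "br0": 0}                 # net.ipv4.conf.<if>.proxy_arp

def parse_proxyarp(text):
    """Yield (address, external_if, internal_if, haveroute) for each data row."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields[0], fields[1], fields[2], fields[3]

def check_proxyarp(table, neigh_out, route_out, sysctl):
    """Return the reasons each proxyarp entry cannot work, given the kernel state.

    Linux answers an ARP request arriving on EXTERNAL for ADDRESS only if it
    holds a route to ADDRESS out another interface, and either proxy_arp is
    enabled on EXTERNAL or a published (proxy) neighbour entry exists for
    ADDRESS on EXTERNAL.  Shorewall is expected to set these up on start;
    this verifies they are actually in place.
    """
    proxied = set(re.findall(r"^(\S+) dev (\S+) proxy", neigh_out, re.M))
    routes = set(re.findall(r"^(\S+) dev (\S+)", route_out, re.M))
    problems = []
    for addr, ext, internal, _haveroute in parse_proxyarp(table):
        if (addr, internal) not in routes:
            problems.append(f"{addr}: no host route via {internal}")
        if not (sysctl.get(ext) or (addr, ext) in proxied):
            problems.append(f"{addr}: proxy_arp off on {ext} and no proxy entry")
    return problems

if __name__ == "__main__":
    for problem in check_proxyarp(PROXYARP, IP_NEIGH_PROXY, IP_ROUTE, PROXY_ARP_SYSCTL):
        print(problem)
```

On a live gateway the three constants would be replaced by the output of the corresponding commands; an entry that passes every check but still gets no ARP reply is the point at which sniffing eth0, as suggested above, becomes necessary.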
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
