Paolo Nesti Poggi wrote:
>
>> -----Original message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] on behalf of Tom
>> Eastep
>
>> The IP address that you have in the ADDRESS column of
>> /etc/shorewall/masq (84.63.114.214) is not an address of any interface
>> on your firewall.
>
> Actually I saw the 2) note about this on FAQ #15, and on a second check, I
> don't know how, I concluded that my configuration of the file was correct!
>
> So I understand I should use example 1 or 2 from the masq file
>
> eth0 eth1
> eth0 eth2
>
> or
>
> eth0 192.168.101.0/24
> eth0 192.168.102.0/24
>
> that in our setup should be interchangeable.

With the proxy ARP that is going on, they are NOT interchangeable; that's
what I pointed out in my b) note below.

>
> Probably I was fooled by the fact that so it was in the old file we
> currently use (gibraltar based, shorewall 1.3.2, and who knows why it
> works),

It will work if you:

1) Change the ADDRESS to 84.63.114.115 (the address of eth0); or
2) Add 84.63.114.214 as an address on eth0; or
c) Set ADD_SNAT_ALIASES=Yes in shorewall.conf so Shorewall will add the
address for you.

> and I thought it was following example 5 (as a "special case" of it
> actually, only the second half).
>
>> Also:
>>
>> a) You appear to need the 'dhcp' option on eth2.
>
> Yes, that's correct!
>
>> b) Why are you using outgoing SNAT on the Proxy ARPed public IP
>> addresses in your DMZ?
>
> Hmmm. Now I see it mentioned in the dump file. I guess it comes from the
> wrong configuration of the /etc/shorewall/masq file you pointed out.

You need to use the private network address in the SUBNET column rather
than the interface name.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
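The two /etc/shorewall/masq problems raised in this message can be checked mechanically. The following is an added example, not part of the original thread and not Shorewall code: the function names, the constructed sample file and the simplified parsing (one value per column, no lists or exclusions) are assumptions, while the addresses are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample: one entry with both problems, one correct entry.
SAMPLE_MASQ = """\
#INTERFACE  SUBNET            ADDRESS
eth0        eth1              84.63.114.214
eth0        192.168.102.0/24  84.63.114.115
"""
# Addresses actually configured on each interface (eth0 as stated in the thread).
SAMPLE_ADDRS = {"eth0": ["84.63.114.115"]}


def is_network(value):
    """Return True if value parses as an IP network or host address."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def check_masq(masq_text, iface_addrs, add_snat_aliases=False):
    """Return (line number, code, message) tuples for suspicious masq entries."""
    findings = []
    for lineno, raw in enumerate(masq_text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()  # drop comments, split columns
        if len(cols) < 2:
            continue  # blank, comment-only or incomplete line
        iface, subnet = cols[0], cols[1]
        address = cols[2] if len(cols) > 2 and cols[2] != "-" else None
        # Interface name in SUBNET: also covers proxy-ARPed public hosts behind it.
        if not is_network(subnet):
            findings.append((lineno, "subnet-is-interface",
                             f"SUBNET '{subnet}' is not a network; list the "
                             "private network instead"))
        # SNAT source address must exist on the outgoing interface, unless
        # ADD_SNAT_ALIASES=Yes lets Shorewall add it.
        if (address and not add_snat_aliases
                and address not in iface_addrs.get(iface, ())):
            findings.append((lineno, "address-not-on-interface",
                             f"ADDRESS {address} is not configured on {iface}"))
    return findings


if __name__ == "__main__":
    for lineno, code, message in check_masq(SAMPLE_MASQ, SAMPLE_ADDRS):
        print(f"masq line {lineno}: [{code}] {message}")
```
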
