Lars E. D. Jensen wrote:
> On 27/08/07 1:07, "Tom Eastep" <[EMAIL PROTECTED]> wrote:
>
>> Lars E. D. Jensen wrote:
>>> Hello list
>>>
>>> I'm trying to get Proxy ARP to work on a virtual xen network using
>>> shorewall-perl 4.0.2.
>>>
>>> I have 1 dom0 with 4 physical NICs.
>>>
>>> On each dom0 NIC I've made a bridge (except for eth1, which is used for AoE
>>> storage).
>>>
>>> Shorewall is running in a domU where:
>>> DomU eth0 is created on xenbr0
>>> DomU eth1 is created on xenbr2
>>>
>>> I've installed a domU, a DMZ server, where:
>>> DomU eth0 is created on xenbr2
>>>
>>> The DMZ server should be able to access the Internet through the Shorewall
>>> domU. I have followed http://www.shorewall.net/ProxyARP.htm, but I get this
>>> in the log:
>>>
>>> dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1
>>> SRC=192.168.1.20 DST=89.150.129.4 LEN=77 TOS=0x00 PREC=0x00 TTL=63 ID=63169
>>> DF PROTO=UDP SPT=32768 DPT=53 LEN=57
>>>
>>> Is there something basic I'm missing here? (attached a shorewall dump also)
>>>
>> A check of Shorewall FAQ 17 (http://www.shorewall.net/FAQ.htm#faq17)
>> would have told you that when the IN= interface is equal to the OUT=
>> interface and traffic is being dropped/rejected in the FORWARD chain
>> that you need the 'routeback' option on the interface (eth1).
>
> Now that's gone...
>
>> Adding that option will get rid of the message but it begs the question
>> why 192.168.1.20 is routing traffic to 89.150.129.4 through the
>> Shorewall box in the first place given that 192.168.1.20 is on the same
>> LAN as the firewall's default gateway.
>
> I've followed this from ProxyARP.htm:
> The lower systems (130.252.100.18 and 130.252.100.19) should have their
> subnet mask and default gateway configured exactly the same way that the
> Firewall system's eth0 is configured. In other words, they should be
> configured just like they would be if they were parallel to the firewall
> rather than behind it.
>
> The DMZ server 192.168.1.20 is set up with the same network config as the
> firewall's eth0/192.168.1.15, that is with gateway 192.168.1.1.
>

192.168.1.20 is connected to eth1 which is also where the firewall's default
gateway is connected. That is NOT the configuration shown in ProxyARP.htm.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
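A small log-triage script, added here as an illustration and not part of the thread or of Shorewall itself: it parses the kernel log line Lars posted, applies the FAQ 17 rule Tom cites (DROP/REJECT in FORWARD with IN= equal to OUT= means that interface needs 'routeback'), and then checks Tom's second point, whether the sender already sits on the LAN of the firewall's default gateway. The interface table (eth1 = 192.168.1.15/24, gateway 192.168.1.1) is constructed from addresses in the thread and is an assumption.

```python
import ipaddress
import re

# Constructed sample: the log line reported in the thread.
SAMPLE_LOG = (
    "dcm-firewall kernel: Shorewall:FORWARD:DROP:IN=eth1 OUT=eth1 "
    "SRC=192.168.1.20 DST=89.150.129.4 LEN=77 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=63169 DF PROTO=UDP SPT=32768 DPT=53 LEN=57"
)
# Assumed firewall addressing (constructed to mirror the thread).
FW_INTERFACES = {"eth1": ipaddress.ip_interface("192.168.1.15/24")}
FW_DEFAULT_GW = ipaddress.ip_address("192.168.1.1")

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:\s]+):")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Split a Shorewall kernel log line into chain, disposition and key=value fields."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in KV_RE.findall(line[m.end():]):
        rec.setdefault(key, value)  # first LEN= is the IP length; keep it
    return rec


def needs_routeback(rec):
    """FAQ 17 rule: DROP/REJECT in FORWARD with IN == OUT -> 'routeback' on IN."""
    return (rec["chain"] == "FORWARD"
            and rec["disposition"] in ("DROP", "REJECT")
            and bool(rec.get("IN")) and rec.get("IN") == rec.get("OUT"))


def on_gateway_lan(rec, interfaces=FW_INTERFACES, gateway=FW_DEFAULT_GW):
    """True when sender and default gateway share the LAN behind IN= (no need to route via the firewall)."""
    iface = interfaces.get(rec.get("IN"))
    if iface is None or "SRC" not in rec:
        return False
    return (ipaddress.ip_address(rec["SRC"]) in iface.network
            and gateway in iface.network)


def triage(line):
    """One-line verdict for a log line, suitable for a log-watch script."""
    rec = parse_log_line(line)
    if rec is None:
        return "not a Shorewall log line"
    if not needs_routeback(rec):
        return "no same-interface FORWARD drop"
    note = f"add 'routeback' to {rec['IN']} in /etc/shorewall/interfaces"
    if on_gateway_lan(rec):
        note += f"; {rec['SRC']} is on the gateway's LAN, check its routing"
    return note
```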
