----- Original Message -----
From: "Mike Lander" <[EMAIL PROTECTED]>
To: "Shorewall Users" <[email protected]>
Sent: Thursday, August 30, 2007 1:47 PM
Subject: Re: [Shorewall-users] Multi-Isp Masqerade ?
::: Mike Lander wrote:
::: > Mike Lander wrote:
::: >
::: >> : /etc/shorewall/masq
::: >> : eth0 10.194.79.181 66.224.62.120
::: >> : eth1 66.224.62.120 10.194.79.181
::: >> : eth0 eth1 66.224.62.120
::: >> : eth1 eth0 10.194.79.181
::: >
::: > The last two entries appear to me to be totally silly.
::: >
::: > Please stop and think a minute about what those entries are asking the
::: > firewall to do. The first one says that "any traffic from a host with a
::: > route out of eth1 that is being forwarded out of eth0 should have its
::: > source address rewritten to 66.224.62.120". Why would any traffic be taking
::: > that path at all? The second rule is similar...
::: >
::: > Am I missing something?
::: >
::: > -Tom
::: >
::: > Well, in the multi-ISP setup this is the convention
::: > to take with two ISPs, two NICs, FQip.
::: > That is why I am confused on how to masq
::: > from loc to the net with one NIC FQip 66.224.62.120
::: > and the other forwarding to the gw 10.194.79.254
::: > on the internal LAN. My thought about the LAN
::: > is not to masq at all, any ideas?
::: > But your answer sure makes me think about
::: > it more clearly.
:::
::: If there is a local LAN here, which interface is it connected to? All you
::: have shown us is eth0 and eth1 which appear to go to the two providers.
::: Please don't tell me that 'the LAN' is also accessed through one of those
::: interfaces....
:::
::: -Tom
::: --
::: Well I thought I could access both T-1's in this config in my previous
::: post, the admin led me to believe.
::: But as it turns out both these ISPs (two full T-1's are in separate
::: buildings)
::: and connected by one run of Fiber. So Jerry seemed optimistic this config
::: would work as his does.
::: I have two nics in a test environment with the same setup at my place.
:::
::: eth0 66.224.62.120/27--gw 66.224.62.97
::: eth1 10.194.79.181- gw 10.194.79.254
::: I will send dump if you like.
:::
::: Mike
:::
::: Here is the dump
:: Thanks
:: Mike
:::
: Now I am thinking that does not make sense
: at all. My thought is the traffic coming from
: the natted gateway is already masqueraded;
: just masquerade the eth1 to eth0 traffic,
: so maybe it's as simple as below:
: /etc/shorewall masqerade
: eth0 eth1
:
: Does that make sense?
: Mike
:
:
Tom,
I don't know if you recall, but you helped me with the same
location years ago. Here is a post from the past, between the lines:
__________________________________________
On Sat, 15 Nov 2003, Mike Lander wrote:
> My mistake sorry, I got the networks wrong
> I need to add a static route for networks and hosts between
> 63.90.86.0~63.90.86.255 with gateway 10.5.198.238
> would this be correct?
> route add 63.90.86.0 255.0.0.0 gw 10.5.198.238
>
No; your netmask is incorrect -- check
http://www.shorewall.net/shorewall_setup_guide.htm#Addressing
(it would be good to bookmark that one for future reference).
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
___________________________________________
I am pulling that firewall and building that as well with Suse.
So I will have a Shorewall box in both buildings. Is there
a way that both Shorewall boxes could load-balance this,
with the two T-1's in separate buildings?
Mike
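
The netmask problem from the 2003 exchange quoted above, worked through as an added example that is not part of the original thread: `check_route` is a hypothetical helper that compares a destination/netmask pair with the address range it is meant to cover, using Python's standard `ipaddress` module. It generalizes beyond the /24 in the post to ranges that need more than one route.

```python
import ipaddress


def check_route(first, last, dest, netmask):
    """Compare a route's destination/netmask with the range first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    size = int(hi) - int(lo) + 1
    # Minimal set of CIDR blocks that covers exactly first..last.
    wanted = list(ipaddress.summarize_address_range(lo, hi))
    # strict=False clears host bits, showing what the netmask really selects.
    covered = ipaddress.ip_network(f"{dest}/{netmask}", strict=False)
    covers = lo in covered and hi in covered
    return {
        # True when dest is not a network address under this netmask.
        "host_bits_set": ipaddress.IPv4Address(dest) != covered.network_address,
        "covered": str(covered),
        "covers_range": covers,
        # Addresses the route would capture beyond the intended range.
        "extra_addresses": covered.num_addresses - size if covers else None,
        "exact": wanted == [covered],
        "suggested": [(str(n.network_address), str(n.netmask)) for n in wanted],
    }


if __name__ == "__main__":
    # Range, destination, netmask and gateway as given in the quoted 2003 post.
    result = check_route("63.90.86.0", "63.90.86.255", "63.90.86.0", "255.0.0.0")
    for key, value in result.items():
        print(f"{key}: {value}")
    for net, mask in result["suggested"]:
        print(f"route add -net {net} netmask {mask} gw 10.5.198.238")
```

A netmask that is too short matters on a firewall because every extra address it matches is traffic steered to a gateway it was never meant to reach.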