I'm new to Shorewall and having some difficulty switching the access for a
newly assigned public IP block. This switch is from a class C to a class A
block. The ISP has both blocks active on our connection to lessen the
disruption during the switchover.
We currently use Shorewall 3.2.4 and our setup is as follows.
Internet -> Firewall --- Lan
                     --- DMZ
Zones are:
net eth2
loc eth1
dmz eth0
I also have multiple virtual interfaces on eth2 using IPs from the public
block for DNAT connections.
The first thing I did was change the virtual interface IPs used for
DNAT to IPs in the new block. Everything here works as expected after this
change.
The second change I made didn't work out so well. We have two systems in
the DMZ which use one to one NAT. I added two more entries to the list for
the new IPs so that when I had the DNS records changed it would translate
both the old and new IP while the switch made it to all DNS servers. I
never got to change the DNS records because through the night the firewall
stopped allowing connections to these systems. I removed the two entries and
everything started working again. Should this not work since it just
translates the address used from outside to the one I want on the inside?
The next thing I tried didn't work either. I changed the main interface IP
used for the net zone to one in the new IP block. This didn't display any
immediate problems either but I did find it strange that it would display
the only IP left on one of my virtual interfaces from the old class C block
when I would check the IP I was connecting from at dnsstuff. I figured that
this should be the new IP I had on eth2 for the net zone. This is another
case where through the night the access stopped working from outside again. I
changed the interface back and all worked as advertised.
I figure I'm missing something basic here but I can't pinpoint it. Could
someone please shed some light on this for me?
TIA