Dave Boltz wrote:

> I'm new to Shorewall and having some difficulty switching the access for
> a newly assigned public IP block. This switch is from a Class C to
> Class A block. The ISP has both blocks active on our connection to
> lessen the disruption during the switch over.
>
> We currently use Shorewall 3.2.4 and our setup is as follows.
>
> Internet -> Firewall --- Lan
>                      --- DMZ
>
> Zones are:
>
> net eth2
> loc eth1
> dmz eth0
>
> I also have multiple virtual interfaces on eth2 using IPs from the
> public block for DNAT connections.
>
> The first thing I did was change the virtual interface IPs used
> for DNAT to IPs in the new block. Everything here works as expected
> after this change.
>
> The second change I made didn't work out so well. We have two systems
> in the DMZ which use one-to-one NAT. I added two more entries to the
> list for the new IPs so that when I had the DNS records changed it
> would translate both the old and new IP while the switch made it to all
> DNS servers. I never got to change the DNS records because through the
> night the firewall stopped allowing connections to these systems. I
> removed the two entries and everything started working again. Should
> this not work since it just translates the address used from outside to
> the one I want on the inside?
It depends. Since one-to-one NAT translates in both directions, whichever
/etc/shorewall/nat entry is first will determine the outgoing SOURCE IP. If
that is different from the IP address on which a request is sent, you can
have problems with both SMTP and DNS servers.

> The next thing I tried didn't work either. I changed the main interface
> IP used for the net zone to one in the new IP block. This didn't
> display any immediate problems either but I did find it strange that it
> would display the only IP left on one of my virtual interfaces from the
> old Class C block when I would check the IP I was connecting from at
> dnsstuff. I figured that this should be the new IP I had on eth2 for
> the net zone.

That problem description is too vague for me to comment.

> This is another case where through the night the access
> stopped working from outside again. I changed the interface back and
> all worked as advertised.

As Roberto says, without details we can't even hazard a guess as to what
your problems are, let alone what the solutions might be.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
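As an added illustration of Tom's point about entry order (this is not Dave's configuration and not from the original thread), here is what two /etc/shorewall/nat entries for the same DMZ host look like during a cutover. The addresses are constructed placeholders: 198.51.100.0/24 stands in for the new block, 192.0.2.0/24 for the old one, and 10.0.0.10 is an assumed DMZ host behind eth0; the column layout is the standard one for the Shorewall 3.x nat file.

```conf
#EXTERNAL        INTERFACE   INTERNAL       ALL         LOCAL
#                                           INTERFACES
#
# Constructed example (not a real deployment). Each line creates both a
# DNAT rule (inbound to EXTERNAL -> INTERNAL) and an SNAT rule (outbound
# from INTERNAL -> EXTERNAL). With two lines for the same INTERNAL host,
# both EXTERNAL addresses keep accepting inbound connections, but only
# the FIRST line's EXTERNAL address is used as the SOURCE of the host's
# own outbound connections. Put the address that DNS will point to first.
198.51.100.10    eth2        10.0.0.10      No          No
192.0.2.10       eth2        10.0.0.10      No          No
```

If the two lines were swapped, the host would answer inbound connections on 198.51.100.10 but originate its own traffic (outbound SMTP, recursive DNS queries) from 192.0.2.10; a remote mail or DNS server that checks the connecting address against the published records then sees the old address, which is the mismatch Tom describes. After a restart, `shorewall show nat` prints the generated nat-table chains, so you can confirm which SNAT rule for 10.0.0.10 is listed first and which `to:` address it carries before changing the DNS records.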
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
