On Mon, 25 Feb 2008, Simon Hobson wrote:

> Pieter Donche wrote:
>
>> I want to install a firewall with 2 extra interfaces :
>>
>> - My serv ("dmz") zone is a /28 subnet behind eth1, with a small number of SUN
>> servers (IPs between ABC.DEF.75.1 and .13), one of which is a DHCP server for
>> the 75 subnet.
>> - The loc zone are PCs in the 75 subnet behind eth2 with IPs between
>> ABC.DEF.75.17 and .253
>> - The fw zone is the firewall itself (SuSE 10.2) (eth0)
>>
>>
>> The setup of the network cards is:
>>          eth0                eth1 (for zone serv)    eth2 (for zone loc)
>> IP:     ABC.DEF.70.201      ABC.DEF.75.14           ABC.DEF.75.254
>> HN:     pcfw0 (prompt)      (pcfw0) (prompt)        (pcfw0) (prompt)
>> SM:     255.255.255.0       255.255.255.240         255.255.255.0
>> GA:     ABC.DEF.70.254      ABC.DEF.70.254          ABC.DEF.70.254
>> BA:     ABC.DEF.70.255      ABC.DEF.75.15           ABC.DEF.75.255
>
> You are aware that this is not a valid IP configuration aren't you ?
>
> ABC.DEF.75.0/28 (serv) is a subnet of ABC.DEF.75.0/24 (loc), and so
> you have overlapping address spaces (eg, ABC.DEF.75.1 is valid on
> two networks) which means that the required routing is ambiguous.

In the machines in the real serv and loc zone, the settings are:
serv:
SM: 255.255.255.0
GA: ABD.DEF.75.14
loc:
SM: 255.255.255.0
GA: ABD.DEF.75.255

In fact the 75 subnet is not really divided into two subnets, they remain
one, but there is only a difference in GATEWAY between the serv machines
and the loc machines.

> Also, ABC.DEF.70.254 is not a valid gateway address for the serv
> network - it's not in the subnet. Ditto for the loc network.

In SuSE 10.2 Linux, whenever I change a Gateway address for one network
interface, it automatically changes for any other network interface in
the same thing (as it also does when you change the hostname).


If I read the netstat -nr tables the routing looks to follow the directions
I want.


The setup worked for years in Shorewall 1.0.3 and also in my test setup
in Shorewall 4.0.6.
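
The two checks raised in the quoted reply (overlapping interface subnets, and a gateway outside the interface's own subnet) can be run against the interface table from the original post. This is an added example, not part of the thread; the `10.20` prefix is a constructed stand-in for the masked `ABC.DEF` octets, and `egress` models the kernel's longest-prefix match over connected routes only.

```python
import ipaddress
from itertools import combinations

# Interface table from the post. 10.20 is a constructed stand-in for the
# masked ABC.DEF octets, used only so the addresses parse.
INTERFACES = {
    "eth0": {"ip": "10.20.70.201", "mask": "255.255.255.0",   "gw": "10.20.70.254"},
    "eth1": {"ip": "10.20.75.14",  "mask": "255.255.255.240", "gw": "10.20.70.254"},
    "eth2": {"ip": "10.20.75.254", "mask": "255.255.255.0",   "gw": "10.20.70.254"},
}


def networks(interfaces):
    """Map each interface name to the connected network implied by ip/mask."""
    return {
        name: ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}").network
        for name, cfg in interfaces.items()
    }


def overlapping(interfaces):
    """Pairs of interfaces whose connected networks share addresses."""
    nets = networks(interfaces)
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def off_link_gateways(interfaces):
    """Interfaces whose configured gateway is not inside their own subnet."""
    nets = networks(interfaces)
    return [name for name in sorted(interfaces)
            if ipaddress.ip_address(interfaces[name]["gw"]) not in nets[name]]


def egress(interfaces, dst):
    """Interface chosen for dst by longest-prefix match, or None if no
    connected network contains it (the default route would then apply)."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name)
               for name, net in networks(interfaces).items() if addr in net]
    return max(matches)[1] if matches else None


if __name__ == "__main__":
    print("overlapping networks:", overlapping(INTERFACES))
    print("gateway outside subnet:", off_link_gateways(INTERFACES))
    for dst in ("10.20.75.5", "10.20.75.20", "10.20.70.1"):
        print(dst, "->", egress(INTERFACES, dst))
```

Because the /28 is more specific than the /24, addresses .0 to .15 of the 75 network always resolve to eth1 and everything else in it to eth2, so the firewall can never reach a host numbered in that low range through eth2.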
