ok, my setup is slightly different. per this statement here:
"The above assumes that the IP address of the ALPHA is 10.223.8.10 and
that it is connected through eth0. It also assumes that the ALPHA's
default gateway is configured with the IP address of eth0."

the alpha is definitely on the loc interface with the ip 10.223.8.10 BUT it
does *not* have a default gateway of this machine. it has a default gateway
to another router connected to a private wan.

as a side note, the eth0 interface has ip 10.223.8.7.

this machine does not act as a gateway to the network.  it is an email
server BUT it is the only device that has an internet accessible IP
address (as the private network filters email), all others go through a
private wan to connect which is controlled by people outside of my
department so i must route incoming connections through this device
including the alpha in question BUT it is not the internet gateway.

would that really matter though?  it doesn't look like the shorewall server
is ever even trying to connect to the private network.





On Wed, Mar 12, 2008 at 9:21 AM, Tom Eastep <[EMAIL PROTECTED]> wrote:

> dan wrote:
> > more info.
> > when i start shorewall, i see this:
> >
> >     Determining Hosts in Zones...
> >        loc Zone: eth0:0.0.0.0/0 <http://0.0.0.0/0>
> >        net Zone: eth1:0.0.0.0/0 <http://0.0.0.0/0>
>
> Would you please post in plain text? HTML is for web pages; email should be
> plain text. Your mailer has a particularly annoying habit of trying to make
> HTML links out of everything that it thinks is an IP address; extremely
> annoying. I edited them out of my last response but I'm leaving them in here
> so you too can enjoy them.
>
> >
> > is that an issue?  my loc is a private network 10.223.8.0
> > <http://10.223.8.0>.  shouldn't the loc Zone: have eth0:10.223.8.0/23
> > <http://10.223.8.0/23>?  the net Zone: should have 0.0.0.0/0
> > <http://0.0.0.0/0> right?
>
> This is Shorewall FAQ 9.
> >
> > what also stands out is that in the messages list where it says MAC=  i get
> >
> > MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00
> > and as i understand it, first 6 or 'first destination' and the second 6
> > octets are the 'NATed destination'  problem is that the second 6 octets
> > are to an ip address on my "net" interface. so says arp. ?!? my rule
> > clearly says from=net to=loc:10.223.8.10 <http://10.223.8.10>, why would
> > this try to go out the net interface?
>
> What you are seeing is the Ethernet header from the INCOMING request. See
> Shorewall FAQ 6d.
>
> > unless my interfaces are not
> > setup right.. i have tried putting the broadcast address in for the
> > network interfaces from ifconfig, i have tried putting 'detect' in,
> > still the same result.  no OUT= and a destination in MAC= that is on the
> > wrong interface.
> >
>
> As I explained in my last message, that is an INCOMING request whose
> destination IP address is that of the firewall. If you think it should have
> been forwarded to an internal system then your DNAT rule isn't matching what
> is actually coming in; or, as I mentioned in my earlier post, the server
> address 10.223.8.10 is wrong.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ [EMAIL PROTECTED]
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
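
The MAC= field discussed in the quoted reply, decoded as an added example (not part of either poster's message and not Shorewall code): the 14 octets are the received frame's Ethernet header, that is destination MAC, source MAC, then EtherType, and an empty OUT= means the packet was handled as input to the firewall rather than forwarded. The log line is constructed around the MAC value quoted in the thread; the log prefix, IP addresses and ports are assumptions.

```python
import re

# Constructed sample in netfilter LOG format; only the MAC= value comes from the thread.
SAMPLE = ("Mar 12 09:15:02 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= "
          "MAC=00:e0:81:75:54:8f:00:0b:46:e0:b6:31:08:00 SRC=203.0.113.5 "
          "DST=198.51.100.7 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=80")

ETHERTYPES = {"0800": "IPv4", "0806": "ARP", "86dd": "IPv6"}


def parse_fields(line):
    """Return the KEY=value pairs of a LOG line; empty values (OUT=) are kept."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", line))


def decode_mac(mac_field):
    """Split MAC= into the Ethernet header of the frame as it was received."""
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets, got %d" % len(octets))
    etype = "".join(octets[12:])
    return {"dst_mac": ":".join(octets[:6]),     # NIC that received the frame
            "src_mac": ":".join(octets[6:12]),   # previous hop on that segment
            "ethertype": ETHERTYPES.get(etype, "0x" + etype)}


def packet_path(fields):
    """Classify by which of IN= / OUT= carry an interface name."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"   # routed through the firewall
    if has_in:
        return "INPUT"     # addressed to the firewall itself
    if has_out:
        return "OUTPUT"    # generated by the firewall
    return "unknown"


def summarize(line):
    fields = parse_fields(line)
    info = {"path": packet_path(fields), "dst_ip": fields.get("DST")}
    if fields.get("MAC"):  # MAC= is empty for locally generated packets
        info.update(decode_mac(fields["MAC"]))
    return info


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:10} {value}")
```
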