On Tue, Mar 25, 2008 at 07:36:36PM +0000, Werner van Staden wrote:
> packets from 192.168.192.252, right? they have no meaningful gateway -
> just like my thinking in this case!

The concept of a "gateway" is one that only occurs in the trivial,
endpoint-only configuration of a host (like a typical desktop or
server). It implies that traffic is either sent to locally-connected
hosts (straight cable or via a switch) or outwards towards a real
internet router, and that's just not the case here. A "gateway" is
just a node to which all non-local traffic is sent, which will
presumably know what to do with it all, because the host in question
doesn't. The primary purpose of the concept is so that real network
admins can tell their users what to fill in without having to explain.

The 'gateway' line in ifupdown's interfaces file just installs a
default route for you. A host can have only one default route at any
given time, so for normal purposes, you can have at most one gateway
line in that file. On non-trivial routers, you usually don't have one
at all.

> > When I looked it over, I thought "either I'm reading this wrong, or
> > it's complete nonsense".
> 
> My setup is a Shorewall configuration in a routed Xen Dom0 with 3
> physical interfaces: 
> 
> eth0, 192.168.2.169, loc zone
> eth1, disabled Prism card ("one step at a time" goes the saying)
> eth2, 192.168.1.27, net zone (connects to ADSL modem)
> 
> Then several DomU's (virtual machines) with virtual interfaces ranging
> from eth3 through eth8. Each of these is seen by the Xen host (DomU) as
> associated with eth0 (192.168.2.169). Shorewall starts and all
> networking is as expected, except for:
> 
> eth7, 192.168.192.252, dmz zone 
> This is my error. I assigned this DomU virtual interface an address in a
> different subnet in the mistaken assumption that the DMZ cannot possibly
> be in the same subnet as the local zone... consequently I was stumped
> when I had to specify a gateway in that DomU's /etc/network/interfaces
> file.

You are consistently confusing firewalling issues with routing
issues. There are two completely independent questions here:

1) For each packet outbound from a host, where should it send that
   packet? This is the routing decision.

2) For each packet passing through a host, should it let this
   packet pass at all? This is filtering, the primary task of a
   firewall.

You're not going to make any progress here until you understand how
routing works (in the process, you'll find out what a subnet actually
is). It's not really related to shorewall.

> May I just reassure readers that I have several years experience of
> Shorewall in the context of the Bering firewall and that I have
> configured working 3-interface firewalls in the past.

And I'm betting that none of them have been anything more than a bunch
of locally-connected hosts plus an internet uplink, so you've only
been concerned with part (2) above (because the OS defaults just
happened to be right).
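The two independent questions above (where does the packet go, and may it pass), worked through for the addresses quoted in this thread. This is an added example and not code from the thread or from Shorewall: it models a Linux host's IPv4 route lookup (connected routes, longest prefix match, one default route, a gateway that must be on-link) next to a toy zone policy. The ADSL modem address 192.168.1.1, the host addresses 192.168.2.200 and 192.168.2.10, and the absence in Dom0 of any route to 192.168.192.0/24 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: directly connected


class RoutingTable:
    """Just enough of `ip route` to show what the gateway line needs."""

    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add_interface(self, dev: str, cidr: str) -> None:
        # address/netmask in interfaces(5): the kernel adds the connected route.
        iface = ipaddress.ip_interface(cidr)
        self.routes.append(Route(iface.network, dev))

    def lookup(self, dst: str) -> Optional[Route]:
        # Longest prefix match; None is "Network is unreachable".
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def add_route(self, prefix: str, via: str) -> None:
        # `ip route add PREFIX via GW`: GW itself must be reachable without a gateway.
        gw = ipaddress.ip_address(via)
        r = self.lookup(via)
        if r is None or r.via is not None:
            raise ValueError(f"Nexthop has invalid gateway: {gw}")
        self.routes.append(Route(ipaddress.ip_network(prefix), r.dev, gw))

    def set_gateway(self, via: str) -> None:
        # The `gateway` line in interfaces(5) is nothing but a default route.
        if any(r.prefix.prefixlen == 0 for r in self.routes):
            raise ValueError("only one default route at a time")
        self.add_route("0.0.0.0/0", via)

    def next_hop(self, dst: str) -> Optional[tuple[str, str]]:
        # Question 1: which interface, and which address do we ARP for?
        r = self.lookup(dst)
        if r is None:
            return None
        return (r.dev, str(r.via) if r.via else dst)


def filter_verdict(policy: dict, src_zone, dst_zone) -> str:
    # Question 2: may it pass? A stand-in for a zone policy, not Shorewall syntax.
    return policy.get((src_zone, dst_zone), "REJECT")


def domu_demo() -> dict:
    # The DomU from the thread: 192.168.192.252/24 told to use a gateway in 192.168.2.0/24.
    out: dict = {}
    wrong = RoutingTable()
    wrong.add_interface("eth0", "192.168.192.252/24")
    try:
        wrong.set_gateway("192.168.2.169")  # Dom0's loc address is not on-link here
        out["wrong_gateway"] = "installed"
    except ValueError as e:
        out["wrong_gateway"] = str(e)
    out["wrong_to_loc"] = wrong.next_hop("192.168.2.10")  # no route matches at all

    right = RoutingTable()  # assumed fix: an address inside the loc subnet
    right.add_interface("eth0", "192.168.2.200/24")
    right.set_gateway("192.168.2.169")
    out["right_to_loc"] = right.next_hop("192.168.2.10")  # connected: gateway unused
    out["right_to_net"] = right.next_hop("8.8.8.8")  # default route via Dom0
    return out


def dom0_demo() -> dict:
    # Dom0 as quoted (eth0 loc, eth2 net), default via the assumed modem address,
    # and no route to 192.168.192.0/24 (assumption).
    rt = RoutingTable()
    rt.add_interface("eth0", "192.168.2.169/24")
    rt.add_interface("eth2", "192.168.1.27/24")
    rt.set_gateway("192.168.1.1")
    zones = {"eth0": "loc", "eth2": "net"}
    policy = {("loc", "net"): "ACCEPT", ("loc", "loc"): "ACCEPT", ("net", "loc"): "DROP"}

    def forward(src: str, dst: str):
        # Ingress zone taken from the interface the source is reachable on (simplification).
        in_route, hop = rt.lookup(src), rt.next_hop(dst)
        src_zone = zones[in_route.dev] if in_route else None
        dst_zone = zones[hop[0]] if hop else None
        return hop, filter_verdict(policy, src_zone, dst_zone)

    return {
        "net_to_loc": forward("192.168.1.5", "192.168.2.10"),  # routable, filtered
        "loc_to_net": forward("192.168.2.10", "8.8.8.8"),  # routable, accepted
        "loc_to_dmz": forward("192.168.2.10", "192.168.192.252"),  # accepted, sent to modem
    }
```

The last case is the one worth staring at: the filter happily accepts loc-to-dmz traffic, but with no route for 192.168.192.0/24 the routing decision hands it to the default gateway on eth2, so it leaves towards the ADSL modem instead of the DomU. No Shorewall rule changes that answer.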

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users