Andrew, are you addressing the issue at hand or are you venting off at
some imaginary idiot? You're making some wild assumptions and some
offensive accusations too.

You don't talk to me like that!


On Tue, 2008-03-25 at 20:30 +0000, Andrew Suffield wrote:
> On Tue, Mar 25, 2008 at 07:36:36PM +0000, Werner van Staden wrote:
> > packets from 192.168.192.252, right? they have no meaningful gateway -
> > just like my thinking in this case!
> 
> The concept of a "gateway" is one that only occurs in the trivial,
> endpoint-only configuration of a host (like a typical desktop or
> server). It implies that traffic is either sent to locally-connected
> hosts (straight cable or via a switch) or outwards towards a real
> internet router, and that's just not the case here. A "gateway" is
> just a node to which all non-local traffic is sent, which will
> presumably know what to do with it all, because the host in question
> doesn't. The primary purpose of the concept is so that real network
> admins can tell their users what to fill in without having to explain.
> 
> The 'gateway' line in ifupdown's interfaces file just installs a
> default route for you. A host can have only one default route at any
> given time, so for normal purposes, you can have at most one gateway
> line in that file. On non-trivial routers, you usually don't have one
> at all.
> 
> > > When I looked it over, I thought "either I'm reading this wrong, or
> > > it's complete nonsense".
> > 
> > My setup is a Shorewall configuration in a routed Xen Dom0 with 3
> > physical interfaces: 
> > 
> > eth0, 192.168.2.169, loc zone
> > eth1, disabled Prism card ("one step at a time" goes the saying)
> > eth2, 192.168.1.27, net zone (connects to ADSL modem)
> > 
> > Then several DomU's (virtual machines) with virtual interfaces ranging
> > from eth3 through eth8. Each of these is seen by the Xen host (DomU) as
> > associated with eth0 (192.168.2.169). Shorewall starts and all
> > networking is as expected, except for:
> > 
> > eth7, 192.168.192.252, dmz zone 
> > This is my error. I assigned this DomU virtual interface an address in a
> > different subnet in the mistaken assumption that the DMZ cannot possibly
> > be in the same subnet as the local zone... consequently I was stumped
> > when I had to specify a gateway in that DomU's /etc/network/interfaces
> > file.
> 
> You are consistently confusing firewalling issues with routing
> issues. There are two completely independent questions here:
> 
> 1) For each packet outbound from a host, where should it send that
>    packet? This is the routing decision.
> 
> 2) For each packet passing through a host, should it let this
>    packet pass at all? This is filtering, the primary task of a
>    firewall.
> 
> You're not going to make any progress here until you understand how
> routing works (in the process, you'll find out what a subnet actually
> is). It's not really related to shorewall.
> 
> > May I just reassure readers that I have several years experience of
> > Shorewall in the context of the Bering firewall and that I have
> > configured working 3-interface firewalls in the past.
> 
> And I'm betting that none of them have been anything more than a bunch
> of locally-connected hosts plus an internet uplink, so you've only
> been concerned with part (2) above (because the OS defaults just
> happened to be right).
> 
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users


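Added example, not code from either poster and not Shorewall or ifupdown code. It models the two separate decisions Andrew describes: the routing decision (longest-prefix match, with the 'gateway' line of interfaces(5) installing the single default route) and the filtering decision (a zone-to-zone policy in the style of a Shorewall policy file), and shows why a DomU at 192.168.192.252/24 with no route to 192.168.2.0/24 cannot reach Dom0's eth0, and why a gateway outside the interface's own subnet is rejected. The addresses 192.168.2.169, 192.168.1.27 and 192.168.192.252 come from the thread; the ADSL modem address 192.168.1.1, the device-to-zone mapping (eth7 as dmz), the policy table and the DomU's interface name are assumptions made for the illustration. It goes slightly beyond the thread by running the two decisions back to back on one forwarded packet.

```python
"""Routing vs. filtering as two independent decisions (illustrative only).

Assumed for illustration: ADSL modem at 192.168.1.1, eth7 carries the dmz
zone, the zone policy below. Addresses otherwise follow the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: destination is on-link


def routes_from_interfaces(stanzas):
    """What ifupdown effectively does with interfaces(5) stanzas: each
    address/netmask gives a connected (on-link) route, and a 'gateway' line
    gives the one default route. A second gateway, or a gateway that is not
    on-link for that interface, is an error."""
    routes, default_dev = [], None
    for s in stanzas:
        net = ipaddress.IPv4Interface(f"{s['address']}/{s['netmask']}").network
        routes.append(Route(net, s["iface"]))
        if "gateway" in s:
            gw = ipaddress.IPv4Address(s["gateway"])
            if default_dev is not None:
                raise ValueError(f"second gateway on {s['iface']}; default already via {default_dev}")
            if gw not in net:
                raise ValueError(f"gateway {gw} is not on-link for {s['iface']} ({net})")
            routes.append(Route(DEFAULT, s["iface"], gw))
            default_dev = s["iface"]
    return routes


def config_error(stanzas):
    """Return the error message for a bad interfaces config, or None."""
    try:
        routes_from_interfaces(stanzas)
    except ValueError as exc:
        return str(exc)
    return None


def route_lookup(routes, dst):
    """Decision 1: where does the packet go? Longest-prefix match; the
    default route (/0) wins only when nothing more specific matches.
    Returns (egress device, next hop) or None for 'network unreachable'."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        return None
    return best.dev, (best.via if best.via is not None else dst)


def filter_forward(zone_of_dev, policy, in_dev, out_dev):
    """Decision 2: may the packet pass? Zone-to-zone policy, unrelated to
    how the egress device was chosen. Unlisted pairs are dropped."""
    return policy.get((zone_of_dev[in_dev], zone_of_dev[out_dev]), "DROP")


# Constructed Dom0 configuration: loc on eth0, net on eth2 towards the modem.
DOM0_STANZAS = [
    {"iface": "eth0", "address": "192.168.2.169", "netmask": "255.255.255.0"},
    {"iface": "eth2", "address": "192.168.1.27", "netmask": "255.255.255.0",
     "gateway": "192.168.1.1"},  # assumed ADSL modem address
]
DOM0_ROUTES = routes_from_interfaces(DOM0_STANZAS)

# The DMZ DomU as described in the thread: its own /24, no gateway line.
DMZ_DOMU_ROUTES = routes_from_interfaces([
    {"iface": "eth0", "address": "192.168.192.252", "netmask": "255.255.255.0"},
])

ZONE_OF_DEV = {"eth0": "loc", "eth2": "net", "eth7": "dmz"}       # assumed
POLICY = {("loc", "net"): "ACCEPT", ("loc", "dmz"): "ACCEPT",    # assumed
          ("dmz", "net"): "ACCEPT"}


def with_dmz_route(routes):
    """Dom0 routing table plus a connected route for the DMZ /24 on eth7."""
    return routes + [Route(ipaddress.IPv4Network("192.168.192.0/24"), "eth7")]


def dom0_forward(in_dev, dst, routes=DOM0_ROUTES):
    """Route first, then filter: (egress dev, next hop, verdict) or None."""
    hit = route_lookup(routes, dst)
    if hit is None:
        return None
    out_dev, next_hop = hit
    return out_dev, str(next_hop), filter_forward(ZONE_OF_DEV, POLICY, in_dev, out_dev)


if __name__ == "__main__":
    print(route_lookup(DMZ_DOMU_ROUTES, "192.168.2.169"))   # DomU has no route to Dom0's loc address
    print(dom0_forward("eth0", "192.168.192.252"))          # Dom0 sends it out eth2 via the default route
    print(dom0_forward("eth0", "192.168.192.252", with_dmz_route(DOM0_ROUTES)))
    print(config_error([{"iface": "eth0", "address": "192.168.192.252",
                         "netmask": "255.255.255.0", "gateway": "192.168.2.169"}]))
```

Two things the run makes visible: without a route covering 192.168.2.0/24 the DomU gets no route at all, and the Dom0 side, lacking a route for 192.168.192.0/24, matches only the default route and would push the packet towards the modem. Adding the connected route changes the routing answer; the zone policy is untouched, which is the independence Andrew is pointing at.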
