On 01/12/2012 07:36 AM, Stephane Bouvard wrote:
> Hi,
>
> Yes, I've read the different FAQs, and I fully understand them...
>
> But I cannot use proxy ARP: my hosts are dedicated servers hosted in the
> cloud with only one VLAN available (my hoster refuses to give more than 1
> VLAN), and thus my two zones net & loc are connected to the same VLAN, and
> proxy ARP needs two separate layer 2 networks. Split DNS is not a solution
> either, because I do not have control of the DNS (I host customers' VPSs on my
> servers, my customers use their own DNS on their VPSs, and I cannot give
> one customer the list of domains used by the other customers).
>
> As I do not want loc->loc traffic to appear to originate on the firewall,
> I'm testing another solution that I would like to explain here, to see if you
> think there could be some problems I've not yet detected...
>
> So, to summarize:
>
> # net (eth0) : 1.1.1.0/24 - gateway (router of my hoster) 1.1.1.254
> # loc (eth1) : 10.1.1.0/24
>
> # interfaces
> net eth0 detect blacklist
> loc eth1 detect routeback
>
> # nat
> 1.1.1.2 eth0 10.1.1.2 no no
> 1.1.1.2 eth1 10.1.1.2 no no
> 1.1.1.3 eth0 10.1.1.3 no no
> 1.1.1.3 eth1 10.1.1.3 no no
>
> To explain: I declare the one-to-one rules twice, once on the net interface,
> as documented, but also once on the loc interface... I do *not* declare
> any masq rule.
>
> It seems to work: when 10.1.1.2 tries to reach 1.1.1.3, 10.1.1.3 receives the
> connection originated from 1.1.1.2, which is what I want...
>
> But is there any reason I should not use this method? I've not found this
> solution documented in the Shorewall FAQ, and thus I ask myself if I've missed
> something...
There is no reason not to use your rules. But these rules do the same thing:
1.1.1.2 eth0 10.1.1.2 yes -
1.1.1.2 eth1 10.1.1.2 yes -
and are documented in FAQ 2a.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
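The point of both layouts in this thread (Stephane's per-interface pairs, and Tom's FAQ 2a form with "yes" in the ALL INTERFACES column) is that every one-to-one mapping must take effect on eth1 as well as eth0, otherwise loc->loc traffic addressed to a public IP is not translated. The following linter is an added example and is not Shorewall's own code; it assumes the column layout of the nat file as documented in shorewall-nat(5) (EXTERNAL, INTERFACE, INTERNAL, ALL INTERFACES, LOCAL) and that "yes" in the fourth column makes the mapping apply on every interface. The sample tables are constructed from the lines in this thread.

```python
"""Check a Shorewall nat table for one-to-one mappings that would only be
translated on some interfaces.  Added example, not Shorewall code.

Assumed column layout (from shorewall-nat(5)):
    EXTERNAL  INTERFACE  INTERNAL  ALL_INTERFACES  LOCAL
"""
from collections import defaultdict

# Constructed sample: the per-interface layout from the original question.
NAT_PER_INTERFACE = """\
# EXTERNAL  INTERFACE  INTERNAL  ALLINTF  LOCAL
1.1.1.2 eth0 10.1.1.2 no no
1.1.1.2 eth1 10.1.1.2 no no
1.1.1.3 eth0 10.1.1.3 no no
1.1.1.3 eth1 10.1.1.3 no no
"""

# Constructed sample: the FAQ 2a form, one line per address with "yes".
NAT_ALL_INTERFACES = """\
1.1.1.2 eth0 10.1.1.2 yes -
1.1.1.3 eth0 10.1.1.3 yes -
"""

# Constructed sample: the mistake the thread is guarding against (net only).
NAT_NET_ONLY = """\
1.1.1.2 eth0 10.1.1.2 no no
"""


def parse_nat(text):
    """Return a list of (external, interface, internal, all_interfaces) tuples.

    Comments (#...) and blank lines are skipped.  Only the first four
    columns matter for this check; the LOCAL column is ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"too few columns: {raw!r}")
        ext, iface, internal = cols[:3]
        all_if = len(cols) > 3 and cols[3].lower() == "yes"
        entries.append((ext, iface, internal, all_if))
    return entries


def coverage(entries, interfaces):
    """Map each external address to the set of interfaces its NAT applies on.

    A "yes" in ALL_INTERFACES expands to every interface in `interfaces`.
    Raises if one external address is mapped to two different internal
    addresses, since that is an outright configuration conflict.
    """
    cov = defaultdict(set)
    internal_of = {}
    for ext, iface, internal, all_if in entries:
        if ext in internal_of and internal_of[ext] != internal:
            raise ValueError(
                f"{ext} mapped to both {internal_of[ext]} and {internal}")
        internal_of[ext] = internal
        cov[ext].update(interfaces if all_if else {iface})
    return dict(cov)


def missing(entries, interfaces):
    """Return {external: [interfaces on which the mapping is absent]}.

    An empty dict means every mapping is translated on every interface,
    which is what the loc->loc-via-public-address setup in the thread needs.
    """
    wanted = set(interfaces)
    cov = coverage(entries, interfaces)
    return {ext: sorted(wanted - ifs)
            for ext, ifs in cov.items() if wanted - ifs}


if __name__ == "__main__":
    ifaces = ["eth0", "eth1"]
    for name, table in [("per-interface", NAT_PER_INTERFACE),
                        ("all-interfaces", NAT_ALL_INTERFACES),
                        ("net-only", NAT_NET_ONLY)]:
        gaps = missing(parse_nat(table), ifaces)
        print(f"{name}: {'ok' if not gaps else gaps}")
```

Run against the two layouts from the thread the checker reports no gaps for either; against a table that lists a mapping on eth0 only it names eth1 as the interface on which 1.1.1.2 will not be translated.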
