On 04/02/2016 03:05 PM, Thomas Schneider wrote:
> Hi,
> 
> any client in loc (= 10.0.0.0/24) and dmz (= 10.1.0.0/24) shows this DNS
> configuration:
> root@vm104-mail:~# cat /etc/resolv.conf
> # --- BEGIN PVE ---
> nameserver 78.42.43.41
> nameserver 82.212.62.41
> # --- END PVE ---
> 
> These DNS servers are in net.
> 
> I have defined these rules to permit access to Debian update servers:
> ## Permit Debian Update access
> ACCEPT          dmz             net:130.89.148.12       tcp     http
> ACCEPT          dmz             net:195.20.242.89       tcp     http
> ACCEPT          dmz             net:87.230.23.19        tcp     http
> ACCEPT          dmz             net:198.199.77.106      tcp     http
> ACCEPT          dmz             net:134.109.228.1       tcp     http
> ACCEPT          dmz             net:212.211.132.250     tcp     http
> ACCEPT          dmz             net:129.143.116.113     tcp     http

Beware, if you got those addresses via DNS -- see
http://www.shorewall.org/configuration_file_basics.htm#dnsnames.

> 
> I have defined these rules to permit access to DNS servers:
> ## Permit DNS access
> DNS(ACCEPT)     loc,dmz         net
> DNS(ACCEPT)     $FW             net
> 
> But name resolution fails from loc and dmz; there are no issues on
> firewall host.

Another 'shorewall dump' please, collected after 'shorewall reset' and a
name resolution attempt.

> 
> Why do you recommend to add another SNAT rule for 10.1.0.0/24?
> I cannot find anything similar in the guide
> <http://www.shorewall.net/MultiISP.html> " Shorewall and Multiple
> Internet Connections".

That article focuses on the configuration elements specific to multiple
uplinks. The need for SNAT/Masquerade is covered in the beginner
documentation; for example, http://www.shorewall.org/two-interface.htm#SNAT.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users