I can see the light at the end of the tunnel, but I'm not quite there yet.

A reminder of my current network:

Internet providers --- gw1 --- fw2 --- lan, dmz, caib, ibs

I replaced the old fw1 with the new fw2 this morning, and everything seemed to 
work until I found that some lan hosts could not access hosts in the caib and 
ibs zones. They could, however, access hosts in the wan zone, as well as fw2.

The strange thing is that two hosts with apparently the same access rules do 
not behave the same way. One can ping, the other can't.

Let's just take one example:

- ping dest IP address in "ibs" zone from "lan" host with IP 
address is OK 
- ping dest IP address in "ibs" zone from "lan" host with IP 
address FAILS 

Same thing happens with dest IP address in "caib" zone.

Please note that host at can ping fw2 and in "wan" zone 
just fine.

These are the "rules" that should match:
ACCEPT    lan:    caib:    all
ACCEPT    lan:    ibs:    all

While performing the first test, I see this on fw2:

# tcpdump -nni enp10s0 host
07:41:23.433865 ARP, Request who-has tell, length 
07:41:28.933987 ARP, Request who-has tell, length 
07:41:34.434102 ARP, Request who-has tell, length 
07:41:39.934164 ARP, Request who-has tell, length 

My current "interfaces" file on fw2 is as follows:

lan     $IF_LAN         routeback,arp_filter=1
wan     $IF_WAN         routeback,arp_filter=1
caib    $IF_CAIB        arp_filter=1
ibs     $IF_IBS         arp_filter=1
dmz     $IF_DMZ         routeback,dhcp
-       lo              -

I unsuccessfully tried adding proxyarp=1 to IF_IBS, but not IF_LAN.

Here's the link to the shorewall dump while doing this test (I added logging to 
the lan-ibs and lan-caib policies):


(More) help appreciated.


Shorewall-users mailing list
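The tcpdump excerpt in the post shows the same ARP request repeating every few seconds with no reply ever appearing, which is the symptom worth confirming mechanically before touching the Shorewall configuration. The following Python script is an added example, not code from the post, from Shorewall, or from the list; it pairs ARP requests with replies in `tcpdump -nn` output, reports the requests that were never answered, and notes whether each requested address lies inside the prefix of the interface the capture was taken on. The sample capture lines and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed for the example (RFC 5737 documentation ranges); the real addresses are not present in the post.

```python
import ipaddress
import re

# Constructed sample in `tcpdump -nn` ARP output format. The addresses are
# RFC 5737 documentation ranges chosen for this example, not the post's own.
# 192.0.2.20 asks three times for an address that is not on its link and never
# gets a reply; 192.0.2.21 asks for the on-link gateway and is answered.
SAMPLE_CAPTURE = """\
07:41:23.433865 ARP, Request who-has 198.51.100.10 tell 192.0.2.20, length 46
07:41:28.933987 ARP, Request who-has 198.51.100.10 tell 192.0.2.20, length 46
07:41:30.100000 ARP, Request who-has 192.0.2.1 tell 192.0.2.21, length 46
07:41:30.100300 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:55, length 28
07:41:34.434102 ARP, Request who-has 198.51.100.10 tell 192.0.2.20, length 46
"""

REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at (\S+),")


def parse_arp(text):
    """Return ({(target, sender): count}, {answered targets}) from tcpdump lines."""
    requests = {}
    answered = set()
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            requests[key] = requests.get(key, 0) + 1
            continue
        m = REPLY_RE.search(line)
        if m:
            answered.add(m.group(1))
    return requests, answered


def unanswered_requests(text, iface_prefix):
    """List ARP requests that got no reply anywhere in the capture.

    iface_prefix is the subnet of the interface the capture was taken on.
    target_on_link tells you whether the requester is asking for an address
    that actually belongs to that link; a request for an off-link address is
    one the Linux kernel only answers when proxy ARP is enabled on the
    receiving interface (general kernel behaviour, not something from the post).
    """
    net = ipaddress.ip_network(iface_prefix, strict=False)
    requests, answered = parse_arp(text)
    report = []
    for (target, sender), count in sorted(requests.items()):
        if target in answered:
            continue
        report.append({
            "target": target,
            "sender": sender,
            "count": count,
            "target_on_link": ipaddress.ip_address(target) in net,
        })
    return report


if __name__ == "__main__":
    # Assumed usage: pipe `tcpdump -nni <lan-if> arp` output into stdin, or run
    # on the constructed sample as here.
    for entry in unanswered_requests(SAMPLE_CAPTURE, "192.0.2.0/24"):
        print("{sender} asked {count}x for {target} (on link: {target_on_link}), "
              "no reply seen".format(**entry))
```

Run it against the output of `tcpdump -nni <lan interface> arp` on fw2 together with the lan interface's prefix. If the unanswered target is reported as off-link, the requester is treating an address from another zone as directly reachable, and with `proxyarp` only on IF_IBS (as tried in the post) fw2 would not answer a request that arrives on IF_LAN. Bear in mind that `arp_filter=1` adds a further condition from the kernel's ip-sysctl documentation: an ARP request is answered on an interface only if the kernel would route a packet from the requested address out that same interface.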