[Shorewall-newbies] Trying to get shorewall to work inbound. Perhaps arp/routing issues.

Zot O'Connor zot at zotconsulting.com
Fri Feb 13 16:14:16 PST 2004


On Wed, 2004-02-11 at 18:10, Zot O'Connor wrote:
> On Wed, 2004-02-11 at 17:21, Tom Eastep wrote:
> > On Wed, 11 Feb 2004, Zot O'Connor wrote:
> > 
> > > On Wed, 2004-02-11 at 16:55, Tom Eastep wrote:
> > >
> 
> > 
> > WHY?????
> > 
> > Once the addresses and the routes are there, all that's left is the rules
> > and policies!!!!
> > 
> 
> Well it seem like a good idea at the time.

Actually it turns out I need this, partially.

In my diagram of my original note I had 

So the current router looks like this:

DSL_ISP
  |
  |
__|_____________________________________________
REAL_OUT_IP                    MASQ/NAT to REAL_OUT_IP
________________________________________________
REAL_INSIDE_IP                 FAKE_INSIDE_IP
____________________________________________________________
  |                                   |
  |                                   |
LAN Machines (REAL_IPs)   LAN Machines (FAKE_IP)



In order for FAKE_IP machines to go to REAL_IP machines they bounce off
the router (FAKE_INSIDE_IP is the FAKE_IP Gateway).  So I had to be able
to define the loc as the hardcoded real_IPs, and the natted subnet
(FAKE_IP).

So now my files look like:

hosts:
loc		eth1:REAL_IP_BASE3/32
loc		eth1:REAL_IP_BASE4/32
loc		eth1:REAL_IP_BASE5/32
loc		eth1:REAL_IP_BASE6/32
loc		eth1:REAL_IP_BASE7/32
loc		eth1:REAL_IP_BASE8/32
loc		eth1:REAL_IP_BASE9/32
loc		eth1:REAL_IP_BASE10/32
loc		eth1:REAL_IP_BASE11/32
loc		eth1:REAL_IP_BASE12/32
loc		eth1:FAKE_IP_BASE.0/24

interfaces
net     eth0            REAL_IP_BASE.255          routefilter
-       eth1            REAL_IP_BASE.255,FAKE_IP_BASE.255

I have in policy
loc		loc		ACCEPT

But isn't loc to loc the default now?  I do not remember if worked
without it in place.

If there is a simpler way of doing this please let me know! This way is
not too "unsimple" for me. 

I guess I would also rather a syntax like

loc	eth1:192.168.0.1, 192.168.0.2, 192.168.0.3

to make life a little easier.


In general would real prefer a loc that is all the REAL_IPs and a fake
that is just the fake ones.

Can I do that by changing the last "loc" to "fake" and adding it to
zones?

Then I would have

loc	fake	ACCEPT
fake	loc	ACCEPT

or not as needed.

Since fake and loc are on the same physical LAN, firewalling on the
router is silly, but I like to use it to test things from time to time.





-- 
Zot O'Connor <zot at zotconsulting.com>
White Knight Hackers, Inc.



More information about the Shorewall-newbies mailing list