[Shorewall-newbies] Warm thanks - and a few "gotcha"s to avoid

nkjbox at internetgruppen.dk nkjbox at internetgruppen.dk
Thu Jan 8 08:39:16 PST 2004


Thanks a lot for your work, Tom!

I replaced an existing raptor firewall box with a shorewall box. It now
runs a heavily loaded 2 Mbit/s line on a simple Pentium/133 with 80 MB RAM
with no noticeable delay on up/downloads. DHCP server runs on loc zone.
ssh-administration set up to accept only a few fixed IPs. Neat :-)

This move will save the Danish scout association quite a lot of money in
years to come.

A lesson learned:

Somehow it initially only worked with one of the servers, which had an
external secondary DNS.

(The setup has an internal DNS server)

The problem was solved after a while:

Before:
ISP-router -> switch-A -> old fw1 -> dmz-switch

(wires moved)

After:
ISP-router -> switch-A -> shorewall -> dmz-switch


I needed to reset switch-A before DNS queries could get in! Probably a
long MAC-table timeout in switch-A.

The problem was found by changing DNAT to DNAT:info on the incoming domain
traffic rule - and I simply saw NO domain traffic in /var/log/messages.
This pointed to a non-shorewall problem.


Next lesson learned:


On the loc zone: AVOID 192.168.0.x/24

Why?

Windows Internet connection sharing ALWAYS uses that subnet for the shared
connection (if you share eth0 on eth1, eth1 will always have a dhcp-server
and declare some 192.168.0.x address as the gateway)

If you set up loc as 192.168.0.x/24 and a PC shares its connection e.g. via
the wireless card it just won't work.

In short: AVOID 192.168.0.x/24 for any use.

Best regards and once again warm thanks,

Niels Kristian Jensen

--
http://spejder.dk/ - http://seniorsite.dk - http://dds.dk
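
One way to check the two gotchas from this post mechanically, as an added example that is neither the poster's nor Shorewall's own code: a small Python script that parses syslog lines carrying Shorewall's default "Shorewall:<chain>:<disposition>:" log prefix (the chain names, interfaces and addresses in the sample are constructed, and the exact field set per line is assumed) to answer "did any DNS traffic reach the DNAT:info rule at all?", plus a check that a chosen loc subnet stays clear of 192.168.0.0/24.

```python
import re
import ipaddress

# Constructed sample syslog lines in the shape of Shorewall's log prefix
# "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE fields.
# Chain names, interfaces and addresses are made up for the example.
SAMPLE_LOG = """\
Jan  8 08:12:01 fw kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=UDP SPT=53201 DPT=53 LEN=40
Jan  8 08:12:03 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=4431 DPT=445
Jan  8 08:12:05 fw kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=80 LEN=60
Jan  8 08:12:06 fw dhcpd: DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 via eth1
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")


def parse_shorewall_line(line):
    """Return chain, disposition and the netfilter fields of one log line, or None if it is not a Shorewall entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)  # "OUT=" yields an empty value, which is fine
            entry[key] = value
    return entry


def count_logged(log_text, disposition, proto=None, dport=None, in_if=None):
    """Count entries with the given disposition, optionally filtered by PROTO, DPT and incoming interface."""
    n = 0
    for line in log_text.splitlines():
        e = parse_shorewall_line(line)
        if e is None or e["disposition"] != disposition:
            continue
        if proto and e.get("PROTO") != proto:
            continue
        if dport and e.get("DPT") != str(dport):
            continue
        if in_if and e.get("IN") != in_if:
            continue
        n += 1
    return n


def dns_reaching_firewall(log_text, in_if="eth0"):
    """True if any DNS query (UDP or TCP port 53) hit the DNAT rule on the external interface.
    False means the queries never arrived at the firewall, which points upstream
    (switch MAC table, ISP router) rather than at the Shorewall rules themselves."""
    udp = count_logged(log_text, "DNAT", "UDP", 53, in_if)
    tcp = count_logged(log_text, "DNAT", "TCP", 53, in_if)
    return udp + tcp > 0


ICS_SUBNET = ipaddress.ip_network("192.168.0.0/24")


def clashes_with_ics(loc_subnet):
    """True if the chosen loc subnet overlaps the range Windows Internet Connection Sharing hands out."""
    return ipaddress.ip_network(loc_subnet, strict=False).overlaps(ICS_SUBNET)
```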
