[Shorewall-newbies] Migrating a firewall from old hardware to new

Tom Eastep teastep at shorewall.net
Sat Mar 6 14:01:42 PST 2004


On Sat, 6 Mar 2004, Chris Evans wrote:

> Probably the first mistake I made was to move to Shorewall 1.4.8 from
> the Debian backports (the post in the shorewall list archives, and
> perhaps the FAQ, has only a partial solution with a single line
> addition to /etc/apt/sources.list:
> 	deb http://security.dsi.unimi.it/~lorenzo/debian ./
> That fails against Debian 3.0r2 (a.k.a. "stable" = Woody) as the
> version of iptables isn't high enough. You need:
>
> So what works for me in the UK is:
> 	# for shorewall:
> 	deb http://www.uk.backports.org/debian stable shorewall
> 	# for iptables:
> 	deb http://www.uk.backports.org/debian stable shorewall iptables
>
> So my first question (yes, I have been through the sequence of
> changes in the FAQ) is:
>
> what is likely to have been changed in my config files?

Did you look at the Upgrade Issues page
(http://shorewall.net/upgrade_issues.htm)? That would be the best source
of information about what the pitfalls of this upgrade would be.

> And my other question is more basic:
> I _think_ I did a pretty accurate transfer following those
> instructions and basically the loc network was crawling accessing the
> dmz and the dmz wasn't getting returns from the net. Am I right in
> thinking that's probably about proxyarp and arp cache issues and if
> so, are the arp maps in the router and likely to clear if I power it
> down for a minute or two, or are they at BT somewhere?

If the BT device is truly a router then cycling the power on it should
cause it to refresh its arp cache.

The crawling access to the dmz from the local network would have nothing
to do with arp caches.

>
> And my final question is:
> Am I better ditching proxyarp and going for SNAT/DNAT combination for
> both loc and the dmz?

No. Crawling access between two local networks is usually a driver or
hardware issue (although mis-matched MTUs can also contribute).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
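The reply above points at two things to check on the firewall box before touching the proxy ARP setup: a stale ARP cache on the neighbouring router, and mismatched MTUs (or a bad NIC/driver) between the interfaces carrying the loc and dmz traffic. The script below is an added example, not part of the original thread or of Shorewall itself. It parses the output of `ip -o link show` to spot interfaces whose MTU differs from the rest, and wraps the live commands a practitioner would run next (flush the local ARP cache, probe the path MTU with do-not-fragment pings). The interface names and the `ip -o link` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic helper (example only): find MTU mismatches between
# firewall interfaces and offer the live ARP / path-MTU checks that the
# mailing-list reply suggests. Everything here is an assumption about a
# typical three-interface (net/loc/dmz) Linux firewall, not the poster's box.

# Constructed sample of `ip -o link show` output. eth2 (imagine the dmz
# side) carries a smaller MTU than the other two interfaces.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UP'

# Constructed sample where every non-loopback interface agrees.
SAMPLE_LINKS_OK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP'

# parse_mtus TEXT: print "iface mtu" for each non-loopback interface found
# in `ip -o link show`-style text (one interface per line).
parse_mtus() {
    printf '%s\n' "$1" | awk '
        $2 != "lo:" {
            sub(":", "", $2)
            for (i = 1; i <= NF; i++)
                if ($i == "mtu") print $2, $(i + 1)
        }'
}

# check_mtu_mismatch TEXT: exit 0 when all interfaces share one MTU,
# otherwise print each odd one out and exit 1. The first interface seen
# is taken as the reference.
check_mtu_mismatch() {
    parse_mtus "$1" | awk '
        NR == 1 { ref = $2 }
        $2 != ref { bad = 1; print "MTU mismatch:", $1, $2, "(expected " ref ")" }
        END { exit bad ? 1 : 0 }'
}

# Live helpers (need root and a real interface; not run against the samples).

# flush_arp IFACE: drop the firewall's own neighbour cache for IFACE, the
# local equivalent of power-cycling the router to clear its ARP table.
flush_arp() {
    ip neigh flush dev "$1"
}

# probe_path_mtu HOST MTU: send do-not-fragment pings sized to exactly fill
# MTU bytes (28 = 20-byte IP header + 8-byte ICMP header). Replies mean the
# path carries that MTU; "message too long" points at a smaller link in the way.
probe_path_mtu() {
    ping -c 3 -M do -s "$(( $2 - 28 ))" "$1"
}

# nic_errors IFACE: driver/hardware counters worth reading when a LAN link
# crawls for no routing reason (requires ethtool).
nic_errors() {
    ethtool -S "$1" | grep -Ei 'err|drop|collision'
}

# Stand-alone demo on the constructed sample; reports eth2 as the odd one out.
check_mtu_mismatch "$SAMPLE_LINKS" || :
```

On a live box replace the sample with `check_mtu_mismatch "$(ip -o link show)"`; a mismatch between the interface facing the loc network and the one facing the dmz is the cheapest explanation for slow cross-segment transfers, and it has nothing to do with proxy ARP versus SNAT/DNAT.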

