[Shorewall-newbies] Migrating a firewall from old hardware to new
chris1 at psyctc.org
Sun Mar 7 00:49:39 PST 2004
On 6 Mar 2004 at 16:01, Tom Eastep wrote:
> If the device itself has an IP address which is also the default
> gateway for your systems then it is probably a router. Otherwise, it
> is probably some sort of bridge.
Thanks Tom. In that case it's a probable router. Might be worth
adding that pointer to your proxyarp documentation as it's so clear
and helps one speed up debugging and correcting an upgrade.
> Both the proxy arp and NAT documentation give instructions for
> determining if the upstream ARP cache is the problem.
Sorry, that's true, and I followed those and they seemed to me to
show that there was a problem, i.e. the arp addresses were different,
but I couldn't square that with the problems I was seeing also
affecting the loc -> dmz traffic (sounds as if I was right to think
that couldn't be arp map problems: I'd just lost confidence at that
point and didn't do the necessary to start separating the two
problems, perhaps including a power cycle on the router!)
While we're on proxyarp: the Debian version of arping doesn't seem to
allow gratuitous requests, or if it does, it uses a different syntax from
yours, and it's not obvious from any documentation that I could see.
> Does the slow access only occur on new connection establishment? If
> so, it is probably a DNS problem. Is your kernel belching Shorewall
> messages when you see this problem?
Hm, I'm pretty sure the answers were yes and no to that, which was
part of what was baffling me, and I still haven't understood this at
> MTU = Maximum Transmission Unit
> If you "ip link ls", you can see the MTU of all of your net devices.
> All of the ethernet devices should have MTU=1500.
Aha: thanks: done, all correct.
> > More generally (repeat _NO_ rush on these questions) would you
> > recommend ditching proxyarp and, if so, how/why? Again, I had the
> > impression from one thing on your site that you were recommending
> > moving away from proxyarp (problems with collisions with
> > FreeSWAN/tunnelling?) but another thing seemed to suggest there were
> > no problems other than the cache issue.
> Unless you absolutely have to use IPSEC for compatibility reasons, I
> would use ANY other method. The 2.4 FreeS/Wan implementation has the
> Proxy ARP problem (among others) and the 2.6 implementation isn't
> currently well supported by Netfilter. Even when the Netfilter code is
> available, it is unlikely that IPSEC under 2.6 will never be as well
> supported by Shorewall as the other tunnel types.
OK. Had a look around about IPSEC and if that's the only issue, I
think I can stick with the simplicity of proxyarp, as something I had
got set up correctly, to handle the dmz. OK I will do some serious
planning with your documents and maybe come back with more stupid
questions or perhaps with some real experience with another retry.
Many, many thanks yet again.
PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
and Therapeutic Communities; practice, research,
teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris at psyctc.org
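One way to apply Tom's MTU check from above mechanically, as an added example that is not part of this thread: parse the one-line-per-device output of `ip -o link show` (the modern spelling of `ip link ls`) and report any ethernet device whose MTU is not 1500. The sample output embedded below is constructed, and the function name `bad_mtu_devices` is my own.

```shell
#!/bin/sh
# Constructed sample in `ip -o link show` format: one device per line,
# segments separated by a literal backslash followed by spaces.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff'

# bad_mtu_devices TEXT [WANT]
# Prints "name mtu" for every ethernet (link/ether) device in TEXT whose
# MTU differs from WANT (default 1500). Loopback, tunnels and other
# non-ethernet link types are ignored, as are VLAN suffixes like "@eth0".
bad_mtu_devices() {
    printf '%s\n' "$1" | awk -v want="${2:-1500}" '
        /link\/ether/ {
            name = $2
            sub(/:$/, "", name)      # "eth0:" -> "eth0"
            sub(/@.*/, "", name)     # "eth0.5@eth0" -> "eth0.5"
            mtu = ""
            for (i = 1; i <= NF; i++)
                if ($i == "mtu") { mtu = $(i + 1); break }
            if (mtu != want) print name, mtu
        }'
}

# On a real firewall, feed it live output instead of the sample:
#   bad_mtu_devices "$(ip -o link show)"
bad_mtu_devices "$SAMPLE_IP_LINK"
```

An empty result means every ethernet device already matches; any line printed names a device worth a second look before chasing DNS or ARP cache problems.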