[Shorewall-newbies] Migrating a firewall from old hardware to new

Chris Evans chris1 at psyctc.org
Sun Mar 7 00:49:39 PST 2004

On 6 Mar 2004 at 16:01, Tom Eastep wrote:

> If the device itself has an IP address which is also the default
> gateway for your systems then it is probably a router. Otherwise, it
> is probably some sort of bridge.

Thanks Tom. In that case it's a probable router.  Might be worth 
adding that pointer to your proxyarp documentation as it's so clear 
and helps one speed up debugging and correcting an upgrade.

> Both the proxy arp and NAT documentation give instructions for
> determining if the upstream ARP cache is the problem.
Sorry, that's true, and I followed those and they seemed to me to 
show that there was a problem, i.e. the arp addresses were different, 
but I couldn't square that with the problems I was seeing also 
affecting the loc -> dmz traffic (sounds as if I was right to think 
that couldn't be arp map problems: I'd just lost confidence at that 
point and didn't do the necessary to start separating the two 
problems, perhaps including a power cycle on the router!)

While we're on proxyarp: the Debian version of arping doesn't seem to 
allow gratuitous requests, or if it does, different syntax from yours 
and not obvious from the documentation that I could see.
> Does the slow access only occur on new connection establishment? If
> so, it is probably a DNS problem. Is your kernel belching Shorewall
> messages when you see this problem?
Hm, I'm pretty sure the answers were yes and no to that which was 
part of what was baffling me and I still haven't understood this at 

> MTU = Maximum Transmission Unit
> If you "ip link ls", you can see the MTU of all of your net devices.
> All of the ethernet devices should have MTU=1500.
Aha: thanks: done, all correct.
> > More generally (repeat _NO_ rush on these questions) would you
> > recommend ditching proxyarp and, if so, how/why?  Again, I had the
> > impression from one thing on your site that you were recommending
> > moving away from proxyarp (problems with collisions with
> > FreeSWAN/tunnelling?) but another thing seemed to suggest there were
> > no problems other than the cache issue.

> Unless you absolutely have to use IPSEC for compatibility reasons, I
> would use ANY other method. The 2.4 FreeS/Wan implementation has the
> Proxy ARP problem (among others) and the 2.6 implementation isn't
> currently well supported by Netfilter. Even when the Netfilter code is
> available, it is unlikely that IPSEC under 2.6 will never be as well
> supported by Shorewall as the other tunnel types.

OK. Had a look around about IPSEC and if that's the only issue, I 
think I can stick with the simplicity of proxyarp, as something I had 
got set up correctly, to handle the dmz.  OK  I will do some serious 
planning with your documents and maybe come back with more stupid 
questions or perhaps with some real experience with another retry. 

Many, many thanks yet again.


PSYCTC: Psychotherapy, Psychology, Psychiatry, Counselling
   and Therapeutic Communities; practice, research, 
   teaching and consultancy.
Chris Evans & Jo-anne Carlyle
http://psyctc.org/ Email: chris at psyctc.org

More information about the Shorewall-newbies mailing list