[Shorewall-users] eth1 to eth1

Tom Eastep teastep@shorewall.net
Thu, 4 Apr 2002 13:33:09 -0800 (PST)


On Thu, 4 Apr 2002, ian wrote:

> On Thu, Apr 04, 2002 at 05:59:33AM -0800, Tom Eastep wrote:
> > >
> > 
> > It will be if you specify the 'multi' option for eth1 in 
> > /etc/shorewall/interfaces.

Did you try this suggestion? -- your current config should work if you do.

> >  
> > And now an editorial note:
> > 
> > Your setup hints strongly of the problems discussed in FAQs 2 and 2a and
> > would be MUCH cleaner if you would use Proxy ARP rather than static NAT.
> > In my view, any setup that requires a router to route packets out to the
> > same interface that they came in on is just plain broken.  I use static 
> > NAT in my own network but I have also implemented views in my DNS 
> > configuration so that my domain names resolve to local addresses for local 
> > clients and network addresses for network clients. If you would do that 
> > then your two local systems could communicate directly without having to 
> > involve your firewall. Alternatively, given that there are only two 
> > systems to deal with, entries in /etc/hosts would also be a fine solution.
> 
> But if your configuration is two independent mail server systems, 
> i.e. domain1.com & domain2.com, and you want to run them both behind one
> firewall, they are not allowed to send mail back and forth then.
> 
> I'm confused.  How will Proxy ARP help versus static NAT?

Under Proxy ARP, you would configure the two servers with their EXTERNAL 
IP addresses and the same subnet mask and default gateway as your external 
firewall interface. DNS lookups using your ISP's DNS will then give you the 
correct IP address for either system, and the two servers can communicate 
without any help from the firewall.

-Tom 
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
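The two layouts Tom contrasts, written out as an added example (not part of the thread, and not Shorewall's own documentation) in the Shorewall 1.2-era file layout. The addresses are constructed placeholders: 203.0.113.0/24 stands for the ISP-assigned block and 192.168.1.0/24 for the private LAN; the firewall's eth0 is assumed to hold 203.0.113.1.

```text
### Layout A: static NAT. Mail between the two servers has to go up to
### the firewall and back out the same eth1, hence the 'multi' option.

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect      multi

# /etc/shorewall/nat
#EXTERNAL        INTERFACE   INTERNAL        ALL INTERFACES  LOCAL
203.0.113.10     eth0        192.168.1.10    yes             no
203.0.113.11     eth0        192.168.1.11    yes             no

### Layout B: Proxy ARP. Each server carries its public address itself.
### The firewall only answers ARP for that address on eth0 and routes it
### to eth1; server-to-server traffic stays on the eth1 segment and never
### involves the firewall, so no 'multi' (and no /etc/shorewall/nat entry)
### is needed for it.

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/proxyarp
#ADDRESS         INTERFACE   EXTERNAL    HAVEROUTE
203.0.113.10     eth1        eth0        no
203.0.113.11     eth1        eth0        no

# On each mail server (not a Shorewall file): the public address with
# the same mask and gateway as the firewall's eth0, e.g. for domain1.com
#   address 203.0.113.10   netmask 255.255.255.0   gateway 203.0.113.1
```

With HAVEROUTE set to "no", Shorewall adds the host route to eth1 for each proxied address itself; set it to "yes" only if you already maintain that route outside Shorewall.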