[Shorewall-users] Possible multiple interfaces on same hub problem? Not sure.
Tue, 16 Apr 2002 17:16:37 -0400
Tom, thx for the great work.

I'm working my way through the Troubleshooting doc to solve our setup
issues. If I remain stuck, I'll put our situation up on a web page for
critique, but I'm trying to work through all the possible pitfalls before
asking others to contribute time on this.

Our config is a traditional DMZ setup on a Red Hat 7.2 three-NIC FW, with
updated iptables RPMs. I'll be happy if I can put the FW into service with
just the DMZ and NET zones operational.

I can't use the Quick Start because we have 6-plus static IP servers in the
DMZ, and can't use a single external IP. Originally I was simply going to
static NAT the DMZ servers, but it's looking like ProxyARP or Bind9, because
subnets aren't able to see each other. More on that perhaps in a future

I've disabled the LOC zone NIC for now, so I'm not even testing that part of
it. The firewall WAN port is hooked to a Flowpoint DSL router/modem that
has a hub built in. I've been testing with one cable going from that hub to
the FW, and another cable going to a separate hub for some unrelated live
stuff going on. Obviously ARP requests from the live action will be visible
at the WAN port. Will that hose the FW or Shorewall? This is my main
inquiry for this note.

I can try to test with the live action disconnected, and power down the
Flowpoint to clear its ARP cache (assuming that will do it), but this would
limit my test time severely.

What I'm seeing so far - I can ping the FW from the DMZ servers, but
packets from DMZ machines seem to stop at the $IF_DMZ and not get relayed to
(or through?) $IF_NET for handling by the FW (or the Flowpoint?). I.e., the
ARPs just go unanswered. There are no Shorewall error messages other than
ACCEPTs. (I was able to brute force a workaround using the "Rules - routing
policy database" section of the Linux Advanced Routing How-To, but this
seemed to interfere with Shorewall by preventing DMZ=>DMZ access. I think
this idea of tweaking routing tables just confused Shorewall and me, but I
mention it in passing).