[Shorewall-users] Design Problems for VPN/Transparent Firewall

dgilleece@optimumnetworks.com dgilleece@optimumnetworks.com
Tue, 29 Jan 2002 02:59:28 -0600 (CST)


OK, I changed the IP addresses of my test setup, so I could connect to my 
actual internet connection, rather than trying to simulate a client's 
connection in a "lab."  All the config problems with Shorewall appear to be 
solved -- everything comes up as expected, and does what it should -- other 
than route :/

Here is the routing table generated when using the Shorewall configs below, and 
with a gateway defined in /etc/sysconfig/network-scripts/ifcfg-eth0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.98.58.246   *               255.255.255.255 UH    0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         209.98.58.241   0.0.0.0         UG    0      0        0 eth0

The strange part is the duplicate routes to 209.98.58.240/29 --- what generates 
this?  With routing table above, nothing moves.

If I do 'route add -host 209.98.58.241/29 dev eth0' it adds this to the table:
209.98.58.241   *               255.255.255.255 UH    0      0        0 eth0

... and everything flows.  I have looked through the proxyarp, interfaces, 
zones, et al, and how the routes are created (or not created) is still escaping 
me.

Will I need to establish that device route via eth0 manually, or have I missed 
something in the configs?  If I do need to establish that route manually, how 
can I do this so it is automatic at startup?

Thanks again for all the help,

Dan
> Quoting Tom Eastep <teastep@shorewall.net>:
> 
> 
> > Ok. I'm assuming that eth0 is your interface to the DSL router -- if
> > not, 
> > reverse eth0 and eth1.
> 
> My setup matches this...
> 
> > 
> > /etc/shorewall/zones
> > 
> > net	Internet	The internet including your DSL router
> > loc	Local		Local including the subnetworks accessed via IPSEC VPN
> Done
> 
> > /etc/shorewall/interfaces:
> > 
> > net	eth0		norfc1918,...
> > loc	eth1		routestopped
> > loc	ipsec+		multi
> 
> Done
> 
> > /etc/shorewall/policy
> > 
> > loc	loc		ACCEPT
> > loc	net		ACCEPT
> > net	all		DROP
> > all	all		REJECT:info
> 
> Done
>  
> > /etc/shorewall/proxyarp
> > 
> > <124 entries> with "Yes" in the HAVEROUTE column
> 
> 
> Interfaces
> ##############################################################################
> #ZONE	 INTERFACE	BROADCAST	OPTIONS
> net	eth0				norfc1918
> loc	eth1				routestopped
> loc	ipsec+			multi
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
> 
> Policy
> 
> ###############################################################################
> #CLIENT		SERVER		POLICY		LOG LEVEL
> loc		loc		ACCEPT
> loc		net		ACCEPT
> net		all		DROP			info
> all		all		REJECT		info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
> 
> 
> Proxyarp
> #			#ADDRESS	INTERFACE	EXTERNAL   HAVEROUTE
> #			155.186.235.6	eth1		eth0       No
> ##############################################################################
> #ADDRESS		INTERFACE	EXTERNAL        HAVEROUTE
> 219.98.36.1		eth1		eth0			Yes
> 219.98.36.2		eth1		eth0			Yes
> 219.98.36.3		eth1		eth0			Yes
> 219.98.36.4		eth1		eth0			Yes
> 219.98.36.5		eth1		eth0			Yes
> 219.98.36.6		eth1		eth0			Yes
> 219.98.36.7		eth1		eth0			Yes
> 
> ....to 219.98.36.124
> 
> Zones
> #ZONE	DISPLAY		COMMENTS
> net	Internet		Internet 
> loc	Localnet		Local networks
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
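As an added example (not part of the post, and not Shorewall code), the following Python script reproduces the diagnosis a practitioner would make from the routing table above: it parses `route -n` style output, reports exact duplicate routes, and flags any gateway that no directly connected route on the same interface covers. The embedded table is a constructed copy of the one quoted in the post.

```python
import ipaddress

# Constructed sample: the `route` output quoted in the post above.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.98.58.246   *               255.255.255.255 UH    0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         209.98.58.241   0.0.0.0         UG    0      0        0 eth0
"""

def parse_routes(text):
    """Turn `route -n` style output into (network, gateway-or-None, iface) triples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # header or blank line
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        if dest == "default":
            dest = "0.0.0.0"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes

def duplicate_routes(routes):
    """Exact duplicates (same prefix, gateway, device) as 'prefix dev iface' strings."""
    seen, dups = set(), []
    for net, gw, iface in routes:
        key = (net, gw, iface)
        if key in seen:
            dups.append(f"{net} dev {iface}")
        seen.add(key)
    return dups

def unreachable_gateways(routes):
    """Gateways not covered by a connected route on the SAME interface.
    The kernel cannot ARP for such a gateway, so nothing sent via it leaves;
    a host route (route add -host GW dev IFACE) is the usual remedy."""
    connected = [(net, iface) for net, gw, iface in routes if gw is None]
    bad = []
    for net, gw, iface in routes:
        if gw is not None and not any(gw in c and i == iface for c, i in connected):
            bad.append((str(gw), iface))
    return bad
```

Feed the output of `route -n` to `parse_routes` and run both checks on the result; for the table above the second check flags 209.98.58.241 on eth0, which is the host route the post ends up adding by hand.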