[Shorewall-users] Design Problems for VPN/Transparent Firewall

Tom Eastep teastep@shorewall.net
Tue, 29 Jan 2002 06:35:53 -0800


On Tuesday 29 January 2002 12:59 am, dgilleece@optimumnetworks.com wrote:
> OK, I changed the IP addresses of my test setup, so I could connect to my
> actual internet connection, rather than trying to simulate a client's
> connection in a "lab."  All the config problems with Shorewall appear to be
> solved -- everything comes up as expected, and does what it should -- other
> than route :/

Since you have "Yes" in the HAVEROUTE column in /etc/shorewall/proxy,
Shorewall does NOTHING with respect to routes.

>
> Here is the routing table generated when using the Shorewall configs below,
> and with a gateway defined in /etc/sysconfig/network-scripts/ifcfg-eth0
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 209.98.58.246   *               255.255.255.255 UH    0      0        0 eth1
> 209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
> 209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
> 127.0.0.0       *               255.0.0.0       U     0      0        0 lo
> default         209.98.58.241   0.0.0.0         UG    0      0        0 eth0
>
> The strange part is the duplicate routes to 209.98.58.240/29 --- what
> generates this?  With the routing table above, nothing moves.
>
> If I do 'route add -host 209.98.58.241/29 dev eth0' it adds this to the
> table:
> 209.98.58.241   *               255.255.255.255 UH    0      0        0 eth0
>
> ... and everything flows.  I have looked through the proxyarp, interfaces,
> zones, et al, and how the routes are created (or not created) is still
> escaping me.

Since you have eth0 defined with netmask 255.255.255.255 you must manually
add ALL routes needed on that interface, including one to your default
gateway.

>
> Will I need to establish that device route via eth0 manually

Yes.

-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
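An added check, not from this thread or from Shorewall, that scans a `route` table for the two symptoms discussed above: duplicate routes, and a default gateway that no device route on its interface covers, which is exactly what a 255.255.255.255 netmask on eth0 produces. The sample table is the poster's, reconstructed; the function names are my own.

```shell
#!/bin/sh
# Constructed sample: the poster's `route` output with the mail wrapping removed.
SAMPLE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
209.98.58.246   *               255.255.255.255 UH    0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
209.98.58.240   *               255.255.255.248 U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         209.98.58.241   0.0.0.0         UG    0      0        0 eth0'

# Print each (destination/genmask iface) triple that appears more than once.
duplicate_routes() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 "/" $3 " " $8 }' | sort | uniq -d
}

# Return 0 if the default gateway falls inside a device (non-gateway) route
# on the same interface, 1 if it does not (a host route must be added by
# hand), 2 if the table has no default route at all.
default_gw_reachable() {
    printf '%s\n' "$1" | awk '
        # Dotted quad -> integer.
        function ip2n(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
        # Bitwise AND without relying on a gawk-only builtin.
        function bitand(x, y,  r, b) {
            r = 0; b = 1
            while (x > 0 || y > 0) {
                if (x % 2 && y % 2) r += b
                x = int(x / 2); y = int(y / 2); b *= 2
            }
            return r
        }
        # Accept both `route` (* / default) and `route -n` (0.0.0.0) spellings.
        NR > 1 && ($1 == "default" || $1 == "0.0.0.0") { gw = $2; gwif = $8 }
        NR > 1 && ($2 == "*" || $2 == "0.0.0.0") && $8 != "lo" {
            dst[++n] = $1; mask[n] = $3; ifc[n] = $8
        }
        END {
            if (gw == "") exit 2
            for (i = 1; i <= n; i++)
                if (ifc[i] == gwif && bitand(ip2n(gw), ip2n(mask[i])) == ip2n(dst[i])) exit 0
            exit 1
        }'
}
```

With the poster's table the first function reports the doubled 209.98.58.240/29 route on eth1 and the second returns 1; after the host route to 209.98.58.241 is added on eth0 it returns 0.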