[Shorewall-users] Losing Connectivity on Static NAT'd System

Brian Credeur brian@silverthread.net
Fri, 17 May 2002 18:43:37 -0500


Hi,

I have a LEAF Bering 1.0-rc1 system (Shorewall 1.2.8) and have 5 static 
external IP addresses to use.  One IP is the primary of the firewall, I 
am using proxy arp for three of the IPs (DMZ network servers), and 
static NAT for the last IP (internal network system).  This is a similar 
setup to the newer example network in the Shorewall documentation.

Everything seems to work just fine, with one exception.  After a long 
period of idleness I find that I cannot connect to external and DMZ 
hosts from the statically NAT'd system, though it can connect to 
internal network hosts just fine.  All other connections work as 
configured (DMZ<->internal, internal (masq'd) <->Internet, ...), so it 
appears to be an issue specific to the static NAT.

When the problem occurs I cannot make any TCP connections to the 
Internet, for example, from the static NAT'd PC.  Also, if I ping an 
Internet host, from it the packets are dropped by the firewall:
    Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=<static_nat_host> DST=<non-internal_network_host> ...

If I tracert (Windows traceroute, using ICMP) from this static_nat_host 
to the same non-internal_network_host, the tracert works, and everything 
works fine thereafter until I don't use the system for a while (ex: turn 
it off, go to sleep, come back in the morning).

Just a guess:  Is this an ARP issue with Shorewall?

Your suggestions would be appreciated.

Thanks,
Brian
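As an added illustration (not code from Brian's post or from Shorewall itself), a small parser for log lines in the Shorewall prefix format quoted above, which picks out the pattern described in the post: rfc1918-chain DROPs where the packet arrived on and would leave by the same interface with a private source address. The sample log lines, hostnames and addresses are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the "Shorewall:chain:DISPOSITION:..." prefix
# quoted in the post. Addresses are documentation/private ranges, not real hosts.
SAMPLE_LOG = """\
May 17 08:02:11 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
May 17 08:02:15 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 PROTO=TCP DPT=22
May 17 08:03:01 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 PROTO=TCP DPT=80
May 17 08:03:40 firewall kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.7 LEN=60 PROTO=TCP DPT=443
"""

# chain and disposition come first, then space-separated KEY=VALUE netfilter fields
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[A-Z]+):(?P<fields>.*)$")


def parse_shorewall_line(line):
    """Return a dict of chain, disposition and KEY=VALUE fields, or None if not a Shorewall line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)  # "OUT=" yields an empty string, as netfilter logs it
            entry[key] = value
    return entry


def hairpin_private_drops(log_text):
    """Entries where the rfc1918 chain dropped a packet that entered and would exit on the
    same interface with an RFC1918 source: the symptom the post describes."""
    hits = []
    for line in log_text.splitlines():
        e = parse_shorewall_line(line)
        if e is None or e["disposition"] != "DROP" or e["chain"] != "rfc1918":
            continue
        if e.get("IN") and e.get("IN") == e.get("OUT") and ip_address(e["SRC"]).is_private:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in hairpin_private_drops(SAMPLE_LOG):
        print(hit["SRC"], "->", hit["DST"], hit.get("PROTO"), "dropped in", hit["chain"])
```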