On 11/12/10 9:45 AM, Alan Madill wrote:
>
> On 11/11/2010 6:21 PM, Tom Eastep wrote:
>> Shorewall itself cannot *directly* affect ARP. It
>> configures iptables/Netfilter which only operates on IP, not ARP (or
>> Appletalk, or ...).
>
> But it does play with a lot of different parameters, modules, sysctl,
> etc. that can impact ARP.

One key piece of information that was omitted is that your Shorewall
configuration uses policy routing (providers).

- You were pinging from a host connected to eth1.4.

- From the routing rules, traffic entering on eth1.4 is routed via
  table WRLS:

      1000: from all iif eth1.4 lookup WRLS

- Table WRLS has no route to 10.1.19.248 except back out of eth1.4:

      209.53.153.254 dev eth0 scope link src 209.53.153.50
      209.53.153.0/24 dev eth0 proto kernel scope link src 209.53.153.50
      10.1.20.0/24 dev eth1.5 proto kernel scope link src 10.1.20.1
      10.1.19.0/24 dev eth1.4 proto kernel scope link src 10.1.19.1
      169.254.0.0/16 dev eth1.5 scope link
      default via 209.53.153.254 dev eth0 src 209.53.153.50

- Therefore, the firewall apparently ignores the packet even though
  there is a permanent ARP table entry for 10.1.19.248:

      ? (10.1.19.248) at * PERM PUP on eth1.4

When you have VPN connections that come and go, it is recommended that
you set USE_DEFAULT_RT=Yes, which causes all packets to be first routed
via the main table; only if they don't match an entry in the main
table do they get sent to a provider table. In this configuration, there
is no default route in the main table. This allows dynamic changes in
the main table to be visible to all packets.

The alternative is to include ppp0 in the COPY column for the WRLS
provider and restart Shorewall each time that a pptp link comes up.

-Tom
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
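To make the routing-rule walk in Tom's reply concrete, here is a small simulation of the kernel's policy-routing lookup (rules by priority, longest-prefix match per table, fall-through when a table has no match). It is an added example, not code from the thread or from Shorewall. The WRLS routes and the `iif eth1.4` rule are the ones quoted above; the `10.1.19.248 dev ppp0` host route in the main table is constructed to stand for the pptp link that comes and goes, and the rule ordering used for USE_DEFAULT_RT=Yes (main table first, provider tables next, the stripped-out default route last) is an approximation of Shorewall's behaviour as described in the reply, not a copy of its generated rules.

```python
"""Simulate Linux policy routing to show why a packet entering eth1.4 is
sent back out eth1.4 with the quoted rules, and how a main-table-first
ordering (USE_DEFAULT_RT=Yes) changes the result.  Added example, not
Shorewall code.  The ppp0 host route below is constructed."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


class Rule(NamedTuple):
    prio: int
    iif: Optional[str]   # None matches any ingress interface
    table: str


def parse_route(line: str) -> Route:
    """Parse one line of 'ip route show' output (prefix, dev, optional via)."""
    tok = line.split()
    prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
    net = ipaddress.ip_network(prefix, strict=False)   # bare host -> /32
    dev = tok[tok.index("dev") + 1]
    via = tok[tok.index("via") + 1] if "via" in tok else None
    return Route(net, dev, via)


def parse_rule(line: str) -> Rule:
    """Parse one line of 'ip rule show', e.g. '1000: from all iif eth1.4 lookup WRLS'."""
    tok = line.split()
    prio = int(tok[0].rstrip(":"))
    iif = tok[tok.index("iif") + 1] if "iif" in tok else None
    return Rule(prio, iif, tok[tok.index("lookup") + 1])


def lookup(routes, dst: str) -> Optional[Route]:
    """Longest-prefix match within a single table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.net]
    return max(matches, key=lambda r: r.net.prefixlen, default=None)


def resolve(rules, tables, dst: str, iif: str):
    """Walk rules by priority.  A table with no matching route falls through
    to the next rule, as the kernel does.  Returns (table, route) or (None, None)."""
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.iif is not None and rule.iif != iif:
            continue
        route = lookup(tables.get(rule.table, []), dst)
        if route is not None:
            return rule.table, route
    return None, None


# Table WRLS exactly as quoted in the thread.
WRLS = [parse_route(l) for l in """
209.53.153.254 dev eth0 scope link src 209.53.153.50
209.53.153.0/24 dev eth0 proto kernel scope link src 209.53.153.50
10.1.20.0/24 dev eth1.5 proto kernel scope link src 10.1.20.1
10.1.19.0/24 dev eth1.4 proto kernel scope link src 10.1.19.1
169.254.0.0/16 dev eth1.5 scope link
default via 209.53.153.254 dev eth0 src 209.53.153.50
""".strip().splitlines()]

# Main table after the pptp link came up: the same routes plus a host route
# for the VPN peer via ppp0.  Constructed; the thread does not show this line.
MAIN = WRLS + [parse_route("10.1.19.248 dev ppp0 scope link")]


def as_quoted(dst: str = "10.1.19.248", iif: str = "eth1.4"):
    """Rules as posted: eth1.4 traffic goes to WRLS, which never learned ppp0."""
    rules = [parse_rule("1000: from all iif eth1.4 lookup WRLS"),
             parse_rule("32766: from all lookup main")]
    return resolve(rules, {"WRLS": WRLS, "main": MAIN}, dst, iif)


def use_default_rt(dst: str, iif: str = "eth1.4"):
    """Approximation of USE_DEFAULT_RT=Yes: main (without its default route)
    is consulted first, then the provider table, then the default route."""
    main_no_default = [r for r in MAIN if r.net.prefixlen != 0]
    default_only = [r for r in MAIN if r.net.prefixlen == 0]
    rules = [parse_rule("999: from all lookup main"),
             parse_rule("1000: from all iif eth1.4 lookup WRLS"),
             parse_rule("32767: from all lookup default")]
    tables = {"main": main_no_default, "WRLS": WRLS, "default": default_only}
    return resolve(rules, tables, dst, iif)


if __name__ == "__main__":
    table, route = as_quoted()
    print("as quoted:", table, route.net, "dev", route.dev,
          "(back out the ingress interface)" if route.dev == "eth1.4" else "")
    for dst in ("10.1.19.248", "8.8.8.8"):
        table, route = use_default_rt(dst)
        print("USE_DEFAULT_RT=Yes:", dst, "->", table, route.net, "dev", route.dev)
```

Run it and the first line shows the quoted rules sending the VPN peer's traffic back out eth1.4 via table WRLS, while the main-first ordering picks the ppp0 host route for 10.1.19.248 and still hands Internet-bound traffic from eth1.4 to the WRLS provider's default route.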
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
