On 11/15/10 9:13 AM, Alan Madill wrote:
>
> On 11/12/2010 11:29 AM, Tom Eastep wrote:
>>
>> One key piece of information that was omitted is that your Shorewall
>> configuration uses policy routing (providers).
>>
>> - Therefore, the firewall apparently ignores the packet even though
>> there is a perm ARP table entry for 10.1.19.248.
>>
>> ? (10.1.19.248) at * PERM PUP on eth1.4
>>
>> When you have VPN connections that come and go, it is recommended that
>> you set USE_DEFAULT_RT=Yes which causes all packets to be first routed
>> via the main table and only if they don't match an entry in the main
>> table do they get sent to a provider table. In this configuration, there
>> is no default route in the main table. This allows dynamic changes in
>> the main table to be visible to all packets.
>>
>
> That was the fix, thank you. I had turned off USE_DEFAULT_RT so that systems
> on the PROC (industrial) side of the network would have no knowledge of the
> routes on the CORP (business) side.
How would they get this knowledge? If your firewall rules prohibit such
traffic, why does the existence of these routes matter?

> One other question. How do I force the firewall itself to use eth0 and its
> default route for outgoing connections? As it is I have a 50/50 chance of
> hitting the corporate ISA server for outgoing connections for yum updates and
> ssh sessions. It is just those two protocols that I am concerned about.
> Would it fit in tcrules?

Yes -- with $FW as the source. Note that you may have to resort to the routing
rule that is given in the "Applications running on the Firewall - making them
use a particular provider" section of the Shorewall Multi-ISP doc.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
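Tom's explanation of USE_DEFAULT_RT comes down to the order in which the kernel consults routing tables: provider (fwmark) rules normally sit ahead of the main table, so a marked packet never sees a dynamic VPN route that only exists in main. The following is an added example written for this page, not code from the thread or from Shorewall. It models ordered `ip rule` entries with longest-prefix match per table and fall-through to the next rule when a table has no matching route. The rule priorities (20000 for provider marks, 999 for main when USE_DEFAULT_RT=Yes, 32766/32767 for main/default), the addresses 192.0.2.1, 203.0.113.5 and the interface names are assumptions constructed for the example; compare them against `ip rule show` and `ip route show table all` on a real box.

```python
"""Toy model of Linux policy routing: ordered `ip rule` entries, each pointing
at a route table, longest-prefix match inside a table, fall through to the next
rule when a table has no matching route.  Constructed to illustrate what
USE_DEFAULT_RT changes; addresses, device names and rule priorities are
assumptions for this example, not taken from the thread or from Shorewall."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]          # e.g. {"dst": "10.1.19.248", "fwmark": 1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                         # outgoing interface
    via: Optional[str] = None        # gateway; None for a directly connected route


@dataclass(frozen=True)
class Rule:
    priority: int                    # lower number is consulted first
    table: str
    match: Callable[[Packet], bool]  # selector, here a fwmark test or "everyone"


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table; None when nothing matches."""
    best = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def resolve(rules: List[Rule], tables: Dict[str, List[Route]],
            packet: Packet) -> Tuple[Optional[str], Optional[str]]:
    """Walk the rules in priority order; the first table holding a matching
    route decides.  Returns (table name, outgoing device)."""
    dst = ipaddress.ip_address(packet["dst"])
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.match(packet):
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return rule.table, hit.dev
    return None, None


# Constructed routes: one provider default route and a VPN route that comes
# and goes in the main table (the 10.1.19.248 case from the thread).
DEFAULT_VIA_ISP = Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", via="192.0.2.1")
VPN_ROUTE = Route(ipaddress.ip_network("10.1.19.0/24"), "eth1.4")
LAN_ROUTE = Route(ipaddress.ip_network("192.0.2.0/24"), "eth0")


def build(use_default_rt: bool) -> Tuple[List[Rule], Dict[str, List[Route]]]:
    """Assumed approximation of the rule layout for the two settings:
    provider fwmark rule at 20000; main at 32766 and 'default' at 32767 when
    USE_DEFAULT_RT=No; with USE_DEFAULT_RT=Yes main is consulted at 999 and
    its default route is moved into the 'default' table."""
    marked_for_isp = lambda p: p.get("fwmark") == 1
    everyone = lambda p: True
    tables: Dict[str, List[Route]] = {"isp": [DEFAULT_VIA_ISP]}
    if use_default_rt:
        tables["main"] = [LAN_ROUTE, VPN_ROUTE]            # no default route in main
        tables["default"] = [DEFAULT_VIA_ISP]
        rules = [Rule(999, "main", everyone),
                 Rule(20000, "isp", marked_for_isp),
                 Rule(32767, "default", everyone)]
    else:
        tables["main"] = [LAN_ROUTE, VPN_ROUTE, DEFAULT_VIA_ISP]
        tables["default"] = []
        rules = [Rule(20000, "isp", marked_for_isp),       # provider consulted before main
                 Rule(32766, "main", everyone),
                 Rule(32767, "default", everyone)]
    return rules, tables


def egress(use_default_rt: bool, dst: str,
           fwmark: Optional[int] = None) -> Tuple[Optional[str], Optional[str]]:
    """Which table and interface a packet leaves through under each setting."""
    rules, tables = build(use_default_rt)
    return resolve(rules, tables, {"dst": dst, "fwmark": fwmark})


if __name__ == "__main__":
    for setting in (False, True):
        print(f"USE_DEFAULT_RT={'Yes' if setting else 'No'}")
        print("  marked packet to VPN host 10.1.19.248  ->", egress(setting, "10.1.19.248", fwmark=1))
        print("  marked packet to Internet 203.0.113.5   ->", egress(setting, "203.0.113.5", fwmark=1))
        print("  unmarked packet to Internet 203.0.113.5 ->", egress(setting, "203.0.113.5"))
```

With USE_DEFAULT_RT=No the marked packet for 10.1.19.248 hits the provider table's default route and leaves via eth0, which is why the PERM ARP entry on eth1.4 looked ignored; with USE_DEFAULT_RT=Yes the main table is checked first, the VPN route wins, and only destinations with no entry in main fall through to the provider and then to the default table.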
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
