________________________________
From: Simon Matter <[email protected]>
>
> Exactly, what about the rest of the network, switches/routers, how do they
> know about the FW change? (I guess the easiest solution would be to simply
> reboot those devices after the FW change)


Note that I've kept the new FW online for more than 5 minutes.
I'm not sure yet when an ARP entry times out in my network devices (I'll need 
to check on each and every switch firmware), but in Linux it should be about 1 
minute according to:

/proc/sys/net/ipv4/neigh/default/gc_stale_time

I'm only assuming the other network devices have similar settings, but I guess 
I'll need to check thoroughly.

The fact that I can ping from the new FW to any host in any "zone" can be 
explained by the fact that the new FW has an empty ARP table, and when a new 
connection is to be made the dst host replies to the ARP request directly to 
the new FW.
So I guess I can successfully ping from the new FW to host A, but not 
necessarily the other way around.

Thanks,

Vieri
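One way to check the behaviour Vieri describes on a Linux host in one of the "zones" is to compare the neighbour cache with the MAC the new firewall actually has. The script below is an added example, not code from this thread or from Shorewall; it parses the line format printed by `ip neigh show` (iproute2) and flags entries for the gateway address that still carry a different MAC, which is exactly the state in which the host can be pinged from the new FW but cannot reach it back until the entry is re-resolved. It also reads the per-interface `gc_stale_time` and `base_reachable_time_ms` sysctls from `/proc/sys/net/ipv4/neigh/` when they exist. The sample `ip neigh` output, the gateway address 192.168.1.1 and both MAC addresses are constructed placeholders.

```python
"""Find neighbour-cache entries that still point at a replaced gateway's old MAC.

Added example for the ARP discussion above (not code from the thread).
Parses `ip neigh show` output; sample data below is constructed.
"""
import os
import subprocess
from dataclasses import dataclass
from typing import List, Optional

NEIGH_SYSCTL_ROOT = "/proc/sys/net/ipv4/neigh"

# Constructed sample of `ip neigh show` output. 00:11:22:33:44:55 plays the
# old firewall's MAC; the new firewall is assumed to use aa:bb:cc:dd:ee:ff.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.1 dev eth1 lladdr 00:11:22:33:44:55 STALE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.7 dev eth0  FAILED
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
"""


@dataclass
class NeighEntry:
    ip: str
    dev: str
    mac: Optional[str]   # None when the entry never resolved (e.g. FAILED)
    state: str           # REACHABLE, STALE, DELAY, PROBE, FAILED, ...


def parse_neigh_line(line: str) -> Optional[NeighEntry]:
    """Parse one `ip neigh show` line: '<ip> dev <if> [lladdr <mac>] [flags] <STATE>'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[1] != "dev":
        return None
    mac = None
    if "lladdr" in tokens:
        mac = tokens[tokens.index("lladdr") + 1].lower()
    # Optional flags such as 'router' precede the state; the state is the
    # last all-uppercase token on the line.
    state = tokens[-1] if tokens[-1].isupper() else "UNKNOWN"
    return NeighEntry(ip=tokens[0], dev=tokens[2], mac=mac, state=state)


def parse_ip_neigh(text: str) -> List[NeighEntry]:
    entries = [parse_neigh_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def find_mismatched(entries: List[NeighEntry], ip: str, expected_mac: str) -> List[NeighEntry]:
    """Return cache entries for `ip` whose MAC is missing or differs from `expected_mac`.

    Any entry returned means this host will keep sending gateway-bound frames
    to the old MAC until the entry goes STALE and is re-probed.
    """
    expected = expected_mac.lower()
    return [e for e in entries if e.ip == ip and e.mac != expected]


def read_neigh_sysctl(name: str, dev: str = "default",
                      root: str = NEIGH_SYSCTL_ROOT) -> Optional[int]:
    """Read /proc/sys/net/ipv4/neigh/<dev>/<name>; None if unavailable (non-Linux, no perms)."""
    path = os.path.join(root, dev, name)
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def live_ip_neigh() -> str:
    """Run `ip neigh show` if iproute2 is present; fall back to the constructed sample."""
    try:
        return subprocess.run(["ip", "neigh", "show"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_IP_NEIGH


if __name__ == "__main__":
    gateway, new_fw_mac = "192.168.1.1", "aa:bb:cc:dd:ee:ff"   # placeholders
    entries = parse_ip_neigh(live_ip_neigh())
    for e in find_mismatched(entries, gateway, new_fw_mac):
        print(f"{e.dev}: {e.ip} still maps to {e.mac} ({e.state}), expected {new_fw_mac}")
    for name in ("gc_stale_time", "base_reachable_time_ms"):
        print(f"{name} = {read_neigh_sysctl(name)}")
```

Running it on the constructed sample reports the eth0 entry for 192.168.1.1 as still mapped to the old MAC in REACHABLE state; on a real host, `ip neigh flush dev eth0` (or simply waiting for the entry to age out) is what clears that condition.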

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users