
Re: Firewall & Routing - help!

Kevin F. Berrien wrote:
Thanks for the responses by everyone. I've combined the ideas, done the following with the following results.

 > a)  make a route in that routes traffic for to
 > your IP of  This will allow your gateway server/router
 > to route packets to this additional network properly.

Done, set a route on 50.1 to 5.0 (test environ is a linksys BEFSR41, live will be Symantec/Raptor fw).

> And you need to turn on packet forwarding on the box that is routing between subnets to do that.
> Edit /etc/sysctl.conf changing ip_forward on:
> net.ipv4.ip_forward = 1
> Then apply the change with the following command:
> sysctl -p

Ok, edited the value of net.ipv4.ip_forward to true. Please note, when I execute a network restart I see the following...

   Shutting down interface eth0:                              [  OK  ]
   Shutting down interface eth1:                              [  OK  ]
   Shutting down loopback interface:                          [  OK  ]
   Disabling IPv4 packet forwarding:                          [  OK  ]

I'm not sure where the IPv4 packet forwarding disable is coming from.

> When you have multiple devices like this, each device should have its gateway for the local network (or no gateway if *it*
> is the gateway)

Edited eth1 with gateway blank.

> then you should have a statement like this in your /etc/sysconfig/network file:


 >  NOW, try pinging from You should get
 >  responses back.  If so, try next.

******** I've turned off the fw to test the routing.

Ok, I can ping from the firewall both ways, machine from one subnet to the other, and vice versa.
I can access my internal web server just fine. I get dns results from internal dns server etc.... so I'm bridging the subnets now.

I, however, CANNOT get out of my 50.x subnet to the internet from the firewall, and from the machine at 5.3.

[root choke root]# ping www.groklaw.net
connect: Network is unreachable

Also, where are the default routes, etc.. stored in RH/FC1? When I first boot, I've got some crazy routes from playing around before....

btw, here is my routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               U     0      0        0 eth1
                *                               U     0      0        0 eth1
                *                               U     0      0        0 eth0
                *                               U     0      0        0 eth1
                *                               U     0      0        0 lo
[root choke root]#

You don't have a default route. Put in

route add default dev eth1


route add default gw

(or whatever your firewall/gateway is).

Dunno what the 169.254 is, or where it's coming from.

That's a standard private network (called "zeroconf") and it's inserted by the /etc/sysconfig/network-scripts/ifup script.

It's used if you're trying to use DHCP and no DHCP server is found.  The
client then sets up an address in this /16 range with a broadcast
address of and broadcasts its 169.254 address.  If no
one on the network complains, then that's the address that it uses.  If
someone does, it tries another one in the 169.254 range and repeats the
broadcast.  This continues until no one on the net complains anymore and,
as a result, the NIC has a 169.254.x.y address.  Think of it as a self-
generating DHCP address.  It ain't pretty, but it works.

If you want the real skinny, the whole thing is being steered by the
zeroconf group of the IETF (http://www.zeroconf.org).  The details
about 169.254/16 are here:


Note that 169.254/16 is NOT routable.  Treat it exactly as if it were a
192.168/16 or 10/8 network address.

My route on the bastion fw (50.1) appears to be ok.

Good.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-   If Windows isn't a virus, then it sure as hell is a carrier!     -
----------------------------------------------------------------------
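The two things this reply diagnoses (a routing table with no default route, and the 169.254/16 zeroconf fallback) are easy to check offline. The following is an added example written for this archive page; it is not code from the thread or from any of the people in it. The routing table and sysctl.conf fragment are constructed sample data (the 192.168.5.0 and 192.168.50.0 networks are made-up stand-ins for the "5.0" and "50.x" subnets in the thread), the parser assumes the eight-column layout of `route` / `route -n` output, and the claim simulation models the probe-and-retry that the reply describes rather than real ARP traffic. Python 3.7 or later is assumed for `ipaddress.IPv4Network.subnet_of`.

```python
"""Offline checks for the problems discussed in the thread:
  1. a routing table with no default route, plus 169.254/16 (zeroconf) routes;
  2. net.ipv4.ip_forward set in /etc/sysctl.conf to something the kernel rejects;
  3. a simulation of the 169.254.x.y probe-and-retry address claim.
All sample data here is constructed for the example."""
import ipaddress
import random
import re

# Constructed sample in `route -n` layout (addresses are made up for the example).
SAMPLE_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
192.168.50.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
"""

# Constructed /etc/sysctl.conf fragment: "true" looks right but the kernel wants 0 or 1.
SAMPLE_SYSCTL_CONF = """\
net.ipv4.ip_forward = true
net.ipv4.conf.default.rp_filter = 1
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Ranges the reply says to treat alike: not routable on the public Internet.
NON_ROUTABLE = [LINK_LOCAL, ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("10.0.0.0/8")]


def parse_route_table(text):
    """Parse `route` / `route -n` output into dicts, skipping the header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, ref, use, iface = parts
        routes.append({"dest": dest, "gateway": gw, "genmask": mask,
                       "flags": flags, "metric": int(metric), "iface": iface})
    return routes


def has_default_route(routes):
    """`route -n` shows the default route as 0.0.0.0; plain `route` shows 'default'."""
    return any(r["dest"] in ("0.0.0.0", "default") for r in routes)


def link_local_routes(routes):
    """Routes that fall inside 169.254/16 (the zeroconf fallback the reply explains)."""
    found = []
    for r in routes:
        if r["dest"] == "default":
            continue
        net = ipaddress.ip_network(f'{r["dest"]}/{r["genmask"]}', strict=False)
        if net.subnet_of(LINK_LOCAL):
            found.append(r)
    return found


def ip_forward_setting(conf_text):
    """Return the raw value given for net.ipv4.ip_forward, or None if it is absent."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"net\.ipv4\.ip_forward\s*=\s*(\S+)$", line)
        if m:
            return m.group(1)
    return None


def ip_forward_enabled(conf_text):
    """The kernel accepts only 0 or 1 here; sysctl -p rejects 'true'/'yes' as invalid."""
    return ip_forward_setting(conf_text) == "1"


def is_non_routable(addr):
    return any(ipaddress.ip_address(addr) in net for net in NON_ROUTABLE)


def diagnose(route_text, conf_text):
    """Human-readable findings for a routing table plus sysctl.conf text."""
    findings = []
    routes = parse_route_table(route_text)
    if not has_default_route(routes):
        findings.append("no default route: add one pointing at the firewall/gateway")
    for r in link_local_routes(routes):
        findings.append(f"169.254/16 zeroconf route on {r['iface']}: not routable, "
                        "usually means DHCP found no server")
    value = ip_forward_setting(conf_text)
    if value is None:
        findings.append("net.ipv4.ip_forward is not set in sysctl.conf")
    elif value != "1":
        findings.append(f"net.ipv4.ip_forward = {value!r} is not a valid kernel value (use 1)")
    return findings


def random_link_local(rng):
    """Endless candidates in 169.254.1.0 - 169.254.254.255 (RFC 3927 usable range)."""
    while True:
        yield f"169.254.{rng.randint(1, 254)}.{rng.randint(0, 255)}"


def claim_link_local(in_use, candidates, max_tries=10):
    """Model of the claim the reply describes: announce a candidate, and if someone on
    the network already holds it (here: the in_use set), try another one."""
    for _, candidate in zip(range(max_tries), candidates):
        if candidate not in in_use:
            return candidate
    return None


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ROUTE_TABLE, SAMPLE_SYSCTL_CONF):
        print("-", finding)
    taken = {"169.254.1.1"}
    print("claimed:", claim_link_local(taken, random_link_local(random.Random(1))))
```

Running it against the constructed data reports the missing default route, the 169.254/16 route on eth1, and the invalid `true` value for `net.ipv4.ip_forward`; on a real host you would feed it the output of `route -n` and the contents of `/etc/sysctl.conf` instead of the samples.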
