* Marco Ahrendt wrote on Fri, Mar 02, 2001 at 10:19 +0100:
Internet
  |
(official IP) Router1 (192.168.1.1)
  |
  |
eth0 (192.168.1.2)      eth0 (official IP)
Router2/Firewall        eth2 (192.168.1.3) --- DMZ
eth1 (official IP)      eth0:1 (192.168.1.4)
  |
  |
Local Network (official IPs)
Default gateway for the DMZ is 192.168.1.3 (eth2 on the FW), as you can see. The problem is, Linux uses the first IP (?), which it can use for the fastest hop.
yep, and usually that is correct ;) But why do you need the eth0:1 IP? It seems you use it just for routing? You could drop that eth0:1 interface (eth0:0 does not exist?). On router2 you set up a host route:

dest        gw       mask             dev
DMZ-off-IP  0.0.0.0  255.255.255.255  eth0

(something like "route add -host <DMZIP> dev eth0" should do it). On the DMZ you have only a default route to router2.

You have a little problem if all official IPs are in the same net, since the local network doesn't know that DMZIP needs to be routed through router2. Maybe it's enough to set the mask of the localnet machines to /32, so that the router is used every time and redirects the machines for most IPs; this shouldn't eat up too much performance. After all, if you have only a few IPs for many nets, usually it's the simplest and best idea to route everything via host routes. You don't need to give non-routeable IPs for mininets; of course this is causing problems. But router2 doesn't need to ping into the internet, ain't it :) Otherwise use masquerading on the outer router.
define a loglevel at first

what should I add to syslogd.conf if I want to write all firewall msgs to /var/log/firewall, for example? The ULOG
This is a FAQ; in short: (standard) syslogd cannot sort messages by strings/expressions, only by priority and facility. Firewall messages are facility kernel IIRC, and so syslogd cannot distinguish between kernel and firewall entries (with the same priority, maybe warn or whatever).

oki, Steffen

-- 
This letter was produced by machine and therefore bears neither signature nor seal.
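The host-route advice above (a /32 route on router2 toward the DMZ machine, and /32 masks on the local machines so the router is consulted every time) comes down to longest-prefix matching in the kernel routing table. The following is an added example, not code from the thread: a small Python model of that lookup rule, run against constructed tables. The addresses are assumptions (RFC 5737 documentation ranges stand in for the "official IPs", 192.168.1.x follows the diagram); it goes slightly beyond the thread by showing both the router's view and the local machine's view.

```python
# Added example (not from the thread): longest-prefix-match route lookup.
# Shows why a /32 host route wins over the connected /24 on router2, and why a
# local machine with a /24 mask never sends DMZ traffic to the router at all.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: Optional[str]  # None means directly connected: deliver on 'dev'
    dev: str


def route(prefix: str, gateway: Optional[str], dev: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix), gateway, dev)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel applies (metrics ignored here)."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Who receives the frame: the gateway, or the destination itself if on-link."""
    r = lookup(table, dst)
    if r is None:
        return None
    return r.gateway or dst


# Constructed addresses (assumptions, not from the thread).
OFFICIAL_NET = "203.0.113.0/24"     # the "official IPs" of the local net
ROUTER2_OFFICIAL = "203.0.113.1"    # router2 eth1
DMZ_HOST = "203.0.113.10"           # DMZ machine carrying an official IP
LOCAL_PC = "203.0.113.50"           # a machine on the local network

# router2: connected nets, the /32 host route toward the DMZ machine
# ("route add -host <DMZIP> dev <dmz-facing dev>"), default via router1.
ROUTER2 = [
    route("192.168.1.0/24", None, "eth0"),
    route(OFFICIAL_NET, None, "eth1"),
    route(DMZ_HOST + "/32", None, "eth2"),
    route("0.0.0.0/0", "192.168.1.1", "eth0"),
]

# Local machine with the normal /24 mask: DMZ_HOST looks on-link, so it is
# ARPed for locally and the packet never reaches router2.
LOCAL_PC_MASK24 = [
    route(OFFICIAL_NET, None, "eth0"),
    route("0.0.0.0/0", ROUTER2_OFFICIAL, "eth0"),
]

# Same machine with a /32 mask: only itself and the gateway are on-link,
# everything else (DMZ_HOST included) is handed to router2, which may then
# send ICMP redirects for the hosts that really are on the local wire.
LOCAL_PC_MASK32 = [
    route(LOCAL_PC + "/32", None, "eth0"),
    route(ROUTER2_OFFICIAL + "/32", None, "eth0"),
    route("0.0.0.0/0", ROUTER2_OFFICIAL, "eth0"),
]


if __name__ == "__main__":
    print("router2 ->", DMZ_HOST, "via dev", lookup(ROUTER2, DMZ_HOST).dev)
    print("local /24 ->", DMZ_HOST, "next hop", next_hop(LOCAL_PC_MASK24, DMZ_HOST))
    print("local /32 ->", DMZ_HOST, "next hop", next_hop(LOCAL_PC_MASK32, DMZ_HOST))
```

The model deliberately leaves out metrics and policy routing; the point is only that a /32 entry always beats the /24 it sits inside, on the router and on the local machines alike.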
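Since stock syslogd sorts only by facility and priority, the most it can do on its own is put all of facility kern into one file (a `kern.* /var/log/kernel` line in syslog.conf); separating the firewall records from the other kernel messages needs a content filter. The following is an added example, not code from the thread or from any syslogd: a Python filter that recognises ipchains "Packet log:" and iptables "IN=... OUT=..." records inside kernel-tagged syslog lines, sends them to a separate list (stand-in for /var/log/firewall) and counts hits per source address. The sample log lines are constructed.

```python
# Added example (not from the thread): split firewall records out of a syslog
# stream by content, which standard syslogd cannot do by itself.
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# "Mar  2 10:19:01 host tag: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
# ipchains -l: "Packet log: <chain> <target> <dev> PROTO=<n> <src>:<sport> <dst>:<dport> ..."
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<dev>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
# iptables LOG target: "IN=<dev> OUT=<dev> ... SRC=<ip> DST=<ip> ... PROTO=<name> ... DPT=<port>"
IPTABLES_RE = re.compile(
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r"(?:.*?PROTO=(?P<proto>\S+))?(?:.*?DPT=(?P<dport>\d+))?"
)


def parse_firewall(msg: str) -> Optional[Dict[str, str]]:
    """Return the fields of a firewall log message, or None for any other kernel text."""
    m = IPCHAINS_RE.search(msg)
    if m:
        return {"fmt": "ipchains", **m.groupdict()}
    m = IPTABLES_RE.search(msg)
    if m:
        return {"fmt": "iptables", **{k: v for k, v in m.groupdict().items() if v is not None}}
    return None


def split_stream(lines: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Route kernel-tagged firewall records to the first list, everything else to the second."""
    firewall: List[str] = []
    other: List[str] = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and m.group("tag") == "kernel" and parse_firewall(m.group("msg")):
            firewall.append(line)
        else:
            other.append(line)
    return firewall, other


def count_by_source(firewall_lines: Iterable[str]) -> Dict[str, int]:
    """Hits per SRC address, a first cut at spotting who keeps knocking."""
    hits: Counter = Counter()
    for line in firewall_lines:
        m = SYSLOG_RE.match(line)
        fields = parse_firewall(m.group("msg")) if m else None
        if fields:
            hits[fields["src"]] += 1
    return dict(hits)


# Constructed sample lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LINES = [
    "Mar  2 10:19:01 router2 kernel: Packet log: input DENY eth0 PROTO=6 "
    "198.51.100.7:4242 203.0.113.10:23 L=60 S=0x00 I=12345 F=0x4000 T=51 SYN (#3)",
    "Mar  2 10:19:02 router2 kernel: eth0: link up, 100Mbps full duplex",
    "Mar  2 10:19:03 router2 sshd[512]: Accepted password for marco from 203.0.113.50 port 1025",
    "Mar  2 10:19:04 router2 kernel: IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 "
    "SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF "
    "PROTO=TCP SPT=4243 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]


if __name__ == "__main__":
    fw, rest = split_stream(SAMPLE_LINES)
    print(f"{len(fw)} firewall lines, {len(rest)} other lines")
    print("hits per source:", count_by_source(fw))
```

In practice such a filter would sit behind syslogd as a consumer of the kernel log file (or be replaced by a syslog daemon that supports match filters); the regexes cover the two log formats a 2.2/2.4 kernel firewall emits and nothing else, so unrelated kernel messages stay out of the firewall file.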