On Fri, Mar 02, 2001 at 11:13:41AM +0100, Steffen Dettmer wrote:
yep, and usually that is correct ;) But why do you need the eth0:1 IP? It seems you use it just for routing?
Yes, I want to route all traffic for DMZ through the eth2 interface. The eth1 interface is only for the LAN.
You could drop that eth0:1 interface (eth0:0 does not exist?). On router2 you set up a host route (something like "route add -host <DMZIP> dev eth0" should do it). On DMZ you have only a default route to router2.
Good idea! I could give the FW on interface eth2 the same official IP which it has on eth1. Then host-route for DMZ and on DMZ the default route to FW. Fine! :)
You have a little problem if all official IPs are in the same net, since the local network doesn't know that DMZIP needs to be routed through router2. Maybe it's enough to set the mask of the localnet machines to /32, so that the router is used every time and redirects the machines for most IPs; this shouldn't eat up too much performance.
If all local network machines have the FW as default route, the FW should know that the packets for the DMZ (from LAN) should be routed with the host route to DMZ. weeew.. routing isn't easy :)
is causing problems. But router2 doesn't need to ping the internet, does it? :) Otherwise use masquerading on the outer router.
You're right. The FW doesn't need to reach the internet.
This is a FAQ; in short: (standard) syslogd cannot sort messages by strings/expressions, only by priority and facility. Firewall is facility kernel IIRC, and so syslogd cannot distinguish between kernel and firewall entries (with the same priority, maybe warn or whatever).
I see. Well, I think I'll use an exotic loglevel which I can parse to another file. This should be ok for now.

cu,
Marco

--
Marco Ahrendt                    phone : +49-341-98-474-0
adconsys AG                      fax   : +49-341-98-474-59
Karl-Liebknecht-Str. 19          email : marco.ahrendt@adconsys.de
04107 Leipzig/Germany
gnupg key at www.aktex.net/marco_work.asc
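The routing plan worked out above (host route for the DMZ box on the FW, default route on the DMZ box, and the /32-mask trick for LAN machines that share the same official net) is easiest to check by running the lookups. The following is an added example, not code from the list post; the interface layout follows the thread (eth0 to the outer router, eth1 to the LAN, eth2 to the DMZ host) and every address is constructed from RFC 5737 documentation ranges.

```python
"""Longest-prefix-match lookup modelled on the set-up discussed in the thread:
the firewall (router2) has eth0 towards the outer router, eth1 towards the LAN
and eth2 towards the single DMZ host, and the LAN and the DMZ host share one
"official" /24.  Added example, not code from the list post.  All addresses
are constructed (RFC 5737 documentation ranges)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, Optional[ipaddress.IPv4Address]]

DMZ_IP = "198.51.100.50"      # the DMZ host, inside the official /24 (assumed)
FW_LAN_IP = "198.51.100.2"    # FW address on eth1 and, as proposed, also on eth2
OUTER_ROUTER = "203.0.113.1"  # next hop on the FW's eth0 (assumed)


def make_table(entries: List[Tuple[str, str, Optional[str]]]) -> List[Route]:
    """Build a routing table from (prefix, interface, gateway-or-None) tuples."""
    return [(ipaddress.ip_network(prefix), dev,
             ipaddress.ip_address(gw) if gw else None)
            for prefix, dev, gw in entries]


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (interface, gateway) for dst using longest-prefix match.
    gateway is None when dst is considered on-link, i.e. the sender ARPs for it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, dev, gw in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    if best is None:
        return None
    return best[1], (str(best[2]) if best[2] is not None else None)


def would_redirect(table: List[Route], in_dev: str, dst: str) -> bool:
    """Simplified ICMP-redirect test: the packet would leave on the interface it
    arrived on and the destination is on-link there, so the router tells the
    sender to talk to the destination directly."""
    hop = lookup(table, dst)
    return hop is not None and hop[0] == in_dev and hop[1] is None


# Firewall after "route add -host 198.51.100.50 dev eth2": the /32 beats the /24
FW_TABLE = make_table([
    (DMZ_IP + "/32", "eth2", None),
    ("198.51.100.0/24", "eth1", None),
    ("203.0.113.0/30", "eth0", None),
    ("0.0.0.0/0", "eth0", OUTER_ROUTER),   # only LAN traffic transits this way
])

# LAN host with the usual /24 mask: believes the DMZ host is on its own wire
LAN_HOST_24 = make_table([
    ("198.51.100.0/24", "eth0", None),
    ("0.0.0.0/0", "eth0", FW_LAN_IP),
])

# LAN host with the /32 mask suggested in the thread: only itself and the FW
# are on-link, everything else goes to the FW, which redirects for local peers
LAN_HOST_32 = make_table([
    ("198.51.100.77/32", "eth0", None),
    (FW_LAN_IP + "/32", "eth0", None),     # so the default gateway stays reachable
    ("0.0.0.0/0", "eth0", FW_LAN_IP),
])

if __name__ == "__main__":
    for dst in (DMZ_IP, "198.51.100.80", "192.0.2.9"):
        print(f"FW  -> {dst}: {lookup(FW_TABLE, dst)}, "
              f"redirect for eth1 sender: {would_redirect(FW_TABLE, 'eth1', dst)}")
        print(f"/24 -> {dst}: {lookup(LAN_HOST_24, dst)}")
        print(f"/32 -> {dst}: {lookup(LAN_HOST_32, dst)}")
```

The interesting rows are the DMZ address: the host with a /24 mask resolves it as on-link and ARPs for a machine that is behind the FW, while the /32 host hands it to the FW, whose host route sends it out eth2; for any other LAN address the FW would redirect the /32 host to the peer directly, which is the "redirects the machines for most IPs" behaviour described above.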
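The syslogd point at the end of the thread (only facility and priority are available to a selector, so firewall lines logged at the same level as other kernel messages cannot be separated, whereas an otherwise unused level can) is shown below by evaluating syslog.conf selectors the way sysklogd does. This is an added example, not code from the post; the syslog.conf lines, the sample messages and their firewall-style formats are constructed for illustration.

```python
"""sysklogd-style selector evaluation, showing why syslogd can only separate
firewall lines from other kernel messages when they carry a distinct priority.
Added example, not from the list post.  The syslog.conf lines and the log
messages are constructed; the firewall line formats are only illustrative."""
from typing import Dict, List, Tuple

# <syslog.h> priorities; lower value = more severe.  "warn", "error" and
# "panic" are the deprecated aliases syslog.conf still accepts.
PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
              "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}

Message = Tuple[str, str, str]   # (facility, priority name, text)


def rule_matches(selectors: str, facility: str, prio: str) -> bool:
    """Evaluate the selector field of one syslog.conf line.
    Selectors are separated by ';' and applied left to right:
      kern.warn    -> kern at warn or more severe
      kern.=debug  -> kern at exactly debug
      kern.!info   -> drop kern at info or more severe
      kern.!=debug -> drop kern at exactly debug
      mail.none    -> drop everything from mail
    Nothing in this grammar can look at the message text."""
    matched = False
    for sel in selectors.split(";"):
        fac, _, pri = sel.partition(".")
        if fac != "*" and facility not in fac.split(","):
            continue
        if pri == "none":
            matched = False
            continue
        negate = pri.startswith("!")
        pri = pri.lstrip("!")
        exact = pri.startswith("=")
        pri = pri.lstrip("=")
        if pri == "*":
            hit = True
        elif exact:
            hit = PRIORITIES[prio] == PRIORITIES[pri]
        else:
            hit = PRIORITIES[prio] <= PRIORITIES[pri]
        if negate:
            if hit:
                matched = False
        elif hit:
            matched = True
    return matched


def route_messages(conf: List[Tuple[str, str]],
                   messages: List[Message]) -> Dict[str, List[str]]:
    """Deliver each message to every log file whose selectors match it."""
    out: Dict[str, List[str]] = {target: [] for _, target in conf}
    for facility, prio, text in messages:
        for selectors, target in conf:
            if rule_matches(selectors, facility, prio):
                out[target].append(text)
    return out


# Constructed samples: an ordinary kernel warning, a firewall line logged at the
# same facility and priority, and a firewall line deliberately sent at debug (7).
MESSAGES: List[Message] = [
    ("kern", "warning", "eth0: transmit timed out"),
    ("kern", "warning", "Packet log: input DENY eth0 PROTO=6 192.0.2.7:4321 198.51.100.50:23"),
    ("kern", "debug",   "IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.50 PROTO=TCP DPT=23"),
]

# The FAQ case: by facility and priority alone, message 1 and message 2 are the same.
NAIVE_CONF = [("kern.warn", "/var/log/firewall")]

# The "exotic loglevel" plan: log the firewall at an otherwise unused level and
# split on it, keeping that level out of the general kernel log.
SPLIT_CONF = [
    ("kern.=debug",         "/var/log/firewall"),
    ("kern.*;kern.!=debug", "/var/log/kern.log"),
]

if __name__ == "__main__":
    for name, conf in (("naive", NAIVE_CONF), ("split", SPLIT_CONF)):
        for target, lines in route_messages(conf, MESSAGES).items():
            print(f"[{name}] {target}: {lines}")
```

The split only holds while nothing else on the box emits kernel messages at the chosen level, so pick one the running kernel does not use for anything you care about; with iptables the level is set per rule with `-j LOG --log-level 7`.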