problems using fiaif as firewall between private nets

Anders Fugmann email hidden
Fri Mar 21 19:41:45 CET 2003


Bill Babcock wrote:
> mekong> FIAIF ver. 1.12.1, by Anders Fugmann (C) 2002-2003
> Usage: /etc/init.d/fiaif {start|stop|restart|reload|force-reload|status|panic|tc-start|tc-stop|tc-status}
> 
> I have a situation where I need to be able to use fiaif internally
> on a gateway segmenting QA and Dev traffic from main network traffic.
> 
> I'm modeling this for now in a small setup, and have run into some odd
> behavior.
> Here's the network:
> 
> (The networks involved here are all in the reserved for internal use
>  ranges, which is what we use internally for our nets.)
> 
>                                         10.1.0.3
>                                          _____
>                                         |win2k|
>                                         |_____|
>                                            |      10.1.0.1
>                                            |      | eth1
> (172.16.153/24)  eth1      eth0 (10.1/16)  |      v 
> ----------------+[ fiaif1 ]+---------------+---+[ fiaif2 ]+---> Internet
>                ^           ^                        +     eth0
>  172.16.153.1 /            |                eth2  ^ |
>                        10.1.0.2                  /  | (10.2/16)
>                                          10.2.0.1   |
> 
> 
> SNAT used for 172.16.153/24 -> ext (eth0) of fiaif1.
> SNAT used for 10.1/16 -> ext (eth0) of fiaif2.
> SNAT used for 10.2/16 -> ext (eth0) of fiaif2.
> 
> Here's the problem:
> 
> Every packet generated from the 10.1.0.2 interface of the fiaif1 box
> to 10.2.0.1 on fiaif2 gets treated as a martian and dropped:

Add 10.2.0.0/255.255.0.0 to NET_EXTRA in zone EXT on the FIAIF1 
firewall, as I guess (without having seen your configuration files) that 
the NET in the EXT zone is set to 10.1.0.0/255.255.0.0.

> 
> TIA,
> 
> - bill
> 
Regards
Anders Fugmann
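As an added illustration (not FIAIF's own code and not part of this thread), a small Python model of the zone membership check the reply refers to. It assumes FIAIF treats an address seen on a zone's interface as a martian when it lies outside every network listed in that zone's NET and NET_EXTRA settings; the zone contents are constructed from the reply's guess about fiaif1's EXT zone.

```python
# Added example, not FIAIF's code: a simplified model of the zone
# membership check described in the reply. Assumed: an address on a
# zone interface is a martian when it is outside every network in the
# zone's NET and NET_EXTRA lists (address/netmask notation, space separated).
import ipaddress


def parse_nets(spec):
    """Parse a space-separated list of networks in address/netmask form."""
    return [ipaddress.ip_network(n, strict=False) for n in spec.split()]


def is_martian(zone, addr):
    """True when addr is outside all networks declared for the zone."""
    ip = ipaddress.ip_address(addr)
    nets = parse_nets(zone.get("NET", "")) + parse_nets(zone.get("NET_EXTRA", ""))
    return not any(ip in n for n in nets)


def check(zone, addrs):
    """Map each address to whether the zone would treat it as a martian."""
    return {a: is_martian(zone, a) for a in addrs}


# Constructed zone EXT of fiaif1 as the reply guesses it: NET covers 10.1/16 only.
EXT_BEFORE = {"NET": "10.1.0.0/255.255.0.0"}

# The same zone with the fix from the reply applied (10.2/16 added to NET_EXTRA).
EXT_AFTER = {"NET": "10.1.0.0/255.255.0.0", "NET_EXTRA": "10.2.0.0/255.255.0.0"}

if __name__ == "__main__":
    for name, zone in (("before", EXT_BEFORE), ("after", EXT_AFTER)):
        # 10.2.0.1 is fiaif2's eth2 address from the diagram; 10.1.0.3 is the win2k host
        print(name, check(zone, ["10.1.0.3", "10.2.0.1"]))
```

Running it shows 10.2.0.1 flagged as a martian with the original zone and accepted once NET_EXTRA includes 10.2.0.0/255.255.0.0, while 10.1.0.3 is accepted in both cases.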