Shorewall users - Feb 2006 - Server with shorewall hangs - 2 ISP config

Hi all,
I''ve a little server, an old PIII 677 with Fedora Core 4, default
kernel, and Shorewall 3.0.1. This pc is working fine, but I need to use a 2nd
ISP connection; everything is working from configuration point of view, but the
server, after a while (usually few hours), just hangs. Removing the 2-ISP
configuration part, the problem is solved, so I''m quite sure that hangs
are related to that point. I tried searching in all system logs, but I
didn''t find anything interesting, also I googled around and nothing
seems to give e some idea. Anyone ?
 
thaks in advice
 
marco
 

 

Ai sensi del D.lgs n. 196 del 30.06.03 (Codice Privacy) si precisa che le
informazioni contenute in questo messaggio sono riservate e ad uso esclusivo del
destinatario. Qualora il messaggio in parola Le fosse pervenuto per errore, La
preghiamo di eliminarlo senza copiarlo e di non inoltrarlo a terzi, dandocene
gentilmente comunicazione.Grazie

This message, for the D.lgs n. 196 / 30.06.03 (Privacy Code), may contain
confidential and/or privileged information. If you are not the addressee or
authorized to receive this for the addressee, you must not use, copy, disclose
or take any action based on this message or any information herein. If you have
received this message in error, please advise the sender immediately by reply
e-mail and delete this message. Thank you for your cooperation.

 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.11/264 - Release Date: 17/02/2006

Based on what you are saying, I would suspect that the NIC you are using for
the second connection is bad or sharing resources with something that it
doesn''t play nice with.  Just a WAG.
 
- Bob Coffman

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Marco
Vescovi
Sent: Monday, February 20, 2006 6:53 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Server with shorewall hangs - 2 ISP config


Hi all,
I''ve a little server, an old PIII 677 with Fedora Core 4, default
kernel,
and Shorewall 3.0.1. This pc is working fine, but I need to use a 2nd ISP
connection; everything is working from configuration point of view, but the
server, after a while (usually few hours), just hangs. Removing the 2-ISP
configuration part, the problem is solved, so I''m quite sure that hangs
are
related to that point. I tried searching in all system logs, but I
didn''t
find anything interesting, also I googled around and nothing seems to give e
some idea. Anyone ?
 
thaks in advice
 
marco
 

 

Ai sensi del D.lgs n. 196 del 30.06.03 (Codice Privacy) si precisa che le
informazioni contenute in questo messaggio sono riservate e ad uso esclusivo
del destinatario. Qualora il messaggio in parola Le fosse pervenuto per
errore, La preghiamo di eliminarlo senza copiarlo e di non inoltrarlo a
terzi, dandocene gentilmente comunicazione.Grazie

This message, for the D.lgs n. 196 / 30.06.03 (Privacy Code), may contain
confidential and/or privileged information. If you are not the addressee or
authorized to receive this for the addressee, you must not use, copy,
disclose or take any action based on this message or any information herein.
If you have received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you for your
cooperation.

 


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.11/264 - Release Date: 17/02/2006

Marco - 

I had a similar problem when implementing the multiple ISP setup on my box.
It’s a Celeron 333 with a Micronics C300 motherboard, 192 MB RAM, Intel I740
video card, and 5 3com 3c905tx network cards.  When I was running FC4 with a
2.6 kernel, I had all sorts of problems with my server locking up.  Mine,
however, only took about 30 seconds before crashing.  If I removed the
balance entry in the providers file, everything worked fine.  

It seemed to be related to the multi-hop gateway that is created when the
balance option is used.  Jerry provided some revised networking init scripts
that could build the multi-hop gateway for me independently of Shorewall.
The scripts worked fine, but after the multi-hop gateway was created, my
kernel would panic within about 30 seconds.  I eventually compiled my own
kernel with only the options my machine needed, and that helped.  My kernel
still panicked, but it took about 5 minutes.  

I suppose that if I had continued to tweak the kernel options I might have
been able to fix it, but since I''m relatively inexperienced with it, I
decided to try something else.  I switched to Debian 3.1 with a 2.4 kernel.
I had to re-compile the kernel several times to get all the correct options
necessary for the "track" option to work in the providers file (all
the
CONNMARK stuff - plus I didn''t know what I was doing).  Once all the
correct
netfilter options had been included in the kernel and iptables was correct,
I had a working machine.

A few weeks ago I started on a project that might have been easier using a
2.6 kernel, so I backed up my hard drive and re-formatted using SUSE 10 with
a 2.6 kernel.  After configuring the multiple ISP setup, I got kernel panic
in just a short time.  I re-formatted and installed Debian 3.1 with the 2.6
kernel.  Same problem.  

You might want to try installing a 2.4 kernel on your box and see if that
helps.  If you''re more skilled than I am at kernel stuff, it might be
possible for you to down-grade without reinstalling FC4.  If it were me,
I''d
just format and reinstall.  (To avoid problems with stuff like udev, which
only runs on >2.6.?? kernels.)  If you do install a 2.4 kernel,
you''ll need
to use patch-o-matic to patch your kernel sources and enable the required
CONNMARK target and connmark match support options (that means
re-compiling).  You will probably also have to re-compile iptables to get
those options working.  After installing the newly-compiled iptables, you
might have to change the IPTABLES option in shorewall.conf to point to the
correct location of iptables.  Mine is in /usr/local/sbin/iptables.  

I suspect that there might be a bug in the 2.6 kernel that was causing my
problem, but I haven''t pursued that suspicion or submitted a bug report
to
the kernel developers.  Since I don''t know if this is an actual kernel
bug,
my advice may lead you to the exact same point where you are right now, but
it worked for me (tm).
-Russel

________________________________________
From: shorewall-users-admin@lists.sourceforge.net
[mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Marco
Vescovi
Sent: Monday, February 20, 2006 4:53 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Server with shorewall hangs - 2 ISP config

Hi all,
I''ve a little server, an old PIII 677 with Fedora Core 4, default
kernel,
and Shorewall 3.0.1. This pc is working fine, but I need to use a 2nd ISP
connection; everything is working from configuration point of view, but the
server, after a while (usually few hours), just hangs. Removing the 2-ISP
configuration part, the problem is solved, so I''m quite sure that hangs
are
related to that point. I tried searching in all system logs, but I
didn''t
find anything interesting, also I googled around and nothing seems to give e
some idea. Anyone ?
 
thaks in advice
 
marco
 
 
Ai sensi del D.lgs n. 196 del 30.06.03 (Codice Privacy) si precisa che le
informazioni contenute in questo messaggio sono riservate e ad uso esclusivo
del destinatario. Qualora il messaggio in parola Le fosse pervenuto per
errore, La preghiamo di eliminarlo senza copiarlo e di non inoltrarlo a
terzi, dandocene gentilmente comunicazione.Grazie
This message, for the D.lgs n. 196 / 30.06.03 (Privacy Code), may contain
confidential and/or privileged information. If you are not the addressee or
authorized to receive this for the addressee, you must not use, copy,
disclose or take any action based on this message or any information herein.
If you have received this message in error, please advise the sender
immediately by reply e-mail and delete this message. Thank you for your
cooperation.
 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.11/264 - Release Date: 2/17/2006
 


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642