I've been using shorewall for a few months now on a Fedora Core 4 box with an intel e100 nic. Everything was fun until tonight. While I was uploading a file via ssh the connection dropped and I couldn't access any services on the box. I connected to it on a serial console and everything looked fine. Shorewall was running and everything, now I can't access the internet at all.

I tried checking name servers and it can't connect to any of the name servers listed in /etc/resolv.conf. I can't ping or telnet to an IP address and I can't access anything from the outside. I rebooted into a recovery environment and I could ping the host, but I couldn't ssh to the box which doesn't have any firewall in recovery mode.

My ISP says there's nothing wrong. I say they're dorks, but to make sure of that, I want some feedback on whether any of this is on me or if it's on my ISP and their possibly faulty hardware. All I can do is a dhcp request which succeeds. Why? I am truly baffled.

Here's the information you guys like to ask for:
http://www.nanovox.com/~steve/shorewall.txt

Any help will be much appreciated.

Steve
Steven Kiehl wrote:
> I've been using shorewall for a few months now on a Fedora Core 4 box
> with an intel e100 nic. Everything was fun until tonight. While I
> was uploading a file via ssh the connection dropped and I couldn't
> access any services on the box. I connected to it on a serial console
> and everything looked fine. Shorewall was running and everything, now
> I can't access the internet at all.
>
>
> Here's the information you guys like to ask for:
> http://www.nanovox.com/~steve/shorewall.txt
>
> Any help will be much appreciated.
>
> Steve
>

[root@argon shorewall]# ip addr show
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:11:57:a9:82 brd ff:ff:ff:ff:ff:ff
    inet 82.165.182.175/32 brd 82.165.182.175 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
[root@argon shorewall]# ip route show
10.255.255.1 via 10.255.255.1 dev eth0
169.254.0.0/16 dev eth0 scope link

You don't have a default gateway, and the DHCP request you mention was not successful at all, you got the DHCP autoconfig default address.

Check your distribution network scripts, and if you use DHCP make sure you have the "DHCP" option set on eth0 (/etc/shorewall/interfaces).
I do have dhcp set up properly. See here:

/etc/shorewall/interfaces:
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTION
net     eth0            detect          dhcp,routefilter,norfc1918,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

And /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp

And when I run dhclient on eth0:
Listening on LPF/eth0/00:11:11:57:a9:82
Sending on   LPF/eth0/00:11:11:57:a9:82
Sending on   Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPACK from 82.165.237.249
bound to 82.165.182.175 -- renewal in 80261 seconds.

There's absolutely no hits listed in the messages, but I'm still not able to access the internet. Every service I try that uses dns keeps saying "Temporary failure in name resolution". Everything was working fine until last night. None of the shorewall files have been altered since December 14th aside from the rules which wasn't altered since last week.

Any more ideas?

Thanks,
Steve
On Monday 13 March 2006 21:55, Cristian Rodriguez wrote:
> Steven Kiehl wrote:
> > I've been using shorewall for a few months now on a Fedora Core 4 box
> > with an intel e100 nic. Everything was fun until tonight. While I
> > was uploading a file via ssh the connection dropped and I couldn't
> > access any services on the box. I connected to it on a serial console
> > and everything looked fine. Shorewall was running and everything, now
> > I can't access the internet at all.
> >
> >
> > Here's the information you guys like to ask for:
> > http://www.nanovox.com/~steve/shorewall.txt
> >
> > Any help will be much appreciated.
> >
> > Steve
>
> [root@argon shorewall]# ip addr show
> 1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:11:57:a9:82 brd ff:ff:ff:ff:ff:ff
>     inet 82.165.182.175/32 brd 82.165.182.175 scope global eth0
> 2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> [root@argon shorewall]# ip route show
> 10.255.255.1 via 10.255.255.1 dev eth0
> 169.254.0.0/16 dev eth0 scope link
>
>
> You don't have a default gateway, and the DHCP request you mention was not
> successful at all, you got the DHCP autoconfig default address.

The first part is true -- there is no default gateway. The second part is false; eth0 has IP address 82.165.182.175/32 which isn't a DHCP autoconfig address. There is a route to the autoconfig network through eth0 but that has been true with most Linux distributions for some time.

This sure looks like a problem with your ISP's DHCP server configuration.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Tuesday 14 March 2006 06:07, Steven Kiehl wrote:
> I do have dhcp set up properly. See here:
>
> /etc/shorewall/interfaces:
> ###############################################################################
> #ZONE   INTERFACE       BROADCAST       OPTION
> net     eth0            detect          dhcp,routefilter,norfc1918,tcpflags
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> And /etc/sysconfig/network-scripts/ifcfg-eth0:
> DEVICE=eth0
> ONBOOT=yes
> BOOTPROTO=dhcp
>
> And when I run dhclient on eth0:
> Listening on LPF/eth0/00:11:11:57:a9:82
> Sending on   LPF/eth0/00:11:11:57:a9:82
> Sending on   Socket/fallback
> DHCPREQUEST on eth0 to 255.255.255.255 port 67
> DHCPACK from 82.165.237.249
> bound to 82.165.182.175 -- renewal in 80261 seconds.
>
> There's absolutely no hits listed in the messages, but I'm still not
> able to access the internet. Every service I try that uses dns keeps
> saying "Temporary failure in name resolution". Everything was working
> fine until last night. None of the shorewall files have been altered
> since December 14th aside from the rules which wasn't altered since
> last week.

You can always eliminate Shorewall from the mix by doing "shorewall clear". But as I said in an earlier post, this looks like a problem with your ISP's DHCP server. You might try releasing the address and then trying to get another one (dhclient -r then run again as you normally do) to see if that helps.

Because the DHCP server is assigning you a netmask of 255.255.255.255, even if the server specifies a default gateway, dhclient can't add the default route because your system has no route to any addresses at your ISP!

-Tom
On Tuesday 14 March 2006 08:36, Steven Kiehl wrote:
> I spoke with someone else who has a server on the same ISP and they
> said that the output of netstat -rn lists the following for them:
>
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.255.255.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> 0.0.0.0         10.255.255.1    0.0.0.0         UG        0 0          0 eth0
>
> For me, netstat -rn lists only:
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 10.255.255.1    10.255.255.1    255.255.255.255 UGH       0 0          0 eth0
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
>
> How can I add that third route in? Is that supposed to be automatic
> from the dhcp request? I tried doing something like:
> ip route add default via 10.255.255.1 dev eth0
> but I get the error "network unreachable" when I try to do that. I
> don't think I got the syntax right.

You got the syntax right -- I don't believe that what they told you is a valid interface configuration. It is saying that the firewall is its own default gateway!

-Tom

PS - Please keep the thread on the list.
On Tuesday 14 March 2006 08:46, Tom Eastep wrote:
> On Tuesday 14 March 2006 08:36, Steven Kiehl wrote:
> > I spoke with someone else who has a server on the same ISP and they
> > said that the output of netstat -rn lists the following for them:
> >
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 10.255.255.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> > 0.0.0.0         10.255.255.1    0.0.0.0         UG        0 0          0 eth0
> >
> > For me, netstat -rn lists only:
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 10.255.255.1    10.255.255.1    255.255.255.255 UGH       0 0          0 eth0
> > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> >
> > How can I add that third route in? Is that supposed to be automatic
> > from the dhcp request? I tried doing something like:
> > ip route add default via 10.255.255.1 dev eth0
> > but I get the error "network unreachable" when I try to do that. I
> > don't think I got the syntax right.
>
> You got the syntax right -- I don't believe that what they told you is a
> valid interface configuration. It is saying that the firewall is its own
> default gateway!
>

I'm assuming that 10.255.255.1 is also the IP address assigned to eth0, right?

-Tom
On Tuesday 14 March 2006 09:21, Tom Eastep wrote:
> On Tuesday 14 March 2006 08:46, Tom Eastep wrote:
> > On Tuesday 14 March 2006 08:36, Steven Kiehl wrote:
> > > I spoke with someone else who has a server on the same ISP and they
> > > said that the output of netstat -rn lists the following for them:
> > >
> > > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > > 10.255.255.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> > > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> > > 0.0.0.0         10.255.255.1    0.0.0.0         UG        0 0          0 eth0
> > >
> > > For me, netstat -rn lists only:
> > > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > > 10.255.255.1    10.255.255.1    255.255.255.255 UGH       0 0          0 eth0
> > > 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
> > >
> > > How can I add that third route in? Is that supposed to be automatic
> > > from the dhcp request? I tried doing something like:
> > > ip route add default via 10.255.255.1 dev eth0
> > > but I get the error "network unreachable" when I try to do that. I
> > > don't think I got the syntax right.
> >
> > You got the syntax right -- I don't believe that what they told you is a
> > valid interface configuration. It is saying that the firewall is its own
> > default gateway!
>
> I'm assuming that 10.255.255.1 is also the IP address assigned to eth0,
> right?

And if they are really assigning you a 10.x.x.x default gateway, you want to remove 'norfc1918' from the eth0 entry in /etc/shorewall/interfaces.

Again, I would disable Shorewall until you get this working. Do a "shorewall clear" then take the steps necessary to ensure that Shorewall doesn't start at boot time (distribution-specific; on FC, RedHat and Suse, you can "chkconfig --level 35 shorewall off").

-Tom
----- Original Message -----
Subject: Re: [Shorewall-users] Network just stopped working

>I do have dhcp set up properly. See here:

Check "/var/lib/dhcp/dhclient-eth0.leases" for the latest isp supplied info. That should help narrow down the cause of the issue, and at least find out what network info is being supplied. That info, from the isp's dhcp server, might be incorrect and the cause of your issue.

This is what mine looks like:

lease {
  interface "eth2";
  fixed-address 24.78.192.127;
  option subnet-mask 255.255.254.0;
  option routers 24.78.192.1;
  option dhcp-lease-time 101423;
  option dhcp-message-type 5;
  option domain-name-servers 64.59.176.13,64.59.176.15;
  option dhcp-server-identifier 64.59.176.40;
  option broadcast-address 255.255.255.255;
  option host-name "S010600104b708418";
  option domain-name "wp.shawcable.net";
  renew 2 2006/3/14 22:22:42;
  rebind 3 2006/3/15 10:54:21;
  expire 3 2006/3/15 14:25:39;
}

Might want to post the last entry in that file and maybe we can spot something out of place.

I use FC4 also, not many issues, until you need to use 2 or more gateways, but that is off topic at the moment.

>
>/etc/shorewall/interfaces:
>###############################################################################
>#ZONE   INTERFACE       BROADCAST       OPTION
>net     eth0            detect          dhcp,routefilter,norfc1918,tcpflags
>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>And /etc/sysconfig/network-scripts/ifcfg-eth0:
>DEVICE=eth0
>ONBOOT=yes
>BOOTPROTO=dhcp

Did you set "GATEWAYDEV=eth0" in the /etc/sysconfig/network file? dhclient sources that file looking for "GATEWAYDEV", and with the ifcfg-eth* files, for "GATEWAY". Check out the /sbin/dhclient-script file for what dhclient is really doing.

>And when I run dhclient on eth0:
>Listening on LPF/eth0/00:11:11:57:a9:82
>Sending on   LPF/eth0/00:11:11:57:a9:82
>Sending on   Socket/fallback
>DHCPREQUEST on eth0 to 255.255.255.255 port 67
>DHCPACK from 82.165.237.249
>bound to 82.165.182.175 -- renewal in 80261 seconds.
>

Without having the above entry in the /etc/sysconfig/network file, a default gateway doesn't get added to the routing for that interface, but I can't recall if a network route should be created for that ip/subnetmask.

Hoping it is just that simple to fix, and my 2 cents worth.

Jerry
My last lease shows the following:

lease {
  interface "eth0";
  fixed-address 82.165.182.175;
  filename "/pxelinux.0";
  option subnet-mask 255.255.255.255;
  option static-routes 10.255.255.1 10.255.255.1;
  option routers 10.255.255.1;
  option dhcp-lease-time 172800;
  option dhcp-message-type 5;
  option domain-name-servers 82.165.182.251,195.20.224.234,195.20.224.99;
  option dhcp-server-identifier 82.165.237.249;
  option broadcast-address 82.165.182.175;
  option domain-name "onlinehome-server.com";
  renew 3 2006/3/15 14:14:04;
  rebind 4 2006/3/16 12:15:35;
  expire 4 2006/3/16 18:15:35;
}

Should I just remove the static-routes from the dhclient-eth0.conf request?
I don't have GATEWAYDEV or GATEWAY specified in my ifcfg-eth0.
Hm... upgraded dhclient to the latest stable and that fixed things. ifdown eth0 and ifup eth0 no longer foobar my routing table. However... I do end up with a pointless error message now:

[root@argon dhclient]# ifup eth0

Determining IP information for eth0...RTNETLINK answers: File exists
 done.
[root@argon dhclient]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.255.255.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         10.255.255.1    0.0.0.0         UG        0 0          0 eth0
[root@argon dhclient]#
----- Original Message -----
>Hm... upgraded dhclient to the latest stable and that fixed things.
>ifdown eth0 and ifup eth0 no longer foobar my routing table.
>However... I do end up with a pointless error message now:
>
>[root@argon dhclient]# ifup eth0
>
>Determining IP information for eth0...RTNETLINK answers: File exists
> done.

Think it is trying to add the route to 10.255.255.1, but it is already present, ifup should really use 'replace' instead of 'add' here. I don't think that error should harm anything.

>[root@argon dhclient]# netstat -rn
>Kernel IP routing table
>Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>10.255.255.1    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
>169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
>0.0.0.0         10.255.255.1    0.0.0.0         UG        0 0          0 eth0
>[root@argon dhclient]#

I just don't see 82.165.182.175 anywhere.
What does "ip addr show" give you?
Does everything work now?

Jerry
Here's how things look now in addr and route. All my services now work and my web server works, and dig google.com works. I sigh in relief that I don't have to reimage the server. Thanks guys.

[root@argon site]# ip addr show
1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:11:11:57:a9:82 brd ff:ff:ff:ff:ff:ff
    inet 82.165.182.175/32 brd 82.165.182.175 scope global eth0
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
[root@argon site]# ip route show
10.255.255.1 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
default via 10.255.255.1 dev eth0
On Tuesday 14 March 2006 11:08, Steven Kiehl wrote:
> Here's how things look now in addr and route. All my services now
> work and my web server works, and dig google.com works. I sigh in
> relief that I don't have to reimage the server. Thanks guys.
>
> [root@argon site]# ip addr show
> 1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:11:11:57:a9:82 brd ff:ff:ff:ff:ff:ff
>     inet 82.165.182.175/32 brd 82.165.182.175 scope global eth0

dhclient really shouldn't be configuring a broadcast address on this link. Be sure to place "-" in the BROADCAST column of eth0's /etc/shorewall/interfaces entry.

-Tom
On Tuesday 14 March 2006 12:31, Tom Eastep wrote:
> On Tuesday 14 March 2006 11:08, Steven Kiehl wrote:
> > Here's how things look now in addr and route. All my services now
> > work and my web server works, and dig google.com works. I sigh in
> > relief that I don't have to reimage the server. Thanks guys.
> >
> > [root@argon site]# ip addr show
> > 1: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> >     link/ether 00:11:11:57:a9:82 brd ff:ff:ff:ff:ff:ff
> >     inet 82.165.182.175/32 brd 82.165.182.175 scope global eth0
>
> dhclient really shouldn't be configuring a broadcast address on this link.

From looking at the lease information you posted earlier, it looks like the DHCP server is pushing that broadcast address and dhclient is just doing what it's told.

-Tom
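
Editorial example added to this archive page, not part of any message in the thread: a Python sketch of why the /32 lease left the box without a default route, and of the two routes the working table ends up with. The lease options and `ip route show` output are copied from the posts above; the function names are this example's own, and it uses `ip route replace`, as suggested in the thread, so a re-run does not hit "File exists".

```python
import ipaddress
import re

# Lease options copied from the two leases posted in this thread.
STEVEN_LEASE = """lease {
  interface "eth0";
  fixed-address 82.165.182.175;
  option subnet-mask 255.255.255.255;
  option static-routes 10.255.255.1 10.255.255.1;
  option routers 10.255.255.1;
}"""
JERRY_LEASE = """lease {
  interface "eth2";
  fixed-address 24.78.192.127;
  option subnet-mask 255.255.254.0;
  option routers 24.78.192.1;
}"""

# `ip route show` output copied from the thread, before and after the fix.
BROKEN_ROUTES = """10.255.255.1 via 10.255.255.1 dev eth0
169.254.0.0/16 dev eth0 scope link"""
WORKING_ROUTES = """10.255.255.1 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
default via 10.255.255.1 dev eth0"""


def parse_lease(text):
    """Pull interface, address, netmask and routers out of one lease block."""
    def grab(pattern):
        match = re.search(pattern, text)
        return match.group(1) if match else None

    routers = grab(r"option routers ([\d.,\s]+);")
    return {
        "interface": grab(r'interface "([^"]+)";'),
        "address": grab(r"fixed-address ([\d.]+);"),
        "netmask": grab(r"option subnet-mask ([\d.]+);"),
        "routers": [r.strip() for r in routers.split(",")] if routers else [],
    }


def connected_network(lease):
    """Network the kernel treats as directly attached for this lease."""
    iface = ipaddress.ip_interface(f"{lease['address']}/{lease['netmask']}")
    return iface.network


def route_plan(lease):
    """iproute2 commands that give the lease a usable default route."""
    if not lease["routers"]:
        return []
    dev, gateway = lease["interface"], lease["routers"][0]
    plan = []
    if ipaddress.ip_address(gateway) not in connected_network(lease):
        # Off-link gateway (the /32 case): it needs its own host route on
        # the device before the kernel accepts it as a next hop.
        plan.append(f"ip route replace {gateway} dev {dev} scope link")
    plan.append(f"ip route replace default via {gateway} dev {dev}")
    return plan


def diagnose(routes_text, lease):
    """Compare `ip route show` output with what the lease needs."""
    if not lease["routers"]:
        return ["lease offers no router"]
    gateway = ipaddress.ip_address(lease["routers"][0])
    has_default = gateway_on_link = False
    for line in routes_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":
            has_default = True
            continue
        try:
            dest = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "broadcast"
        # A route only makes the gateway on-link if it has no next hop.
        if gateway in dest and "via" not in fields:
            gateway_on_link = True
    findings = []
    if not gateway_on_link:
        findings.append(f"gateway {gateway} is not reachable on-link")
    if not has_default:
        findings.append("no default route")
    return findings


if __name__ == "__main__":
    lease = parse_lease(STEVEN_LEASE)
    print(diagnose(BROKEN_ROUTES, lease))
    print("\n".join(route_plan(lease)))
```
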
I'm having another problem now. My two servers won't talk to each other. They can ping each other but they won't actually connect. So ICMP traffic is working between them, but nothing udp or tcp related seems to work. I had earlier run "shorewall allow 24.195.175.238" to make sure that shorewall wasn't just blocking traffic to the two, but now it seems to be doing just the opposite even after restarting shorewall and such and finding no references to the ip address in the shorewall configs. Why would these two servers not talk to each other? I can walk across the room to a different desktop and access both servers just fine, but the two won't talk together. Is there a way to remove the explicit allow from shorewall so that it treats all hosts equally?

I don't want to just set up a route to the 24. machine, because it's got a dynamic ip address.

- Steve
On Tuesday 14 March 2006 22:16, Steven Kiehl wrote:
> I'm having another problem now. My two servers won't talk to each
> other. They can ping each other but they won't actually connect. So
> ICMP traffic is working between them, but nothing udp or tcp related
> seems to work. I had earlier run "shorewall allow 24.195.175.238" to
> make sure that shorewall wasn't just blocking traffic to the two

You clearly don't understand what "shorewall allow" does.

> but
> now it seems to be doing just the opposite even after restarting
> shorewall and such and finding no references to the ip address in the
> shorewall configs. Why would these two servers not talk to each
> other? I can walk across the room to a different desktop and access
> both servers just fine, but the two won't talk together. Is there a
> way to remove the explicit allow from shorewall so that it treats all
> hosts equally?
>
> I don't want to just set up a route to the 24. machine, because it's
> got a dynamic ip address.

Steven -- take a deep breath then ask yourself - "If I just read the above problem description, would I have any clue whatsoever:

a) what the network topology is?
b) where the servers just mentioned are located relative to the firewall?
c) how the servers could have 24.x.x.x addresses when all day yesterday, we discussed a problem that had nothing to do with that network?"

So until we get a problem report that says something other than "Something doesn't work" and gives the details we need, we can't help you.

-Tom