This probably isn't a Shorewall-specific issue, but I don't really know where to direct it.

I have a Shorewall box that has a DMZ interface that proxyarps a few public IPs for some servers. The servers are a mix of Windows 2000 and 2003. The servers have a mix of Intel and 3com network cards that are plugged into the DMZ switch. The DMZ switch is an unmanaged 24 port Dell 2124 (I think). The DMZ interface in the Shorewall box is a plain vanilla 3com 10/100 nic.

The problem occurs when I reboot or disable/re-enable the nic of one of the Windows servers connected to the DMZ switch. Each Windows system complains that "there is another device on the network occupying the IP address x.x.x.x". The MAC address listed as the offender is the MAC of the DMZ interface on the firewall.

In order to get those public interfaces initialized, I have to stop Shorewall (thereby disabling Proxyarp for the DMZ interface entirely), start or initialize the public interface on the Windows server, and then start Shorewall back up. This is the only way I can get a proxyarp'd host to not detect an IP address conflict when connecting to the DMZ network.

I've got lots of other Shorewall boxes with similar to identical uses of Proxyarp, and I've *never* seen this problem on any of them. Any idea what causes this or how to fix it? If not, does anyone know where to direct me to research it further... since this probably isn't a problem with Shorewall itself.

Thanks!
List Receiver wrote:
> I've got lots of other Shorewall boxes with similar to identical uses
> of Proxyarp, and I've *never* seen this problem on any of them. Any
> idea what causes this or how to fix it? If not, does anyone know where
> to direct me to research it further... since this probably isn't a
> problem with Shorewall itself.

The reason that this would happen is that the Shorewall box is responding to ARP who-has requests from systems in the DMZ for other systems in the DMZ.

I might be able to tell more if you post the output of "shorewall dump".

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> The reason that this would happen is that the Shorewall box is
> responding to ARP who-has requests from systems in the DMZ for other
> systems in the DMZ.
>
> I might be able to tell more if you post the output of "shorewall dump".

And if you do post the dump, please include the IP address of one of the Windows systems that is presenting the problem.

-Tom
Sure,

Attached is the dump. Both the .117 and the .115 addresses are Windows boxes with the problems. I haven't put any more systems on the DMZ until I can solve this issue.

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, May 09, 2006 10:55 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Proxyarp'd host detects IP address conflict

Tom Eastep wrote:
> The reason that this would happen is that the Shorewall box is
> responding to ARP who-has requests from systems in the DMZ for other
> systems in the DMZ.
>
> I might be able to tell more if you post the output of "shorewall dump".

And if you do post the dump, please include the IP address of one of the Windows systems that is presenting the problem.

-Tom
List Receiver wrote:
> Sure,
>
> Attached is the dump. Both the .117 and the .115 addresses are Windows
> boxes with the problems. I haven't put any more systems on the DMZ
> until I can solve this issue.

You are going to have to define the routes to these hosts on eth0 before starting Shorewall (use Yast2) and you are going to have to set the HAVEROUTE column in /etc/shorewall/proxyarp to Yes.

-Tom
Tom Eastep wrote:
> List Receiver wrote:
>
>> Sure,
>>
>> Attached is the dump. Both the .117 and the .115 addresses are Windows
>> boxes with the problems. I haven't put any more systems on the DMZ
>> until I can solve this issue.
>
> You are going to have to define the routes to these hosts on eth0 before
> starting Shorewall (use Yast2) and you are going to have to set the
> HAVEROUTE column in /etc/shorewall/proxyarp to Yes.

I should warn you that the above is just a guess -- but I think the reason this is happening is because .117 and .115 aren't present in the DMZ routing table.

-Tom
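A way to confirm the mechanism Tom describes before touching the routing table, as an added example that is not part of the list thread: parse `tcpdump -e -n arp` style output from the DMZ segment and flag addresses whose own gratuitous ARP probe (who-has X tell X) was answered by the firewall's DMZ MAC. The log lines, MAC addresses and 203.0.113.0/24 addresses below are constructed placeholders; the firewall MAC is whatever the Windows box names as the "other device".

```python
"""Added example: find DMZ addresses for which the firewall's DMZ interface
answered a host's own ARP probe.  Not code from the Shorewall project.

Windows 2000/2003 sends a gratuitous ARP ("who-has X tell X") when an
interface comes up; any reply from a different MAC triggers the
"another device ... occupying the IP address" message.  In the thread
that extra responder was the firewall doing proxy ARP on the DMZ side.
All log lines, MACs and addresses here are constructed."""
import re
from collections import defaultdict

# Constructed lines in the shape of `tcpdump -e -n arp` output.
ARP_LOG = """\
10:55:01.000001 00:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.117 tell 203.0.113.117, length 46
10:55:01.000230 00:aa:bb:cc:dd:f0 > 00:aa:bb:cc:dd:01, ethertype ARP (0x0806), length 60: Reply 203.0.113.117 is-at 00:aa:bb:cc:dd:f0, length 46
10:55:02.000001 00:aa:bb:cc:dd:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.116 tell 203.0.113.115, length 46
10:55:02.000180 00:aa:bb:cc:dd:03 > 00:aa:bb:cc:dd:02, ethertype ARP (0x0806), length 60: Reply 203.0.113.116 is-at 00:aa:bb:cc:dd:03, length 46
"""

REPLY_RE = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")
PROBE_RE = re.compile(r"Request who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def responders(log):
    """Map each IP seen in an ARP reply to the set of MACs claiming it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen


def self_probes(log):
    """IPs that sent a gratuitous probe for their own address."""
    return {m.group(1) for m in map(PROBE_RE.search, log.splitlines())
            if m and m.group(1) == m.group(2)}


def conflicts(log, firewall_mac):
    """Probed IPs that the firewall's DMZ MAC answered for.  A non-empty
    result is the symptom from the thread; Tom's suggested fix was a
    route to the host on the DMZ interface plus HAVEROUTE=Yes in
    /etc/shorewall/proxyarp, so the kernel stops proxying it there."""
    probed = self_probes(log)
    return sorted(ip for ip, macs in responders(log).items()
                  if ip in probed and firewall_mac in macs)


if __name__ == "__main__":
    print(conflicts(ARP_LOG, "00:aa:bb:cc:dd:f0"))
```

Run it against a real capture by replacing ARP_LOG with the captured text; an empty list after the route and HAVEROUTE change means the firewall no longer answers for that host on the DMZ segment.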
Hello:

Last year I set up Shorewall and tested it. I was happy with its performance. Now I am in the process of setting up a new system with load balancing. There will be two load balancing servers; one primary and another standby. (I am still reading and am undecided which load balancing software to use). The OS will be CentOS 4.3. I have read that there is a good firewall built into CentOS 4.3. So I have the following questions (for those who are familiar with CentOS and Load Balancing):

(1) Should I use Shorewall Firewall or just use CentOS 4.3,
(2) If the answer is YES (use Shorewall), then is it possible to have both Shorewall & Load balancing software on the same box.

If any one wants me to draw the setup, I will be happy to do that. If somebody has done a similar setup and is willing to help off this list, please let me know.

Thanks.

Kirti
This is what you said Kirti S. Bajwa
> Hello:
>
> (1) Should I use Shorewall Firewall or just use CentOS 4.3,

I have had good success with Shorewall and CentOS 4.3 x86-64. What firewall is built into Shorewall? I assumed it was just using the normal iptables based packet filter.

> (2) If the answer is YES (use Shorewall), then is it possible to have both
> Shorewall & Load balancing software on the same box.

Shorewall is just an easier method for configuring iptables. Once it runs its scripts and manipulates iptables Shorewall is done. No process is left running in memory. If your Load balance software works with iptables it should work with shorewall.

> If any one wants me to draw the setup, I will be happy to do that. If
> somebody has done a similar setup and is willing to help off this list,
> please let me know.

My configuration is simple and is based on a 3-interface setup. I have never configured load balancing, so my input would not be valuable.