deya@ozemail.com.au
2003-Aug-12 14:45 UTC
[Shorewall-announce] Shorewall Keeps sending false IP Address Conflict
Dear All,

After installing Shorewall, on a router with 4 NIC, seems running ok. Next day, when connecting from clients (MS), we keep getting IP conflict for non-conflicting IP addresses.

Any help is appreciated.

Details of Startup:

+ shift
+ nolock=
+ '[' 1 -gt 1 ']'
+ trap 'my_mutex_off; exit 2' 1 2 3 4 5 6 9
+ command=start
+ '[' 1 -ne 1 ']'
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version=
+ FW=
+ SUBSYSLOCK=
+ STATEDIR=
+ ALLOWRELATED=Yes
+ LOGRATE=
+ LOGBURST=
+ LOGPARMS=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ TC_ENABLED=
+ LOGUNCLEAN=
+ BLACKLIST_DISPOSITION=
+ BLACKLIST_LOGLEVEL=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ NAT_BEFORE_RULES=
+ DETECT_DNAT_IPADDRS=
+ MUTEX_TIMEOUT=
+ NEWNOTSYN=
+ LOGNEWNOTSYN=
+ FORWARDPING=
+ MACLIST_DISPOSITION=
+ MACLIST_LOG_LEVEL=
+ TCP_FLAGS_DISPOSITION=
+ TCP_FLAGS_LOG_LEVEL=
+ RFC1918_LOG_LEVEL=
+ MARK_IN_FORWARD_CHAIN=
+ SHARED_DIR=/usr/share/shorewall
+ FUNCTIONS=
+ VERSION_FILE=
+ LOGFORMAT=
+ LOGRULENUMBERS=
+ stopping=
+ have_mutex=
+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add=
+ TMP_DIR=/tmp/shorewall-25579
+ rm -rf /tmp/shorewall-25579
+ mkdir -p /tmp/shorewall-25579
+ chmod 700 /tmp/shorewall-25579
+ trap 'rm -rf /tmp/shorewall-25579; my_mutex_off; exit 2' 1 2 3 4 5 6 9
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Restarting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Available
Determining Zones...
   Zones: net wst dmz svr
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
   Local-Wst Zone: eth2:0.0.0.0/0
   DMZ Zone: eth1:0.0.0.0/0
   Local-Srv Zone: eth3:0.0.0.0/0
Processing /etc/shorewall/init ...
Deleting user chains...
Creating Interface Chains...
Configuring Proxy ARP
   Host 81.10.4.178 connected to eth0 added to ARP on eth0
   Host 81.10.4.178 connected to eth0 added to ARP on eth3
   Host 192.168.2.3 connected to eth1 added to ARP on eth3
Setting up NAT...
Adding Common Rules
/usr/share/shorewall/firewall: line 1: /etc/shorewall/common.def: Permission denied
Enabling RFC1918 Filtering
Setting up TCP Flags checking...
Setting up Blacklisting...
   Blacklisting enabled on eth0
Setting up Kernel Route Filtering...
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Processing /etc/shorewall/rules...
   Rule "ACCEPT svr svr icmp 8" added.
   Rule "ACCEPT svr dmz tcp 21,23,25,110" added.
   Rule "ACCEPT svr dmz icmp 8" added.
   Rule "ACCEPT wst net icmp echo-request" added.
   Rule "ACCEPT svr net icmp echo-request" added.
   Rule "ACCEPT svr fw icmp 8" added.
   Rule "ACCEPT dmz net udp domain" added.
   Rule "ACCEPT dmz svr tcp ftp" added.
   Rule "ACCEPT dmz net tcp ntp" added.
   Rule "DNAT net dmz:192.168.2.3 tcp smtp" added.
Processing /etc/shorewall/policy...
   Policy ACCEPT for fw to svr using chain fw2svr
   Policy ACCEPT for net to dmz using chain net2dmz
   Policy ACCEPT for wst to net using chain wst2net
   Policy REJECT for dmz to net using chain all2all
   Policy REJECT for dmz to svr using chain all2all
   Policy ACCEPT for svr to fw using chain svr2fw
   Policy ACCEPT for svr to net using chain svr2net
   Policy ACCEPT for svr to wst using chain svr2wst
   Policy ACCEPT for svr to dmz using chain svr2dmz
   Policy ACCEPT for svr to svr using chain svr2svr
Masqueraded Subnets and Hosts:
   To 0.0.0.0/0 from 192.168.168.0/24 through eth0 using 81.10.4.178
   To 0.0.0.0/0 from 192.168.2.0/24 through eth0 using 81.10.4.178
Processing /etc/shorewall/tos...
   Rule "all all tcp - ssh 16" added.
   Rule "all all tcp ssh - 16" added.
   Rule "all all tcp - ftp 16" added.
   Rule "all all tcp ftp - 16" added.
   Rule "all all tcp ftp-data - 8" added.
   Rule "all all tcp - ftp-data 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Adding IP Addresses...
Processing /etc/shorewall/start ...
Shorewall Restarted

Details of log trace:

+ shift
+ nolock=
+ '[' 1 -gt 1 ']'
+ trap 'my_mutex_off; exit 2' 1 2 3 4 5 6 9
+ command=start
+ '[' 1 -ne 1 ']'
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version=
+ FW=
+ SUBSYSLOCK=
+ STATEDIR=
+ ALLOWRELATED=Yes
+ LOGRATE=
+ LOGBURST=
+ LOGPARMS=
+ ADD_IP_ALIASES=
+ ADD_SNAT_ALIASES=
+ TC_ENABLED=
+ LOGUNCLEAN=
+ BLACKLIST_DISPOSITION=
+ BLACKLIST_LOGLEVEL=
+ CLAMPMSS=
+ ROUTE_FILTER=
+ NAT_BEFORE_RULES=
+ DETECT_DNAT_IPADDRS=
+ MUTEX_TIMEOUT=
+ NEWNOTSYN=
+ LOGNEWNOTSYN=
+ FORWARDPING=
+ MACLIST_DISPOSITION=
+ MACLIST_LOG_LEVEL=
+ TCP_FLAGS_DISPOSITION=
+ TCP_FLAGS_LOG_LEVEL=
+ RFC1918_LOG_LEVEL=
+ MARK_IN_FORWARD_CHAIN=
+ SHARED_DIR=/usr/share/shorewall
+ FUNCTIONS=
+ VERSION_FILE=
+ LOGFORMAT=
+ LOGRULENUMBERS=
+ stopping=
+ have_mutex=
+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add=
+ TMP_DIR=/tmp/shorewall-25579
+ rm -rf /tmp/shorewall-25579
+ mkdir -p /tmp/shorewall-25579
+ chmod 700 /tmp/shorewall-25579
+ trap 'rm -rf /tmp/shorewall-25579; my_mutex_off; exit 2' 1 2 3 4 5 6 9
"/tmp/trace" 902L, 24038C

The network is a router running RH 9.0, connected to four networks:

1. WAN External IP.
2. DMZ (192.168.2.X)
3. NET B (192.168.11.x)
4. NET C (192.168.168.x)

The setup is complete, and seems to be working. But it seems something is wrong with my setup, that after some time, all the client machines started to get IP conflict and they get disconnected from the network immediately, where they have to reconnect again.

All clients connected to the router, with net C (didn't yet connect any computer to net B), keep getting the IP conflict, even if I change to any other IP (tried even to change it to 192.168.7.7, just any other network, but still get the same error).

I am not sure where to look or where to start changing things. Using 255.255.255.0 for all the interfaces.

Appreciate your help.
Tom Eastep
2003-Aug-12 15:24 UTC
[Shorewall-announce] Shorewall Keeps sending false IP Address Conflict
On Tue, 2003-08-12 at 14:45, deya@ozemail.com.au wrote:

> Dear All,
>
> After installing Shorewall, on a router with 4 NIC, seems running ok.
> Next day, when connecting from clients, (MS) we keep getting ip conflict for non-conflicting ip addresses.
>
> Any help is appreciated.
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Restarting Shorewall...
> Loading Modules...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Available
> Determining Zones...
>    Zones: net wst dmz svr
> Validating interfaces file...
> Validating hosts file...
> Validating Policy file...
> Determining Hosts in Zones...
>    Net Zone: eth0:0.0.0.0/0
>    Local-Wst Zone: eth2:0.0.0.0/0
>    DMZ Zone: eth1:0.0.0.0/0
>    Local-Srv Zone: eth3:0.0.0.0/0
> Processing /etc/shorewall/init ...
> Deleting user chains...
> Creating Interface Chains...
> Configuring Proxy ARP
>    Host 81.10.4.178 connected to eth0 added to ARP on eth0
>    Host 81.10.4.178 connected to eth0 added to ARP on eth3
>    Host 192.168.2.3 connected to eth1 added to ARP on eth3
> Setting up NAT...
> Adding Common Rules
> /usr/share/shorewall/firewall: line 1: /etc/shorewall/common.def: Permission denied

The above is a problem -- You need to correct the permissions for that file.

> Masqueraded Subnets and Hosts:
>    To 0.0.0.0/0 from 192.168.168.0/24 through eth0 using 81.10.4.178
>    To 0.0.0.0/0 from 192.168.2.0/24 through eth0 using 81.10.4.178

Can you explain to me your Proxy ARP strategy? You are adding an ARP entry on an interface that apparently already has that IP address. And why are you adding 81.10.4.178 on eth3? Ditto 192.168.2.3? I'm asking because IP address conflict is detected by doing an ARP "who-has" of your own address and seeing if anyone answers.

Also, do you have more than one of your firewall interfaces connected to the same HUB/SWITCH as eth3?

Please forward the output from the following commands:

a) arp -na
b) route -n
c) for f in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo $f; cat $f; done

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
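The mechanism Tom describes above (a client ARPs for its own address and declares a conflict if anyone, including a proxy-ARP firewall, answers) can be modelled offline. The following is an added example, not code from the thread or from the Shorewall project. It encodes the Linux proxy-ARP rule as I understand it: a box with proxy_arp enabled on the inbound interface answers a who-has for any target it has a route to via a *different* interface, and it also answers for its own addresses and for entries published with `arp -Ds ... pub`. The routing table, the firewall's interface addresses, which interfaces have proxy_arp set, and the `ADDRESS INTERFACE EXTERNAL` reading of the three proxy ARP lines in the trace are all assumptions constructed for the example; run Tom's three commands on the real box to get the real values.

```python
import ipaddress

# Constructed model of the four-NIC router in the thread (assumptions):
# default route via eth0, DMZ on eth1, net B on eth2, net C on eth3.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("192.168.2.0/24", "eth1"),
    ("192.168.11.0/24", "eth2"),
    ("192.168.168.0/24", "eth3"),
]

# Same router, but with net C cabled to the switch eth3 is on while the
# kernel still routes 192.168.168.0/24 out eth2 (Tom's "same hub" question).
MISWIRED_ROUTES = [(p, "eth2" if p == "192.168.168.0/24" else d) for p, d in ROUTES]

# Assumed firewall addresses; 81.10.4.178 is the only one the trace shows.
LOCAL_ADDRS = {"81.10.4.178": "eth0", "192.168.2.1": "eth1",
               "192.168.11.1": "eth2", "192.168.168.1": "eth3"}

# Assumed: proxy_arp ends up enabled on the interfaces the trace "added to ARP on".
PROXY_ARP = {"eth0": 1, "eth1": 0, "eth2": 0, "eth3": 1}

# The three lines from the trace read as Shorewall proxyarp columns
# (ADDRESS, INTERFACE, EXTERNAL); this column reading is an assumption.
PROXYARP_ENTRIES = [
    ("81.10.4.178", "eth0", "eth0"),
    ("81.10.4.178", "eth0", "eth3"),
    ("192.168.2.3", "eth1", "eth3"),
]
# "arp -i EXTERNAL -Ds ADDRESS EXTERNAL pub" publishes ADDRESS on EXTERNAL.
PUBLISHED = {(addr, ext) for addr, _iface, ext in PROXYARP_ENTRIES}


def route_lookup(target, routes):
    """Longest-prefix match; returns the output interface or None."""
    t = ipaddress.ip_address(target)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if t in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def will_answer_who_has(target, in_dev, routes=ROUTES, local=LOCAL_ADDRS,
                        proxy=PROXY_ARP, published=PUBLISHED):
    """Would the firewall reply to 'who-has <target>' received on in_dev?

    Returns (answers, reason). Simplified model of the kernel's proxy-ARP
    decision: own address -> reply; published entry on in_dev -> reply;
    proxy_arp on in_dev and route out a different interface -> reply.
    """
    if target in local:
        return True, "target is one of the firewall's own addresses"
    if (target, in_dev) in published:
        return True, "published ARP entry ('arp -Ds ... pub') on %s" % in_dev
    if not proxy.get(in_dev):
        return False, "proxy_arp is disabled on %s" % in_dev
    out_dev = route_lookup(target, routes)
    if out_dev is None:
        return False, "no route to target"
    if out_dev == in_dev:
        return False, "route goes back out %s, kernel will not proxy" % in_dev
    return True, "proxy_arp on %s and route to target via %s" % (in_dev, out_dev)


def client_sees_conflict(client_ip, segment_dev, **kw):
    """A Windows client probes for its own IP on its segment; any reply
    from the firewall is reported to the user as an IP address conflict."""
    return will_answer_who_has(client_ip, segment_dev, **kw)


def lint_proxyarp(entries, local=LOCAL_ADDRS):
    """Flag proxyarp entries that publish an address where it already lives."""
    problems = []
    for addr, iface, ext in entries:
        if addr in local:
            problems.append("%s is the firewall's own address on %s; proxy ARP is "
                            "meant for hosts behind the firewall" % (addr, local[addr]))
        if iface == ext:
            problems.append("%s: INTERFACE and EXTERNAL are both %s, so the firewall "
                            "answers ARP for %s on the segment %s lives on"
                            % (addr, iface, addr, addr))
    return problems


if __name__ == "__main__":
    for ip, dev, routes in [("192.168.7.7", "eth3", ROUTES),
                            ("192.168.168.20", "eth3", ROUTES),
                            ("192.168.168.20", "eth3", MISWIRED_ROUTES),
                            ("192.168.11.5", "eth2", ROUTES)]:
        hit, why = client_sees_conflict(ip, dev, routes=routes)
        print("%-16s on %s: %s (%s)" % (ip, dev, "CONFLICT" if hit else "ok", why))
    for p in lint_proxyarp(PROXYARP_ENTRIES):
        print("proxyarp:", p)
```

With the assumed table, a client that moves to 192.168.7.7 on eth3 still gets a conflict, because the firewall has a default route out eth0 and proxy_arp on eth3, which matches the poster's "any other network" symptom; a 192.168.168.x client on eth3 is only answered if its subnet is routed out some other interface, which is what Tom's shared-hub question is probing. Replace the constructed tables with the output of `route -n` and the proxy_arp loop before drawing conclusions about the real box.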