I am not subscribed to the mailing list at this time.
I think my problem relates to IP aliasing. I have read through the FAQ,
Troubleshooting and the Aliased Interface
(http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) guide
on the site. My system information is below. This may not be a
Shorewall related issue.
When I have the IP addresses below aliased on eth1 I cannot access some
sites. Many sites work just fine, but there are a handful (bestbuy.com,
jordan-cu.org, and some others) that will not come up. Others load very
slowly. With Shorewall running and no IP aliasing I can access them. If
you have any suggestions I would be very appreciative...
eth1 is the outside connection and eth0 the internal network. I
RedHat 9
Shorewall Version 2.0.1
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:0c:f1:87:6d:42 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:1a:c3:21 brd ff:ff:ff:ff:ff:ff
    inet 166.70.187.66/29 brd 166.70.187.71 scope global eth1
    inet 166.70.187.68/16 brd 166.70.255.255 scope global eth1:0
    inet 166.70.187.69/16 brd 166.70.255.255 scope global secondary eth1:1
    inet 166.70.187.70/16 brd 166.70.255.255 scope global secondary eth1:2

166.70.187.64/29 dev eth1 scope link
10.0.0.0/24 dev eth0 scope link
169.254.0.0/16 dev eth1 scope link
166.70.0.0/16 dev eth1 proto kernel scope link src 166.70.187.68
127.0.0.0/8 dev lo scope link
default via 166.70.187.65 dev eth1
/etc/shorewall/masq
#INTERFACE SUBNET ADDRESS
eth1 eth0 166.70.187.66
/etc/shorewall/policy
# LEVEL
fw net ACCEPT
loc net ACCEPT
loc fw ACCEPT
net all DROP info
all all REJECT info
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST   SOURCE   ORIGINAL RATE  USER
#                         PORT   PORT(S)  DEST     LIMIT
ACCEPT all all tcp 22
ACCEPT net fw tcp 80
ACCEPT net fw tcp 443
ACCEPT net fw tcp 2401
ACCEPT all all icmp echo-request
/etc/shorewall/interfaces
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 166.70.187.71 routefilter
loc eth0 10.0.0.255
/etc/shorewall/shorewall.conf
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=no
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=YES
ROUTE_FILTER=No
NAT_BEFORE_RULES=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=No
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
Daniel Watrous
Daniel.watrous@maintainfit.com
Daniel Watrous wrote:
> I am not subscribed to the mailing list at this time.
>
> I think my problem relates to IP aliasing. I have read through the FAQ,
> Troubleshooting and the Aliased Interface
> (http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) guide
> on the site. My system information is below. This may not be a
> Shorewall related issue.
>
> When I have the IP addresses below aliased on eth1 I cannot access some
> sites. Many sites work just fine, but there are a handful (bestbuy.com,
> jordan-cu.org, and some others) that will not come up. Others load very
> slowly. With Shorewall running and no IP aliasing I can access them. If
> you have any suggestions I would be very appreciative...
>
> eth1 is the outside connection and eth0 the internal network. I
>
> RedHat 9
>
> Shorewall Version 2.0.1
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:0c:f1:87:6d:42 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:90:27:1a:c3:21 brd ff:ff:ff:ff:ff:ff
>     inet 166.70.187.66/29 brd 166.70.187.71 scope global eth1
>     inet 166.70.187.68/16 brd 166.70.255.255 scope global eth1:0
>     inet 166.70.187.69/16 brd 166.70.255.255 scope global secondary eth1:1
>     inet 166.70.187.70/16 brd 166.70.255.255 scope global secondary eth1:2

The subnetting on your aliases is wrong (/16 vs /29).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Maybe I can beat Tom to the punch.... ;--)

I had the same problem... check your masq /16. Do you really need that
big a chunk of the internet? Note the IP of your credit union starts
the same way... 66.170. You did not give the exact Shorewall log
entry, but I'm willing to bet a full quarter that it thinks it's within
your own intranet LAN and NOT coming from the outside.

- Bill
(Waiting to see if I beat Tom)
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Tom Eastep wrote:
> Daniel Watrous wrote:
>>
>> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:0c:f1:87:6d:42 brd ff:ff:ff:ff:ff:ff
>>     inet 10.0.0.1/24 brd 10.0.0.255 scope global eth0
>> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:90:27:1a:c3:21 brd ff:ff:ff:ff:ff:ff
>>     inet 166.70.187.66/29 brd 166.70.187.71 scope global eth1
>>     inet 166.70.187.68/16 brd 166.70.255.255 scope global eth1:0
>>     inet 166.70.187.69/16 brd 166.70.255.255 scope global secondary eth1:1
>>     inet 166.70.187.70/16 brd 166.70.255.255 scope global secondary eth1:2
>
> The subnetting on your aliases is wrong (/16 vs /29).
>

While I don't guarantee that fixing that will solve your problem, it is
definitely wrong and can cause problems accessing certain addresses.
Hopefully the following hint will be helpful:

gateway:~# shorewall ipcalc 166.70.187.66/29
   CIDR=166.70.187.66/29
   NETMASK=255.255.255.248
   NETWORK=166.70.187.64
   BROADCAST=166.70.187.71
gateway:~#

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
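The following is an added example, not code from the thread or from the Shorewall project. It reproduces what `shorewall ipcalc` prints for the /29, then shows why the /16 on the three aliases matters: the kernel derives one connected ("scope link") route per distinct network, so the stray `166.70.0.0/16 dev eth1` route above makes the box ARP directly for every 166.70.x.x host instead of sending it to the default gateway at 166.70.187.65, which is exactly the symptom of some sites (those that happen to live in 166.70.0.0/16) being unreachable. The `ip addr` text is re-typed from the post as constructed sample input; 198.51.100.7 is an arbitrary documentation-range address used as a control, and the function and variable names are this example's own.

```python
"""Spot aliases whose prefix length disagrees with the primary address and
show which destinations the bogus connected route steals from the gateway."""
import ipaddress

# Constructed sample input: the eth1 block of the poster's 'ip addr' output
# (the /16 on the three aliases is the mistake Tom points out).
SAMPLE_IP_ADDR = """\
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:90:27:1a:c3:21 brd ff:ff:ff:ff:ff:ff
    inet 166.70.187.66/29 brd 166.70.187.71 scope global eth1
    inet 166.70.187.68/16 brd 166.70.255.255 scope global eth1:0
    inet 166.70.187.69/16 brd 166.70.255.255 scope global secondary eth1:1
    inet 166.70.187.70/16 brd 166.70.255.255 scope global secondary eth1:2
"""
DEFAULT_GATEWAY = "166.70.187.65"  # from the poster's 'default via' route


def ipcalc(cidr):
    """The values 'shorewall ipcalc' prints: netmask, network, broadcast."""
    net = ipaddress.IPv4Interface(cidr).network
    return {
        "NETMASK": str(net.netmask),
        "NETWORK": str(net.network_address),
        "BROADCAST": str(net.broadcast_address),
    }


def parse_addresses(ip_addr_output):
    """Return [(label, IPv4Interface)] for every 'inet' line, primary first.

    'ip addr' prints the address label (eth1, eth1:0, ...) as the last token."""
    addrs = []
    for line in ip_addr_output.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "inet":
            addrs.append((tokens[-1], ipaddress.IPv4Interface(tokens[1])))
    return addrs


def prefix_mismatches(addrs):
    """[(label, alias prefixlen, primary prefixlen)] for aliases that do not
    share the primary address's prefix length."""
    _, primary = addrs[0]
    return [
        (label, iface.network.prefixlen, primary.network.prefixlen)
        for label, iface in addrs[1:]
        if iface.network.prefixlen != primary.network.prefixlen
    ]


def connected_routes(addrs):
    """Distinct 'scope link' networks the kernel installs for these addresses,
    most specific first (the order longest-prefix match consults them)."""
    nets = {iface.network for _, iface in addrs}
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def next_hop(dest, addrs, gateway=DEFAULT_GATEWAY):
    """'on-link' if a connected route covers dest (the host ARPs for it on
    eth1 and never talks to the gateway), otherwise the default gateway."""
    d = ipaddress.IPv4Address(dest)
    for net in connected_routes(addrs):
        if d in net:
            return "on-link"
    return gateway


def fix_prefixes(addrs):
    """Corrected address list: every alias carries the primary's prefix."""
    _, primary = addrs[0]
    plen = primary.network.prefixlen
    return [(label, ipaddress.IPv4Interface(f"{iface.ip}/{plen}"))
            for label, iface in addrs]


if __name__ == "__main__":
    posted = parse_addresses(SAMPLE_IP_ADDR)
    fixed = fix_prefixes(posted)
    print("ipcalc 166.70.187.66/29:", ipcalc("166.70.187.66/29"))
    print("aliases with the wrong prefix:", prefix_mismatches(posted))
    for dest in ("166.70.1.1", "198.51.100.7"):
        print(f"{dest}: as posted -> {next_hop(dest, posted)}, "
              f"with /29 everywhere -> {next_hop(dest, fixed)}")
```

With the addresses as posted, any host in 166.70.0.0/16 outside the real /29 resolves to "on-link" and the ARP request goes unanswered, while the same host routes via 166.70.187.65 once the aliases carry /29. The same check applies to any secondary address added with `ip addr add` or a `eth1:N` ifcfg file: the prefix on an alias must match the subnet the interface is actually on.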