Hi, I currently installed Shorewall 2.0.1 on Red Hat Linux 8.0.

Services that run on the firewall server:
1) Web server
2) DNS server (slave)

Every time I restart the firewall server, my named service is still running but it doesn't respond to any DNS request. I need to manually restart the named service; only then does it work. How am I going to fix this problem? Please help.

-------------------------------------------------------------------------------
Best Regards
Liew Toh Seng
Icq No: >> 36835809 <<
MSN: >> tohseng@hotmail.com <<
 * .--.
 * |o_o |
 * |:_/ |
 * //
 * (| | )
 * /'\_ _/`   The Internet Solution Company
 * \___)=(___ My Directory Sdn Bhd
Liew Toh Seng wrote:
> services that run on the firewall server
> 1) Web Server
> 2) DNS server ( slave )
>
> every time i restarted the firewall server, my named service is still
> running but it's no response for any DNS request. i need to manually
> restart the named service only it will working. how i'm going to fix
> this problem.

I have no idea. Is Shorewall issuing any messages?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
No error messages.

On Apr 14, 2004, at 09:14 AM, Tom Eastep wrote:
> Liew Toh Seng wrote:
>
>> services that run on the firewall server
>> 1) Web Server
>> 2) DNS server ( slave )
>> every time i restarted the firewall server, my named service is still
>> running but it's no response for any DNS request. i need to manually
>> restart the named service only it will working. how i'm going to fix
>> this problem.
>
> I have no idea. Is Shorewall issuing any messages?
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Best Regards
Liew Toh Seng
Liew Toh Seng wrote:
> no error messages.

Then I have no idea. I know of nothing that Shorewall could do that would break a running server.

-Tom
On Wed, 2004-04-14 at 09:16, Liew Toh Seng wrote:
> no error messages.

OK....but can you clear things up a bit?

You said...

>>> services that run on the firewall server
>>> 1) Web Server
>>> 2) DNS server ( slave )
>>> every time i restarted the firewall server, my named service is still
>>> running but it's no response for any DNS request. i need to manually
>>> restart the named service only it will working. how i'm going to fix
>>> this problem.

So, the "named" process is on the same physical server that is acting as your "shorewall firewall". Then when you reboot this server your "named" process doesn't respond until you manually restart "named". Yes?

And you have looked in the messages log and found no shorewall messages...

And you have looked in your named logs as well?

FWIW, if all this is correct it sounds like an initial named startup problem.

--
"An opinion is like an asshole - everybody has one."
- Clint Eastwood as Harry Callahan, The Dead Pool - 1988.
Apr 11 12:50:48 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:50:53 beta kernel: NET: 10 messages suppressed.
Apr 11 12:50:53 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:50:58 beta kernel: NET: 10 messages suppressed.
Apr 11 12:50:58 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:04 beta kernel: NET: 9 messages suppressed.
Apr 11 12:51:04 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:08 beta kernel: NET: 7 messages suppressed.
Apr 11 12:51:08 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:13 beta kernel: NET: 4 messages suppressed.
Apr 11 12:51:13 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:18 beta kernel: NET: 9 messages suppressed.
Apr 11 12:51:18 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:23 beta kernel: NET: 8 messages suppressed.
Apr 11 12:51:23 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:28 beta kernel: NET: 11 messages suppressed.
Apr 11 12:51:28 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:33 beta kernel: NET: 8 messages suppressed.
Apr 11 12:51:33 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:51:38 beta kernel: NET: 10 messages suppressed.
Apr 11 12:51:38 beta kernel: ip_conntrack: table full, dropping packet.

On Apr 14, 2004, at 09:27 AM, Ed Greshko wrote:
> On Wed, 2004-04-14 at 09:16, Liew Toh Seng wrote:
>> no error messages.
>
> OK....but can you clear things up a bit?
>
> You said...
>
>>>> [...]
>
> So, the "named" process is on the same physical server that is acting as
> your "shorewall firewall". Then when you reboot this server your
> "named" process doesn't respond until you manually restart "named".
> Yes?
>
> And you have looked in the messages log and found no shorewall
> messages...
>
> And you have looked in your named logs as well?
>
> FWIW, if all this is correct it sounds like an initial named startup
> problem.

Best Regards
Liew Toh Seng
Can I stop Shorewall from loading this module?

  Can't locate module ipt_conntrack

What is it for?

On Apr 14, 2004, at 10:15 AM, Liew Toh Seng wrote:
> Apr 11 12:50:48 beta kernel: ip_conntrack: table full, dropping packet.
> [...]
>
> On Apr 14, 2004, at 09:27 AM, Ed Greshko wrote:
>> [...]

Best Regards
Liew Toh Seng
Liew Toh Seng wrote:
> Apr 11 12:50:48 beta kernel: ip_conntrack: table full, dropping packet.

You need to increase the size of your connection tracking table. Add an entry in /etc/sysctl.conf for net.ipv4.ip_conntrack_max and reboot. You can

  cat /proc/sys/net/ipv4/ip_conntrack_max

to see what the current setting is. The default setting is based on the amount of memory on the system and may be increased if needed.

Note that the size of the connection tracking hash table will not be increased accordingly. You can set that parameter by adding an entry to /etc/modules.conf (module ip_conntrack, parameter "hashsize").

-Tom
Liew Toh Seng wrote:
> can i disable the shorewall to load this module
> Can't locate module ipt_conntrack

No -- Shorewall tries to load it and if it doesn't exist, Shorewall won't use it.

> what is it for ?

There's a long note about this in the 1.4.6 Release Notes available at http://shorewall.net/News.htm

-Tom
Tom Eastep wrote:
> Liew Toh Seng wrote:
>
>> Apr 11 12:50:48 beta kernel: ip_conntrack: table full, dropping packet.
>
> You need to increase the size of your connection tracking table. Add an
> entry in /etc/sysctl.conf for net.ipv4.ip_conntrack_max and reboot. You can
>
>   cat /proc/sys/net/ipv4/ip_conntrack_max

Note that you can also alter this dynamically by using echo. Such changes won't survive a reboot though.

-Tom
How do I do that, and how much should I increase it?

On Apr 14, 2004, at 10:43 AM, Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Liew Toh Seng wrote:
>>> Apr 11 12:50:48 beta kernel: ip_conntrack: table full, dropping
>>> packet.
>> You need to increase the size of your connection tracking table. Add
>> an entry in /etc/sysctl.conf for net.ipv4.ip_conntrack_max and
>> reboot. You can
>>   cat /proc/sys/net/ipv4/ip_conntrack_max
>
> Note that you can also alter this dynamically by using echo. Such
> changes won't survive a reboot though.
>
> -Tom

Best Regards
Liew Toh Seng
Liew Toh Seng wrote:
> how to do that and how much i should increase.

It's time for you to do something by yourself -- I've done nothing all evening but hold your hand.

-Tom
Tom Eastep wrote:
> Liew Toh Seng wrote:
>
>> how to do that and how much i should increase.
>
> It's time for you to do something by yourself -- I've done nothing all
> evening but hold your hand.

In other words, you can do a Google search for ip_conntrack_max and get an answer faster than I can type you one.

-Tom
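What that search turns up, written out here as an added example (it is not code from the thread or from the Shorewall project): a POSIX shell script that tallies the drops in the kind of log Liew posted (a constructed, shortened excerpt is embedded), works out the memory-based 2.4 default Tom refers to, proposes a new limit, and prints the two persistent settings from Tom's reply, the net.ipv4.ip_conntrack_max line for /etc/sysctl.conf and the hashsize option for /etc/modules.conf. Everything beyond those two settings is my assumption and is marked as such in the code: the default formula (one entry per 16 KiB of RAM, hash table one eighth of that, as I recall it from the 2.4 ip_conntrack source), the "four times the observed peak" sizing rule, and the nf_conntrack paths for later kernels. It also explains the symptom that opened the thread: once the table is full the kernel drops packets for every new flow, the firewall's own named included, so a perfectly healthy daemon looks dead.

```shell
#!/bin/sh
# Added example, not from the Shorewall list or project. Sizes the 2.4
# ip_conntrack table from the evidence in the thread; assumptions are
# marked inline.

# Constructed excerpt in the format of the log posted in the thread.
SAMPLE_LOG='Apr 11 12:50:48 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:50:53 beta kernel: NET: 10 messages suppressed.
Apr 11 12:50:53 beta kernel: ip_conntrack: table full, dropping packet.
Apr 11 12:50:58 beta kernel: NET: 9 messages suppressed.
Apr 11 12:50:58 beta kernel: ip_conntrack: table full, dropping packet.'

# Tally drops in a kernel log read on stdin. printk rate-limits the
# "table full" message, so each "NET: N messages suppressed" line stands
# for N more drops that never reached the log; that counter covers every
# rate-limited kernel message, so the total is an upper bound.
# Prints "visible suppressed total".
count_conntrack_drops() {
    awk '
        /ip_conntrack: table full, dropping packet/ { seen++ }
        /NET: [0-9]+ messages suppressed/ {
            for (i = 1; i <= NF; i++) if ($i == "NET:") suppressed += $(i + 1)
        }
        END { printf "%d %d %d\n", seen, suppressed, seen + suppressed }'
}

# Assumption: the 2.4 default Tom mentions is one entry per 16 KiB of RAM,
# with the hash table one eighth of ip_conntrack_max (ip_conntrack_core.c).
default_conntrack_max() {   # $1 = RAM in KiB (MemTotal in /proc/meminfo)
    echo $(( $1 / 16 ))
}
hashsize_for() {            # $1 = ip_conntrack_max
    echo $(( $1 / 8 ))
}

# Sizing rule used here (my assumption, not from the thread): four times
# the peak the table actually reached, rounded up to a power of two and
# never below the current limit. Each entry is a few hundred bytes of
# unswappable kernel memory, so do not just set it to millions.
recommend_conntrack_max() { # $1 = current max, $2 = observed peak entries
    target=$(( $2 * 4 ))
    if [ "$target" -lt "$1" ]; then target=$1; fi
    p=1
    while [ "$p" -lt "$target" ]; do p=$(( p * 2 )); done
    echo "$p"
}

# The two lines Tom describes, so the change survives a reboot: sysctl.conf
# is applied by sysctl -p at boot, modules.conf is read by modprobe before
# ip_conntrack is loaded (the hash size cannot be changed once it is).
persistent_config() {       # $1 = ip_conntrack_max, $2 = hashsize
    printf '# /etc/sysctl.conf\nnet.ipv4.ip_conntrack_max = %s\n' "$1"
    printf '# /etc/modules.conf\noptions ip_conntrack hashsize=%s\n' "$2"
}

# Live view: a 2.4 kernel exposes the limit as ip_conntrack_max and the
# entries in /proc/net/ip_conntrack. The nf_conntrack names are the later
# kernels' equivalents (assumption, for portability only).
conntrack_status() {
    for f in /proc/sys/net/ipv4/ip_conntrack_max \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_max \
             /proc/sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$f" ]; then echo "limit: $(cat "$f")  ($f)"; break; fi
    done
    for f in /proc/net/ip_conntrack /proc/net/nf_conntrack; do
        if [ -r "$f" ]; then echo "in use: $(wc -l < "$f")"; break; fi
    done
    return 0
}

main() {
    echo "drops in sample log (visible suppressed total):"
    printf '%s\n' "$SAMPLE_LOG" | count_conntrack_drops
    ram_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo 2>/dev/null)
    ram_kb=${ram_kb:-262144}            # assume 256 MiB if unreadable
    cur=$(default_conntrack_max "$ram_kb")
    new=$(recommend_conntrack_max "$cur" "$cur")   # table was full: peak == cur
    echo "default for ${ram_kb} KiB RAM: $cur; proposed: $new"
    persistent_config "$new" "$(hashsize_for "$new")"
    conntrack_status
    # Immediate change (root only), the echo Tom mentions; it is lost at
    # reboot, which is why the config lines above are needed as well:
    # echo "$new" > /proc/sys/net/ipv4/ip_conntrack_max
    return 0
}

main
```

Two practitioner notes. A DNS server is a natural source of conntrack pressure because every UDP query creates an entry that lives until the UDP timeout expires, so the right response is a bigger table, not turning tracking off. And "table full, dropping packet" is exactly what a SYN or UDP flood against a stateful firewall produces, so the same tally run over /var/log/messages is a cheap check for whether the box is simply undersized or is being attacked.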
Thanks a lot.

On Apr 14, 2004, at 11:01 AM, Tom Eastep wrote:
> ip_conntrack_max

Best Regards
Liew Toh Seng