Shorewall users - Mar 2003 - losing connection

Tom, or whomever reads this, when I say disconnect I mean close out IE6, 
sorry for so unclear on this point. My IP address never changes unless I 
unplug the modem. I have had the same IP address for ... well since I 
had to reset it to hook it up to my Linux box.which was 2 weeks ago. If 
I set DHCP on my eth1 interface that will contradict the static address 
I have assigned to it, won''t it? I will attach the interface file this 
time, thought I had it in there last time...oops.
-------------- next part --------------
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#   You must add an entry in this file for each network interface on your
#   firewall system.
#
# Columns are:
#
#   ZONE        Zone for this interface. Must match the short name
#           of a zone defined in /etc/shorewall/zones.
#
#           If the interface serves multiple zones that will be
#           defined in the /etc/shorewall/hosts file, you should
#           place "-" in this column.
#   
#   INTERFACE   Name of interface. Each interface may be listed only
#           once in this file. You may NOT specify the name of
#           an alias (e.g., eth0:0) here; see
#           http://www.shorewall.net/FAQ.htm#faq18
#
#           DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE.
#
#   BROADCAST   The broadcast address for the subnetwork to which the
#           interface belongs. For P-T-P interfaces, this
#           column is left black.If the interface has multiple
#           addresses on multiple subnets then list the broadcast
#           addresses as a comma-separated list.
#                       
#           If you use the special value "detect", the firewall
#           will detect the broadcast address for you. If you
#           select this option, the interface must be up before
#           the firewall is started, you must have iproute
#           installed and the interface must only be associated
#           with a single subnet.
#           
#           If you don''t want to give a value for this column but
#           you want to enter a value in the OPTIONS column, enter
#           "-" in this column.
#
#   OPTIONS     A comma-separated list of options including the
#           following:
#
#           dhcp         - interface is managed by DHCP or used by
#                                      a DHCP server running on the firewall or
#                      you have a static IP but are on a LAN
#                      segment with lots of Laptop DHCP clients.
#           routestopped - (Deprecated -- use 
#                      /etc/shorewall/routestopped)
#                      When the firewall is stopped, allow
#                      and route traffic to and from this
#                      interface.
#           norfc1918    - This interface should not receive
#                      any packets whose source is in one
#                      of the ranges reserved by RFC 1918
#                      (i.e., private or "non-routable"
#                      addresses. If packet mangling is
#                      enabled in shorewall.conf, packets
#                      whose destination addresses are
#                      reserved by RFC 1918 are also rejected.
#           multi        - This interface has multiple IP
#                      addresses and you want to be able to
#                      route between them.
#           routefilter  - turn on kernel route filtering for this
#                      interface (anti-spoofing measure). This
#                                      option can also be enabled globally in
#                      the /etc/shorewall/shorewall.conf file.
#           dropunclean  - Logs and drops mangled/invalid packets
#
#           logunclean   - Logs mangled/invalid packets but does
#                      not drop them.
#           blacklist    - Check packets arriving on this interface
#                      against the /etc/shorewall/blacklist
#                      file.
#           maclist      - Connection requests from this interface
#                      are compared against the contents of
#                      /etc/shorewall/maclist. If this option
#                      is specified, the interface must be
#                      an ethernet NIC and must be up before
#                      Shorewall is started.
#           tcpflags     - Packets arriving on this interface are
#                      checked for certain illegal combinations
#                      of TCP flags. Packets found to have
#                      such a combination of flags are handled
#                      according to the setting of
#                      TCP_FLAGS_DISPOSITION after having been
#                      logged according to the setting of
#                      TCP_FLAGS_LOG_LEVEL.
#           proxyarp     - 
#               Sets 
#               /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
#               Do NOT use this option if you are
#               employing Proxy ARP through entries in
#               /etc/shorewall/proxyarp. This option is
#               intended soley for use with Proxy ARP
#               sub-networking as described at:
#               http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet
#           
#           The order in which you list the options is not
#           significant but the list should have no embedded white
#           space.
#
#   Example 1:  Suppose you have eth0 connected to a DSL modem and
#           eth1 connected to your local network and that your
#           local subnet is 192.168.1.0/24. The interface gets
#           it''s IP address via DHCP from subnet
#           206.191.149.192/27. You have a DMZ with subnet
#           192.168.2.0/24 using eth2. You want to be able to
#           access the firewall from the local network when the
#           firewall is stopped.
#
#           Your entries for this setup would look like:
#
#           net eth0    206.191.149.223 dhcp
#           local   eth1    192.168.1.255   routestopped
#           dmz eth2    192.168.2.255
#
#   Example 2:  The same configuration without specifying broadcast
#           addresses is:
#
#           net eth0    detect      dhcp
#           loc eth1    detect      routestopped
#           dmz eth2    detect
#
#   Example 3:  You have a simple dial-in system with no ethernet
#           connections.
#
#           net ppp0    -
##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
net eth0            detect          dhcp,routefilter,norfc1918
loc eth1            detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--On Tuesday, March 04, 2003 01:01:45 AM -0500 Jim Owen 
<moses6602@netscape.net> wrote:
> Tom, or whomever reads this, when I say disconnect I mean close out IE6,
> sorry for so unclear on this point. My IP address never changes unless I
> unplug the modem. I have had the same IP address for ... well since I had
> to reset it to hook it up to my Linux box.which was 2 weeks ago. If I set
> DHCP on my eth1 interface that will contradict the static address I have
> assigned to it, won''t it? I will attach the interface file this
time,
> thought I had it in there last time...oops.
Jim -- this doesn''t sound like a Shorewall configuration problem.

Can you give us the details of your physical network?

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

Tom, I think I may have it fixed.  (Jim crosses fingers). My setup is 
very simple, one linux box,AMDK6 233, 64 Mb ram two nics, cable modem, 
one 8 port 10 mbps hub, one (for now, soon to be at least 2), HP 
Pavilion 533 celeron, 128Mb ram one nic. see very simple setup.... John 
said something in a message to you about  needing dhcp in my interfaces 
file..... well I was trying to get it to work with a static address on 
the Pavilion, obtw I have win98 and server 2000 on the client box, and I 
got to thinking that since a stop and restart regained the connectivity 
it might be a lease problem, such as when the lease expired and dhcpcd 
requested a renew on the lease the client wasn''t being informed of 
it...hence no connectivity. So I setup a dhcp server on the linux box 
and went to dynamically assigned IPs
so far so good been up and running for 3 1/2 hours and hasn''t lost 
conection yet :-).
                                                                        
                                                                 Thanks 
for the time and effort
                                                                        
                                                                        
    Jim Owen

On 4 Mar 2003 at 21:42, Jim Owen wrote:
> Tom, I think I may have it fixed.  (Jim crosses fingers). My setup is
> very simple, one linux box,AMDK6 233, 64 Mb ram two nics, cable modem,
> one 8 port 10 mbps hub, one (for now, soon to be at least 2), HP
> Pavilion 533 celeron, 128Mb ram one nic. see very simple setup....
> John said something in a message to you about  needing dhcp in my
> interfaces file..... well I was trying to get it to work with a 
static
> address on the Pavilion, obtw I have win98 and server 2000 on the
> client box, and I got to thinking that since a stop and restart
> regained the connectivity it might be a lease problem, such as when
> the lease expired and dhcpcd requested a renew on the lease the 
client
> wasn''t being informed of it...hence no connectivity. So I setup a 
dhcp
> server on the linux box and went to dynamically assigned IPs so far 
so
> good been up and running for 3 1/2 hours and hasn''t lost conection
yet
> :-).
It just keeps getting wierder Jim ;-)

I misse the point of wether you have dhcp specified on
your interfaces file or not.....???

Serving your in-house machines with dhnamic IPs
should not affect loss of connectivity thur shorewall.

(I have a mix of dynamic and static IPs in my internal 
lan.)

But not having dhcp on your external interface in 
the shorewall interfaces file would matter.

Presumable since its working, you must have added
that parameter to that file - and I''m guessing to
both interfaces???

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/