Mark Champion
2002-Aug-16 18:57 UTC
[Shorewall-users] Could dhcp failure be a problem with my Shorewall setup?
I have a computer with RedHat 7.2 install on it (w/all latest updates). I have it configured as a firewall for my home network of Win98 PCs. I recently installed a dhcp server and shorewall. The idea is that the Linux box will serve up ip addresses to the Win98 boxes and provide masq services for their connection to the network. After a little work (and help from others), I have it working.

Here's the problem... After rebooting the Linux box, the Win98 boxes can't get an ip address via dhcp. I can get dhcp to work after a Linux reboot if I cycle power on the 100Mb switch serving my local network. I've tried two different switches with the same result. One is a Netgear DS104 and the other is an SMC EZ6505TX. All switches and NICs are 10/100Mb. All wiring is Cat5. All wires are less than 10-ft long.

Another way I can get it to work is to plug the Linux box's network cable into a different port on the switch. Unplugging and plugging the cable into the same port has no effect. Replugging a Win98 box into the same or different port has no effect. I know this sounds bizarre, but I've verified it by rebooting several times. Any suggestions?

here is my /etc/shorewall/interfaces (comments removed) ...

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp
    loc     eth1        detect      routestopped,dhcp

and my /etc/shorewall/policy (comments removed) ...

    #SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
    loc     net     ACCEPT
    fw      net     ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

and my /etc/shorewall/rules (comments removed) ...

    #ACTION SOURCE  DEST    PROTO   DEST        SOURCE  ORIGINAL
    ACCEPT  fw      net     tcp     53
    ACCEPT  fw      net     udp     53
    ACCEPT  loc     fw      tcp     22
    ACCEPT  net     fw      tcp     80
    ACCEPT  loc     fw      tcp     80
    ACCEPT  fw      loc     tcp     6000:6010
    ACCEPT  net     fw      tcp     514
    ACCEPT  loc     fw      tcp     514
    ACCEPT  fw      loc     udp     137:139
    ACCEPT  fw      loc     tcp     137,139
    ACCEPT  fw      loc     udp     1024:       137
    ACCEPT  loc     fw      udp     137:139
    ACCEPT  loc     fw      tcp     137,139
    ACCEPT  loc     fw      udp     1024:       137
    ACCEPT  loc     fw      tcp     25
Zachariah Mully
2002-Aug-16 19:03 UTC
[Shorewall-users] Could dhcp failure be a problem with my Shorewall setup?
On Fri, 2002-08-16 at 14:57, Mark Champion wrote:
>
> Another way I can get it to work is to plug the Linux box's network cable
> into a different port on the switch. Unplugging and plugging the cable into
> the same port has no effect. Replugging a Win98 box into the same or
> different port has no effect.
>

Sounds more like an autosense failure/weirdness to me. Had similar problems with a linux server (AMD PCNET based) and a cisco 10mbit switch. I had to turn off auto-negotiation on the card and hard code the 10mbit connection rate. Perhaps not, but I'm a hardware guy, so that's the first thing I check.

Z
Tom Eastep
2002-Aug-16 19:15 UTC
[Shorewall-users] Could dhcp failure be a problem with my Shorewall setup?
On 16 Aug 2002, Zachariah Mully wrote:
> On Fri, 2002-08-16 at 14:57, Mark Champion wrote:
> >
> > Another way I can get it to work is to plug the Linux box's network cable
> > into a different port on the switch. Unplugging and plugging the cable into
> > the same port has no effect. Replugging a Win98 box into the same or
> > different port has no effect.
> >
>
> Sounds more like an autosense failure/weirdness to me. Had similar
> problems with a linux server (AMD PCNET based) and a cisco 10mbit
> switch. I had to turn off auto-negotiation on the card and hard code the
> 10mbit connection rate. Perhaps not, but I'm a hardware guy, so that's the
> first thing I check.
>

I think you're right -- this is a layer 1 or layer 2 problem max. After a reboot, "tcpdump -nei eth1" may show Mark something....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Mark Champion
2002-Aug-16 23:01 UTC
[Shorewall-users] Could dhcp failure be a problem with my Shorewall setup?
I tried the "tcpdump -nei eth1" command, but I don't know what to look for. I saw nothing until I tried to renew the ip address (unsuccessfully) on a Win98 box. I saw the following output ...

    15:23:44.218939 0:80:ad:42:89:3e Broadcast ip 255: 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138) (DF)

This kept repeating every 5 minutes or so. Then I cycled power on the 10/100Mb switch and renewed the ip address (successfully) on the Win98 box. I saw the following output ...

    15:27:37.980341 0:50:bf:74:6f:9a Broadcast ip 342: 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xd0038c3c file ""[|bootp]
    15:27:37.997737 0:80:ad:42:89:3e Broadcast arp 42: arp who-has 192.168.0.10 tell 192.168.0.1
    15:27:38.988103 0:80:ad:42:89:3e Broadcast arp 42: arp who-has 192.168.0.10 tell 192.168.0.1
    15:27:38.988882 0:80:ad:42:89:3e Broadcast ip 342: 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0xd0038c3c Y:192.168.0.10 S:192.168.0.1 ether 0:50:bf:74:6f:9a file ""[|bootp] (DF)
    15:27:38.989209 0:50:bf:74:6f:9a Broadcast ip 350: 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xd0038c3c file ""[|bootp]
    15:27:39.004416 0:80:ad:42:89:3e Broadcast ip 342: 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0xd0038c3c Y:192.168.0.10 S:192.168.0.1 ether 0:50:bf:74:6f:9a file ""[|bootp] (DF)
    15:27:39.005366 0:50:bf:74:6f:9a Broadcast arp 60: arp who-has 192.168.0.10 tell 192.168.0.10
    15:27:39.005495 0:80:ad:42:89:3e 0:50:bf:74:6f:9a ip 62: 192.168.0.1 > 192.168.0.10: icmp: echo request (DF)

Regarding a possible autosensing problem, both the 10/100Mb switch and the NIC have indicator lights. The 10/100Mb switch has three lights which indicate 100Mb speed, Link, and Full Duplex. All three are constantly lit and never change. The NIC has four lights which indicate 10Mb, 100Mb, FDX, and ACT. After a Linux boot, the 10Mb and FDX lights are lit with an occasional blip on the ACT light. When I cycle power to the 10/100Mb switch, the 10Mb light goes out and the 100Mb light comes on. The FDX light goes out and comes back on. This confirms that it's an autosensing problem, right?

Maybe I can swap my NICs around. I'm not sure how to do this. Maybe the best solution is to buy a new NIC card. They are cheap. Also, I substituted a 10Mb hub for the 10/100Mb switch and that works fine. However, I would like move my local traffic at 100Mb if possible.

Thanks for your comments and suggestions.

Mark

> On 16 Aug 2002, Zachariah Mully wrote:
>
> > On Fri, 2002-08-16 at 14:57, Mark Champion wrote:
> >
> > >
> > > Another way I can get it to work is to plug the Linux box's network cable
> > > into a different port on the switch. Unplugging and plugging the cable into
> > > the same port has no effect. Replugging a Win98 box into the same or
> > > different port has no effect.
> > >
> >
> > Sounds more like an autosense failure/weirdness to me. Had similar
> > problems with a linux server (AMD PCNET based) and a cisco 10mbit
> > switch. I had to turn off auto-negotiation on the card and hard code the
> > 10mbit connection rate. Perhaps not, but I'm a hardware guy, so that's the
> > first thing I check.
> >
>
> I think you're right -- this is a layer 1 or layer 2 problem max. After a
> reboot, "tcpdump -nei eth1" may show Mark something....
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
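The two captures above are the whole story: in the broken state only NetBIOS broadcasts from the firewall itself reach eth1, while in the working state a bootpc request and a bootps reply share the same xid. The following script is an added example, not code from the thread or from Shorewall; it groups "tcpdump -nei" bootp lines by xid so the three states (no DHCP traffic at all, requests without replies, completed exchange) can be told apart. The capture strings are constructed, modelled on the lines Mark posted.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the tcpdump -nei eth1 output quoted in the thread.
FAILED_CAPTURE = """\
15:23:44.218939 0:80:ad:42:89:3e Broadcast ip 255: 192.168.0.1.netbios-dgm > 192.168.0.255.netbios-dgm: NBT UDP PACKET(138) (DF)
"""
WORKING_CAPTURE = """\
15:27:37.980341 0:50:bf:74:6f:9a Broadcast ip 342: 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xd0038c3c file ""[|bootp]
15:27:37.997737 0:80:ad:42:89:3e Broadcast arp 42: arp who-has 192.168.0.10 tell 192.168.0.1
15:27:38.988882 0:80:ad:42:89:3e Broadcast ip 342: 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0xd0038c3c Y:192.168.0.10 S:192.168.0.1 ether 0:50:bf:74:6f:9a file ""[|bootp] (DF)
15:27:38.989209 0:50:bf:74:6f:9a Broadcast ip 350: 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xd0038c3c file ""[|bootp]
15:27:39.004416 0:80:ad:42:89:3e Broadcast ip 342: 192.168.0.1.bootps > 255.255.255.255.bootpc: xid:0xd0038c3c Y:192.168.0.10 S:192.168.0.1 ether 0:50:bf:74:6f:9a file ""[|bootp] (DF)
"""
# Constructed: a client that keeps asking and never gets a bootps reply (e.g. dhcpd not listening).
UNANSWERED_CAPTURE = """\
15:30:01.000000 0:50:bf:74:6f:9a Broadcast ip 342: 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xaabbccdd file ""[|bootp]
15:30:05.000000 0:50:bf:74:6f:9a Broadcast ip 342: 0.0.0.0.bootpc > 255.255.255.255.bootps: xid:0xaabbccdd file ""[|bootp]
"""

# Matches only bootpc/bootps lines; ARP, NetBIOS and ICMP lines are skipped.
DHCP_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>\S+) (?P<dst_mac>\S+) ip \d+: "
    r"(?P<src>\S+)\.(?P<sport>bootpc|bootps) > (?P<dst>\S+)\.(?P<dport>bootpc|bootps): "
    r"xid:(?P<xid>0x[0-9a-f]+)(?: Y:(?P<yiaddr>\S+))?"
)

def parse_dhcp(capture):
    """Group client requests (from bootpc) and server replies (from bootps) by xid."""
    xids = defaultdict(lambda: {"client_mac": None, "requests": 0, "replies": 0, "offered": None})
    for line in capture.splitlines():
        m = DHCP_LINE.match(line)
        if not m:
            continue
        rec = xids[m["xid"]]
        if m["sport"] == "bootpc":
            rec["requests"] += 1
            rec["client_mac"] = m["src_mac"]
        else:
            rec["replies"] += 1
            rec["offered"] = m["yiaddr"]   # Y: field is the address handed out
    return dict(xids)

def diagnose(capture):
    """One-line verdict: nothing arrived (link problem), unanswered (server problem), or complete."""
    xids = parse_dhcp(capture)
    if not xids:
        return "no DHCP traffic reached this interface"
    unanswered = sorted(x for x, r in xids.items() if r["replies"] == 0)
    if unanswered:
        return "client requests seen but server never replied: " + ", ".join(unanswered)
    return "complete: " + ", ".join(f"{x} -> {r['offered']}" for x, r in xids.items())
```

The "no DHCP traffic" verdict is the one that points away from Shorewall and dhcpd: if the client's broadcast never shows up on eth1 at all, the firewall never had a chance to drop it, which is consistent with the layer 1/2 diagnosis in the thread.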
Mark Champion
2002-Aug-16 23:30 UTC
[Shorewall-users] Could dhcp failure be a problem with my Shorewall setup?
Quick update...

I replaced the NIC with a new one and that solved the problem.

The old (screwy) NIC has no manufacturer's name on it, but contains a couple chips with the names ASIX and DAVICOM on them. The new NIC is an SMC1244TX.

Thanks for the help.

Mark
Tom Eastep
2002-Aug-16 23:35 UTC
[Shorewall-users] Could dhcp failure be a problem with my Shorewall setup?
On Fri, 16 Aug 2002, Mark Champion wrote:
> Quick update...
>
> I replaced the NIC with a new one and that solved the problem.
>
> The old (screwy) NIC has no manufacturer's name on it, but contains a couple chips with the names ASIX and DAVICOM on them. The new NIC is an SMC1244TX.
>
> Thanks for the help.
>

Thanks for the update...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net