Kirti S. Bajwa wrote:
> PROBLEM:
> -------------
> When I boot one of the servers, I get the following errors:
>
> eth1: received packet with own address as source address
> eth0: received packet with own address as source address
>
> What are these errors & why are they appearing?
>
> If I no-op (#) the following lines, the errors disappear:
>
> # ifconfig tibbr1 up
> # ifconfig tibbr1 12.21.237.2 netmask 255.255.255.0

That question is pretty off-topic for this list -- I haven't any idea why you are getting the message. But as a general principle, when reporting a problem it is always good to include the output of commands that display system state (e.g., "ip addr ls", "ip link ls", "brctl show"). By including just the commands that you are using, you force us to guess what those commands will end up doing and to guess what the state of the system was before the commands were executed.

> FYI, my current hardware setup is as follows:
>
>                  T1 Line
>                     |
>             Cisco 26XX Router
>                     |
>          HUB -------> HUB (Current Network)
>           |
>   ---------------------------------------
>   |      eth0                      |
>  fw1                              fw2
>   |      eth1                      |
>   ---------------------------------------
>                     |
>                    HUB
>                     |
>        (Future: additional Servers)

I have serious doubts about that working when you add stateful iptables filtering to the firewalls.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep wrote:
> (Future: additional Servers)
>
> I have serious doubts about that working when you add stateful iptables
> filtering to the firewalls.
>
> -Tom

Tom,

You are absolutely right. It will not work because he has a recursive loop setup by using the two bridges. Packets are looping -- hence the error. On hardware bridges that support it, the protocol used to detect redundant connections is spanning tree (802.1d I believe).

At face value, based on his diagram, I would completely eliminate the Cisco 2600 in preference to building a true core router with Shorewall/routing.

I'm also completely ignorant on spanning tree in regard to the Linux kernel, but I'd be surprised, in the extreme, if there were a way to make spanning tree work across two Linux boxes (I'll stand for correction here if needed).

HOWEVER -- inserting a managed switch which supports spanning tree between the future servers and the firewalls, and the router and the firewalls, *might* make the thing work. However, it's my guess that one (or both) of the Linux boxes will be throwing errors, and if the box that has the current packet load is brought down, the other one may not take over.

At any rate, given what I know about this gentleman's network, this is not a configuration I would attempt or recommend.

As a side note, to my embarrassment, I did try a configuration like this back in the 90's with a couple of Compatible Systems routers in a time before I learned anything about OSI. It didn't work then either.

--
Michael Cozzi
cozzi@cozziconsulting.com
Michael Cozzi wrote:
> You are absolutely right. It will not work because he has a
> recursive loop setup by using the two bridges. Packets are looping --
> hence the error. On hardware bridges that support it, the protocol used
> to detect redundant connections is spanning tree (802.1d I believe).

Michael,

That was my original take also -- but Linux Bridging supports STP and the Kirti is enabling it:

> brctl stp tibbr1 on

However, that is being done *after* the bridge is brought up so there is a window when the STP is not enabled but the bridge is active. It appears that STP can be enabled before the bridge is brought up and I would recommend doing so in cases where there are potential loops.

    wireless:~ # brctl addbr foo
    wireless:~ # brctl stp foo on
    wireless:~ #

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> That was my original take also -- but Linux Bridging supports STP and the Kirti
> is enabling it:

My apologies -- the word "the" in the above sentence was unintentional. I had originally typed "the OP" and decided it would be more polite to use Kirti's name. In making that change, I neglected to delete the article.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I was wondering if Shorewall rules can be written with users/groups from the loc zone, not from fw itself. According to http://www.shorewall.net/UserSets.html and /etc/shorewall/rules only firewall applications can be filtered this way. I suppose detecting user information from a loc or dmz zone is too complex.

Supposing one has added the shorewall router to an Active Directory domain and winbind authenticates correctly both Windows users and groups, is there a way to filter local clients such as:

    ACCEPT loc:10.215.144.12 dmz tcp 5900 - - :group

(only allow authenticated users within group GROUP VNC traffic from 10.215.144.12 to dmz zone)

Shorewall alone might not be enough but has anyone tried something of the sort?

__________________________________________________
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
Vieri Di Paola wrote:
> I was wondering if Shorewall rules can be written with
> users/groups from the loc zone, not from fw itself.
> According to http://www.shorewall.net/UserSets.html
> and /etc/shorewall/rules only firewall applications
> can be filtered this way. I suppose detecting user
> information from a loc or dmz zone is too complex.

More like "too impossible". There is no way for Netfilter on the firewall to have knowledge of how clients on other systems are authenticated.

> Supposing one has added the shorewall router to an
> Active Directory domain and winbind authenticates
> correctly both Windows users and groups, is there a
> way to filter local clients such as:
> ACCEPT loc:10.215.144.12 dmz tcp 5900 - - :group
> (only allow authenticated users within group GROUP VNC
> traffic from 10.215.144.12 to dmz zone)
>
> Shorewall alone might not be enough but has anyone
> tried something of the sort?

Shorewall alone will *not* be enough.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
To All:

I resolved the problem as follows:

I left the commands in br1 (/etc/rc.local) to setup the bridge. I manually entered the commands to setup the br2. NO ERROR!!

I think that when the second bridge is setup, it broadcasts some messages and they are picked up by the broadcasting bridge.

> It appears that STP can be enabled before the bridge is brought up and I
> would recommend doing so in cases where there are potential loops.
>
> wireless:~ # brctl addbr foo
> wireless:~ # brctl stp foo on
> wireless:~ #

I will try it. Thanks.

Kirti
Also, *please* don't hijack another thread -- start a new thread!

By replying to another post rather than creating a new message, you have caused this thread entitled "users and groups" to be embedded in one that is totally unrelated ("[Bridge] Error in Bridge Settings!").

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
--- Tom Eastep <teastep@shorewall.net> wrote:
> Also, *please* don't hijack another thread -- start
> a new thread!
>
> By replying to another post rather than creating a
> new message, you have caused
> this thread entitled "users and groups" to be
> embedded in one that is totally
> unrelated ("[Bridge] Error in Bridge Settings!").

Sorry I didn't realize. Will keep that in mind next time.
Hello Bridge List:

Please help a newbie!

I have setup two freshly installed CentOS 4.3 servers and have setup redundant BRIDGE. My plan is to have the 'redundant' BRIDGE working and then I will add 'Shorewall' Firewall to these two servers. On both machines, I have included the following lines in '/etc/rc.local' so that the BRIDGE will be ACTIVE after BOOT:

/etc/rc.local
========
    # Setup BRIDGE (First Bridge)
    brctl addbr tibbr1
    brctl addif tibbr1 eth0
    brctl addif tibbr1 eth1
    ifconfig tibbr1 up
    ifconfig tibbr1 12.21.237.2 netmask 255.255.255.0
    brctl setageing tibbr1 300
    brctl stp tibbr1 on
    brctl setbridgeprio tibbr1 100
    brctl setpathcost tibbr1 eth0 100
    brctl setpathcost tibbr1 eth1 100
    reboot
========

Similar lines are included in the second server except the bridge name is 'tibbr2', IP addr is 12.21.237.4 & bridge & path costs are 200.

MAC addresses on each server are as follows:

Server 1:
    eth0: 00:80:ad:16:f3:25
    eth1: 00:30:1b:38:c6:41

Server 2:
    eth0: 00:80:ad:16:e6:43
    eth1: 00:30:1b:38:c4:c9

PROBLEM:
-------------
When I boot one of the servers, I get the following errors:

    eth1: received packet with own address as source address
    eth0: received packet with own address as source address

What are these errors & why are they appearing?

If I no-op (#) the following lines, the errors disappear:

    # ifconfig tibbr1 up
    # ifconfig tibbr1 12.21.237.2 netmask 255.255.255.0

FYI, my current hardware setup is as follows:

                 T1 Line
                    |
            Cisco 26XX Router
                    |
         HUB -------> HUB (Current Network)
          |
  ----------------------------
  |      eth0            |
 fw1                    fw2
  |      eth1            |
  -----------------------------
                    |
                   HUB
                    |
       (Future: additional Servers)

Please HELP! How can I fix the settings so the above listed PROBLEM is resolved!!

Kirti
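The ordering problem Tom points out in this thread (the bridge is brought up, and given an address, before "brctl stp tibbr1 on" runs, so there is a window in which a loop is unprotected) can be caught before the script is ever booted. The following is an added example, not code from the thread or from the bridge-utils project: it emits the recommended ordering and lints an rc.local-style script for the window; the posted_rc_local text is a constructed copy of the ordering quoted above, and the pattern list is an assumption covering the ifconfig and ip forms that bring an interface up.

```shell
#!/bin/sh
# Added example, not from the thread: an offline lint for rc.local-style bridge
# scripts that flags the window where the bridge is brought up before
# "brctl stp <bridge> on" runs and a loop can form unprotected. Needs no root.

# Emit the recommended ordering: enable STP while the bridge is still down.
# Args: bridge, address, netmask, member interfaces...
bridge_script() {
  br=$1; addr=$2; mask=$3; shift 3
  echo "brctl addbr $br"
  echo "brctl stp $br on"
  for nic in "$@"; do echo "brctl addif $br $nic"; done
  echo "ifconfig $br $addr netmask $mask"
  echo "ifconfig $br up"
}

# Read a script on stdin. Returns 0 if STP is enabled before the bridge goes
# up, 1 if the bridge goes up first (unprotected window), 2 if STP is never
# enabled. Lines commented out with "#" are ignored, as sh would ignore them.
check_stp_order() {
  br=$1; n=0; up_at=0; stp_at=0
  while IFS= read -r line; do
    n=$((n + 1))
    line=${line#"${line%%[![:space:]]*}"}        # trim leading blanks
    case "$line" in
      \#*) continue ;;
      # "ifconfig <br> <addr>" also sets the interface up, so it counts too
      "ifconfig $br up"*|"ifconfig $br "[0-9]*|"ip link set"*" $br up"*)
        if [ "$up_at" -eq 0 ]; then up_at=$n; fi ;;
      "brctl stp $br on"*)
        if [ "$stp_at" -eq 0 ]; then stp_at=$n; fi ;;
    esac
  done
  [ "$stp_at" -eq 0 ] && return 2
  [ "$up_at" -gt 0 ] && [ "$up_at" -lt "$stp_at" ] && return 1
  return 0
}

# Constructed copy of the ordering posted in the thread (STP enabled last).
posted_rc_local() {
  cat <<'EOF'
brctl addbr tibbr1
brctl addif tibbr1 eth0
brctl addif tibbr1 eth1
ifconfig tibbr1 up
ifconfig tibbr1 12.21.237.2 netmask 255.255.255.0
brctl stp tibbr1 on
EOF
}
if posted_rc_local | check_stp_order tibbr1; then echo "tibbr1: ok"; else echo "tibbr1: window (rc=$?)"; fi
```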
Let me first explain that I have the same problem in my Ethernet bridge setup. What I have determined, that there is a loop in my network but STP is preventing a packet broadcast storm. I have switches instead of hubs but my primary bridge is broadcasting packets somehow, because when I unplug the primary's Ethernet from our internal network then those messages stop appearing. I am in the process of re-setting up that bridge so that *hopefully* I won't be seeing this message in future.

I wonder if it might be the HUBs you are using.... they might be broadcasting any packet to all ports and so your bridge will receive its own packets back to it?

Like I said -- I have the same problem, but the setup still works and I am trying to remove loops in my network to see if that *really* is the cause to the error message.

Kind Regards
Etienne

Kirti S. Bajwa wrote:
> Hello Bridge List:
>
> Please help a newbie!
>
> I have setup two freshly installed CentOS 4.3 servers and have setup
> redundant BRIDGE. My plan is to have the 'redundant' BRIDGE working
> and then I will add 'Shorewall' Firewall to these two servers. On both
> machines, I have included the following lines in '/etc/rc.local' so
> that the BRIDGE will be ACTIVE after BOOT:
>
> /etc/rc.local
> =========
> # Setup BRIDGE (First Bridge)
> brctl addbr tibbr1
> brctl addif tibbr1 eth0
> brctl addif tibbr1 eth1
> ifconfig tibbr1 up
> ifconfig tibbr1 12.21.237.2 netmask 255.255.255.0
> brctl setageing tibbr1 300
> brctl stp tibbr1 on
> brctl setbridgeprio tibbr1 100
> brctl setpathcost tibbr1 eth0 100
> brctl setpathcost tibbr1 eth1 100
> reboot
> =========
>
> Similar lines are included in the second server except the bridge name
> is 'tibbr2', IP addr is 12.21.237.4 & bridge & path costs are 200.
>
> MAC addresses on each server are as follows:
>
> Server 1:
> eth0: 00:80:ad:16:f3:25
> eth1: 00:30:1b:38:c6:41
>
> Server 2:
> eth0: 00:80:ad:16:e6:43
> eth1: 00:30:1b:38:c4:c9
>
> PROBLEM:
> -------------
> When I boot one of the servers, I get the following errors:
>
> eth1: received packet with own address as source address
> eth0: received packet with own address as source address
>
> What are these errors & why are they appearing?
>
> If I no-op (#) the following lines, the errors disappear:
>
> # ifconfig tibbr1 up
> # ifconfig tibbr1 12.21.237.2 netmask 255.255.255.0
>
> FYI, my current hardware setup is as follows:
>
>                  T1 Line
>                     |
>             Cisco 26XX Router
>                     |
>          HUB -------> HUB (Current Network)
>           |
>   ----------------------------
>   |      eth0            |
>  fw1                    fw2
>   |      eth1            |
>   -----------------------------
>                     |
>                    HUB
>                     |
>        (Future: additional Servers)
>
> Please HELP! How can I fix the settings so the above listed PROBLEM is
> resolved!!
>
> Kirti
>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge