Linux Ethernet Bridging - Apr 2007 - [Bridge] Error in Bridge Settings!!

Kirti S. Bajwa wrote:
> 
> PROBLEM:
> -------------
> When I boot one of the servers, I get the following errors:
>
> eth1: received packet with own address as source address
> eth0: received packet with own address as source address
> 
> What are these errors & why they are appearing? 
> 
> If I no-op (#) the following lines, the error disappear:
> 
> # ifconfig   tibbr1  up
> # ifconfig   tibbr1  12.21.237.2   netmask   255.255.255.0
> 
That question is pretty off-topic for this list -- I haven''t any idea
why you
are getting the message.

But as a general principle, when reporting a problem it is always good to
include the output of commands that display system state (e.g., "ip addr
ls",
"ip link ls", "brctl show"). By including just the commands
that you are using,
you force us to guess what those commands will end up doing and to guess what
the state of the system was before the commands were executed.
>  
> 
> FYI, my current hardware setup is as follows:
> 
>                        T1 Line
>                          |
>                   Cisco 26XX Router
>                          |
>                         HUB -------> HUB (Current Network)
>                          |
>      ---------------------------------------
>     |                  eth0                |
>    fw1                                   fw2
>     |                  eth1                |
>      ---------------------------------------
>                         |
>                        HUB
>                         |
>            (Future: additional Servers)
I have serious doubts about that working when you add stateful iptables
filtering to the firewalls.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Tom Eastep wrote:
>          (Future: additional Servers)
>   
>
> I have serious doubts about that working when you add stateful iptables
> filtering to the firewalls.
>
> -Tom
>   
    Tom,

    You are absolutely right. It will not work because he has a 
recursive loop setup by using the two bridges. Packets are looping- 
hence the error. On hardware bridges that support it, the protocol used 
to detect redundant connections is spanning tree (802.1d I believe).

    At face value, based on his diagram, I would completely eliminate 
the Cisco 2600 in preference to building a true core router with 
Shorewall/routing. I''m also completely ignorant on spanning tree in 
regard to the Linux kernel, but I''d be suprised, in the extreme, if 
there were a way to make spanning tree work across two Linux boxes
(I''ll
stand for correction here if needed).

    HOWEVER- inserting a managed switch which supports spanning tree 
between the future servers and the firewalls, and the router and the 
firewalls, *might* make the thing work. However, it''s my guess that one
(or both) of the Linux boxes will be throwing errors, and if the box 
that has the current packet load is brought down, the other one may not 
take over.

    At any rate, given what I know about this gentleman''s network, this
is not a configuration I would attempt or recommend.

    As a side note, to my embarassment, I did try a configuration like 
this back in the 90''s with a couple of Compatible Systems routers in a 
time before I learned anything about OSI. It didn''t work then either.

--
Michael Cozzi
cozzi@cozziconsulting.com

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Michael Cozzi wrote:
>
> 
>     You are absolutely right. It will not work because he has a 
> recursive loop setup by using the two bridges. Packets are looping- 
> hence the error. On hardware bridges that support it, the protocol used 
> to detect redundant connections is spanning tree (802.1d I believe).
> 
Michael,

That was my original take also -- but Linux Bridging supports STP and the Kirti
is enabling it:
> brctl   stp   tibbr1    on
However, that is being done *after* the bridge is brought up so there is a
window when the STP is not enabled but the bridge is active.

It appears that STP can be enabled before the bridge is brought up and I would
recommend doing so in cases where there are potential loops.

wireless:~ # brctl addbr foo
wireless:~ # brctl stp foo on
wireless:~ #

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Tom Eastep wrote:
> That was my original take also -- but Linux Bridging supports STP and the
Kirti
> is enabling it:
My apologies -- the word "the" in the above sentence was
unintentional. I had
originally typed "the OP" and decided it would be more polite to use
Kirti''s
name. In making that change, I neglected to delete the article.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

I was wondering if Shorewall rules can be written with
users/groups from the loc zone, not from fw itself.
According to http://www.shorewall.net/UserSets.html
and /etc/shorewall/rules only firewall applications
can be filtered this way. I suppose detecting user
information from a loc or dmz zone is too complex.

Supposing one has added the shorewall router to an
Active Directory domain and winbind authenticates
correctly both Windows users and groups, is there a
way to filter local clients such as:
ACCEPT loc:10.215.144.12 dmz tcp 5900 - - :group
(only allow authenticated users within group GROUP VNC
traffic from 10.215.144.12 to dmz zone)

Shorewall alone might not be enough but has anyone
tried something of the sort?


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Vieri Di Paola wrote:
> I was wondering if Shorewall rules can be written with
> users/groups from the loc zone, not from fw itself.
> According to http://www.shorewall.net/UserSets.html
> and /etc/shorewall/rules only firewall applications
> can be filtered this way. I suppose detecting user
> information from a loc or dmz zone is too complex.
More like "too impossible". There is no way for Netfilter on the
firewall to
have knowledge of how clients on other systems are authenticated.
> 
> Supposing one has added the shorewall router to an
> Active Directory domain and winbind authenticates
> correctly both Windows users and groups, is there a
> way to filter local clients such as:
> ACCEPT loc:10.215.144.12 dmz tcp 5900 - - :group
> (only allow authenticated users within group GROUP VNC
> traffic from 10.215.144.12 to dmz zone)
> 
> Shorewall alone might not be enough but has anyone
> tried something of the sort?
Shorewall alone will *not* be enough.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

To All:

I resolved the problem as follows:

I left the commands in br1 (/etc/rc.local) to setup the bridge. I manually
entered the commands to setup the br2. NO ERROR!!

I think that when the second bridge is setup, it broadcast some messages and
they are picked up by the broadcasting bridge.


>It appears that STP can be enabled before the bridge is brought up and I
>would
>recommend doing so in cases where there are potential loops.
>wireless:~ # brctl addbr foo
>wireless:~ # brctl stp foo on
>wireless:~ #
I will try it.

Thanks.

Kirti




Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Also, *please* don''t hijack another thread -- start a new thread!

By replying to another post rather that creating a new message, you have caused
this thread entitled "users and groups" to be embedded in one that is
totally
unrelated ("[Bridge] Error in Bridge Settings!").

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

--- Tom Eastep <teastep@shorewall.net> wrote:
> Also, *please* don''t hijack another thread -- start
> a new thread!
> 
> By replying to another post rather that creating a
> new message, you have caused
> this thread entitled "users and groups" to be
> embedded in one that is totally
> unrelated ("[Bridge] Error in Bridge Settings!").

Sorry I didn''t realize.
Will keep that in mind next time.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Hello Bridge List:

 

Please help a newbie!

 

I have setup two freshly installed CentOS 4.3 servers and have setup
redundant BRIDGE. My plan is to have the 'redundant' BRIDGE working and
then
I will add 'Shorewall' Firewall to these two servers. On both machines,
I
have included the following lines in '/etc/rc.local' so that the BRIDGE
will
be ACTIVE after BOOT:

 

/etc/rc.local

========
 # Setup BRIDGE (First Bridge)

 brctl   addbr       tibbr1

 brctl   addif        tibbr1  eth0

 brctl   addif        tibbr1  eth1

 ifconfig   tibbr1  up

 ifconfig   tibbr1  12.21.237.2   netmask   255.255.255.0

 brctl   setageing   tibbr1  300

 brctl   stp   tibbr1    on

 brctl   setbridgeprio   tibbr1   100

 brctl   setpathcost  tibbr1  eth0  100

 brctl   setpathcost  tibbr1  eth1  100

 reboot 

 

========
Similar lines are included in the second server except the bridge name is
'tibbr2', IP addr is 12.21.237.4 & bridge & path costs are 200.

MAC addresses on each server are as follows:

 

Server 1:

eth0: 00:80:ad:16:f3:25

eth1: 00:30:1b:38:c6:41

 

Server 2:

eth0: 00:80:ad:16:e6:43

eth1: 00:30:1b:38:c4:c9

 

PROBLEM:

-------------

When I boot one of the servers, I get the following errors:

 

eth1: received packet with own address as source address

eth0: received packet with own address as source address

 

What are these errors & why they are appearing? 

 

If I no-op (#) the following lines, the error disappear:

 

# ifconfig   tibbr1  up

# ifconfig   tibbr1  12.21.237.2   netmask   255.255.255.0

 

 

FYI, my current hardware setup is as follows:

 

                              T1 Line

                                     |

                      Cisco 26XX Router

                                     |

                                 HUB -------> HUB (Current Network)

                                     |

               ----------------------------

               |                  eth0                |                    

             fw1                                   fw2              

               |                  eth1                |

              -----------------------------

                                     |

                                 HUB

                                     |

             (Future: additional Servers)

 

Please HELP! How can I fix the settings so the above listed PROBLEM is
resolved!!

 

Kirti

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.linux-foundation.org/pipermail/bridge/attachments/20060628/bcce89db/attachment-0002.htm

Let me first explain that I have the same problem in my Ethernet bridge 
setup.

What I have determined, that there is a loop in my network but STP is 
preventing a packet broacast storm. I have switches instead of hubs but 
my primary bridge is broadcasting packets somehow, because when I unplug 
the primary's Ethernet from our internal network then those messages 
stop appearing. I am in the process of re-setting up that bridge so that 
*hopefully* I wont be seeing this message in future. I wander if it 
might be the HUBs you using.... they might be broadcasting any packet to 
all ports and so your bridge will receive its own packets back to it? 
Like I said - I have the same problem, but the setup still works and I 
am trying to remove loops in my network to see if that *really* is the 
cause to the error message.

Kind Regards
Etienne


Kirti S. Bajwa wrote:
>
> Hello Bridge List:
>
>  
>
> Please help a newbie!
>
>  
>
> I have setup two freshly installed CentOS 4.3 servers and have setup 
> redundant BRIDGE. My plan is to have the 'redundant' BRIDGE working
> and then I will add 'Shorewall' Firewall to these two servers. On
both
> machines, I have included the following lines in '/etc/rc.local' so
> that the BRIDGE will be ACTIVE after BOOT:
>
>  
>
> /etc/rc.local
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> ** # ****Setup**** ****BRIDGE**** (****First**** ****Bridge****)**
>
> ** brctl   addbr       tibbr1**
>
> ** brctl   addif        tibbr1  eth0**
>
> ** brctl   addif        tibbr1  eth1**
>
> ** ifconfig   tibbr1  up**
>
> ** ifconfig   tibbr1  12.21.237.2   netmask   255.255.255.0**
>
> ** brctl   setageing   tibbr1  300**
>
> ** brctl   stp   tibbr1    on**
>
> ** brctl   setbridgeprio   tibbr1   100**
>
> ** brctl   setpathcost  tibbr1  eth0  100**
>
> ** brctl   setpathcost  tibbr1  eth1  100**
>
>  *reboot *
>
>  
>
> =3D=3D=3D=3D=3D=3D=3D=3D=3D
>
> Similar lines are included in the second server except the bridge name 
> is 'tibbr2', IP addr is 12.21.237.4 & bridge & path costs
are 200.
>
> MAC addresses on each server are as follows:
>
>  
>
> Server 1:
>
> eth0: 00:80:ad:16:f3:25
>
> eth1: 00:30:1b:38:c6:41
>
>  
>
> Server 2:
>
> eth0: 00:80:ad:16:e6:43
>
> eth1: 00:30:1b:38:c4:c9
>
>  
>
> PROBLEM:
>
> -------------
>
> When I boot one of the servers, I get the following errors:
>
>  
>
> eth1: received packet with own address as source address
>
> eth0: received packet with own address as source address
>
>  
>
> What are these errors & why they are appearing?
>
>  
>
> If I no-op (#) the following lines, the error disappear:
>
>  
>
> **# ifconfig   tibbr1  up**
>
> **# ifconfig   tibbr1  12.21.237.2   netmask   255.255.255.0**
>
>  
>
>  
>
> FYI, my current hardware setup is as follows:
>
>  
>
>                               T1 Line
>
>                                      |
>
>                       Cisco 26XX Router
>
>                                      |
>
>                                  HUB -----=E0 HUB (Current Network)
>
>                                      |
>
>                ----------------------------
>
>                |                  eth0   
>              |                   
>
>              fw1                                   fw2             
>
>                |                  eth1                |
>
>               -----------------------------
>
>                                      |
>
>                                  HUB
>
>                                      |
>
>              (Future: additional Servers)
>
>  
>
> Please HELP! How can I fix the settings so the above listed PROBLEM is 
> resolved!!
>
>  
>
> Kirti
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Bridge mailing list
> Bridge@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/bridge
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.linux-foundation.org/pipermail/bridge/attachments/20060629/135e375d/attachment-0002.htm