We just went to replace the bridge/firewall services on one server with
the same on another. It's pretty simple, and I literally cloned (w/ rsync)
a third server that does this onto the one that will be the new one. Then
copied the /etc/sysconfig/iptables from the one being replaced, and
brought it up this morning.
Nope. We had to put everything back the way it was.
The new one sees the two or three servers behind the firewall, and we can
ping them, from the new box. On one, we see IPP broadcasts; in fact, we
see lots of broadcast packets using tcpdump. From outside, though, you
can't see the servers. Trying to ping them, they see nothing. It seems to
be the case that tcp and icmp packets are blocked, and we can't figure out
why.
CentOS 5.6.
ifcfg-eth0

DEVICE=eth0
BRIDGE=br3
BOOTPROTO=dhcp
HWADDR=aa:bb:cc:dd:ee:ff
ONBOOT=yes

ifcfg-eth1

DEVICE=eth1
BRIDGE=br3
HWADDR=aa:bb:cc:dd:ee:gg
ONBOOT=yes

ifcfg-br3

DEVICE=br3
ONBOOT=yes
TYPE=Bridge
BOOTPROTO=static
IPADDR=<our ip>
NETMASK=255.255.254.0
NETWORK=<our nw>
GATEWAY=<our gw>
Any ideas?
mark
I thought all we were going to do is remove the IA_REMOTE Banner for the BYG-1
Display applications.
-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of m.roth at 5-cent.us
Sent: Monday, June 13, 2011 2:02 PM
To: CentOS mailing list
Subject: EXTERNAL: [CentOS] A bridge problem
_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos
On Monday 13 June 2011 14:02, the following was written:
> We just went to replace the bridge/firewall services on one server with
> the same on another. It's pretty simple, and I literally cloned (w/ rsync)
> a third server that does this onto the one that will be the new one. Then
> copied the /etc/sysconfig/iptables from the one being replaced, and
> brought it up this morning.
>
> Nope. We had to put everything back the way it was.
>
> The new one sees the two or three servers behind the firewall, and we can
> ping them, from the new box. On one, we see IPP broadcasts; in fact, we
> see lots of broadcast packets using tcpdump. From outside, though, you
> can't see the servers. Trying to ping them, they see nothing. It seems to
> be the case that tcp and icmp packets are blocked, and we can't figure out
> why.

Is the firewall IP or port based, or a combo of both? Is the firewall set up
on the bridge interface or on each individual server interface, i.e. eth0,
eth1, etc.? What does ifconfig show you? Are all the interfaces started? Do
the DHCP interfaces receive a DHCP address?

-- 
Regards
Robert
Linux
The adventure of a lifetime.
Linux User #296285 Get Counted http://counter.li.org/
On 6/13/2011 1:02 PM, m.roth at 5-cent.us wrote:
> We just went to replace the bridge/firewall services on one server with
> the same on another. It's pretty simple, and I literally cloned (w/ rsync)
> a third server that does this onto the one that will be the new one. Then
> copied the /etc/sysconfig/iptables from the one being replaced, and
> brought it up this morning.
>
> Nope. We had to put everything back the way it was.
>
> The new one sees the two or three servers behind the firewall, and we can
> ping them, from the new box. On one, we see IPP broadcasts; in fact, we
> see lots of broadcast packets using tcpdump. From outside, though, you
> can't see the servers. Trying to ping them, they see nothing. It seems to
> be the case that tcp and icmp packets are blocked, and we can't figure out
> why.
>
> CentOS 5.6.
>
> ifcfg-eth0
>
> DEVICE=eth0
> BRIDGE=br3
> BOOTPROTO=dhcp
> HWADDR=aa:bb:cc:dd:ee:ff
> ONBOOT=yes
>
> ifcfg-eth1
>
> DEVICE=eth1
> BRIDGE=br3
> HWADDR=aa:bb:cc:dd:ee:gg
> ONBOOT=yes
>
> ifcfg-br3
>
> DEVICE=br3
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=static
> IPADDR=<our ip>
> NETMASK=255.255.254.0
> NETWORK=<our nw>
> GATEWAY=<our gw>
>
> Any ideas?

Are the HWADDR= entries fixed up to match the actual hardware after the copy?
And does ifconfig show that your config actually set up what you expected?
CentOS isn't very predictable in terms of which NIC gets which interface name.

-- 
Les Mikesell
lesmikesell at gmail.com
On 06/13/2011 11:02 AM, m.roth at 5-cent.us wrote:
> We just went to replace the bridge/firewall services on one server with
> the same on another. It's pretty simple, and I literally cloned (w/ rsync)
> a third server that does this onto the one that will be the new one. Then
> copied the /etc/sysconfig/iptables from the one being replaced, and
> brought it up this morning.

Specifically what did you rsync? If you copied the ifcfg files, you probably
need to adjust the HWADDR in each. If you didn't get all of /etc, you might
need sysctl.conf. I'm guessing that's the case, given the symptoms and the
fact that you had to also copy the iptables file.

> ifcfg-eth0
>
> DEVICE=eth0
> BRIDGE=br3
> BOOTPROTO=dhcp
> HWADDR=aa:bb:cc:dd:ee:ff
> ONBOOT=yes

There should not be a BOOTPROTO in this file.

> ifcfg-br3
>
> DEVICE=br3
> ONBOOT=yes
> TYPE=Bridge
> BOOTPROTO=static
> IPADDR=<our ip>
> NETMASK=255.255.254.0
> NETWORK=<our nw>
> GATEWAY=<our gw>

You don't need NETWORK here. It would also be helpful to see the contents of
/etc/sysctl.conf or the output of:

# cat /proc/sys/net/ipv4/ip_forward
# cat /proc/sys/net/bridge/bridge-nf-call-*
# brctl show
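As an added example (not code from any of the posters, nor a CentOS tool), the script below turns the three checks raised in the replies into something you can run on the cloned box: whether each ifcfg HWADDR still matches the MAC the kernel reports for that device, whether a bridge port carries a stray BOOTPROTO, and how bridged frames will be treated given net.bridge.bridge-nf-call-iptables and the iptables FORWARD policy (the last check generalises beyond this thread to any bridge/firewall host). The function names, the `scan` argument and the /etc/sysconfig/network-scripts, /sys/class/net and /proc/sys paths are my assumptions; the check functions take their inputs as arguments so they can be exercised against sample ifcfg files without touching the live system.

```shell
#!/bin/sh
# Added diagnostic helper for a cloned bridge/firewall host (not from the
# thread). Assumes CentOS-5 style ifcfg-* files and the /sys and /proc paths
# used in scan_system; everything else is plain POSIX sh.

# Print the value of KEY ($2) from an ifcfg-style FILE ($1); empty if absent.
ifcfg_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Compare the HWADDR pinned in FILE ($1) with the MAC the kernel reports ($2).
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if no HWADDR is set.
check_hwaddr() {
    file=$1; actual=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    pinned=$(ifcfg_value "$file" HWADDR | tr 'A-Z' 'a-z')
    dev=$(ifcfg_value "$file" DEVICE)
    if [ -z "$pinned" ]; then
        echo "$dev: no HWADDR pinned (interface name may float between NICs)"
        return 2
    elif [ "$pinned" = "$actual" ]; then
        echo "$dev: HWADDR $pinned matches hardware"
        return 0
    else
        echo "$dev: HWADDR $pinned does not match hardware $actual (stale clone?)"
        return 1
    fi
}

# A bridge port (BRIDGE=brN) gets no address of its own; BOOTPROTO belongs on
# the bridge device. Returns 0 for a clean port definition, 1 otherwise.
check_bridge_port() {
    bridge=$(ifcfg_value "$1" BRIDGE)
    [ -n "$bridge" ] || return 0      # not a bridge port, nothing to check
    if [ -n "$(ifcfg_value "$1" BOOTPROTO)" ]; then
        echo "$(ifcfg_value "$1" DEVICE): port of $bridge should not set BOOTPROTO"
        return 1
    fi
    return 0
}

# Explain how bridged frames are treated given:
#   $1 = net.bridge.bridge-nf-call-iptables (0 or 1)
#   $2 = iptables FORWARD chain policy (ACCEPT or DROP)
# Bridged frames are switched, not routed, so ip_forward plays no part; with
# bridge-nf-call-iptables=1 they do traverse the FORWARD chain, where a DROP
# policy copied from another box with no bridge-aware ACCEPT rules silently
# eats every frame coming from outside.
bridge_filter_verdict() {
    case "$1:$2" in
        0:*)      echo "bridged frames bypass iptables entirely" ;;
        1:ACCEPT) echo "bridged frames traverse FORWARD and are accepted by policy" ;;
        1:DROP)   echo "bridged frames hit FORWARD policy DROP: add an explicit ACCEPT (e.g. -m physdev --physdev-is-bridged)" ;;
        *)        echo "unknown combination $1:$2" ;;
    esac
}

# Live scan of this host; only runs when invoked as:  sh bridgecheck.sh scan
scan_system() {
    for f in /etc/sysconfig/network-scripts/ifcfg-eth*; do
        [ -r "$f" ] || continue
        dev=$(ifcfg_value "$f" DEVICE)
        check_hwaddr "$f" "$(cat "/sys/class/net/$dev/address" 2>/dev/null)" || :
        check_bridge_port "$f" || :
    done
    policy=$(iptables -L FORWARD -n 2>/dev/null |
             sed -n 's/^Chain FORWARD (policy \([A-Z]*\)).*/\1/p')
    bridge_filter_verdict \
        "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables 2>/dev/null)" \
        "${policy:-ACCEPT}"
    brctl show 2>/dev/null
}

if [ "${1:-}" = "scan" ]; then
    scan_system
fi
```

Run it as `sh bridgecheck.sh scan` on the new box before cutting over; a "does not match hardware" line explains why the config rsync'd from another machine never brought the expected interfaces up, and the FORWARD verdict explains the "we can ping from the box but nothing gets through it" symptom when the copied ruleset has a DROP policy.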