I have tried unsuccessfully to run both Shorewall 1.2.x, 1.3.x with
Proxy ARP on a Red Hat 7.2 machine.

The machine was configured as the external firewall as per the 'belt and
suspenders' layout given at http://www.skippy.net/linux/firewall/

The firewall appeared to function correctly in all functions except
proxy ARP, however I must say I did not test exhaustively.

After attempting a connection to the Internet from a DMZ server, I could
observe (using tcpdump) packets entering then leaving the firewall. The
reply packets then came back to the external NIC but were never routed
back to the internal NIC. No messages were logged to indicate dropped /
rejected packets. Log messages were generated normally for other traffic
types.

I checked the routing table and Shorewall was generating the correct
entry. The proxy ARP was set up in /etc/shorewall/proxyarp with 'no' in
the HAVEROUTE column.

The firewall had both the latest versions of shorewall and RH errata. I
upgraded iptables to the version given on the shorewall FTP site.

Anyway... no luck there. In desperation I upgraded to RH 7.3, and proxy
ARP was working; however, the firewall machine was hanging after a few
minutes of operation. I then changed my ethernet driver from eepro100 to
e100 and everything suddenly works!

Not sure what the problem actually was (Is it possible that the eepro100
driver was the cause of the problems as noted above? Or was it just an
unrelated issue?) but figured it was worth noting on the mailing list in
case others are in the same situation.
On 12 Aug 2002, Shane Ayerst wrote:

> I have tried unsuccessfully to run both Shorewall 1.2.x, 1.3.x with
> Proxy ARP on a Red Hat 7.2 machine.
>
> The machine was configured as the external firewall as per the 'belt and
> suspenders' layout given at http://www.skippy.net/linux/firewall/
>
> The firewall appeared to function correctly in all functions except
> proxy ARP, however I must say I did not test exhaustively.
>
> After attempting a connection to the Internet from a DMZ server, I could
> observe (using tcpdump) packets entering then leaving the firewall. The
> reply packets then came back to the external NIC but were never routed
> back to the internal NIC. No messages were logged to indicate dropped /
> rejected packets. Log messages were generated normally for other traffic
> types.
>

See the startup guide -- this is usually because you just moved the system
from parallel to your firewall to behind it and your ISP's router still has
a stale cache entry. Since ISPs typically configure their routers to retain
cache entries for HOURS, it can take a long time (last time I made such a
switch it took almost 6 hours!).

> I checked the routing table and Shorewall was generating the correct
> entry. The proxy ARP was set up in /etc/shorewall/proxyarp with 'no' in
> the HAVEROUTE column.
>
> The firewall had both the latest versions of shorewall and RH errata. I
> upgraded iptables to the version given on the shorewall FTP site.
>
> Anyway... no luck there. In desperation I upgraded to RH 7.3, and proxy
> ARP was working however the firewall machine was hanging after a few
> minutes of operation. I then changed my ethernet driver from eepro100 to
> e100 and everything suddenly works!
>
> Not sure what the problem actually was (Is it possible that the eepro100
> driver was the cause of the problems as noted above? Or was it just an
> unrelated issue?) but figured it was worth noting on the mailing list in
> case others are in the same situation.

I think that two things happened:

a) The gateway router finally sent an ARP "who-has" and updated its cache
   (your original problem).

b) You changed your NIC (cause of your hang problems).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Sun, 11 Aug 2002, Tom Eastep wrote:

> See the startup guide

Make that "setup guide" -- I seem to be prone to that typo all of a sudden :-)

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
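A small diagnostic helper, added here as an example (it is neither Shorewall's own code nor anything posted in the thread): it spells out the kernel state that a proxyarp entry like Shane's implies, and checks captured `ip route` and `ip neigh show proxy` output against it, so the "packets leave, replies never come back" symptom can be split into a firewall-side gap versus the stale upstream ARP cache Tom describes. The addresses, interface names and captures are constructed, and the ip(8)/sysctl commands are my assumed equivalent of what Shorewall configures for such an entry.

```shell
# Constructed /etc/shorewall/proxyarp entry for the layout in the thread:
# ADDRESS INTERFACE EXTERNAL HAVEROUTE  (DMZ host on eth1, ISP side on eth0)
ENTRY="192.0.2.10 eth1 eth0 no"

# Print the kernel state one proxyarp entry implies, as ip(8)/sysctl commands.
# Assumed equivalent of what Shorewall sets up; not Shorewall's own code.
proxyarp_cmds() {
    addr=$1; iface=$2; ext=$3; haveroute=$4
    # HAVEROUTE=no: the firewall itself needs a host route via the internal NIC
    if [ "$haveroute" = "no" ]; then
        echo "ip route replace $addr dev $iface"
    fi
    # Publish the address on the external NIC so the ISP router ARPs to us
    echo "ip neigh add proxy $addr dev $ext"
    echo "sysctl -w net.ipv4.conf.$ext.proxy_arp=1"
}

# Compare captured "ip route" and "ip neigh show proxy" output with the entry.
# Prints "ok" when the firewall side is complete; if replies then still stop
# at the external NIC, the remaining suspect is a stale ARP entry in the
# upstream router, not the firewall.
check_proxyarp() {
    addr=$1; iface=$2; ext=$3; routes=$4; proxies=$5
    pat=$(printf '%s' "$addr" | sed 's/\./\\./g')   # literal dots in the regex
    if ! printf '%s\n' "$routes" | grep -q "^$pat dev $iface "; then
        echo "missing-route: run 'ip route replace $addr dev $iface' (HAVEROUTE=no)"
    elif ! printf '%s\n' "$proxies" | grep -q "^$pat dev $ext proxy"; then
        echo "missing-proxy-neigh: run 'ip neigh add proxy $addr dev $ext'"
    else
        echo ok
    fi
}

# Constructed captures from a correctly configured firewall
ROUTES="default via 198.51.100.1 dev eth0
192.0.2.10 dev eth1 scope link
198.51.100.0/24 dev eth0 scope link"
PROXIES="192.0.2.10 dev eth0 proxy"

set -- $ENTRY
proxyarp_cmds "$@"
check_proxyarp "$1" "$2" "$3" "$ROUTES" "$PROXIES"
```

When the check reports ok and the DMZ host still gets no replies, the gateway router's ARP cache is what is left to suspect; beyond the thread's advice to wait it out, an unsolicited ARP from the firewall (iputils `arping -U -I eth0 -s 192.0.2.10 <gateway>`, with the gateway address a placeholder) refreshes that cache immediately.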
Shane Ayerst wrote:
>
> I have tried unsuccessfully to run both Shorewall 1.2.x, 1.3.x with
> Proxy ARP on a Red Hat 7.2 machine.
>
> The machine was configured as the external firewall as per the 'belt and
> suspenders' layout given at http://www.skippy.net/linux/firewall/
>
> The firewall appeared to function correctly in all functions except
> proxy ARP, however I must say I did not test exhaustively.
>
> After attempting a connection to the Internet from a DMZ server, I could
> observe (using tcpdump) packets entering then leaving the firewall. The
> reply packets then came back to the external NIC but were never routed
> back to the internal NIC. No messages were logged to indicate dropped /
> rejected packets. Log messages were generated normally for other traffic
> types.
>
> I checked the routing table and Shorewall was generating the correct
> entry. The proxy ARP was set up in /etc/shorewall/proxyarp with 'no' in
> the HAVEROUTE column.
>
> The firewall had both the latest versions of shorewall and RH errata. I
> upgraded iptables to the version given on the shorewall FTP site.
>
> Anyway... no luck there. In desperation I upgraded to RH 7.3, and proxy
> ARP was working however the firewall machine was hanging after a few
> minutes of operation. I then changed my ethernet driver from eepro100 to
> e100 and everything suddenly works!

Older Intel cards had a bug and you could see a message like
'Receiver lock-up workaround activated.' when the card was initialized.
It seems to me that some cards still don't work correctly. First it
looks like they work okay but suddenly they stop or almost stop
responding.

Simon

> Not sure what the problem actually was (Is it possible that the eepro100
> driver was the cause of the problems as noted above? Or was it just an
> unrelated issue?) but figured it was worth noting on the mailing list in
> case others are in the same situation.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
On Mon, 12 Aug 2002, Simon Matter wrote:

> >
> > Anyway... no luck there. In desperation I upgraded to RH 7.3, and proxy
> > ARP was working however the firewall machine was hanging after a few
> > minutes of operation. I then changed my ethernet driver from eepro100 to
> > e100 and everything suddenly works!
>
> Older Intel cards had a bug and you could see a message like
> 'Receiver lock-up workaround activated.' when the card was initialized.
> It seems to me that some cards still don't work correctly. First it
> looks like they work okay but suddenly they stop or almost stop
> responding.
>

I've had mixed results over the years with Intel cards, especially on SMP
systems. OTOH, my server uses one of those cards with the eepro100 driver
and it has been rock solid. As I recall when I saw failures with the card
though, they weren't silent -- there were always console messages (and
lots of them).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net