Paul Seniuk
2002-Nov-04 20:21 UTC
[Shorewall-users] Problem with Shorewall 1.38 DNAT on reboot.
Hello,

I have added some DNAT entries to my /etc/shorewall/rules:

DNAT net loc:192.168.3.1 tcp 443

It appears to be working fine; however, on reboot /var/log/messages produces the following output on startup:

Nov 4 10:02:57 gw1 random: Initializing random number generator: succeeded
Nov 4 10:02:57 gw1 netfs: Mounting other filesystems: succeeded
Nov 4 10:02:57 gw1 shorewall: Processing /etc/shorewall/shorewall.conf ...
Nov 4 10:02:57 gw1 shorewall: Processing /etc/shorewall/params ...
Nov 4 10:02:58 gw1 kernel: ip_tables: (C) 2000-2002 Netfilter core team
Nov 4 10:02:58 gw1 shorewall: Starting Shorewall...
Nov 4 10:02:58 gw1 shorewall: Loading Modules...
Nov 4 10:02:58 gw1 kernel: ip_conntrack (767 buckets, 6136 max)
Nov 4 10:02:58 gw1 shorewall: Initializing...
Nov 4 10:02:58 gw1 shorewall: Determining Zones...
Nov 4 10:02:58 gw1 shorewall: Zones: net loc dmz vpn
Nov 4 10:02:58 gw1 shorewall: Validating interfaces file...
Nov 4 10:02:58 gw1 shorewall: Validating hosts file...
Nov 4 10:02:58 gw1 shorewall: Validating Policy file...
Nov 4 10:02:58 gw1 shorewall: Determining Hosts in Zones...
Nov 4 10:02:58 gw1 shorewall: Net Zone: eth0:0.0.0.0/0
Nov 4 10:02:58 gw1 shorewall: Local Zone: eth1:0.0.0.0/0
Nov 4 10:02:58 gw1 shorewall: Warning: Zone dmz is empty
Nov 4 10:02:58 gw1 shorewall: vpn Zone: ipsec0:0.0.0.0/0
Nov 4 10:02:58 gw1 shorewall: Deleting user chains...
Nov 4 10:02:47 gw1 rc.sysinit: Mounting proc filesystem: succeeded
.
.
Nov 4 10:02:53 gw1 ifup: Error, some other host already uses address 216.x.x.x
Nov 4 10:02:53 gw1 network: Bringing up interface eth0: failed
Nov 4 10:02:56 gw1 network: Bringing up interface eth1: succeeded
Nov 4 10:02:58 gw1 shorewall: Creating input Chains...
Nov 4 10:02:59 gw1 shorewall: Configuring Proxy ARP
Nov 4 10:02:59 gw1 shorewall: Setting up NAT...
Nov 4 10:02:59 gw1 shorewall: Adding Common Rules

As a result, the firewall cannot be contacted since eth0 is down.

Upon further investigation by my ISP, they saw that the MAC address of eth1 was attempting to use eth0's IP address (which is static) as well (they verified this by checking the MAC addresses on my NICs). From this evidence, it appears that DNAT is binding to the address before eth0 is up? How can I fix this?? ...My Detect_DNAT_ADDRS=No..should be =yes??

I did read the documentation, but not 100% clear so that I can explain this IP address conflict.

Any help would be appreciated.

Paul Seniuk
Freestyle Networks
v: 780-919-3629
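An added example, not from this thread or from Shorewall itself: a small checker that parses boot-time syslog lines of the shape quoted in the post above and flags the sequence Paul describes, an interface failing to come up because another host already answers for its address, followed by the firewall script reaching NAT setup anyway. The hostname gw1, the interface names and the address 198.51.100.10 in the sample are constructed values.

```python
import re

# Constructed sample in the format of the quoted /var/log/messages excerpt.
SAMPLE_LOG = """\
Nov  4 10:02:53 gw1 ifup: Error, some other host already uses address 198.51.100.10
Nov  4 10:02:53 gw1 network: Bringing up interface eth0: failed
Nov  4 10:02:56 gw1 network: Bringing up interface eth1: succeeded
Nov  4 10:02:58 gw1 shorewall: Starting Shorewall...
Nov  4 10:02:59 gw1 shorewall: Setting up NAT...
"""

# Classic syslog line: "<Mon> <d> <hh:mm:ss> <host> <program>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
IFUP_FAIL_RE = re.compile(r"Bringing up interface (?P<iface>\S+): failed")
CONFLICT_RE = re.compile(r"some other host already uses address (?P<addr>\S+)")


def parse_syslog(text):
    """Return one dict per recognised syslog line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def check_boot_order(text):
    """Report interfaces that failed to come up, addresses reported as already in
    use, and whether the firewall reached NAT setup after such a failure."""
    failed, conflicts, nat_after_failure = [], [], False
    for ev in parse_syslog(text):
        msg = ev["msg"]
        m = CONFLICT_RE.search(msg)
        if ev["prog"] == "ifup" and m:
            conflicts.append(m.group("addr"))
        m = IFUP_FAIL_RE.search(msg)
        if ev["prog"] == "network" and m:
            failed.append(m.group("iface"))
        # NAT rules being installed while an interface is still down is the
        # ordering problem worth raising; only flag it once a failure was seen.
        if ev["prog"] == "shorewall" and msg.startswith("Setting up NAT") and failed:
            nat_after_failure = True
    return {"failed_ifaces": failed, "conflicts": conflicts,
            "nat_after_failure": nat_after_failure}


if __name__ == "__main__":
    print(check_boot_order(SAMPLE_LOG))
```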
Tom Eastep
2002-Nov-05 03:43 UTC
[Shorewall-users] Problem with Shorewall 1.38 DNAT on reboot.
--On Monday, November 04, 2002 1:21 PM -0700 Paul Seniuk <paul@freestylenetworks.com> wrote:

> How can I fix this?? ...My Detect_DNAT_ADDRS=No..should be =yes??
>
> I did read the documentation, but not 100% clear so that I can explain
> this IP address conflict.
>
> Any help would be appreciated.

Do you have both eth0 and eth1 connected to the same hub or switch?

-Tom
--
Tom Eastep     \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net