Benjamin Collar
2003-Jan-22 02:03 UTC
[Shorewall-users] expect connect timeout, but don''t get one
Greetings,

I'm having a network problem that I don't understand. It involves/hinges upon an internal router running the latest Shorewall. We make weather radar control and networking software. Our customers are experiencing a connection timeout, but here in the office we are not. I have some slight suspicions as to why they see a timeout, but I have no idea why we don't.

More specifically, the part of the software in question opens a TCP socket and tries to connect to a port on another workstation. The problem at the customer site is that this connection hangs for 30 seconds (connect's default timeout) when a) the machine being connected to is on a different LAN, crossing switches and/or routers, and b) the machine being connected to is physically powered off.

In house, we have three LANs on the Shorewall box:

  eth0  192.168.9.2/255.255.255.0
  eth1  192.168.12.1/255.255.255.0
  eth2  192.168.11.92/255.255.255.0

eth0 is on a LAN occupied by only one other machine: the gateway to the internet. Workstations on eth1 run our software, as do workstations on eth2. All workstations on LAN 12 and LAN 11 have the Shorewall box as their default route. All have netmask 255.255.255.0.

So here's the deal: internally, when we try to replicate what happens at the customer site, well, we fail. A workstation on network 12 tries to connect to a workstation on network 11, but the remote one is powered off. Instead of seeing a 30 second timeout, we instantly get a result of not making the connection. A warning in our software notifying that this occurred comes nearly immediately.

At first, the network engineers at the customer site informed us that since the connect is going through routers and switches it times out because no ARPs are sent across such network devices. They said that our Linux box must be proxying ARPs. However, my proxyarp file in /etc/shorewall is empty, so I assume (shoot me!) that we are not proxying ARPs.
Perhaps I am wrong here? I'm not sure what more information you need to be able to help with this problem. I hope that someone out there can help, though. Thanks for your time.

Sincerely,
Ben

-- 
Benjamin Collar
GAMIC mbH ++49 (0)241 889 110
Developer/System Administrator
Tom Eastep
2003-Jan-22 06:40 UTC
[Shorewall-users] expect connect timeout, but don''t get one
--On Wednesday, January 22, 2003 11:03 AM +0100 Benjamin Collar <collar@gamic.com> wrote:

> At first, the network engineers at the customer site informed us that
> since the connect is going through routers and switches it times out
> because no ARPs are sent across such network devices. They said that our
> Linux box must be proxying ARPs. However, my proxyarp file in
> /etc/shorewall is empty, so I assume (shoot me!) that we are not
> proxying ARPs. Perhaps I am wrong here?

A tcpdump of ARP traffic on the Shorewall box in question can certainly answer that question. In addition to the proxyarp file, you should check that "/proc/sys/net/ipv4/conf/*/proxy_arp" are all zero. e.g.,

  [root@mail postfix]# cat /proc/sys/net/ipv4/conf/*/proxy_arp
  0
  0
  0
  0
  [root@mail postfix]#

These are set by the 'proxyarp' option in /etc/shorewall/interfaces as well as by entries in the proxyarp file. They of course may also be set by the customer's init scripts.

-Tom

-- 
Tom Eastep      \ Shorewall - iptables made easy
AIM: teastep    \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
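The proxy_arp check Tom describes, written out as a small POSIX sh script. This is an added example and is not code from the thread or from Shorewall itself. It assumes the standard Linux layout of one proxy_arp file per interface directory under /proc/sys/net/ipv4/conf (including the "all" and "default" pseudo-interfaces, where a 1 in "all" also turns proxy ARP on everywhere). The directory is a parameter so the same function can be run against the live box or against a constructed test tree; the make_sample_tree helper and the interface names in it are made up for demonstration.

```shell
#!/bin/sh
# Added example, not from the Shorewall list. Reports whether proxy ARP is
# enabled on any interface by reading the per-interface sysctl files.
#
# Usage on the firewall itself:   check_proxy_arp
# Usage against a copied tree:    check_proxy_arp /path/to/conf
# Returns 0 when every proxy_arp file reads 0, 1 if any interface has it on.
check_proxy_arp() {
    confdir=${1:-/proc/sys/net/ipv4/conf}
    enabled=0
    for f in "$confdir"/*/proxy_arp; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        case "$val" in
            0) printf '%-8s proxy_arp=0\n' "$iface" ;;
            *) printf '%-8s proxy_arp=%s  <-- proxy ARP ENABLED\n' "$iface" "$val"
               enabled=1 ;;
        esac
    done
    return $enabled
}

# Constructed sample (not the poster's machine): a fake conf tree with the
# three LAN interfaces from the thread plus the kernel's "all"/"default"
# entries, with proxy ARP switched on for eth1 only. Lets the check be
# exercised without root and without touching the real /proc.
make_sample_tree() {
    dir=$1
    for iface in all default eth0 eth1 eth2; do
        mkdir -p "$dir/$iface"
        echo 0 > "$dir/$iface/proxy_arp"
    done
    echo 1 > "$dir/eth1/proxy_arp"
}
```

On the real box the complementary evidence is the packet capture Tom mentions, e.g. `tcpdump -n -i eth1 arp`: if the Shorewall host answers "who-has" requests for addresses on the 192.168.11.0/24 side while listening on the 192.168.12.0/24 side, it is proxying ARP regardless of what the Shorewall config files say, and the sysctl reading above will show which interface is doing it.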