Robin Mordasiewicz
2003-Aug-31 10:31 UTC
[Shorewall-users] linux-ha heartbeat .. failover firewall
I have searched your FAQ's and read the documentation on your site as well as googling. I am not able to figure this out. If you have any ideas can you please help.

I am using the linux-ha failover with redundant firewalls. Part of the function of the linux-ha software consists of a service called heartbeat, which is a connection from each failover node through a serial cable or ethernet. When the heartbeat runs over an ethernet cable it contacts the other node over udp on port 694. There is also some type of broadcast ping sent across. In my ha-log I see the error....

heartbeat:ERROR: Error sending packet: Operation not permitted
heartbeat:ERROR: write failure on bcast eth2.: Operation not permitted

I am able to manually ping the broadcast address and the other node replies.

[castor ~]# ping 192.168.6.255 -b
WARNING: pinging broadcast address
64 bytes from 192.168.6.3: icmp_seq=1 ttl=64 time=0.708 ms
64 bytes from 192.168.6.2: icmp_seq=1 ttl=64 time=0.988 ms (DUP!)

I have eth0 as an external interface and eth1 as an internal interface. I have added a third nic dedicated for the heartbeat connection between the failover nodes. The other failover node has an address of 192.168.6.2 on its eth2. I have tried this without executing "shorewall clear" on the other node.
I have created a zone called crs for the crossover connection between the nodes on eth2.
I have in my /etc/shorewall/rules

ACCEPT fw crs udp ha-cluster
ACCEPT crs fw udp ha-cluster
ACCEPT fw crs icmp 0
ACCEPT crs fw icmp 0
ACCEPT fw crs icmp 8
ACCEPT crs fw icmp 8
ACCEPT fw crs icmp 17
ACCEPT crs fw icmp 17
ACCEPT fw crs icmp 18
ACCEPT crs fw icmp 18

and in /etc/shorewall/policy I have added

fw crs ACCEPT
crs fw ACCEPT

[castor ~]# shorewall version
1.4.6b

[castor ~]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:01:03:34:a3:fc brd ff:ff:ff:ff:ff:ff
    inet 216.254.179.44/29 brd 216.254.179.47 scope global eth0
    inet 216.254.179.42/29 brd 216.254.179.47 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:60:08:16:2f:cf brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.3/24 brd 192.168.5.255 scope global eth1
    inet 192.168.5.1/24 brd 192.168.5.255 scope global secondary eth1:2
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:ba:72:a8:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.6.3/24 brd 192.168.6.255 scope global eth2

[castor ~]# ip route show
216.254.179.40/29 dev eth0 scope link
192.168.6.0/24 dev eth2 scope link
192.168.5.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 216.254.179.41 dev eth0

[castor ~]# mii-tool
eth0: negotiated 100baseTx-FD flow-control, link ok
eth1: negotiated 100baseTx-FD, link ok
eth2: negotiated 100baseTx-FD, link ok

[castor ~]# ping 192.168.6.2
PING 192.168.6.2 (192.168.6.2) from 192.168.6.3 : 56(84) bytes of data.
64 bytes from 192.168.6.2: icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from 192.168.6.2: icmp_seq=2 ttl=64 time=0.646 ms
Robin Mordasiewicz
2003-Aug-31 14:42 UTC
[Shorewall-users] Re: linux-ha heartbeat .. failover firewall
Please excuse me. I missed posting the results of /sbin/shorewall status > /tmp/status.txt now included in the attachment. Steve Herber has suggested leaving it out of the shorewall config but I would like to implement rules on this interface. Any suggestions are appreciated, as well if you have a failover implementation with a shorewall firewall your experiences would be interesting to me.

> Date: Sun, 31 Aug 2003 13:31:00 -0400 (EDT)
> From: Robin Mordasiewicz <robin@primustel.ca>
> To: shorewall-users@lists.shorewall.net
> Subject: linux-ha heartbeat .. failover firewall
>
> I have searched your FAQ's and read the documentation on your site as well
> as googling. I am not able to figure this out. If you have any ideas can
> you please help.
> I am using the linux-ha failover with redundant firewalls.
> As part of the function of the linux-ha software consists a service called
> heartbeat which is a connection from each failover node through a serial
> cable or ethernet. When the heartbeat runs over an ethernet cable it
> contacts the other node over udp on port 694. There is also some type of
> broadcast ping sent across. In my ha-log I see the error....
> heartbeat:ERROR: Error sending packet: Operation not permitted
> heartbeat:ERROR: write failure on bcast eth2.: Operation not permitted
>
> I am able to manually ping the broadcast address and the other node
> replies.
> [castor ~]# ping 192.168.6.255 -b
> WARNING: pinging broadcast address
> 64 bytes from 192.168.6.3: icmp_seq=1 ttl=64 time=0.708 ms
> 64 bytes from 192.168.6.2: icmp_seq=1 ttl=64 time=0.988 ms (DUP!)
>
> I have eth0 as an external interface and eth1 as an internal interface. I
> have added a third nic dedicated for the heartbeat connection between the
> failover nodes. The other failover node has an address of 192.168.6.2 on
> its eth2. I have tried this without executing "shorewall clear" on the
> other node.
> I have created a zone called crs for the crossover connection between the nodes on eth2.
>
> I have in my /etc/shorewall/rules
> ACCEPT fw crs udp ha-cluster
> ACCEPT crs fw udp ha-cluster
> ACCEPT fw crs icmp 0
> ACCEPT crs fw icmp 0
> ACCEPT fw crs icmp 8
> ACCEPT crs fw icmp 8
> ACCEPT fw crs icmp 17
> ACCEPT crs fw icmp 17
> ACCEPT fw crs icmp 18
> ACCEPT crs fw icmp 18
>
> and in /etc/shorewall/policy I have added
> fw crs ACCEPT
> crs fw ACCEPT
>
>
> [castor ~]# shorewall version
> 1.4.6b
>
> [castor ~]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:01:03:34:a3:fc brd ff:ff:ff:ff:ff:ff
>     inet 216.254.179.44/29 brd 216.254.179.47 scope global eth0
>     inet 216.254.179.42/29 brd 216.254.179.47 scope global secondary eth0:0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:60:08:16:2f:cf brd ff:ff:ff:ff:ff:ff
>     inet 192.168.5.3/24 brd 192.168.5.255 scope global eth1
>     inet 192.168.5.1/24 brd 192.168.5.255 scope global secondary eth1:2
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:ba:72:a8:f1 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.6.3/24 brd 192.168.6.255 scope global eth2
>
> [castor ~]# ip route show
> 216.254.179.40/29 dev eth0 scope link
> 192.168.6.0/24 dev eth2 scope link
> 192.168.5.0/24 dev eth1 scope link
> 127.0.0.0/8 dev lo scope link
> default via 216.254.179.41 dev eth0
>
> [castor ~]# mii-tool
> eth0: negotiated 100baseTx-FD flow-control, link ok
> eth1: negotiated 100baseTx-FD, link ok
> eth2: negotiated 100baseTx-FD, link ok
>
> [castor ~]# ping 192.168.6.2
> PING 192.168.6.2 (192.168.6.2) from 192.168.6.3 : 56(84) bytes of data.
> 64 bytes from 192.168.6.2: icmp_seq=1 ttl=64 time=1.23 ms
> 64 bytes from 192.168.6.2: icmp_seq=2 ttl=64 time=0.646 ms
>

-------------- next part --------------
Shorewall-1.4.6c Status at castor - Sun Aug 31 17:33:58 EDT 2003
Counters reset Sun Aug 31 13:46:47 EDT 2003
[attachment status.txt: full shorewall status output (filter, nat and mangle chain counters, log extract and conntrack table) not reproduced here]
Eduardo Ferreira
2003-Sep-01 10:04 UTC
[Shorewall-users] Re: linux-ha heartbeat .. failover firewall
Robin,

I don't know anything about heartbeat (though I plan to use it in the near future, if I have the time to study it), but, AFAIK, your rules seem ok. In your shorewall status output, you can see the same number of packets entering INPUT chain, then eth2_in chain, then crs2fw chain - same number of packets, same number of bytes all along. The same numbers appear on the OUTPUT, eth2_out and fw2crs chains. This doesn't seem a shorewall problem. Have you tried a shorewall clear?

[]s

Eduardo Ferreira

Counters reset Sun Aug 31 13:46:47 EDT 2003

Chain INPUT (policy DROP 2 packets, 302 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 1532 98090 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  703  105K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 6782 1196K eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_in  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
[...]

Chain OUTPUT (policy DROP 10 packets, 1750 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
 1518  130K fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  108 15644 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
 6783 1196K fw2crs     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
[...]

Chain crs2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6782 1196K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
[...]

Chain eth2_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6782 1196K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6782 1196K crs2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2crs (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6783 1196K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
[...]

udp      17 29 src=192.168.6.3 dst=192.168.6.255 sport=1031 dport=694 [UNREPLIED] src=192.168.6.255 dst=192.168.6.3 sport=694 dport=1031 use=1

shorewall-users-bounces@lists.shorewall.net wrote on 31/08/2003 18:42:35:

> Please excuse me.
> I missed posting the results of /sbin/shorewall status > /tmp/status.txt
> now included in the attachment.
>
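The counter check Eduardo does by eye (packets entering INPUT, eth2_in and crs2fw all agree, and the heartbeat datagram sits [UNREPLIED] in conntrack) can be scripted against a saved `shorewall status` listing. The following is an added example and not code from the thread or from Shorewall; the sample listing and conntrack lines are constructed from the chains quoted above, and function names are the example's own.

```python
"""Trace packet counters through a `shorewall status` (iptables -L -v -n) listing and
pick out unreplied conntrack flows: the two checks Eduardo made by eye in this thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\d+) packets|(\d+) references)")
# conntrack line: proto, proto number, timeout, optional TCP state, then the original tuple
CT_RE = re.compile(r"^(udp|tcp)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
                   r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)(.*)$")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end a packet's traversal


@dataclass
class Chain:
    name: str
    policy: Optional[str] = None  # only built-in chains carry a policy
    policy_pkts: int = 0          # packets that fell through to that policy
    refs: int = 0                 # rules jumping here (user chains only)
    rules: List[Tuple[int, str, str]] = field(default_factory=list)  # (pkts, target, match)


def parse_status(text: str) -> Dict[str, Chain]:
    """Parse the verbose chain listing into Chain objects keyed by chain name."""
    chains: Dict[str, Chain] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy, ppkts, refs = m.groups()
            current = chains[name] = Chain(name, policy, int(ppkts or 0), int(refs or 0))
            continue
        cols = line.split()
        # skip blank lines, the "pkts bytes target ..." header row and any leading text
        if current is None or len(cols) < 9 or not cols[0].isdigit():
            continue
        current.rules.append((int(cols[0]), cols[2], " ".join(cols[3:])))
    return chains


def counter_path(chains: Dict[str, Chain], path: List[str]) -> List[int]:
    """Packets counted on each jump A -> B along `path`; equal numbers mean no loss."""
    hops = []
    for src, dst in zip(path, path[1:]):
        jumps = [pkts for pkts, target, _ in chains[src].rules if target == dst]
        if not jumps:
            raise KeyError(f"chain {src} has no jump to {dst}")
        hops.append(sum(jumps))
    return hops


def disposition(chains: Dict[str, Chain], name: str) -> Tuple[Dict[str, int], int]:
    """Final verdicts reached from chain `name` and the packets they consumed; a user
    chain hands (entered - consumed) packets back to its caller via RETURN."""
    chain = chains[name]
    verdicts: Dict[str, int] = {}
    consumed = 0
    for pkts, target, _ in chain.rules:
        if target in TERMINAL:
            verdicts[target] = verdicts.get(target, 0) + pkts
            consumed += pkts
        elif target in chains and chains[target].refs == 1:
            # shared chains (common, dynamic, ...) mix traffic from several callers, so
            # their counters cannot be attributed to this one; only follow 1-ref chains
            sub, sub_consumed = disposition(chains, target)
            for verdict, n in sub.items():
                verdicts[verdict] = verdicts.get(verdict, 0) + n
            consumed += sub_consumed
    if chain.policy:  # built-in chain: whatever matched nothing hit the policy
        verdicts["policy " + chain.policy] = chain.policy_pkts
        consumed += chain.policy_pkts
    return verdicts, consumed


def unreplied_flows(conntrack_text: str, dport: int) -> List[Tuple[str, str]]:
    """(src, dst) of conntrack entries towards `dport` that never saw a reply. A datagram
    sent to the broadcast address stays [UNREPLIED]: the expected reply would have to
    come *from* the broadcast address, which no host ever uses as a source."""
    flows = []
    for line in conntrack_text.splitlines():
        m = CT_RE.match(line.strip())
        if m and int(m.group(5)) == dport and "[UNREPLIED]" in m.group(6):
            flows.append((m.group(2), m.group(3)))
    return flows


# Constructed excerpt mirroring the chains quoted in the thread (not the full attachment).
SAMPLE_STATUS = """\
Chain INPUT (policy DROP 2 packets, 302 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
 1532 98090 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 6782 1196K eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0

Chain eth2_in (1 references)
 6782 1196K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
 6782 1196K crs2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain crs2fw (1 references)
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6782 1196K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
"""
SAMPLE_CONNTRACK = """\
udp      17 29 src=192.168.6.3 dst=192.168.6.255 sport=1031 dport=694 [UNREPLIED] src=192.168.6.255 dst=192.168.6.3 sport=694 dport=1031 use=1
tcp      6 326014 ESTABLISHED src=192.168.5.50 dst=192.168.5.1 sport=1090 dport=22 src=192.168.5.1 dst=192.168.5.50 sport=22 dport=1090 [ASSURED] use=1
"""
```

Run against a real `shorewall status` capture, `counter_path(chains, ["INPUT", "eth2_in", "crs2fw"])` returning equal numbers and `disposition(chains, "INPUT")` attributing them to ACCEPT is the machine form of "this is not a shorewall problem"; a mismatch points at the chain where packets went missing.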
Robin Mordasiewicz
2003-Sep-01 20:45 UTC
[Shorewall-users] Re: linux-ha heartbeat .. failover firewall
Hi Eduardo
when I clear the shorewall rules the heartbeat connection works fine.

On Mon, 1 Sep 2003, Eduardo Ferreira wrote:

> Date: Mon, 1 Sep 2003 14:03:18 -0300
> From: Eduardo Ferreira <duda@icatu.com.br>
> To: Robin Mordasiewicz <robin@primustel.ca>,
>     Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
> Subject: Re: [Shorewall-users] Re: linux-ha heartbeat .. failover firewall
>
> Robin,
>
> I don't know anything about heartbeat (though I plan to use it in the near
> future, if I have the time to study it), but, AFAIK, your rules seem ok.
> In your shorewall status output, you can see the same number of packets
> entering INPUT chain, then eth2_in chain, then crs2fw chain - same number
> of packets, same number of bytes all along. The same numbers appear on
> the OUTPUT, eth2_out and fw2crs chains. This doesn't seem a shorewall
> problem. Have you tried a shorewall clear?
>
> []s
>
> Eduardo Ferreira
>
> Counters reset Sun Aug 31 13:46:47 EDT 2003
>
> Chain INPUT (policy DROP 2 packets, 302 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>  1532 98090 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
>   703  105K eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
>  6782 1196K eth2_in    all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
>     0     0 ipsec0_in  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
> [...]
>
> Chain OUTPUT (policy DROP 10 packets, 1750 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
>     0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
>     0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
>  1518  130K fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
>   108 15644 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
>  6783 1196K fw2crs     all  --  *      eth2    0.0.0.0/0            0.0.0.0/0
> [...]
>
> Chain crs2fw (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>  6782 1196K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
> [...]
>
> Chain eth2_in (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>  6782 1196K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
>  6782 1196K crs2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> Chain fw2crs (1 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>  6783 1196K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:694
> [...]
>
> udp      17 29 src=192.168.6.3 dst=192.168.6.255 sport=1031 dport=694 [UNREPLIED] src=192.168.6.255 dst=192.168.6.3 sport=694 dport=1031 use=1
>
> shorewall-users-bounces@lists.shorewall.net wrote on 31/08/2003 18:42:35:
>
> > Please excuse me.
> > I missed posting the results of /sbin/shorewall status > /tmp/status.txt
> > now included in the attachment.
> >

Robin Mordasiewicz 416-207-7012
UNIX System Developer Primus Canada
Tuomo Soini
2003-Sep-02 04:23 UTC
[Shorewall-users] Re: linux-ha heartbeat .. failover firewall
Robin Mordasiewicz wrote:
> Hi Eduardo
> when I clear the shorewall rules the heartbeat connection works fine.

Please, don't top-post.

I'd advise changing to unicast heartbeat. At /etc/ha.d/ha.cf:

# unicast heartbeat on eth1 for 192.168.6.3 and 192.168.6.4
# you should add all members of cluster here on one line.
ucast eth1 192.168.6.3 192.168.6.4

It's really not documented well but it works, tested with heartbeat-1.0.3.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>