ether bunny
2003-Oct-10 12:28 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
My Shorewall installation was working great until yesterday when it started logging 'REJECT' to packets that tried to cross the firewall to the internet.

I tried to work past the firewall by entering "shorewall clear" but I still can't get past the gateway / firewall machine. Does this mean the NIC is damaged? When Shorewall is running I can navigate freely through the local and DMZ.

I sent some mail to the list about this yesterday - Tom says it's issuing a 'net unreachable' from the default gateway. But why? What has changed? Does this imply that the hardware is damaged?

I'm sorry for sending a redundant message. I'm hoping to gain some understanding as to what has changed on this machine.
Tom Eastep
2003-Oct-10 12:33 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Fri, 2003-10-10 at 12:26, ether bunny wrote:
> My Shorewall installation was working great until yesterday when it started
> logging 'REJECT' to packets that tried to cross the firewall to the
> internet.
>
> I tried to work past the firewall by entering "shorewall clear" but I still
> can't get past the gateway / firewall machine. Does this mean the NIC is
> damaged? When Shorewall is running I can navigate freely through the local
> and DMZ.

So after a shorewall clear, if you try this on the Shorewall machine:

    ping -n 206.124.146.177

what exactly do you see?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
ether bunny
2003-Oct-10 13:23 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
>shorewall restart
(.... appears to start ok..)
>ping -n 206.124.146.177
(.. no activity for 20+ second.. I hit ctrl-c)
----- 206.124.146.177 ping statistics ---
25 packets transmitted, 0 received, 100% packet loss. time 24013 ms

>shorewall clear
(.. shorewall clears...)
>ping -n 206.124.146.177
PING 206.124.146.177 (206.124.146.177 ) 56(84) bytes of data
from 192.168.1.231 icmp_seq=1 Destination Net Unreachable
from 192.168.1.231 icmp_seq=2 Destination Net Unreachable
from 192.168.1.231 icmp_seq=3 Destination Net Unreachable
.... and so on until cancelled.

NOTE: the shorewall commands are issued via SSH on the shorewall machine. The PING command comes from a wkstation in the LOCAL zone.
Tom Eastep
2003-Oct-10 13:50 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Fri, 2003-10-10 at 13:23, ether bunny wrote:
> >shorewall restart
> (.... appears to start ok..)
> >ping -n 206.124.146.177
> (.. no activity for 20+ second.. I hit ctrl-c)
> ----- 206.124.146.177 ping statistics ---
> 25 packets transmitted, 0 received, 100% packet loss. time 24013 ms
>
> >shorewall clear
> (.. shorewall clears...)
> >ping -n 206.124.146.177
> PING 206.124.146.177 (206.124.146.177 ) 56(84) bytes of data
> from 192.168.1.231 icmp_seq=1 Destination Net Unreachable
> from 192.168.1.231 icmp_seq=2 Destination Net Unreachable
> from 192.168.1.231 icmp_seq=3 Destination Net Unreachable
> .... and so on until cancelled.
>
> NOTE: the shorewall commands are issued via SSH on the shorewall machine.
> The PING command comes from a wkstation in the LOCAL zone.

I specifically asked you to ping from the Shorewall system. With Shorewall cleared, I already know that you would have no internet access from the local zone.

-Tom
ether bunny
2003-Oct-10 13:58 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
>shorewall clear
>ping -n 206.134.146.177
connect: Network is unreachable
Tom Eastep
2003-Oct-10 14:04 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Fri, 2003-10-10 at 13:58, ether bunny wrote:
> >shorewall clear
> >ping -n 206.134.146.177

Sigh -- the IP address is 206.124.146.177
                              ---

> connect: Network is unreachable

If you ping the correct address and still get 'Network is unreachable' then you will have conclusively proved that Shorewall has nothing to do with your problem.

The next thing that I would check would be your routing although you said that the IP address from which the logged ICMP packets were being returned was in fact the IP address of your default gateway. Is another host on that lan segment answering to that IP address?

To check that, ping your default gateway and check its MAC address using "arp -na" on the Shorewall system. Confirm that what you see in the ARP cache really is the MAC address of the gateway's interface that faces the Shorewall system.

-Tom
ether bunny
2003-Oct-10 14:05 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
>shorewall clear
>ping -n 206.134.146.177
connect: Network is unreachable
ether bunny
2003-Oct-10 14:52 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
(The IP address was entered correctly - transcribed incorrectly)

Ok. So 'arp -na' from the shorewall system shows some (but not all) of the connected machines.

'arp -na' from a machine in the local zone shows the MAC address of the gateway NIC. None of the other MAC addresses match this address.

At what point can I start to think this is a hardware problem?

Thank you for suffering my foolishness.
Tom Eastep
2003-Oct-10 14:59 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Fri, 2003-10-10 at 14:52, ether bunny wrote:
> (The IP address was entered correctly - transcribed incorrectly)
>
> Ok. So 'arp -na' from the shorewall system shows some (but not all) of the
> connected machines.

Did it correctly show the MAC and IP of its default gateway?

> 'arp -na' from a machine in the local zone shows the MAC address of the
> gateway NIC. None of the other MAC addresses match this address.

Do you mean the 'gateway' that is defined as the default gateway to the Shorewall machine or do you mean the MAC of the Shorewall machine's local interface? If the former, then something is really wrong with the network configuration since I assume that the 'gateway' isn't on the same LAN segment as the local zone systems.

> At what point can I start to think this is a hardware problem?

Still sounds like a configuration problem that was installed when you rebooted after the pfail.

> Thank you for suffering my foolishness.

Any time...

-Tom
ether bunny
2003-Oct-10 15:24 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
Calling "arp -na" from the shorewall system *did not* show any of the NICs installed on that machine. It showed several connected machines.

Calling "arp -na" from a machine in the local zone showed several machines in the local zone including the shorewall system. The MAC address of the shorewall system matches the NIC that is the default gateway.

I'm assuming (naively) that 'arp -na' doesn't show the interfaces on the box calling arp but rather those of interfaces connected to that machine (via lan). At least that's what appears to be happening here.

>Do you mean the 'gateway' that is defined as the default gateway to the
>Shorewall machine or do you mean the MAC of the Shorewall machine's
>local interface? If the former, then something is really wrong with the
>network configuration since I assume that the 'gateway' isn't on the
>same LAN segment as the local zone systems.

I mean that calling 'arp -na' from a machine in the local zone shows several addresses of connected systems - one of which is the NIC acting as the default gateway on the shorewall machine. In no instance does 'arp' show the NICs in the box from which 'arp' is called.
Tom Eastep
2003-Oct-10 15:29 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Fri, 2003-10-10 at 15:18, ether bunny wrote:
> calling "arp -na" from the shorewall system *did not* show any of the
> NICs installed on that machine. It showed several connected machines.
>
> calling "arp -na" from a machine in the local zone showed several machines
> in the local zone including the shorewall system. The MAC address of the
> shorewall system matches the NIC that is the default gateway.

Look carefully at the output of "ip addr ls" on the Shorewall box. Is the IP address of the Gateway system listed there?

-Tom
ether bunny
2003-Oct-10 15:49 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
I see 4 entries:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:a8:00:63:c2 brd ff:ff:ff:ff:ff:ff
    inet 155.229.27.55/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:a8:00:63:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.231/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:a9:e0:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth2

(this is copied from the shorewall machine)

I'm curious to know why the 'brd' (on the 'inet' lines) for eth0 and eth1 are the same. Does this mean they have the same netmask? Surely that's not ok.

To answer your question - yes. 'eth1' is the correct address for the nic that is the default gateway.
Tom Eastep
2003-Oct-10 16:00 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Fri, 10 Oct 2003, ether bunny wrote:
> I see 4 entries:
>
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:d0:a8:00:63:c2 brd ff:ff:ff:ff:ff:ff
>     inet 155.229.27.55/24 brd 192.168.1.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:d0:a8:00:63:c3 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.231/24 brd 192.168.1.255 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:10:5a:a9:e0:e0 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.100.1/24 brd 192.168.100.255 scope global eth2
>
> (this is copied from the shorewall machine)
>
> Im curious to know why the 'brd' (on the 'inet' lines) for eth0 and eth1
> are the same. Does this mean they have the same netmask? Surely thats not
> ok.

It's not.

> To answer your question - yes. 'eth1' is the correct address for the nic
> that is the default gateway.

And what does the routing table look like on this box? (ip route ls)

-Tom
Jerry Vonau
2003-Oct-10 19:22 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
> > I see 4 entries:
> >
> > 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> >     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> >     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> > 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:d0:a8:00:63:c2 brd ff:ff:ff:ff:ff:ff
> >     inet 155.229.27.55/24 brd 192.168.1.255 scope global eth0
> > 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:d0:a8:00:63:c3 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.1.231/24 brd 192.168.1.255 scope global eth1
> > 4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
> >     link/ether 00:10:5a:a9:e0:e0 brd ff:ff:ff:ff:ff:ff
> >     inet 192.168.100.1/24 brd 192.168.100.255 scope global eth2
> >
> > (this is copied from the shorewall machine)
> >
> > Im curious to know why the 'brd' (on the 'inet' lines) for eth0 and eth1
> > are the same. Does this mean they have the same netmask? Surely thats not
> > ok.
>
> It's not.
>
> > To answer your question - yes. 'eth1' is the correct address for the nic
> > that is the default gateway.
>
> And what does the routing table look like on this box? (ip route ls)
>
> -Tom

I'd check the config file for that nic.. Why is there a 192. broadcast for a 155. network? Anybody, is there a valid reason to have it set like that? For my own information, I'd like to know, to me that looks incorrect.

Jerry Vonau
ether bunny
2003-Oct-13 07:15 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
>ip route ls
192.168.100.0/24 dev eth2 scope link
155.229.27.0/24 dev eth0 scope link
192.168.1.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
Tom Eastep
2003-Oct-13 07:33 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Mon, 2003-10-13 at 07:14, ether bunny wrote:
> >ip route ls
> 192.168.100.0/24 dev eth2 scope link
> 155.229.27.0/24 dev eth0 scope link
> 192.168.1.0/24 dev eth1 scope link
> 127.0.0.0/8 dev lo scope link

There's no default route!!!!!

-Tom
ether bunny
2003-Oct-13 07:41 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
Ok - so I have *two* problems? no default route and a bad netmask for my eth0?
Tom Eastep
2003-Oct-13 07:49 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
On Mon, 2003-10-13 at 07:41, ether bunny wrote:
> Ok - so I have *two* problems? no default route and a bad netmask for my
> eth0?

Your networking configuration on the Shorewall box has problems, Yes.

The two external manifestations may be from the same cause or there may be, as you say, two different problems.

Those manifestations are:

a) Incorrect broadcast address on your external interface.
b) No default route.

Quirk (a) may be causing the creation of the default route to fail; check your boot log or restart the external interface and look for error messages.

Since my role here is to support Shorewall and is not to spend my time fixing people's broken basic networking configurations on their Linux boxes, I'll not be contributing any more to this thread.

-Tom
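The two symptoms listed in the message above (a broadcast address that does not belong to the interface's subnet, and a missing default route) can be checked mechanically from the `ip addr ls` and `ip route ls` output pasted earlier in the thread. The Python below is an added example, not part of the original messages; the names `parse_inet` and `audit` are hypothetical, and the two default-gateway sanity checks generalize the thread's gateway questions beyond what was actually found on this box.

```python
import ipaddress

# Output pasted in the thread from the Shorewall box.
IP_ADDR_LS = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:a8:00:63:c2 brd ff:ff:ff:ff:ff:ff
    inet 155.229.27.55/24 brd 192.168.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:d0:a8:00:63:c3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.231/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:5a:a9:e0:e0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.1/24 brd 192.168.100.255 scope global eth2
"""
IP_ROUTE_LS = """\
192.168.100.0/24 dev eth2 scope link
155.229.27.0/24 dev eth0 scope link
192.168.1.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
"""


def parse_inet(ip_addr_text):
    """Return [(device, IPv4Interface, configured broadcast or None)]."""
    entries = []
    for line in ip_addr_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "inet":
            continue  # skips link/ether lines, whose 'brd' is a MAC address
        brd = None
        if "brd" in tok:
            brd = ipaddress.ip_address(tok[tok.index("brd") + 1])
        # The last token of an inet line is the interface label.
        entries.append((tok[-1], ipaddress.ip_interface(tok[1]), brd))
    return entries


def audit(ip_addr_text, ip_route_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    entries = parse_inet(ip_addr_text)

    # Symptom (a): the configured broadcast must be the last address of the
    # interface's own network (address + prefix length).
    for dev, iface, brd in entries:
        expected = iface.network.broadcast_address
        if brd is not None and brd != expected:
            findings.append(f"{dev}: {iface} has brd {brd}, expected {expected}")

    # Symptom (b): without a default route, off-link destinations fail with
    # "Network is unreachable" regardless of any firewall rules.
    defaults = [line.split() for line in ip_route_text.splitlines()
                if line.split()[:1] in (["default"], ["0.0.0.0/0"])]
    if not defaults:
        findings.append("no default route")

    for tok in defaults:
        if "via" not in tok:
            continue  # device-only default route, e.g. a point-to-point link
        gw = ipaddress.ip_address(tok[tok.index("via") + 1])
        if any(gw == iface.ip for _, iface, _ in entries):
            findings.append(
                f"default gateway {gw} is one of this host's own addresses")
        elif not any(gw in iface.network for _, iface, _ in entries):
            findings.append(
                f"default gateway {gw} is not on a connected network")
    return findings


if __name__ == "__main__":
    for finding in audit(IP_ADDR_LS, IP_ROUTE_LS):
        print(finding)
    # Constructed route (not from the thread): a default route that points
    # at eth1's own address instead of an upstream router.
    print(audit(IP_ADDR_LS, "default via 192.168.1.231 dev eth1\n" + IP_ROUTE_LS))
```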
ether bunny
2003-Oct-13 07:55 UTC
[Shorewall-users] Getting past "net unreachable" message(s)
Thank you for your able and expert advice.