hi all -

I'm using 1.4.6c version. I have found an awkward thing about creating virtual interfaces. The only time my virtual interfaces will ever work after I restart shorewall is when I do:

# ifdown eth0:2
# ifup eth0:2

I have read through the support docs and did not find anything which would explain this. Here is my output!

Has anyone seen this problem.....

My rules file shows the typical DNAT example:

/etc/shorewall/rules
-----
DNAT wan loc:192.168.33.15 tcp 993 - 209.135.130.83

My /etc/sysconfig/network-scripts/ifcfg-eth0:2
-----
DEVICE=eth0:2
ONBOOT=yes
BOOTPROTO=static
IPADDR=209.135.130.83
NETMASK=255.255.255.240
NO_ALIASROUTING=yes

In shorewall.conf I have enabled ADD_IP_ALIASES=Yes

Anyone..... seen this problem.....

thanks
hallian
hallian hallian wrote:
> The only time my virtual interfaces will ever work after I restart
> shorewall is when I do:
>
> # ifdown eth0:2
> # ifup eth0:2
>
> I have read through the support docs and did not find anything which would
> explain this. Here is my output!
>
> Has anyone seen this problem.....
>
> My rules file shows the typical DNAT example:
>
> /etc/shorewall/rules
> -----
> DNAT wan loc:192.168.33.15 tcp 993 - 209.135.130.83
>
> My /etc/sysconfig/network-scripts/ifcfg-eth0:2
> -----
> DEVICE=eth0:2
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=209.135.130.83
> NETMASK=255.255.255.240
> NO_ALIASROUTING=yes
>
> In shorewall.conf I have enabled ADD_IP_ALIASES=Yes

a) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
b) After a "shorewall [re]start", what does "ip addr ls dev eth0" show?

Thanks,
-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
> hallian hallian wrote:
>> The only time my virtual interfaces will ever work after I restart
>> shorewall is when I do:
>>
>> # ifdown eth0:2
>> # ifup eth0:2
>>
>> I have read through the support docs and did not find anything which would
>> explain this. Here is my output!
>>
>> Has anyone seen this problem.....
>>
>> My rules file shows the typical DNAT example:
>>
>> /etc/shorewall/rules
>> -----
>> DNAT wan loc:192.168.33.15 tcp 993 - 209.135.130.83
>>
>> My /etc/sysconfig/network-scripts/ifcfg-eth0:2
>> -----
>> DEVICE=eth0:2
>> ONBOOT=yes
>> BOOTPROTO=static
>> IPADDR=209.135.130.83
>> NETMASK=255.255.255.240
>> NO_ALIASROUTING=yes
>>
>> In shorewall.conf I have enabled ADD_IP_ALIASES=Yes
>
> a) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
> b) After a "shorewall [re]start", what does "ip addr ls dev eth0" show?
>
> Thanks,
> -Tom

before RESTARTING SHOREWALL: ip addr ls dev eth0
----
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:8a:23:5f brd ff:ff:ff:ff:ff:ff
    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4

Well, it was my understanding that I was using port forwarding from my rules file, which states:

DNAT wan loc:192.168.33.15 tcp 993 - 209.135.130.83

that traffic for 993 for 209.135.130.83 should be redirected to local machine 192.168.33.15. In fact, I have the 209.135.130.83-86 IPs all bound as virtual addresses as above, which are pretty much port forwards on diff. ports too.

Then I read your statement:
If all you want to do is forward ports to servers behind your firewall, you do NOT want to use one-to-one NAT. Port forwarding can be accomplished with simple entries in the rules file.

a) Now, isn't that what I'm doing here..... if that is the case, why do I need "1-to-1 nat" unless I'm missing the point here with "1-to-1 nat"

b) Does the 1-to-1 nat mean all traffic is allowed on all ports or can you conduct 1-to-1 nat on specific ports too?

thanks
hallian
hallian hallian wrote:
>> a) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
>> b) After a "shorewall [re]start", what does "ip addr ls dev eth0" show?
>>
>> Thanks,
>> -Tom
>
> before RESTARTING SHOREWALL: ip addr ls dev eth0
> ----
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:40:f4:8a:23:5f brd ff:ff:ff:ff:ff:ff
>     inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
>     inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
>     inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
>     inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
>
> Well, it was my understanding that I was using port forwarding from my
> rules file, which states:
>
> DNAT wan loc:192.168.33.15 tcp 993 - 209.135.130.83
>
> that traffic for 993 for 209.135.130.83 should be redirected to local
> machine 192.168.33.15. In fact, I have the 209.135.130.83-86 IPs all bound
> as virtual addresses as above, which are pretty much port forwards on
> diff. ports too.
>
> Then I read your statement:
> If all you want to do is forward ports to servers behind your firewall,
> you do NOT want to use one-to-one NAT. Port forwarding can be
> accomplished with simple entries in the rules file.
>
> a) Now, isn't that what I'm doing here..... if that is the case, why do I
> need "1-to-1 nat" unless I'm missing the point here with "1-to-1 nat"
>
> b) Does the 1-to-1 nat mean all traffic is allowed on all ports or can
> you conduct 1-to-1 nat on specific ports too?

You didn't answer either of my questions.

a) I asked for "ip addr ls dev eth0" AFTER shorewall [re]start. You gave me that output BEFORE shorewall [re]start.

b) I asked if 209.135.130.83 was mentioned in /etc/shorewall/nat. I didn't say that it should be mentioned; I just asked if it was and all I wanted was a simple yes or no answer. Instead I got a lot of information and questions that I didn't want or understand.

The reason that I am asking this question is that *you* volunteered that you have ADD_IP_ALIASES=Yes in shorewall.conf and that setting only applies to /etc/shorewall/nat entries.

-Tom
ok.... Tom ....

here you go with the answer!

A) Is 209.135.130.83 mentioned in /etc/shorewall/nat?

No.

B) After a "shorewall [re]start", what does "ip addr ls dev eth0" show?

here is the output:
--
ip addr ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:8a:27:5f brd ff:ff:ff:ff:ff:ff
    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2

thanks
hallian
hallian hallian wrote:
> ok.... Tom ....
>
> here you go with the answer!
>
> A) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
>
> No.
>
> B) After a "shorewall [re]start", what does "ip addr ls dev eth0" show?
>
> here is the output:
> --
> ip addr ls dev eth0
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:40:f4:8a:27:5f brd ff:ff:ff:ff:ff:ff
>     inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
>     inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
>     inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
>     inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
>

Hmmm -- I don't know what to make of that. There's nothing wrong with that output but the order of the secondary IP addresses has been reversed. Please get a trace of "shorewall restart" (see http://shorewall.net/troubleshoot.htm) and forward it to me as a text attachment.

Thanks,
-Tom
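The comparison Tom is making above (same addresses before and after "shorewall restart", only listed in a different order) is easy to get wrong by eye. The shell script below is an added example, not from the thread or from Shorewall itself: it parses two "ip addr ls dev eth0" captures, compares the address/label sets order-insensitively, and lists any pair that disappeared. The captures are constructed from the output posted in this thread; the function names are mine.

```shell
#!/bin/sh
# Constructed sample captures of "ip addr ls dev eth0", copied from the thread.
# AFTER lists the secondary addresses in reverse order, as in the post above.
BEFORE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:8a:27:5f brd ff:ff:ff:ff:ff:ff
    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4'
AFTER='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:8a:27:5f brd ff:ff:ff:ff:ff:ff
    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2'

# addr_set: print "address label" for every inet line of a capture, sorted,
# so that two captures compare equal whatever order the kernel lists them in.
addr_set() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2, $NF }' | sort
}

# same_addrs: succeed when both captures hold the same addresses and labels.
same_addrs() {
    [ "$(addr_set "$1")" = "$(addr_set "$2")" ]
}

# lost_addrs: print each "address label" present in capture 1 but absent from
# capture 2, i.e. what the restart removed (prints nothing when nothing was lost).
lost_addrs() {
    after=$(addr_set "$2")
    addr_set "$1" | while IFS= read -r entry; do
        printf '%s\n' "$after" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Live use on the firewall (not run here): capture, restart, capture, compare.
#   b=$(ip addr ls dev eth0); shorewall restart >/dev/null; a=$(ip addr ls dev eth0)
#   same_addrs "$b" "$a" && echo "addresses unchanged" || lost_addrs "$b" "$a"
```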
Tom Eastep wrote:
> hallian hallian wrote:
>
>> ok.... Tom ....
>>
>> here you go with the answer!
>>
>> A) Is 209.135.130.83 mentioned in /etc/shorewall/nat?

I just realized -- there was an implication in your first post that 209.135.130.83 was the IP address with label eth0:2 which is not the case!!! I guess the DNAT rule you gave us was just to add more smoke to the haze...

-Tom
hi tom -

I'm not sure whether my last email went out or not..... as my browser zapped away...... But I'm sending it again......

Thanks,
shazad
hallian hallian wrote:
> hi tom -
>
> I'm not sure whether my last email went out or not..... as my browser
> zapped away...... But I'm sending it again......
>

Shorewall is not changing the configuration of eth0 in any way during "shorewall restart". And since "shorewall restart" is the same as "shorewall start" except for the messages generated, I'll assert that "shorewall start" isn't changing the configuration either.

So exactly how are you seeing this problem?

a) Is it only at boot? Or does "shorewall restart" also cause the problem?
b) If "restart" doesn't break eth0:2 then have you actually verified that eth0:2 "works" (whatever that means) before Shorewall is started?
c) Is "shorewall start" the only thing that occurs between the time when eth0:2 "works" and when it "doesn't work"?
d) Is it only eth0:2 or is it all secondary ip addresses on eth0 that "don't work"?
e) (You knew it was coming) What distinguished "it works" from "it doesn't work"?

-Tom
Tom Eastep wrote:
>
> So exactly how are you seeing this problem?
>
> a) Is it only at boot? Or does "shorewall restart" also cause the problem?
> b) If "restart" doesn't break eth0:2 then have you actually verified
> that eth0:2 "works" (whatever that means) before Shorewall is started?
> c) Is "shorewall start" the only thing that occurs between the time when
> eth0:2 "works" and when it "doesn't work"?
> d) Is it only eth0:2 or is it all secondary ip addresses on eth0 that
> "don't work"?
> e) (You knew it was coming) What distinguished "it works" from "it
> doesn't work"?
>

I went back and read the original post and believe that I can answer:

a) restart causes the problem.
b) N/A
d) All secondary ip addresses. Although it is unclear if it is only necessary to restart eth0:2 to correct the problem or if all secondary interfaces need restarting (in which case, restarting the primary interface would be faster).

-Tom
Tom Eastep wrote:
>
> I went back and read the original post and believe that I can answer:
>
> a) restart causes the problem.
> b) N/A
> d) All secondary ip addresses. Although it is unclear if it is only
> necessary to restart eth0:2 to correct the problem or if all secondary
> interfaces need restarting (in which case, restarting the primary
> interface would be faster).
>

I went through the trace again and notice that you are restarting ipsec in /etc/shorewall/start. Please confirm that the problem still occurs if you leave ipsec stopped throughout (stop ipsec before restarting shorewall and don't include the restart command in /etc/shorewall/start).

-Tom