Shorewall users - May 2004 - alias interface not functioning after restart

hi all-

I''m using 1.4.6c version.   I have found a awkward thing about creating
virtual interfaces.  The only time my virtual interfaces will ever work 
after I restart shorewall is when I do:

# ifdown eth0:2
# ifup eth0:2

I have read thru the support docs and did not find anything which would 
explain this:  Here is my output!

HAs anyone see this problem.....

My rules files show me typical DNAT example: /etc/shorewall/rules
-----
DNAT    wan     loc:192.168.33.15  tcp     993        -      209.135.130.83

My /etc/sysconfig/network-scripts/ifcfg-eth0:2
-----
DEVICE=eth0:2
ONBOOT=yes
BOOTPROTO=static
IPADDR=209.135.130.83
NETMASK=255.255.255.240
NO_ALIASROUTING=yes

shorewall.conf, and I have enable  ADD_IP_ALIASES=Yes

Anyone..... see this problem.....
thanks
hallian

_________________________________________________________________
Learn to simplify your finances and your life in Streamline Your Life from 
MSN Money. http://special.msn.com/money/0405streamline.armx

hallian hallian wrote:
> The only time my virtual interfaces will ever work 
> after I restart shorewall is when I do:
> 
> # ifdown eth0:2
> # ifup eth0:2
> 
> I have read thru the support docs and did not find anything which would 
> explain this:  Here is my output!
> 
> HAs anyone see this problem.....
> 
> My rules files show me typical DNAT example: /etc/shorewall/rules
> -----
> DNAT    wan     loc:192.168.33.15  tcp     993        -      209.135.130.83
> 
> My /etc/sysconfig/network-scripts/ifcfg-eth0:2
> -----
> DEVICE=eth0:2
> ONBOOT=yes
> BOOTPROTO=static
> IPADDR=209.135.130.83
> NETMASK=255.255.255.240
> NO_ALIASROUTING=yes
> 
> shorewall.conf, and I have enable  ADD_IP_ALIASES=Yes
a) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
b) After a "shorewall [re]start", what does "ip addr ls dev
eth0" show?

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

hallian hallian wrote:
>The only time my virtual interfaces will ever work after I restart 
>shorewall is when I do:
>
># ifdown eth0:2
># ifup eth0:2
>
>I have read thru the support docs and did not find anything which would 
>explain this:  Here is my output!
>
>HAs anyone see this problem.....
>
>My rules files show me typical DNAT example: /etc/shorewall/rules
>-----
>DNAT    wan     loc:192.168.33.15  tcp     993        -      209.135.130.83
>
>My /etc/sysconfig/network-scripts/ifcfg-eth0:2
>-----
>DEVICE=eth0:2
>ONBOOT=yes
>BOOTPROTO=static
>IPADDR=209.135.130.83
>NETMASK=255.255.255.240
>NO_ALIASROUTING=yes
>
>shorewall.conf, and I have enable  ADD_IP_ALIASES=Yes
>>a) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
>>b) After a "shorewall [re]start", what does "ip addr ls
dev eth0" show?
>>Thanks,
>>-Tom
before RESTARTING SHOREWALL:  ip addr ls dev eth0
----
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:8a:23:5f brd ff:ff:ff:ff:ff:ff
    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4

Well, it was my understaing that I was using port forwarding from my rules 
files which states:

DNAT    wan     loc:192.168.33.15  tcp     993        -      209.135.130.83

that traffic for 993 for 209.135.130.83 should be redirected to local 
machine 192.168.33.15.  Infact, I have 209.135.130.83-86 IP all binding as 
virtual addresses as above which are pretty much port forwards on diff. 
ports too.

Then i read your statement:
If all you want to do is forward ports to servers behind your firewall, you 
do NOT want to use one-to-one NAT. Port forwarding can be accomplished with 
simple entries in the rules file.

a) Now, isnt that what I''m doing here..... if that is the case, why do
I
need "1-to-1 nat" unless I''m missing the point here with
"1-to-1 nat"

b) Does the 1-to-1 nat mean all tarffic is allowed on all port or can you 
you conduct 1-to-1 nat on specfic ports too?

thanks
hallian

_________________________________________________________________
Best Restaurant Giveaway Ever! Vote for your favorites for a chance to win 
$1 million! http://local.msn.com/special/giveaway.asp

hallian hallian wrote:
> 
> 
>>> a) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
>>> b) After a "shorewall [re]start", what does "ip addr
ls dev eth0" show?
> 
> 
>>> Thanks,
>>> -Tom
> 
> 
> before RESTARTING SHOREWALL:  ip addr ls dev eth0
> ----
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>    link/ether 00:40:f4:8a:23:5f brd ff:ff:ff:ff:ff:ff
>    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
>    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
>    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
>    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
> 
> Well, it was my understaing that I was using port forwarding from my 
> rules files which states:
> 
> DNAT    wan     loc:192.168.33.15  tcp     993        -      209.135.130.83
> 
> that traffic for 993 for 209.135.130.83 should be redirected to local 
> machine 192.168.33.15.  Infact, I have 209.135.130.83-86 IP all binding 
> as virtual addresses as above which are pretty much port forwards on 
> diff. ports too.
> 
> Then i read your statement:
> If all you want to do is forward ports to servers behind your firewall, 
> you do NOT want to use one-to-one NAT. Port forwarding can be 
> accomplished with simple entries in the rules file.
> 
> a) Now, isnt that what I''m doing here..... if that is the case,
why do I
> need "1-to-1 nat" unless I''m missing the point here with
"1-to-1 nat"
> 
> b) Does the 1-to-1 nat mean all tarffic is allowed on all port or can 
> you you conduct 1-to-1 nat on specfic ports too?
You didn''t answer either of my questions.

a) I asked for "ip addr ls dev eth0" AFTER shorewall [re]start. You
gave
me that output BEFORE shorewall [re]start.

b) I asked if 209.135.130.83 was mented in /etc/shorewall/nat. I didn''t
say that it should be mentioned; I just asked if it was and all I wanted 
was a simple yes or no answer. Instead I got a lot of information and 
questions that I didn''t want or understand. The reason that I am asking
this question is that *you* volunteered that you have ADD_IP_ALIASES=Yes 
in shorewall.conf and that setting only applies to /etc/shorewall/nat 
entries.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

ok.... Tom ....

here you go with the answer!

A) Is 209.135.130.83 mentioned in /etc/shorewall/nat?

No.

B) After a "shorewall [re]start", what does "ip addr ls dev
eth0" show?

here is the output:
--
ip addr ls dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:8a:27:5f brd ff:ff:ff:ff:ff:ff
    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2

thanks
hallian

_________________________________________________________________
Get 200+ ad-free, high-fidelity stations and LIVE Major League Baseball 
Gameday Audio! http://radio.msn.click-url.com/go/onm00200491ave/direct/01/

hallian hallian wrote:
> ok.... Tom ....
> 
> here you go with the answer!
> 
> A) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
> 
> No.
> 
> B) After a "shorewall [re]start", what does "ip addr ls dev
eth0" show?
> 
> here is the output:
> -- 
> ip addr ls dev eth0
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>    link/ether 00:40:f4:8a:27:5f brd ff:ff:ff:ff:ff:ff
>    inet 209.135.130.83/28 brd 209.135.130.95 scope global eth0
>    inet 209.135.130.86/28 brd 209.135.130.95 scope global secondary eth0:4
>    inet 209.135.130.85/28 brd 209.135.130.95 scope global secondary eth0:3
>    inet 209.135.130.84/28 brd 209.135.130.95 scope global secondary eth0:2
> 
Hmmm -- I don''t know what to make of that. There''s nothing
wrong with
that output but the order of the secondary IP addresses has been reversed.


Please get a trace of "shorewall restart" (see 
http://shorewall.net/troubleshoot.htm) and forward it to me as a text 
attachment.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> hallian hallian wrote:
> 
>> ok.... Tom ....
>>
>> here you go with the answer!
>>
>> A) Is 209.135.130.83 mentioned in /etc/shorewall/nat?
I just realized -- there was an implication in your first post that 
209.135.130.83 was the IP address with label eth0:2 which is not the 
case!!! I guess the DNAT rule you gave us was just to add more smoke to 
the haze...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

hi tom -

I''m not sure whether my last email went out or not..... as my browser
zapped
away...... But I''m sending it again......

Thanks,
shazad

_________________________________________________________________
Learn to simplify your finances and your life in Streamline Your Life from 
MSN Money. http://special.msn.com/money/0405streamline.armx

hallian hallian wrote:
> hi tom -
> 
> I''m not sure whether my last email went out or not..... as my
browser
> zapped away...... But I''m sending it again......
> 
Shorewall is not changing the configuration of eth0 in any way during 
"shorewall restart". And since "shorewall restart" is the
same as
"shorewall start" except for the messages generated, I''ll
assert that
"shorewall start" isn''t changing the configuration either.

So exactly how are you seeing this problem?

a) Is it only at boot? Or does "shorewall restart" also cause the
problem?
b) If "restart" doesn''t break eth0:2 then have you actually
verified
that eth0:2 "works" (whatever that means) before Shorewall is started?
c) Is "shorewall start" the only thing that occurs between the time
when
eth0:2 "works" and when it "doesn''t work"?
d) Is it only eth0:2 or is it all secondary ip addresses on eth0 that 
"don''t work"?
e) (You knew it was coming) What distinguished "it works" from
"it
doesn''t work"?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Resending with Subject restored (don''t know how I managed to erase it)

hallian hallian wrote:
> hi tom -
> 
> I''m not sure whether my last email went out or not..... as my
browser
> zapped away...... But I''m sending it again......
> 
Shorewall is not changing the configuration of eth0 in any way during
"shorewall restart". And since "shorewall restart" is the
same as
"shorewall start" except for the messages generated, I''ll
assert that
"shorewall start" isn''t changing the configuration either.

So exactly how are you seeing this problem?

a) Is it only at boot? Or does "shorewall restart" also cause the
problem?
b) If "restart" doesn''t break eth0:2 then have you actually
verified
that eth0:2 "works" (whatever that means) before Shorewall is started?
c) Is "shorewall start" the only thing that occurs between the time
when
eth0:2 "works" and when it "doesn''t work"?
d) Is it only eth0:2 or is it all secondary ip addresses on eth0 that
"don''t work"?
e) (You knew it was coming) What distinguished "it works" from
"it
doesn''t work"?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> 
> So exactly how are you seeing this problem?
> 
> a) Is it only at boot? Or does "shorewall restart" also cause the
problem?
> b) If "restart" doesn''t break eth0:2 then have you
actually verified
> that eth0:2 "works" (whatever that means) before Shorewall is
started?
> c) Is "shorewall start" the only thing that occurs between the
time when
> eth0:2 "works" and when it "doesn''t work"?
> d) Is it only eth0:2 or is it all secondary ip addresses on eth0 that
> "don''t work"?
> e) (You knew it was coming) What distinguished "it works" from
"it
> doesn''t work"?
> 
I went back and read the original post and believe that I can answer:

a) restart causes the problem.
b) N/A
d) All secondary ip addresses. Although it is unclear if it is only 
necessary to restart eth0:2 to correct the problem or if all secondary 
interfaces need restarting (in which case, restarting the primary 
interface would be faster).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
>>
> 
> I went back and read the original post and believe that I can answer:
> 
> a) restart causes the problem.
> b) N/A
> d) All secondary ip addresses. Although it is unclear if it is only 
> necessary to restart eth0:2 to correct the problem or if all secondary 
> interfaces need restarting (in which case, restarting the primary 
> interface would be faster).
> 
I went through the trace again and notice that you are restarting ipsec 
in /etc/shorewall/start. Please confirm that the problem still occurs if 
you leave ipsec stopped throughout (stop ipsec before restarting 
shorewall and don''t include the restart command in
/etc/shorewall/start).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net