Sorry, I have to start another thread:

From what I can understand there is no answer to a "who-has" request. But, as I said before, the firewall log is full of martian sources coming from the network address, _especially_ when I try to connect to the dmz from the outside. Hope you can find something useful because I am well beyond my network knowledge. Thank you for your kindness.

tcpdump -nei eth1 host 80.23.252.59
tcpdump: listening on eth1
18:33:14.291690 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438042 0,nop,wscale 0> (DF) [tos 0x10]
18:33:14.443987 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:33:17.284754 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438342 0,nop,wscale 0> (DF) [tos 0x10]
18:33:17.437942 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:33:23.282712 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438942 0,nop,wscale 0> (DF) [tos 0x10]
18:33:23.436445 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:33:37.127374 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:33:54.400787 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:34:27.337888 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:34:53.899833 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:35:53.878592 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56

--
Ciao
Nico

Nico Alberti wrote:
> Sorry, I have to start another thread:
>
> From what I can understand there is no answer to a "who-has" request. But,
> as I said before, the firewall log is full of martian sources coming
> from the network address, _especially_ when I try to connect to the dmz from
> the outside. Hope you can find something useful because I am well beyond
> my network knowledge. Thank you for your kindness.
>
> tcpdump -nei eth1 host 80.23.252.59
> tcpdump: listening on eth1
> 18:33:14.291690 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438042 0,nop,wscale 0> (DF) [tos 0x10]
> 18:33:14.443987 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:33:17.284754 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438342 0,nop,wscale 0> (DF) [tos 0x10]
> 18:33:17.437942 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:33:23.282712 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438942 0,nop,wscale 0> (DF) [tos 0x10]
> 18:33:23.436445 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:33:37.127374 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:33:54.400787 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:34:27.337888 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:34:53.899833 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
> 18:35:53.878592 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56

The subnetting looks hosed -- 80.23.252.56 is your network address (your eth1 is configured as 80.23.252.58/29); there should be no host with that IP address. That is why you are getting the Martian messages. Why is the upstream router using that address in ARP who-has requests?

gateway:/etc/shorewall# shorewall ipcalc 80.23.252.58/29
CIDR=80.23.252.58/29
NETMASK=255.255.255.248
NETWORK=80.23.252.56 <=============
BROADCAST=80.23.252.63
gateway:/etc/shorewall#

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
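
Added example, not part of the original thread or of Shorewall: a Python check for the condition Tom describes, an ARP request whose sender IP is the network or broadcast address of the interface's subnet. The function name `invalid_arp_senders` and the last sample line are assumptions made for illustration; the other sample lines are taken from the capture above.

```python
import ipaddress
import re

# One ARP request as printed by `tcpdump -ne`:
#   <time> <src mac> <dst mac> 0806 <len>: arp who-has <target> tell <sender>
ARP_RE = re.compile(
    r"^\S+\s+(?P<mac>[0-9a-f:]+)\s+\S+\s+0806\s+\d+:\s+"
    r"arp who-has \S+ tell (?P<sender>[\d.]+)\s*$", re.I)

# First three lines come from the capture in this thread; the last line is
# constructed (documentation-range MAC) to show a valid sender passing.
SAMPLE = """\
18:33:14.291690 0:50:da:d7:7f:ef 0:8:27:1b:98:3f 0800 74: 80.23.252.59.1082 > 193.166.3.2.21: S 3981211005:3981211005(0) win 5840 <mss 1460,nop,nop,timestamp 1438042 0,nop,wscale 0> (DF) [tos 0x10]
18:33:14.443987 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:33:17.437942 0:8:27:1b:98:3f ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.56
18:33:20.000000 0:0:5e:0:53:1 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 80.23.252.59 tell 80.23.252.57
"""

def invalid_arp_senders(lines, iface_cidr):
    """Count ARP requests whose sender IP cannot be a host on the subnet.

    Returns {(sender_ip, src_mac): (reason, count)}.
    """
    net = ipaddress.ip_interface(iface_cidr).network
    findings = {}
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # IP frames and anything that is not an ARP request
        try:
            sender = ipaddress.ip_address(m["sender"])
        except ValueError:
            continue  # malformed address in the log line
        if sender == net.network_address:
            reason = "network address"
        elif sender == net.broadcast_address:
            reason = "broadcast address"
        elif sender not in net:
            reason = "outside subnet"
        else:
            continue  # ordinary host address, nothing to report
        key = (str(sender), m["mac"].lower())
        findings[key] = (reason, findings.get(key, (reason, 0))[1] + 1)
    return findings

if __name__ == "__main__":
    # eth1 is 80.23.252.58/29 according to the thread
    for (ip, mac), (reason, n) in invalid_arp_senders(
            SAMPLE.splitlines(), "80.23.252.58/29").items():
        print(f"{ip} from {mac}: {reason}, seen {n} times")
```

The source MAC in each finding identifies which device on the segment is sending from the invalid address, which is what points at the upstream router here.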

Tom Eastep wrote:
> The subnetting looks hosed -- 80.23.252.56 is your network address (your
> eth1 is configured as 80.23.252.58/29); there should be no host with
> that IP address. That is why you are getting the Martian messages. Why
> is the upstream router using that address in ARP who-has requests?
>
> gateway:/etc/shorewall# shorewall ipcalc 80.23.252.58/29
> CIDR=80.23.252.58/29
> NETMASK=255.255.255.248
> NETWORK=80.23.252.56 <=============
> BROADCAST=80.23.252.63
> gateway:/etc/shorewall#
>

Who knows?

firewall# less ifcfg-eth1
DEVICE=eth1
USERCTL=no
ONBOOT=yes
BOOTPROTO=static
IPADDR=80.23.252.58
NETMASK=255.255.255.248
NETWORK=80.23.252.56
BROADCAST=80.23.252.63
DHCP_CLIENT=/sbin/dhcpcd

dmz-server## less /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=80.23.252.59
NETMASK=255.255.255.248
NETWORK=80.23.252.56
BROADCAST=80.23.252.63
ONBOOT=yes
MII_NOT_SUPPORTED=no

But from an external interface I can ping both 80.23.252.56 (network) and 80.23.252.57 (telco router). Can this one be misconfigured? (I have no control over it.) Thank you for your invaluable help.

--
Ciao
Nico

Nico Alberti wrote:
>
> But from an external interface I can ping both 80.23.252.56 (network)
> and 80.23.252.57 (telco router). Can this one be misconfigured? (I have
> no control over it.)
>

Looks to me like it is -- possibly someone else on the list has an opinion.

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net

Nico Alberti wrote:
>
> But from an external interface I can ping both 80.23.252.56 (network)
> and 80.23.252.57 (telco router).
>

When you ping the network, do you have to use the -b option to ping?

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net

Tom Eastep wrote:
>> But from an external interface I can ping both 80.23.252.56 (network)
>> and 80.23.252.57 (telco router). Can this one be misconfigured? (I
>> have no control over it.)
>>
>
> Looks to me like it is -- possibly someone else on the list has an opinion.
>

It was really a router problem. It was fixed and now everything works smoothly. Thank you very much for your help! You, and Shorewall, saved my day :-)

--
Ciao
Nico