This is probably a stupid question, but I'm stumped. Practically every time my firewall boots (not often, but still) eth0 and eth1 exchange places (internet and intranet). How do I lock them down? SuSE 9.2, Shorewall 2.2.3.

Thanks!

Mike-
--
Mornings: Evolution in action. Only the grumpy will survive.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments.
Michael W Cocke wrote:
> This is probably a stupid question, but I'm stumped. Practically
> every time my firewall boots (not often, but still) eth0 and eth1
> exchange places (internet and intranet). How do I lock them down?
> SuSE 9.2, Shorewall 2.2.3.

Those of us who participated in the SuSE 9.3 Beta complained bitterly about this SuSE "Feature". The answer from SuSE -- "You Can't!!"

There is a way to lock down names but they can't be the default names (e.g., "ethN"); check the SuSE documentation and if you can't find out how to do it, I'll try to find the email thread in my SuSE Beta folder.

In short -- this is a problem that is unique to SuSE and there is nothing in Shorewall that you can do to prevent it.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I use nameif(8) to assign the interfaces in an init script. Note, to rename eth0/eth1 you'll need to assign the interfaces to "bogus" names first.

Example:

# First "un-assign" the interfaces
/sbin/nameif -s foo0 <MAC address of 1st interface>
/sbin/nameif -s foo1 <MAC address of 2nd interface>

# Now "re-assign" the interfaces
/sbin/nameif -s eth0 <MAC address of 1st interface>
/sbin/nameif -s eth1 <MAC address of 2nd interface>

Michael W Cocke wrote:
> This is probably a stupid question, but I'm stumped. Practically
> every time my firewall boots (not often, but still) eth0 and eth1
> exchange places (internet and intranet). How do I lock them down?
> SuSE 9.2, Shorewall 2.2.3.
--On Wednesday, April 27, 2005 11:34 -0700 Tom Eastep <teastep@shorewall.net> wrote:
> Those of us who participated in the SuSE 9.3 Beta complained bitterly
> about this SuSE "Feature". The answer from SuSE -- "You Can't!!"
>
> There is a way to lock down names but they can't be the default names
> (e.g., "ethN"); check the SuSE documentation and if you can't find out
> how to do it, I'll try to find the email thread in my SuSE Beta folder.
>
> In short -- this is a problem that is unique to SuSE and there is
> nothing in Shorewall that you can do to prevent it.

I'll now present the award for 'stupidest decision by a distro for the year 2005' to SuSE. On one hand, it's nice to see someone other than RedHat win this award....on the other.....ohh nevermind.
--
GPG/PGP --> 0xE736BD7E 5144 6A2D 977A 6651 DFBE 1462 E351 88B9 E736 BD7E
Mike,

This problem has turned up on the SuSE mailing lists. I have attached one thread that might help.

Steven.
> content of /etc/shorewall/interfaces:
> NET_INT=`getcfg-interface "eth-bus-pci-0000:02:01.0"`
> NET_EXT=`getcfg-interface "eth-bus-pci-0000:03:0d.0"`
> after all references to eth0 & eth1 are replaced by $NET_INT & $NET_EXT.

This workaround makes sense. Annoying feature... I'm using SUSE 9.2 in a remote(!) firewall but I never see this behavior... the system always assigns the same name to the interfaces. But it's nice to know about this. :S

bye
On Wed, 27 Apr 2005 14:40:55 -0400, you wrote:
> I use nameif(8) to assign the interfaces in an init script.
> Note, to rename eth0/eth1 you'll need to assign the interfaces to
> "bogus" names first.
>
> Example:
> # First "un-assign" the interfaces
> /sbin/nameif -s foo0 <MAC address of 1st interface>
> /sbin/nameif -s foo1 <MAC address of 2nd interface>
>
> # Now "re-assign" the interfaces
> /sbin/nameif -s eth0 <MAC address of 1st interface>
> /sbin/nameif -s eth1 <MAC address of 2nd interface>

Perfect - Thanks John!

Mike-
On Wed, 27 Apr 2005 11:34:23 -0700, you wrote:
> Those of us who participated in the SuSE 9.3 Beta complained bitterly
> about this SuSE "Feature". The answer from SuSE -- "You Can't!!"
>
> There is a way to lock down names but they can't be the default names
> (e.g., "ethN"); check the SuSE documentation and if you can't find out
> how to do it, I'll try to find the email thread in my SuSE Beta folder.
>
> In short -- this is a problem that is unique to SuSE and there is
> nothing in Shorewall that you can do to prevent it.

Tom Sivak already posted the solution, but thanks anyway. I suppose SuSE was due to do something stupid again - it's been a while since 9.0... <sigh>

Mike-
On Wed, 27 Apr 2005 19:46:38 -0400, you wrote:
> On Wed, 27 Apr 2005 14:40:55 -0400, you wrote:
>> I use nameif(8) to assign the interfaces in an init script.
>> Note, to rename eth0/eth1 you'll need to assign the interfaces to
>> "bogus" names first.
>>
>> Example:
>> # First "un-assign" the interfaces
>> /sbin/nameif -s foo0 <MAC address of 1st interface>
>> /sbin/nameif -s foo1 <MAC address of 2nd interface>
>>
>> # Now "re-assign" the interfaces
>> /sbin/nameif -s eth0 <MAC address of 1st interface>
>> /sbin/nameif -s eth1 <MAC address of 2nd interface>
>
> Perfect - Thanks John!

I spoke too soon. I'm having trouble with putting this where it needs to be. boot.local looked like it worked, but no. boot.localnet, same. /etc/rc3.d/S06initiface - no.

If the system comes up to run level 3 wrong, then I drop it back to 1 and run those commands, then back to 3, it works. I'd even be willing to script it that way, if I could see how. It's not like this is going to happen often, but I need to be able to depend on it happening right.

I'm obviously stupider than I thought I was. Any more hints?

Mike-
> I spoke too soon. I'm having trouble with putting this where it needs
> to be. boot.local looked like it worked, but no. boot.localnet,
> same. /etc/rc3.d/S06initiface - no.

just an idea: why not putting something like:

rcnetwork stop
nameif -s eth0 xx:xx:xx:xx:xa
nameif -s eth1 xx:xx:xx:xx:xb
rcnetwork start

into /etc/shorewall/init ?

or use ifconfig eth0/1 down.

> If the system comes up to run level 3 wrong, then I drop it back to 1
> and run those commands, then back to 3, it works. I'd even be willing
> to script it that way, if I could see how. It's not like this is going
> to happen often, but I need to be able to depend on it happening
> right.

to switch runlevels seems to be a bit overkill

HTH
Alex
I'm using the nameif calls PRIOR to bringing up any of the ethX devices.. (I run Gentoo, so my init scripts/layout is different..)

Alexander Wilms wrote:
>> I spoke too soon. I'm having trouble with putting this where it needs
>> to be. boot.local looked like it worked, but no. boot.localnet,
>> same. /etc/rc3.d/S06initiface - no.
>
> just an idea: why not putting something like:
>
> rcnetwork stop
> nameif -s eth0 xx:xx:xx:xx:xa
> nameif -s eth1 xx:xx:xx:xx:xb
> rcnetwork start
>
> into /etc/shorewall/init ?
>
> or use ifconfig eth0/1 down.
>
> to switch runlevels seems to be a bit overkill
>
> HTH
> Alex
On Thu, 28 Apr 2005 16:43:27 +0200, you wrote:
>> I spoke too soon. I'm having trouble with putting this where it needs
>> to be. boot.local looked like it worked, but no. boot.localnet,
>> same. /etc/rc3.d/S06initiface - no.
>
> just an idea: why not putting something like:
>
> rcnetwork stop
> nameif -s eth0 xx:xx:xx:xx:xa
> nameif -s eth1 xx:xx:xx:xx:xb
> rcnetwork start
>
> into /etc/shorewall/init ?
>
> or use ifconfig eth0/1 down.

I figured out what I was missing - the default route needs to be re-added after the eth shuffle. (I was right, I am stupider than I thought.)

For the archives, here's the finished workaround for using shorewall with SuSE 9.3. Put the following in /etc/rc.d/S07shorewall, right after start) and before exec /sbin/shorewall -f start (Mind the word wrap - there are blank lines between each command)

#-----------------------------------------------------
echo "Stabilizing eth interface names" >/var/log/ifaceinit
echo -n "Stabilizing eth interface names"
echo "Before------------------------------" >>/var/log/ifaceinit
/sbin/ifconfig >>/var/log/ifaceinit
/sbin/ifconfig eth0 down >>/var/log/ifaceinit 2>>/var/log/ifaceinit
/sbin/ifconfig eth1 down >>/var/log/ifaceinit 2>>/var/log/ifaceinit
# remember to insert YOUR MAC ADDRESSES - these are mine!
/sbin/nameif foo0 00:40:05:7A:E0:84 >>/var/log/ifaceinit 2>>/var/log/ifaceinit
/sbin/nameif foo1 00:09:5B:BD:A5:98 >>/var/log/ifaceinit 2>>/var/log/ifaceinit
/sbin/nameif eth0 00:40:05:7A:E0:84 >>/var/log/ifaceinit 2>>/var/log/ifaceinit
/sbin/nameif eth1 00:09:5B:BD:A5:98 >>/var/log/ifaceinit 2>>/var/log/ifaceinit
/sbin/ifconfig eth0 up >>/var/log/ifaceinit 2>>/var/log/ifaceinit
/sbin/ifconfig eth1 up >>/var/log/ifaceinit 2>>/var/log/ifaceinit
echo "After----------------------------" >>/var/log/ifaceinit
/sbin/ifconfig >>/var/log/ifaceinit
# assumes eth0 is your external interface - if it isn't, change this line!
route add default eth0
# put this here just to make me happy
echo " - OK"
sleep 10
#-----------------------------------------------------------

Thanks!

Mike-
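The "bogus name first" shuffle in John's nameif(8) example and in Mike's finished script above is needed because nameif cannot move a MAC onto a name another interface still holds, which is exactly the state after a swapped boot. The script below is an added example and not from the thread or from Shorewall: it derives that two-phase sequence from an "ifname MAC" inventory and refuses to emit any command unless every wanted MAC is present exactly once, so a mistyped MAC cannot leave the box half-renamed with the wrong NIC facing the Internet. The inventory is constructed (it reuses the two MACs from Mike's script); the "tmp" parking prefix is an assumption; it prints the nameif commands rather than running them, so the plan can be checked before it is wired into an init script that runs ahead of rcnetwork start.

```shell
#!/bin/sh
# Added example, not from the thread: plan a collision-free nameif(8)
# sequence from the current "ifname mac" listing and the wanted mapping.
# nameif cannot move a MAC onto a name that is still in use (the state
# after eth0/eth1 come up swapped), so phase 1 parks every interface under
# a temporary name and phase 2 assigns the final names. Nothing is printed
# unless each wanted MAC is present exactly once in the inventory.
# The "tmp" prefix for parking names is an assumption.

# Constructed sample data: what ifconfig reported after a swapped boot, and
# the names the Shorewall config expects (MACs taken from Mike's script).
CURRENT='eth0 00:09:5B:BD:A5:98
eth1 00:40:05:7A:E0:84'
WANTED='eth0 00:40:05:7a:e0:84
eth1 00:09:5b:bd:a5:98'

lc() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# How many interfaces in inventory $2 carry MAC $1 (case-insensitive).
mac_count() {
    printf '%s\n' "$2" | awk -v m="$(lc "$1")" \
        'tolower($2) == m { c++ } END { print c + 0 }'
}

# Succeed only if every wanted name ($2) already owns the wanted MAC in $1.
names_correct() {
    printf '%s\n' "$2" | while read -r name mac; do
        [ -n "$name" ] || continue
        printf '%s\n' "$1" | awk -v n="$name" -v m="$(lc "$mac")" \
            '$1 == n && tolower($2) == m { ok = 1 } END { exit ok ? 0 : 1 }' \
            || exit 1        # leaves the subshell loop with status 1
    done
}

# Print the nameif commands for inventory $1 -> mapping $2.
# Prints nothing and returns 1 if the inventory does not match the mapping.
plan_renames() {
    current=$1 wanted=$2
    printf '%s\n' "$wanted" | while read -r name mac; do
        [ -n "$name" ] || continue
        n=$(mac_count "$mac" "$current")
        [ "$n" -eq 1 ] || {
            echo "refusing to rename: MAC $mac for $name seen $n times" >&2
            exit 1
        }
    done || return 1
    if names_correct "$current" "$wanted"; then
        echo "# interface names already correct"
        return 0
    fi
    # Phase 1: park every interface under a temporary name.
    i=0
    printf '%s\n' "$wanted" | while read -r name mac; do
        [ -n "$name" ] || continue
        echo "nameif tmp$i $mac"
        i=$((i + 1))
    done
    # Phase 2: assign the final names; none of them is occupied any more.
    printf '%s\n' "$wanted" | while read -r name mac; do
        [ -n "$name" ] || continue
        echo "nameif $name $mac"
    done
}

plan_renames "$CURRENT" "$WANTED"
```

On the constructed inventory it prints two "nameif tmpN" parking lines followed by the two final assignments; feed it the real "ifconfig -a" output (name and HWaddr columns) and pipe the result into sh only once the plan looks right. The interfaces must be down while nameif runs, as in Mike's script.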
I think the other approach is better.

edit /etc/shorewall/params
add:

NET_INT=`getcfg-interface "eth-bus-pci-0000:02:01.0"`
NET_EXT=`getcfg-interface "eth-bus-pci-0000:03:0d.0"`

where "eth-bus-pci-xxxxxxx" is the identification of your network interfaces. You find it in /etc/sysconfig/network/ifcfg-eth-*

then modify /etc/shorewall/interfaces and replace it using $NET_INT and $NET_EXT when needed.

and /etc/shorewall/masq, replacing ethx with the adequate shell variable ($NET_EXT $NET_INT)

modify the /etc/shorewall/routestopped file to fit your needs
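Cristian's params approach resolves the names from the PCI slot each time Shorewall starts, so whichever driver wins the race, the variables follow the hardware. The script below is an added example, not from the thread and not Shorewall's or SuSE's code: it does the same slot-to-name lookup against sysfs (so it does not depend on getcfg-interface) and adds the check a practitioner wants in front of "shorewall start": if a slot does not resolve to exactly one interface, or both slots resolve to the same one, it prints nothing and fails, because starting with guessed zone assignments puts the permissive local-side rules on the Internet NIC. On a real host SYSFS would be /sys; here a constructed tree stands in for it so the script runs anywhere. The bus addresses are the ones Cristian quoted; which one is internal or external is taken from his message, not verified here.

```shell
#!/bin/sh
# Added example, not from the thread: the PCI-slot lookup behind Cristian's
# getcfg-interface params, written against sysfs so it does not depend on
# the SuSE tool, plus a fail-closed check before Shorewall is started.
# On a real host SYSFS=/sys; here a constructed tree stands in for it so
# the script runs anywhere. The bus addresses are the ones quoted in the
# thread; which slot is internal/external is the thread's assumption.

# Print the interface whose device symlink points at PCI address $1.
# Prints nothing and returns 1 unless exactly one interface matches.
iface_for_pci() {
    found=""
    for dev in "$SYSFS"/class/net/*; do
        [ -L "$dev/device" ] || continue    # lo and virtual devices have none
        target=$(readlink "$dev/device") || continue
        case "$target" in
            */"$1" | "$1") ;;
            *) continue ;;
        esac
        if [ -n "$found" ]; then
            echo "PCI $1 is claimed by both $found and ${dev##*/}" >&2
            return 1
        fi
        found=${dev##*/}
    done
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Resolve external ($1) and internal ($2) slots to names for
# /etc/shorewall/params. Fails (prints nothing) if either does not resolve
# or both resolve to the same device, so "shorewall start" never runs with
# guessed zone assignments.
resolve_params() {
    ext=$(iface_for_pci "$1") || { echo "external NIC at $1 not found" >&2; return 1; }
    int=$(iface_for_pci "$2") || { echo "internal NIC at $2 not found" >&2; return 1; }
    [ "$ext" != "$int" ] || { echo "both slots resolved to $ext" >&2; return 1; }
    printf 'NET_EXT=%s\nNET_INT=%s\n' "$ext" "$int"
}

# Constructed sysfs tree: the NICs came up with swapped names this boot.
SYSFS=$(mktemp -d)
trap 'rm -rf "$SYSFS"' EXIT
PCI="$SYSFS/devices/pci0000:00"
mkdir -p "$PCI/0000:02:01.0" "$PCI/0000:03:0d.0" \
         "$SYSFS/class/net/eth0" "$SYSFS/class/net/eth1" "$SYSFS/class/net/lo"
ln -s "$PCI/0000:03:0d.0" "$SYSFS/class/net/eth0/device"
ln -s "$PCI/0000:02:01.0" "$SYSFS/class/net/eth1/device"

# Same slots Cristian used: 03:0d.0 external, 02:01.0 internal.
resolve_params 0000:03:0d.0 0000:02:01.0
```

In /etc/shorewall/params the same idea is a one-liner per interface with a guard after it, e.g. NET_EXT=$(iface_for_pci 0000:03:0d.0) followed by a test that the variable is non-empty and exits otherwise; the point is that an unresolved slot stops the start instead of letting an empty or wrong name through to the interfaces and masq files.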
On 28 Apr 2005 at 15:02, Cristian Rodriguez wrote:
> I think the other approach is better.
>
> edit /etc/shorewall/params
> add:
>
> NET_INT=`getcfg-interface "eth-bus-pci-0000:02:01.0"`
> NET_EXT=`getcfg-interface "eth-bus-pci-0000:03:0d.0"`
>
> where "eth-bus-pci-xxxxxxx" is the identification of your network
> interfaces. You find it in /etc/sysconfig/network/ifcfg-eth-*
>
> then modify /etc/shorewall/interfaces
>
> and replace it using $NET_INT and $NET_EXT when needed.
>
> and /etc/shorewall/masq
> replacing ethx with the adequate shell variable ($NET_EXT $NET_INT)
>
> modify the /etc/shorewall/routestopped file to fit your needs

But surely this will be fixed by SuSE before long... How can they pretend to be a proper distro with interface names dancing around with each boot? Who could run a firewall or web server or anything with that happening?
--
______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
I have seen this happen in the past, so what I started doing is the following. I added the following to my ifcfg-ethx:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=192.168.1.255
HWADDR=00:40:F4:88:86:C8   <--- By specifying this, you're controlling what interface a particular card will be used as. So I was told, and it solved my issue way back when.
IPADDR=192.168.1.1
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
TYPE=Ethernet

----- Original Message -----
From: "John S. Andersen" <jsa@norcomix.dyndns.org>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, April 28, 2005 3:40 PM
Subject: Re: [Shorewall-users] [0T] eth0 & eth1 changing every boot

> But surely this will be fixed by SuSE before long...
> How can they pretend to be a proper distro with interface names
> dancing around with each boot? Who could run a firewall
> or web server or anything with that happening?
On Thu, 28 Apr 2005 11:40:33 -0800, you wrote:
> But surely this will be fixed by SuSE before long...
> How can they pretend to be a proper distro with interface names
> dancing around with each boot? Who could run a firewall
> or web server or anything with that happening?

I don't know, but I mentioned it on the Suse-english list and got flamed and told that the problem wasn't specific to Suse 9.3. Since I've never seen the problem before in Redhat 9 or SuSE 9.1 or 9.2, I don't believe it, but... <shrug>

From the sound of the reaction in there they aren't likely to fix it - just label it a feature and wait for the firewall people to build in workarounds.

Mike-
On Thu, 28 Apr 2005 15:02:20 -0400, you wrote:
> I think the other approach is better.
>
> edit /etc/shorewall/params
> add:
>
> NET_INT=`getcfg-interface "eth-bus-pci-0000:02:01.0"`
> NET_EXT=`getcfg-interface "eth-bus-pci-0000:03:0d.0"`
>
> where "eth-bus-pci-xxxxxxx" is the identification of your network interfaces.
> You find it in /etc/sysconfig/network/ifcfg-eth-*
>
> then modify /etc/shorewall/interfaces
>
> and replace it using $NET_INT and $NET_EXT when needed.
>
> and /etc/shorewall/masq
> replacing ethx with the adequate shell variable ($NET_EXT $NET_INT)
>
> modify the /etc/shorewall/routestopped file to fit your needs

I must disagree. That approach is probably more elegant, but I think the interface names will change with a reinstall, while the MAC addresses won't change until you change the hardware. If I'm forced to a reinstall situation, I need fewer things to have to remember to fix, not more. I also have a general distrust of doing things like that with environment vars. Just paranoia on my part - I have a bad habit of setting a var, then forgetting WHERE I set it later. If everything is written down in a (one) script, there's fewer ways for me to screw it up.

Mike-
Michael W Cocke wrote:
> I don't know, but I mentioned it on the Suse-english list and got
> flamed and told that the problem wasn't specific to Suse 9.3. Since
> I've never seen the problem before in Redhat 9 or SuSE 9.1 or 9.2, I
> don't believe it, but... <shrug>

Sorry to disagree but I first saw the problem under 9.2 on the system that I'm typing this on. I believe that it only happens when you have NICs that require different drivers; SuSE are doing parallel driver determination so it's a race to see which driver wins :-(

> From the sound of the reaction in there they aren't likely to fix it -
> just label it a feature and wait for the firewall people to build in
> workarounds.

Yep -- that's the impression that I got.

-Tom
Michael W Cocke wrote:
> On Thu, 28 Apr 2005 15:02:20 -0400, you wrote:
>> I think the other approach is better.
>>
>> edit /etc/shorewall/params
>> add:
>>
>> NET_INT=`getcfg-interface "eth-bus-pci-0000:02:01.0"`
>> NET_EXT=`getcfg-interface "eth-bus-pci-0000:03:0d.0"`
>>
>> where "eth-bus-pci-xxxxxxx" is the identification of your network interfaces.
>> You find it in /etc/sysconfig/network/ifcfg-eth-*
>>
>> then modify /etc/shorewall/interfaces
>>
>> and replace it using $NET_INT and $NET_EXT when needed.
>>
>> and /etc/shorewall/masq
>> replacing ethx with the adequate shell variable ($NET_EXT $NET_INT)
>>
>> modify the /etc/shorewall/routestopped file to fit your needs
>
> I must disagree. That approach is probably more elegant, but I think
> the interface names will change with a reinstall, while the MAC
> addresses won't change until you change the hardware. If I'm forced to
> a reinstall situation, I need fewer things to have to remember to fix,
> not more. I also have a general distrust of doing things like that
> with environment vars. Just paranoia on my part - I have a bad habit
> of setting a var, then forgetting WHERE I set it later. If everything
> is written down in a (one) script, there's fewer ways for me to screw
> it up.

But the script that you chose to modify gets replaced each time that you upgrade Shorewall! If you use 'getcfg-interface' in /etc/shorewall/params, it's a "set and forget" sort of thing.

I've modified my backup firewall to use 'getcfg-interface'.

-Tom
On Thu, 28 Apr 2005 15:38:58 -0700, you wrote:
> Michael W Cocke wrote:
>> I don't know, but I mentioned it on the Suse-english list and got
>> flamed and told that the problem wasn't specific to Suse 9.3. Since
>> I've never seen the problem before in Redhat 9 or SuSE 9.1 or 9.2, I
>> don't believe it, but... <shrug>
>
> Sorry to disagree but I first saw the problem under 9.2 on the system
> that I'm typing this on. I believe that it only happens when you have
> NICs that require different drivers; SuSE are doing parallel driver
> determination so it's a race to see which driver wins :-(

I never saw it until 9.3. Of course I accept your experience - you've got a lot more exposure than I - but it still seems darned odd that I never saw it before. My hardware hasn't changed in years. I dunno. <wiping drool from chin>

Mike-
On Thu, 28 Apr 2005 15:43:04 -0700, you wrote:
> Michael W Cocke wrote:
>> I must disagree. That approach is probably more elegant, but I think
>> the interface names will change with a reinstall, while the MAC
>> addresses won't change until you change the hardware. If I'm forced to
>> a reinstall situation, I need fewer things to have to remember to fix,
>> not more. I also have a general distrust of doing things like that
>> with environment vars. Just paranoia on my part - I have a bad habit
>> of setting a var, then forgetting WHERE I set it later. If everything
>> is written down in a (one) script, there's fewer ways for me to screw
>> it up.
>
> But the script that you chose to modify gets replaced each time that you
> upgrade Shorewall! If you use 'getcfg-interface' in
> /etc/shorewall/params, it's a "set and forget" sort of thing.
>
> I've modified my backup firewall to use 'getcfg-interface'.
>
> -Tom

I hear what you're saying, but realistically, how often do I upgrade Shorewall? Whenever I have to rebuild the whole firewall/web & mail server setup (every 5 years, more or less), unless I read something on this list that makes me think I NEED to upgrade (only once so far). Besides, wouldn't I need to re-make those changes when I upgrade Shorewall too?

It ain't broke, so I don't feel the urge to fix it. That's why I use Shorewall - I went thru two other firewall packages first (and tried one of those linksys things), and the less said about those the better. I want a system that I can use, not one I have to keep beating on, but my needs are on the peculiar side. You do damned nice work, by the way.

I'll reconsider changing to the getcfg scheme, but later - right now I'm still reconfiguring things. I didn't realize how much stuff I had on that machine.

Mike-
On Thursday 28 April 2005 03:00 pm, Michael W Cocke wrote:
>> Sorry to disagree but I first saw the problem under 9.2 on the system
>> that I'm typing this on. I believe that it only happens when you have
>> NICs that require different drivers; SuSE are doing parallel driver
>> determination so it's a race to see which driver wins :-(
>
> I never saw it until 9.3. Of course I accept your experience - you've
> got a lot more exposure than I - but it still seems darned odd that I
> never saw it before. My hardware hasn't changed in years.

Most of my shorewall machines are running 8.2 and this never happens. It's probably as Tom says, a race in newer releases with different nics, so unless your machine fits that description you might not see it, as I have not.

Still this seems a really odd thing to allow in a production machine or a production distro, and could lead to more than just shorewall problems, such as when you start serving up rfc1918 IPs to your cable modem nic.
--
John Andersen - NORCOM
http://www.norcomsoftware.com/
Michael W Cocke wrote:
> I hear what you're saying, but realistically, how often do I upgrade
> Shorewall? Whenever I have to rebuild the whole firewall/web & mail
> server setup (every 5 years, more or less), unless I read something on
> this list that makes me think I NEED to upgrade (only once so far).
> Besides, wouldn't I need to re-make those changes when I upgrade
> Shorewall too?

Not if you follow the upgrade instructions. My /etc/shorewall/params file is a direct descendent from the first such file ever :-) If you follow the upgrade instructions, files in /etc/shorewall will never be replaced.

> It ain't broke, so I don't feel the urge to fix it. That's why I use
> Shorewall - I went thru two other firewall packages first (and tried
> one of those linksys things), and the less said about those the
> better. I want a system that I can use, not one I have to keep
> beating on, but my needs are on the peculiar side. You do damned nice
> work, by the way.

Thanks.

> I'll reconsider changing to the getcfg scheme, but later - right now
> I'm still reconfiguring things. I didn't realize how much stuff I had
> on that machine.

:-)

-Tom
John Andersen wrote:
> Still this seems a really odd thing to allow in a production
> machine or a production distro, and could lead to more than
> just shorewall problems, such as when you start serving
> up rfc1918 IPs to your cable modem nic.

That can't happen -- it's only the device name that plays roulette. The /etc/sysconfig/hardware/ entry for the device determines which module needs to be loaded. That file maps the PCI address of the device to a driver. It is the timing of the loading of the drivers that determines the device name. The /etc/sysconfig/network entry maps the MAC address to a config file. That file determines what IP address the device gets.

-Tom