Martin Schipany
2005-Jul-19 20:58 UTC
Strange ProxyARP-Problem: some hosts can be reached, some not!
Hi!

Due to some hardware troubles I set up a new firewall (and upgraded Shorewall). While the firewall was down, the servers that usually reside in the DMZ were directly connected to the internet.

The firewall is the typical DMZ-via-proxy-ARP setup: eth0 -> lan, eth1 -> net, eth2 -> dmz. Everything worked before the HW crash, but after replugging the DMZ into the firewall, the following things happen:

- all masqueraded traffic works (eth0 <-> eth1)
- all traffic from/to the firewall in any net works
- all traffic from the lan to the dmz works (eth0 <-> eth2)
- ALL traffic from the dmz to the net works, BUT traffic from the net to the dmz DOES NOT work.

When running a tcpdump I noticed that traffic to IPs that are not yet assigned to a server (.45-.62) is routed through, but the packets to existing IPs (.36-.44)/machines just vanish! I changed one of the IPs in the dmz to a previously unassigned one (.50) and voila: this machine can be reached without any trouble.

One thing more: pinging one of the old IPs (.36-.44) I get no response .. nothing. Pinging one of the other IPs results in a "destination unreachable".

Since everything works with the one IP (.50) (and others I tried), I assume that the firewall is configured correctly. Since the packets for the IPs (.36-.44) arrive at the external interface and don't show up in the logs as rejected/dropped, I assume the firewall is not configured correctly.

As you might have already guessed at this point - I'm absolutely clueless, but becoming desperate.

Has anyone got an idea what I could try? Could have done wrong? Missed? I would be thankful for _any_ hint! If you need any details of my configuration just let me know!

+Martin

--
*********************************************************************
* Martin Schipany   email: elcondor(at)warum.net                    *
* IRC : ElCondor on channel #diddl                                  *
*********************************************************************
Tom Eastep
2005-Jul-19 22:05 UTC
Re: Strange ProxyARP-Problem: some hosts can be reached, some not!
Martin Schipany wrote:
>
> when running a tcpdump I noticed, that traffic to IPs that are not yet
> assigned to a server (.45-.62) are routed through, but the packets to
> existing IPs(.36-.44)/machines just vanishes! I changed one of the IPs in
> the dmz to a prios not assigned one(.50) and voila: this machines can be
> reached without any troubles. one thing more: pinging to one of the old IPs
> (.36-.44) I get no response .. nothing. pinging one of the other IPs
> results in a "destination unreachable"
>

Run tcpdump with the -e option and look carefully at the link level addresses (the Shorewall Proxy ARP docs show you what to look for). You may have a stale ARP cache in the upstream router.

Also, if DMZ->NET traffic works from all DMZ systems, you are probably (incorrectly) masquerading/SNATing those connections (e.g., you have an entry in /etc/shorewall/masq that covers DMZ->NET connections).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
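The check Tom describes, as an added example that is not part of the original thread or of Shorewall: feed the output of `tcpdump -e -n -i eth1` into a small parser and flag inbound frames for DMZ addresses whose destination MAC is not the firewall's eth1 MAC. With proxy ARP the upstream router must send every frame for a DMZ address to the firewall; if it still holds the servers' own NIC MACs from the period they were plugged straight into the net, those frames are addressed to a MAC the firewall never accepts and silently vanish, exactly the symptom reported above. The line format, the MAC and IP values, and the constructed sample capture below are all assumptions (RFC 5737 documentation addresses, invented MACs), not data from the original post.

```python
import re
from collections import defaultdict

# One link-layer frame as printed by `tcpdump -e -n -i eth1` (format as assumed for this example).
# Only IPv4 frames are matched; ARP and other ethertypes are skipped on purpose.
FRAME_RE = re.compile(
    r"^\S+\s+"                                              # timestamp
    r"(?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "          # optional .port suffix
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"
)

# Assumed topology for the example: the firewall's eth1 MAC and the proxy-ARP'd DMZ addresses.
FIREWALL_ETH1_MAC = "00:50:56:ee:ff:01"
DMZ_IPS = {"192.0.2.36", "192.0.2.40", "192.0.2.44", "192.0.2.50"}

# Constructed sample capture (not a real trace). 00:0c:29:aa:bb:36 / :40 are the servers' own NICs,
# i.e. the MACs the upstream router learned while the boxes sat directly on the net.
SAMPLE_LINES = [
    "20:58:01.000001 00:1a:2b:3c:4d:01 > 00:0c:29:aa:bb:36, ethertype IPv4 (0x0800), length 98: "
    "203.0.113.10 > 192.0.2.36: ICMP echo request, id 7, seq 1, length 64",
    "20:58:01.000002 00:1a:2b:3c:4d:01 > 00:50:56:ee:ff:01, ethertype IPv4 (0x0800), length 74: "
    "203.0.113.10.51234 > 192.0.2.50.80: Flags [S], seq 1, win 64240, length 0",
    "20:58:01.000003 00:1a:2b:3c:4d:01 > 00:0c:29:aa:bb:40, ethertype IPv4 (0x0800), length 74: "
    "203.0.113.10.51235 > 192.0.2.40.25: Flags [S], seq 1, win 64240, length 0",
    "20:58:01.000004 00:1a:2b:3c:4d:01 > 00:50:56:ee:ff:01, ethertype IPv4 (0x0800), length 98: "
    "203.0.113.10 > 192.0.2.44: ICMP echo request, id 7, seq 2, length 64",
    "20:58:01.000005 00:1a:2b:3c:4d:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: "
    "Request who-has 192.0.2.38 tell 192.0.2.33, length 28",
]


def parse_frames(lines):
    """Return a list of dicts (src_mac, dst_mac, src_ip, dst_ip) for every IPv4 frame line."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.groupdict())
    return frames


def find_stale_arp(lines, firewall_ext_mac, dmz_ips):
    """Map each DMZ IP to the set of wrong destination MACs seen on the external interface.

    A frame for a proxy-ARP'd DMZ address must carry the firewall's own MAC; anything else
    means the upstream router's ARP cache still points at the old host. An empty dict is good.
    """
    firewall_ext_mac = firewall_ext_mac.lower()
    stale = defaultdict(set)
    for f in parse_frames(lines):
        if f["dst_ip"] in dmz_ips and f["dst_mac"].lower() != firewall_ext_mac:
            stale[f["dst_ip"]].add(f["dst_mac"])
    return dict(stale)


if __name__ == "__main__":
    # Stand-alone run over the constructed capture; with real data pipe tcpdump into stdin instead.
    for ip, macs in sorted(find_stale_arp(SAMPLE_LINES, FIREWALL_ETH1_MAC, DMZ_IPS).items()):
        print(f"{ip}: upstream sends to {', '.join(sorted(macs))} instead of {FIREWALL_ETH1_MAC}")
```

Frames for .36 and .40 are flagged because the router addresses them to the servers' old NIC MACs, while .44 and .50 are delivered to the firewall's eth1 and pass. Once the report is non-empty, the fix is on the router side (expire or clear its ARP entries for those addresses), not in the Shorewall rules, which is consistent with nothing showing up in the firewall's reject/drop logs.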
Jerry Vonau
2005-Jul-19 22:27 UTC
Re: Strange ProxyARP-Problem: some hosts can be reached, some not!
>
> when running a tcpdump I noticed, that traffic to IPs that are not yet
> assigned to a server (.45-.62) are routed through, but the packets to
> existing IPs(.36-.44)/machines just vanishes! I changed one of the IPs in
> the dmz to a prios not assigned one(.50) and voila: this machines can be
> reached without any troubles. one thing more: pinging to one of the old IPs
> (.36-.44) I get no response .. nothing. pinging one of the other IPs
> results in a "destination unreachable"
>
> since everything works with the one IP(.50) (and others I tried), I assume
> that the firewall is configured correctly. since the packets for the IPs
> (.36-.44) arrive at the external interface and don't show up in the logs
> als rejected/dropped, I assume the firewall is not configured correctly.
>
> Asu you might have already guessed at this point - I'm absolutly clueless,
> but becoming desperate.
>
> Has anyone got an idea what I could try? could have done wrong? missed? I
> would be thankful for _any_ hint! If you need any details of my
> configuration just let me know!
>
> +Martin

Stale ARP cache, maybe.. see:

http://www.shorewall.net/ProxyARP.htm  (ARP cache)

Jerry