First some background:

My cable provider offers three simultaneous external DHCP-assigned IP addresses. I have shorewall running on a system with 5 nics in it. Eth0, eth1, and eth2 are connected to the cable modem through a switch. They each get their IP addresses through DHCP from the cable provider. Eth3 is my internal wired interface which is statically configured to 192.168.0.1. Eth4 is wireless and is statically configured to 192.168.1.1.

Here is what I want to accomplish:

I am trying to setup shorewall with multiple providers so that all traffic originating on 192.168.0.254 (one of my internal PCs) is masqueraded on eth0, all traffic originating on 192.168.0.253 (another internal PC) is masqueraded on eth1, and all traffic originating from PCs connected to eth3 (192.168.0.0/24) and eth4 (192.168.1.0/24) is masqueraded on eth2.

Here is what I think works properly:

I believe that shorewall tries to masquerade 192.168.0.254 on eth0, 192.168.0.253 on eth1, and all else on eth2. I know that everything that goes out on eth2 works. For example, when I change my IP address to 192.168.0.x (where 1<x<253) I get internet connectivity. 192.168.0.253 and 192.168.0.254 get nothing.

Where I think my problem lies:

I don't think I have the correct routes configured. This is where I get confused. Do I have to build routing tables and then configure them in my providers file? I have been just duplicating the main table for all three provider entries in this file. Also, if I have shorewall attempt to detect my gateway address, it fails on eth0 and eth1, but can detect eth2's gateway address. I can open the /var/lib/dhcp/dhclient-eth0.leases and get my gateway address manually and then enter it into the providers file. This allows shorewall to start, but since my IP addresses are DHCP assigned, and since my cable provider has more than one gateway address, this would be a temporary solution that might only last as long as my DHCP lease. That would be acceptable, but not ideal.

I have no need for load balancing, but definitely want all traffic from 192.168.0.254 to go through eth0, 192.168.0.253 to go through eth1 and all else to go through eth2. Any help is much appreciated. I have attached my relevant configuration files. Any help would be much appreciated.
Jerry Vonau
2005-Oct-25 09:46 UTC
Re: Shorewall with multiple providers - basically three-in-one
> First some background:
> My cable provider offers three simultaneous external DHCP-assigned IP addresses. I have shorewall running on a system with 5 nics in it. Eth0, eth1, and eth2 are connected to the cable modem through a switch. They each get their IP addresses through DHCP from the cable provider. Eth3 is my internal wired interface which is statically configured to 192.168.0.1. Eth4 is wireless and is statically configured to 192.168.1.1.
>
> Here is what I want to accomplish:
> I am trying to setup shorewall with multiple providers so that all traffic originating on 192.168.0.254 (one of my internal PCs) is masqueraded on eth0, all traffic originating on 192.168.0.253 (another internal PC) is masqueraded on eth1, and all traffic originating from PCs connected to eth3 (192.168.0.0/24) and eth4 (192.168.1.0/24) is masqueraded on eth2.
>
> Here is what I think works properly:
> I believe that shorewall tries to masquerade 192.168.0.254 on eth0, 192.168.0.253 on eth1, and all else on eth2. I know that everything that goes out on eth2 works. For example, when I change my IP address to 192.168.0.x (where 1<x<253) I get internet connectivity. 192.168.0.253 and 192.168.0.254 get nothing.

Yea, there is no route to the providers table, where the gateways for eth0, and eth1 are.

> Where I think my problem lies:
> I don't think I have the correct routes configured. This is where I get confused. Do I have to build routing tables and then configure them in my providers file? I have been just duplicating the main table for all three provider entries in this file. Also, if I have shorewall attempt to detect my gateway address, it fails on eth0 and eth1, but can detect eth2's gateway address. I can open the /var/lib/dhcp/dhclient-eth0.leases and get my gateway address manually and then enter it into the providers file. This allows shorewall to start, but since my IP addresses are DHCP assigned, and since my cable provider has more than one gateway address, this would be a temporary solution that might only last as long as my DHCP lease. That would be acceptable, but not ideal.

I just finished creating some patches for the network initscripts that deal with that issue. (want to beta test?)

> I have no need for load balancing, but definitely want all traffic from 192.168.0.254 to go through eth0, 192.168.0.253 to go through eth1 and all else to go through eth2. Any help is much appreciated.

Well, the arpfilter option is needed for eth0,1,2 in the interfaces file, same hub/switch right? With the absence of balance, you need to override the routing table with the use of fwmarks, or everything travels out the default gateway in the main routing table. The tcrules file is used to define which fwmarks are placed on what traffic. There will be an ip rule for the provider that is used to direct the marked traffic to the provider's alternate routing tables. This is the provider's routing table that I mention earlier.

    1:P 192.168.0.254 0.0.0.0/0 all
    2:P 192.168.0.253 0.0.0.0/0 all

The marks need to match the "provider" in the providers file. If these client machines accept inbound connections then "track" may be needed for both eth0 and eth1. You may want to use snat in the masq file.

Jerry
Russel
2005-Oct-25 14:29 UTC
Re: Shorewall with multiple providers - basically three-in-one
It will be a few days before I'm able to really test out your suggestions. I thought I might have to modify the networking init scripts to make everything work with DHCP, but I lack the talent to do so. I would definitely be interested in beta testing the patches you've written. I've also thought about using SNAT for 192.168.0.253 and 192.168.0.254, but I'm not sure if there are any advantages to this. Thanks for your help. I'll get back to you when I've had a chance to try your suggestions.

Russel

----- Original Message -----
From: "Jerry Vonau" <jvonau@shaw.ca>
To: <shorewall-users@lists.sourceforge.net>
Sent: Tuesday, October 25, 2005 3:46 AM
Subject: Re: [Shorewall-users] Shorewall with multiple providers - basically three-in-one
Tom Eastep
2005-Oct-25 14:41 UTC
Re: Shorewall with multiple providers - basically three-in-one
On Tuesday 25 October 2005 02:46, Jerry Vonau wrote:

> Well, the arpfilter option is needed for eth0,1,2 in the interfaces file, same hub/switch right?

I think that Russel will actually need arp_ignore=1 on those two interfaces. arp_filter isn't enough when the two interfaces are on the same IP network. That's one of the things that gave me fits with this kind of configuration. I couldn't use arp_ignore=1 on one of my internet interfaces because that interface was involved in proxy ARP.

arp_ignore is supported in /etc/shorewall/interfaces in the 3.0.0 release candidates. If Russel is running an earlier release, he will need to set it in /etc/shorewall/init.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Russel
2005-Oct-26 13:27 UTC
RE: Shorewall with multiple providers - basically three-in-one
It turns out I've had time to give everything a try.

Here is what I've got:
The updated network init scripts from Jerry build separate routing tables for each external DHCP-assigned interface. They appear to be working correctly, but shorewall still can't detect the gw address on eth0 and eth1. Just the same, I have the gateway entered in manually in the providers file and shorewall can start.

From my two internal machines I can ping their respective gateways. For example, 192.168.0.254 is supposed to connect through eth0. Eth0 has an ip address of 24.117.145.174. Its gateway is 24.117.144.1. From 192.168.0.254 I can ping 24.117.144.1. I cannot ping anything else on the internet from 192.168.0.254. 192.168.0.253 can ping eth1's gateway address, but nothing else on the internet. 192.168.0.2-192.168.0.252 all work as expected.

I think I have a problem with my routes or tcrules. I'm just not sure where to continue from here. I have attached updated configuration and log files. Again, any help would be much appreciated.

Russel

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Russel
Sent: Tuesday, October 25, 2005 8:30 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall with multiple providers - basically three-in-one
Jerry Vonau
2005-Oct-26 14:09 UTC
Re: RE: Shorewall with multiple providers - basically three-in-one
> It turns out I've had time to give everything a try.
>
> Here is what I've got:
> The updated network init scripts from Jerry build separate routing tables for each external DHCP-assigned interface. They appear to be working correctly, but shorewall still can't detect the gw address on eth0 and eth1.

You're not using the add_hops function to install the multi-hop gateway, so you're where you started.

> Just the same, I have the gateway entered in manually in the providers file and shorewall can start.
>
> From my two internal machines I can ping their respective gateways. For example, 192.168.0.254 is supposed to connect through eth0. Eth0 has an ip address of 24.117.145.174. Its gateway is 24.117.144.1. From 192.168.0.254 I can ping 24.117.144.1. I cannot ping anything else on the internet from 192.168.0.254. 192.168.0.253 can ping eth1's gateway address, but nothing else on the internet. 192.168.0.2-192.168.0.252 all work as expected.

Hitting the gateway from behind the firewall is a good thing. Did you set arp_ignore=1 for eth0,1,2 as Tom had suggested? This is where tcpdump comes in handy.

> I think I have a problem with my routes or tcrules. I'm just not sure where to continue from here.

What happened to eth3,4 from the copy from column? I'd just use track,balance in the providers file, and to the TOP of tcrules add

    3:P 192.168.0.0/24 0.0.0.0/0

Last match in the tcrules file gets to mark the packet.

Jerry
Tom Eastep
2005-Oct-26 14:17 UTC
Re: RE: Shorewall with multiple providers - basically three-in-one
On Wednesday 26 October 2005 07:09, Jerry Vonau wrote:

> Hitting the gateway from behind the firewall is a good thing.
> Did you set arp_ignore=1 for eth0,1,2 as Tom had suggested?
> This is where tcpdump comes in handy.

It's also a good idea after setting arp_ignore to use arping to send gratuitous ARP so as to straighten out the ARP caches on the external network (hint: Use 'arping' -- the Proxy ARP documentation gives examples of how to run it).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
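The provider-table and fwmark layout Jerry describes, the tcrules ordering from his later reply, and Tom's arp_ignore/arping advice, as a shell script added here (it is not from the thread and not Shorewall's own code): the functions only print the iproute2/iptables/sysctl commands and model the mark ordering offline, so nothing is applied to the running system. The lease-file contents, the table numbers and the ip rule priorities are my assumptions; the addresses and marks are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall.  It spells out, as
# plain iproute2/iptables/sysctl commands, the layout Jerry and Tom describe:
# one routing table per provider, an ip rule keyed on the fwmark, MARK rules
# ordered so the last match wins, and arp_ignore on interfaces that share a
# switch.  The functions only PRINT commands so they can be reviewed first.

# Pull the gateway out of a dhclient lease file (the thread reads it by hand
# from /var/lib/dhcp/dhclient-eth0.leases).  dhclient appends each new lease,
# so the last "option routers" line is the current one.
lease_gateway() {
    awk '/option routers/ { sub(/;$/, "", $3); gw = $3 } END { print gw }' "$1"
}

# Commands for one provider: rebuild its table with a default route via the
# DHCP gateway, add an ip rule that sends packets carrying the provider's
# fwmark to that table, and masquerade on its interface.
# Arguments: table mark interface gateway.  Priority 10000+mark is assumed.
provider_cmds() {
    table=$1 mark=$2 iface=$3 gw=$4
    printf 'ip route flush table %s\n' "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add fwmark %s table %s priority %s\n' "$mark" "$table" "$((10000 + $mark))"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$iface"
}

# MARK rules in the order Jerry recommends: the broad LAN entry first, the
# per-host entries after it.  MARK is a non-terminating target, so the last
# rule that matches decides the mark ("last match gets to mark the packet").
# Each argument is mark:source, e.g. 3:192.168.0.0/24.
tcrules_cmds() {
    for entry in "$@"; do
        printf 'iptables -t mangle -A PREROUTING -s %s -j MARK --set-mark %s\n' \
            "${entry#*:}" "${entry%%:*}"
    done
}

# Tom's point: interfaces on one IP network behind one switch must not answer
# ARP for each other's addresses.  After setting arp_ignore, announce the
# address with gratuitous ARP so upstream caches are corrected.
# Arguments: interface address.
arp_cmds() {
    printf 'sysctl -w net.ipv4.conf.%s.arp_ignore=1\n' "$1"
    printf 'arping -U -c 3 -I %s %s\n' "$1" "$2"
}

# --- a small model of the mangle table, to check the ordering offline ---
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $1 lies inside $2 (a.b.c.d/len, or a bare host address).
in_cidr() {
    net=${2%/*}
    case "$2" in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "$net") & $mask )) ]
}

# Walk the rules in order and report the mark a packet from $1 leaves with
# (0 = unmarked: it follows the main table's default route, eth2 here).
effective_mark() {
    addr=$1; shift; result=0
    for entry in "$@"; do
        if in_cidr "$addr" "${entry#*:}"; then result=${entry%%:*}; fi
    done
    echo "$result"
}

# Demo with the thread's values.  The lease file content is constructed; the
# older lease with a second router shows why the LAST entry must be taken.
lease=$(mktemp)
printf 'lease {\n  interface "eth0";\n  option routers 24.117.144.2;\n}\nlease {\n  interface "eth0";\n  fixed-address 24.117.145.174;\n  option routers 24.117.144.1;\n}\n' > "$lease"
gw0=$(lease_gateway "$lease"); rm -f "$lease"
provider_cmds 1 1 eth0 "$gw0"
tcrules_cmds 3:192.168.0.0/24 1:192.168.0.254 2:192.168.0.253
arp_cmds eth0 24.117.145.174
echo "192.168.0.254 -> mark $(effective_mark 192.168.0.254 3:192.168.0.0/24 1:192.168.0.254 2:192.168.0.253)"
```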
Since last writing, I've tried a lot of new things with some success. I am now running shorewall 3.0 rc2. I am still using Jerry's modified network init scripts and I modified my /etc/init.d/network file to include the bal_hops function. As Jerry indicated, this fixed my problem detecting the gateways when the providers are added. However, it caused the kernel to panic after shorewall started. I was getting kernel error messages so fast that I couldn't even read them, until the kernel finally panicked and the machine stopped responding.

I compiled a new kernel (2.6.14) and have had more success. Shorewall now starts and everything works as I want, but after anywhere from 30 seconds to 5 minutes, the kernel panics again. None of the error data appears to be included in the log files in /var/log. Do I need a serial cable to capture all the error data? I suspect that I missed some option when compiling the kernel, or need to go to an older version of the kernel to make everything right. I will pick up a serial cable tomorrow to capture the error data, but I wanted to know if there is anything I should try first?

I have included the output of the following commands to show how the firewall is configured just before the kernel panics:

    shorewall show
    ip addr show
    ip route show
    ip rule show

I have also included my .config file for my kernel. Tomorrow I will add the kernel panic info if I can capture it. Any help would be much appreciated.

Thanks
Russel

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Wednesday, October 26, 2005 8:10 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] RE: Shorewall with multiple providers - basically three-in-one
Today I picked up a serial null modem cable and captured the output of the kernel panic. It is attached along with other configuration files. Any help resolving the kernel panic issue would be greatly appreciated. Thanks, Russel -----Original Message----- From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Russel Sent: Wednesday, November 09, 2005 12:39 AM To: shorewall-users@lists.sourceforge.net Subject: [Shorewall-users] Shorewall with mulitple providers - basically three-in-one Since last writing, I''ve tried a lot of new things with some success. I am now running shorewall 3.0 rc2. I am still using Jerry''s modified network init scripts and I modified my /etc/init.d/network file to include the bal_hops function. As Jerry indicated, this fixed my problem detecting the gateways when the providers are added. However, it caused the kernel to panic after shorewall started. I was getting kernel error messages so fast that I couldn''t even read them, until the kernel finally panicked and the machine stopped responding. I compiled a new kernel (2.6.14) and have had more success. Shorewall now starts and everything works as I want, but after anywhere from 30 seconds to 5 minutes, the kernel panics again. None of the error data appears to be included in the log files in /var/log. Do I need a serial cable to capture all the error data? I suspect that I missed some option when compiling the kernel, or need to go to an older version of the kernel to make everything right. I will pick up a serial cable tomorrow to capture the error data, but I wanted to know if there is anything I should try first? I have included the output of the following commands to show how the firewall is configured just before the kernel panics: shorewall show ip addr show ip route show ip rule show I have also included my .config file for my kernel. Tomorrow I will add the kernel panic info if I can capture it. 
Any help would be much appreciated.

Thanks
Russel

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Jerry Vonau
Sent: Wednesday, October 26, 2005 8:10 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] RE: Shorewall with multiple providers - basically three-in-one

> It turns out I've had time to give everything a try.
>
> Here is what I've got:
> The updated network init scripts from Jerry build separate routing tables
> for each external DHCP-assigned interface. They appear to be working
> correctly, but shorewall still can't detect the gw address on eth0 and eth1.

You're not using the add_hops function to install the multi-hop gateway, so you're where you started.

> Just the same, I have the gateway entered in manually in the providers file
> and shorewall can start.
>
> From my two internal machines I can ping their respective gateways. For
> example, 192.168.0.254 is supposed to connect through eth0. Eth0 has an ip
> address of 24.117.145.174. Its gateway is 24.117.144.1. From 192.168.0.254
> I can ping 24.117.144.1. I cannot ping anything else on the internet from
> 192.168.0.254. 192.168.0.253 can ping eth1's gateway address, but nothing
> else on the internet. 192.168.0.2-192.168.0.252 all work as expected.
>

Hitting the gateway from behind the firewall is a good thing. Did you set arp_ignore=1 for eth0,1,2 as Tom had suggested? This is where tcpdump comes in handy.

> I think I have a problem with my routes or tcrules. I'm just not sure where
> to continue from here.
>

What happened to eth3,4 from the copy from column? I'd just use track,balance in the providers file, and to the TOP of tcrules add

3:P 192.168.0.0/24 0.0.0.0/0

Last match in the tcrules file gets to mark the packet.

Jerry
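The messages above are working toward one routing table per DHCP-assigned provider, fed from the gateway in the dhclient lease file, with tcrules marks steering two hosts to their own providers. The following POSIX shell script is an added illustration of that mechanism; it is not Jerry's init scripts and not Shorewall's own code. It pulls the current gateway and address out of a dhclient lease file (the file Russel reads by hand, reconstructed here from a constructed sample), then prints, without executing, the ip(8) commands for one provider table and the iptables(8) mark rules in the order Jerry describes, catch-all subnet first so the host-specific marks win. Table numbers, mark values, rule priorities and the lease contents are assumptions; the script also assumes the DHCP client has already put the connected-subnet route in the main table, which the kernel normally needs before it will accept a default route via that gateway.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: derive one
# provider's routing table from its dhclient lease and emit the policy-
# routing commands. Everything is printed, not executed, so it can be
# reviewed (or compared with "ip rule show") before running it as root.

# Constructed lease file, modelled on /var/lib/dhcp/dhclient-eth0.leases.
# dhclient appends a block on every renewal, so the LAST block is current;
# the first block here is a stale lease with a different gateway.
SAMPLE_LEASES='lease {
  interface "eth0";
  fixed-address 24.117.145.170;
  option subnet-mask 255.255.252.0;
  option routers 24.117.144.2;
  expire 2 2005/11/08 00:00:00;
}
lease {
  interface "eth0";
  fixed-address 24.117.145.174;
  option subnet-mask 255.255.252.0;
  option routers 24.117.144.1;
  option dhcp-lease-time 86400;
  expire 4 2005/11/10 00:00:00;
}'

# lease_field FILE FIELD: value of FIELD from the last lease block in FILE,
# with the trailing ';' stripped. Prints nothing if FIELD never appears.
lease_field() {
    awk -v f="$2" '
        $0 ~ f { v = $NF; sub(/;$/, "", v) }
        END { print v }' "$1"
}
lease_gateway() { lease_field "$1" "option routers"; }
lease_address() { lease_field "$1" "fixed-address"; }

# provider_commands IFACE TABLE MARK LEASEFILE: commands giving one provider
# its own table (assumed numbering): a default route via the leased gateway,
# a rule so packets already carrying MARK use that table, and a rule so
# traffic sourced from the provider's own address (replies to inbound
# connections) leaves by the same interface. The connected-subnet route is
# assumed to be in the main table already (dhclient adds it); without it
# the kernel normally rejects "default via GW" as an unreachable nexthop.
provider_commands() {
    gw=$(lease_gateway "$4")
    addr=$(lease_address "$4")
    if [ -z "$gw" ] || [ -z "$addr" ]; then
        echo "provider_commands: no usable lease for $1 in $4" >&2
        return 1
    fi
    echo "ip route add default via $gw dev $1 table $2"
    echo "ip rule add from $addr table $2 priority 1000"
    echo "ip rule add fwmark $3 table $2 priority 1001"
}

# mark_commands SRC MARK: the mangle rule a tcrules line "MARK:P SRC 0.0.0.0/0"
# amounts to. MARK is non-terminating, so when several rules match the same
# packet the LAST one's mark survives.
mark_commands() {
    echo "iptables -t mangle -A PREROUTING -s $1 -j MARK --set-mark $2"
}

# policy_commands: the thread's policy in the order Jerry gives it, catch-all
# subnet rules first so the host-specific marks below override them.
# Mark 1 = eth0's table, 2 = eth1's, 3 = eth2's (assumed numbering).
policy_commands() {
    mark_commands 192.168.0.0/24 3
    mark_commands 192.168.1.0/24 3
    mark_commands 192.168.0.254 1
    mark_commands 192.168.0.253 2
}

# demo: write the constructed lease to a temp file and print the full set
# of commands for provider 1 (eth0) followed by the mark rules.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_LEASES" > "$tmp"
    provider_commands eth0 1 1 "$tmp"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    policy_commands
}

demo
```

To use it against a real box, replace SAMPLE_LEASES with the path to each interface's lease file, call provider_commands once per provider with its own table and mark, and pipe the output through sh as root; rerun it from a dhclient exit hook so the table follows the lease rather than going stale when the gateway changes. The from-address rule is what keeps inbound connections arriving on eth0 from being answered out eth2.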
Tom Eastep
2005-Nov-10 04:54 UTC
Re: Shorewall with multiple providers - basically three-in-one
On Wednesday 09 November 2005 20:43, Russel wrote:

> Today I picked up a serial null modem cable and captured the output of the
> kernel panic. It is attached along with other configuration files. Any
> help resolving the kernel panic issue would be greatly appreciated.

I hope you aren't in a hurry. As far as I know, there are no kernel developers subscribed to this list so the probability of your getting a meaningful response by posting here is exactly zero percent.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Simon Matter
2005-Nov-10 07:12 UTC
Re: Shorewall with multiple providers - basically three-in-one
> On Wednesday 09 November 2005 20:43, Russel wrote:
>> Today I picked up a serial null modem cable and captured the output of
>> the kernel panic. It is attached along with other configuration files. Any
>> help resolving the kernel panic issue would be greatly appreciated.
>
> I hope you aren't in a hurry. As far as I know, there are no kernel
> developers subscribed to this list so the probability of your getting a
> meaningful response by posting here is exactly zero percent.

The panic indicates that maybe webmin is involved, at least miniserv.pl which usually belongs to webmin shows up in it.

Simon
Tom Eastep
2005-Nov-10 15:11 UTC
Re: Shorewall with multiple providers - basically three-in-one
On Wednesday 09 November 2005 23:12, Simon Matter wrote:

> > On Wednesday 09 November 2005 20:43, Russel wrote:
> >> Today I picked up a serial null modem cable and captured the output of
> >> the kernel panic. It is attached along with other configuration files. Any
> >> help resolving the kernel panic issue would be greatly appreciated.
> >
> > I hope you aren't in a hurry. As far as I know, there are no kernel
> > developers subscribed to this list so the probability of your getting a
> > meaningful response by posting here is exactly zero percent.
>
> The panic indicates that maybe webmin is involved, at least miniserv.pl
> which usually belongs to webmin shows up in it.
>

User-space code like Perl should not be able to produce a kernel panic though.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Cristian Rodriguez
2005-Nov-11 22:11 UTC
Re: Shorewall with multiple providers - basically three-in-one
Simon Matter wrote:

>> On Wednesday 09 November 2005 20:43, Russel wrote:
>>> Today I picked up a serial null modem cable and captured the output of
>>> the kernel panic. It is attached along with other configuration files. Any
>>> help resolving the kernel panic issue would be greatly appreciated.
>> I hope you aren't in a hurry. As far as I know, there are no kernel
>> developers subscribed to this list so the probability of your getting a
>> meaningful response by posting here is exactly zero percent.
>
> The panic indicates that maybe webmin is involved, at least miniserv.pl
> which usually belongs to webmin shows up in it.
>
> Simon

perl **should not** be able to generate a kernel panic.

Russel: get the latest version of webmin and make sure you have the latest updates from your distribution...