Hello all.

I've recently setup my first (newbie alert!) Shorewall firewall and am having problems getting the traffic I want to go through. The traffic I don't want through isn't going, as expected. I setup a 3-NIC/1-static IP firewall based on the directions here: http://shorewall.net/three-interface.htm (There are actually 4 NICs in the PC, but the fourth one isn't being used.) I can access the Internet from the firewall (after adding the fw->net ACCEPT policy).

This is what I specifically cannot do:
1) Go from loc to net. I have the loc->net ACCEPT policy set. I tried accessing multiple remote IPs and domains from multiple local (192.168.144.0/24) PCs with both ping and a Web browser.
2) People from net cannot access dmz (I did test this with a PC outside of the network). It started working when I created a net->dmz ACCEPT policy, but, based on the instructions, I don't think I should have to do that.

I have been modifying the rules to try to get it working, but have given up. Hopefully I haven't totally messed them up.

I noticed that the WEB macro includes both ports 80 and 443. In our network they are currently on different PCs, so I setup individual access rules for those two ports.

I have it running on a PC built from source with Source Mage, so anything wrong is most likely self-inflicted.

# shorewall version
3.0.7

Attached are the results of /sbin/shorewall dump > /tmp/status.txt (from http://shorewall.net/support.htm).

Thank you for any help and/or advice you can offer.

--
Jason Flatt
Caring Nurses, Inc.
Voice: (702) 791-3729 - Fax: (702) 791-3859
2968 E. Russell Rd., Las Vegas, NV 89120

Jason Flatt wrote:
> Hello all.
>
> I've recently setup my first (newbie alert!) Shorewall firewall and am having
> problems getting the traffic I want to go through. The traffic I don't want
> through isn't going, as expected. I setup a 3-NIC/1-static IP firewall based
> on the directions here: http://shorewall.net/three-interface.htm (There are
> actually 4 NICs in the PC, but the fourth one isn't being used.) I can access
> the Internet from the firewall (after adding the fw->net ACCEPT policy).
>
> This is what I specifically cannot do:
> 1) Go from loc to net. I have the loc->net ACCEPT policy set. I tried
> accessing multiple remote IPs and domains from multiple local
> (192.168.144.0/24) PCs with both ping and a Web browser.
> 2) People from net cannot access dmz (I did test this with a PC outside of
> the network). It started working when I created a net->dmz ACCEPT policy,
> but, based on the instructions, I don't think I should have to do that.
>

ARP

? (192.168.120.26) at 00:20:ED:6C:5F:C4 [ether] on eth2
? (192.168.144.31) at * PERM PUP on eth0 <====================
? (208.57.199.83) at * PERM PUP on eth1 <====================

You appear to have eth0 and eth1 reversed in your configuration. The above suggests that eth1 is connected to the internet but you have configured eth0 as your 'net' interface. Either that or you have badly mis-cabled your network

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Jason Flatt wrote:
>> Hello all.
>>
>> I've recently setup my first (newbie alert!) Shorewall firewall and am having
>> problems getting the traffic I want to go through. The traffic I don't want
>> through isn't going, as expected. I setup a 3-NIC/1-static IP firewall based
>> on the directions here: http://shorewall.net/three-interface.htm (There are
>> actually 4 NICs in the PC, but the fourth one isn't being used.) I can access
>> the Internet from the firewall (after adding the fw->net ACCEPT policy).
>>
>> This is what I specifically cannot do:
>> 1) Go from loc to net. I have the loc->net ACCEPT policy set. I tried
>> accessing multiple remote IPs and domains from multiple local
>> (192.168.144.0/24) PCs with both ping and a Web browser.
>> 2) People from net cannot access dmz (I did test this with a PC outside of
>> the network). It started working when I created a net->dmz ACCEPT policy,
>> but, based on the instructions, I don't think I should have to do that.
>>
> ARP
>
> ? (192.168.120.26) at 00:20:ED:6C:5F:C4 [ether] on eth2
> ? (192.168.144.31) at * PERM PUP on eth0 <====================
> ? (208.57.199.83) at * PERM PUP on eth1 <====================
>
> You appear to have eth0 and eth1 reversed in your configuration. The
> above suggests that eth1 is connected to the internet but you have
> configured eth0 as your 'net' interface. Either that or you have badly
> mis-cabled your network
>

I just noticed that those are 'PERM' entries -- if you followed the three-interface example, why do you have those?

-Tom

On Saturday 26 August 2006 16:12, Tom Eastep wrote:
> Tom Eastep wrote:
> >
> > ARP
> >
> > ? (192.168.120.26) at 00:20:ED:6C:5F:C4 [ether] on eth2
> > ? (192.168.144.31) at * PERM PUP on eth0 <====================
> > ? (208.57.199.83) at * PERM PUP on eth1 <====================
> >
> > You appear to have eth0 and eth1 reversed in your configuration. The
> > above suggests that eth1 is connected to the internet but you have
> > configured eth0 as your 'net' interface. Either that or you have badly
> > mis-cabled your network
>
> I just noticed that those are 'PERM' entries -- if you followed the
> three-interface example, why do you have those?
>
> -Tom

Oops! Sorry about that. That was another experiment to try to get it working, and I forgot to remove them before I created the file. It didn't change anything and I probably should have removed them right away.

I cannot take down the network right now, so I will try to recreate the dump file tomorrow afternoon and send it then.

--
Jason Flatt

Jason Flatt wrote:
>
> 2) People from net cannot access dmz (I did test this with a PC outside of
> the network). It started working when I created a net->dmz ACCEPT policy,
> but, based on the instructions, I don't think I should have to do that.
>

Folks -- I can't emphasize enough. I need to know what destination IP address, protocol and port is being accessed from the net to the dmz. "People from the net cannot access dmz" is completely useless as a problem description. If that is the level at which you yourself are thinking about your problem, then you will never solve it! You have to get down to the details.

-Tom

On Saturday 26 August 2006 17:45, Tom Eastep wrote:
> Jason Flatt wrote:
> > 2) People from net cannot access dmz (I did test this with a PC outside
> > of the network). It started working when I created a net->dmz ACCEPT
> > policy, but, based on the instructions, I don't think I should have to do
> > that.
>
> Folks -- I can't emphasize enough. I need to know what destination IP
> address, protocol and port is being accessed from the net to the dmz.
> "People from the net cannot access dmz" is completely useless as a
> problem description. If that is the level at which you yourself are
> thinking about your problem, then you will never solve it! You have to
> get down to the details.
>
> -Tom

I'm sorry. I guess I thought it was obvious, but you're absolutely correct. I can not assume that the correct information would be inferred from the dump file. I will try to recite all I can remember (which should be most, if not all), as I am no longer on site.

There are two domain names: caringnurses.com and caringnurses.net
There is one static IP address: 208.57.199.83 (The public IP for the company.)

The internal network is set to use a class C of 192.168.144.0/24

There is a server (the dmz) at 192.168.120.26 (originally 192.168.144.26, but changed for the firewall, based on the document) handling HTTP on port 80.

There is another server (in loc) at 192.168.144.22 handling FTP on port 21 and HTTPS on port 443.

There is another server (also in loc) at 192.168.144.151 handling FTP on port 2188 and HTTP on port 8088.

Webmin is setup on the firewall at HTTP port 8696.

There is a Windows Domain Controller handling DNS on port 53 for the internal network. Currently I have a firewall rule set to allow all DNS traffic, but I suspect I will limit it to outbound only once the dust settles.

I generally allow both TCP and UDP for any port I open up.

So, for the tests from the outside, I simply had my wife try to access http://www.caringnurses.com/, and she couldn't until I created the policy to allow net to dmz (which I think I removed before I sent the dump file). I know one does not preclude the other, but with the problems I was having getting out of the network, I didn't expect inbound to work.

I think that's it. Did I leave anything out?

--
Jason Flatt

Jason Flatt wrote:
> On Saturday 26 August 2006 17:45, Tom Eastep wrote:
>> Jason Flatt wrote:
>>> 2) People from net cannot access dmz (I did test this with a PC outside
>>> of the network). It started working when I created a net->dmz ACCEPT
>>> policy, but, based on the instructions, I don't think I should have to do
>>> that.
>> Folks -- I can't emphasize enough. I need to know what destination IP
>> address, protocol and port is being accessed from the net to the dmz.
>> "People from the net cannot access dmz" is completely useless as a
>> problem description. If that is the level at which you yourself are
>> thinking about your problem, then you will never solve it! You have to
>> get down to the details.
>>
>> -Tom
>
> I'm sorry. I guess I thought it was obvious, but you're absolutely correct. I
> can not assume that the correct information would be inferred from the dump
> file. I will try to recite all I can remember (which should be most, if not
> all), as I am no longer on site.
>
> There are two domain names: caringnurses.com and caringnurses.net
> There is one static IP address: 208.57.199.83 (The public IP for the company.)
>
> The internal network is set to use a class C of 192.168.144.0/24
>
> There is a server (the dmz) at 192.168.120.26 (originally 192.168.144.26, but
> changed for the firewall, based on the document) handling HTTP on port 80.
>
> There is another server (in loc) at 192.168.144.22 handling FTP on port 21 and
> HTTPS on port 443.
>
> There is another server (also in loc) at 192.168.144.151 handling FTP on port
> 2188 and HTTP on port 8088.
>
> Webmin is setup on the firewall at HTTP port 8696.
>
> There is a Windows Domain Controller handling DNS on port 53 for the internal
> network. Currently I have a firewall rule set to allow all DNS traffic, but I
> suspect I will limit it to outbound only once the dust settles.
>
> I generally allow both TCP and UDP for any port I open up.
>
> So, for the tests from the outside, I simply had my wife try to access
> http://www.caringnurses.com/, and she couldn't until I created the policy to
> allow net to dmz (which I think I removed before I sent the dump file).

You didn't.

> I know one does not preclude the other, but with the problems I was having
> getting out of the network, I didn't expect inbound to work.
>
> I think that's it. Did I leave anything out?
>

So www.caringnurses.com is now working -- what is the current state of the firewall?

All of the internal systems (including the web server) *do* have the Shorewall box configured as their default gateway, right?

-Tom

On Saturday 26 August 2006 20:08, Tom Eastep wrote:
> Jason Flatt wrote:
> >
> > So, for the tests from the outside, I simply had my wife try to access
> > http://www.caringnurses.com/, and she couldn't until I created the policy
> > to allow net to dmz (which I think I removed before I sent the dump
> > file).
>
> You didn't.

Okay. I guess I really should have gone through the configuration and cleaned up first, but I think I was mentally done at that time and just wanted to be done with it.

> > I know one does not preclude the other, but with the problems I was
> > having getting out of the network, I didn't expect inbound to work.
> >
> > I think that's it. Did I leave anything out?
>
> So www.caringnurses.com is now working -- what is the current state of
> the firewall?

I currently have a Linksys router in there, which is working fine. I need to leave the network operational as much as possible. :^) I'm trying to replace it with something with more capabilities. The firewall is up and running, but only eth1 (loc) has a network cable in it.

> All of the internal systems (including the web server) *do* have the
> Shorewall box configured as their default gateway, right?

Hmm, no I didn't do that for any of the loc systems. I did change the dmz, though. I may change the IP of the firewall's eth1 to 192.168.144.1 so I don't have to think about changing anything except the dmz, which has to be changed when I switch from the Linksys to Shorewall and back. I'll try that tomorrow and see if that's the missing piece.

> -Tom

Thanks.

--
Jason Flatt

On Sat, 2006-08-26 at 21:39 -0700, Jason Flatt wrote:
> > All of the internal systems (including the web server) *do* have the
> > Shorewall box configured as their default gateway, right?
>
> Hmm, no I didn't do that for any of the loc systems. I did change the dmz,
> though. I may change the IP of the firewall's eth1 to 192.168.144.1 so I
> don't have to think about changing anything except the dmz, which has to be
> changed when I switch from the Linksys to Shorewall and back. I'll try that
> tomorrow and see if that's the missing piece.

It is almost certainly the missing piece for the local LAN. For your DMZ, if you can reproduce the problem then please capture another dump following the instructions in the support guide exactly.

-Tom

Jason Flatt wrote:
> ...
> I'm sorry. I guess I thought it was obvious, but you're absolutely correct.

Ah - that would be PPPPPPS section 2 article 2! :-)

http://linuxman.wikispaces.com/PPPPPPS

Paul

Jason Flatt wrote:
> I'll try that tomorrow and see if that's the missing piece.

Did you get it working?

-Tom

On Monday 28 August 2006 12:12, Tom Eastep wrote:
> Jason Flatt wrote:
> > I'll try that tomorrow and see if that's the missing piece.
>
> Did you get it working?
>
> -Tom

Thanks for asking. I wasn't able to take the network down as it turned out that many people had chosen that day to get caught up on work. Who would've thunk? I'm going to shoot for early Wednesday morning instead.

--
Jason Flatt

On Monday 28 August 2006 12:12, Tom Eastep wrote:
> Jason Flatt wrote:
> > I'll try that tomorrow and see if that's the missing piece.
>
> Did you get it working?
>
> -Tom

Okay, I'm finally getting back to this. I did try and fail last week, but ran out of time to do any further work, so I didn't bother writing.

I got tired of mucking with my potentially (and likely) broken configuration, so I deleted it and copied the files from the three-interface sample. The only changes I made are one or two mods to the policy file and added few new rules (Web and POP3).

* I am able to ping from fw, loc and dmz to fw, loc, dmz, net and to the gateway of net, but no further, not even the DNS server by IP (24.234.0.71).
* I am unable to access any Web sites beyond the fw, but I am able to access Webmin on the fw. (I am also not able to access any Web sites on the dmz, but I suspect that will be easier to correct after the other problem(s) is(are) fixed.)

I can't imagine that there is anything wrong with the configuration, since it is basically stock from the sample, so I'm assuming I must have my network interfaces misconfigured, so I'm going to include that configuration as well as the dump file.

fw:         IP               Broadcast        Netmask          Gateway
eth0(net):  24.234.160.51    24.234.160.64    255.255.255.224  24.234.160.33
eth1(loc):  192.168.144.1    192.168.144.255  255.255.255.0    24.234.160.51
eth2(dmz):  192.168.120.12   192.168.120.255  255.255.255.0    24.234.160.51

dmz:
eth0:       192.168.120.14   192.168.120.255  255.255.255.0    192.168.120.12

loc:
eth0:       192.168.144.159  192.168.144.255  255.255.255.0    192.168.144.1

Here is the version and status (though it will be down so I can send and receive e-mail):

Shorewall-3.0.7 Status at firewall - Tue Sep 5 10:08:27 PDT 2006
Shorewall is running
State:Started (Tue Sep 5 10:05:44 PDT 2006)

For step 3.b. in http://www.shorewall.net/support.htm I tried accessing http://www.yahoo.com/

--
Jason Flatt

Jason Flatt wrote:
<more than I want to look at>

Jason,

Does your ISP *really* ask you to define your external network as a /8 (netmask 255.0.0.0)???

-Tom

Jason Flatt wrote:
>
>
> fw:         IP               Broadcast        Netmask          Gateway
> eth0(net):  24.234.160.51    24.234.160.64    255.255.255.224  24.234.160.33

To answer my own question, you have badly mis-configured eth0. It has a netmask of 255.0.0.0

-Tom

On Tuesday 05 September 2006 18:10, Tom Eastep wrote:
> Jason Flatt wrote:
> > fw: IP Broadcast Netmask Gateway
> > eth0(net): 24.234.160.51 24.234.160.64 255.255.255.224
> > 24.234.160.33
>
> To answer my own question, you have badly mis-configured eth0. It has a
> netmask of 255.0.0.0
>
> -Tom

I seem to have at least one faulty NIC. The devices are configured the way I listed, however when I bring eth0 up, it has a different broadcast and netmask. Sorry to bother you all with my problems. I'll try replacing one or more NICs and see if things improve. Thanks.

--
Jason Flatt

On Tue, 2006-09-05 at 21:51 -0700, Jason Flatt wrote:
> On Tuesday 05 September 2006 18:10, Tom Eastep wrote:
> > Jason Flatt wrote:
> > > fw: IP Broadcast Netmask Gateway
> > > eth0(net): 24.234.160.51 24.234.160.64 255.255.255.224
> > > 24.234.160.33
> >
> > To answer my own question, you have badly mis-configured eth0. It has a
> > netmask of 255.0.0.0
> >
> > -Tom
>
> I seem to have at least one faulty NIC. The devices are configured the way I
> listed, however when I bring eth0 up, it has a different broadcast and
> netmask. Sorry to bother you all with my problems. I'll try replacing one or
> more NICs and see if things improve. Thanks.
>

Netmask is not something that is configured in the NIC itself -- it is strictly within your kernel. Here is the eth0 configuration from the "shorewall dump" output:

2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:2b:ca:b7 brd ff:ff:ff:ff:ff:ff
    inet 24.234.160.51/8 brd 24.255.255.255 scope global eth0
    ----------------------------------
    inet6 fe80::290:27ff:fe2b:cab7/64 scope link
       valid_lft forever preferred_lft forever

It is extremely unlikely that this is the result of faulty hardware.

-Tom

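The comparison Tom makes by eye in the message above, written out as an added example (not part of the original thread and not Shorewall code): it parses the quoted `ip addr` stanza and checks the live prefix against the netmask Jason listed. The names `parse_ip_addr`, `audit` and `INTENDED` are assumptions made for illustration; the probe address is the DNS server Jason mentions.

```python
import ipaddress
import re

# eth0 stanza as quoted from the "shorewall dump" output in the thread.
DUMP = """\
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:90:27:2b:ca:b7 brd ff:ff:ff:ff:ff:ff
    inet 24.234.160.51/8 brd 24.255.255.255 scope global eth0
    inet6 fe80::290:27ff:fe2b:cab7/64 scope link
       valid_lft forever preferred_lft forever
"""

# Intended settings as listed in the thread: (address, netmask, gateway).
INTENDED = {"eth0": ("24.234.160.51", "255.255.255.224", "24.234.160.33")}

HEADER_RE = re.compile(r"^\d+: ([^:@\s]+)[:@]")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)/(\d+)(?: brd (\S+))?")


def parse_ip_addr(text):
    """Return {ifname: [(IPv4Interface, broadcast or None), ...]}."""
    live, ifname = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ifname = m.group(1)
            live.setdefault(ifname, [])
            continue
        m = INET_RE.match(line)  # "inet6" lines do not match
        if m and ifname:
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            brd = ipaddress.ip_address(m.group(3)) if m.group(3) else None
            live[ifname].append((iface, brd))
    return live


def audit(dump_text, intended, probes=()):
    """Compare the kernel's live IPv4 state with the intended settings."""
    live = parse_ip_addr(dump_text)
    findings = []
    for ifname, (addr, mask, gateway) in intended.items():
        want = ipaddress.ip_interface(f"{addr}/{mask}")
        match = [(h, b) for h, b in live.get(ifname, []) if h.ip == want.ip]
        if not match:
            findings.append({"if": ifname, "issue": "address-missing"})
            continue
        have, _brd = match[0]
        if have.network.prefixlen != want.network.prefixlen:
            findings.append({
                "if": ifname, "issue": "prefix-mismatch",
                "live": have.with_prefixlen,
                "intended": want.with_prefixlen,
                "intended_broadcast": str(want.network.broadcast_address),
            })
        if ipaddress.ip_address(gateway) not in want.network:
            findings.append({"if": ifname, "issue": "gateway-off-link",
                             "gateway": gateway})
        for p in map(ipaddress.ip_address, probes):
            # A host inside the live network but outside the intended one is
            # treated as directly connected instead of going via the gateway.
            if p in have.network and p not in want.network:
                findings.append({"if": ifname, "issue": "wrongly-on-link",
                                 "host": str(p)})
    return findings


if __name__ == "__main__":
    for finding in audit(DUMP, INTENDED, probes=["24.234.0.71"]):
        print(finding)
```
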
On Wednesday 06 September 2006 07:20, Tom Eastep wrote:
>
> Netmask is not something that is configured in the NIC itself -- it is
> strictly within your kernel. Here is the eth0 configuration from the
> "shorewall dump" output:
>
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:90:27:2b:ca:b7 brd ff:ff:ff:ff:ff:ff
>     inet 24.234.160.51/8 brd 24.255.255.255 scope global eth0
>     ----------------------------------
>     inet6 fe80::290:27ff:fe2b:cab7/64 scope link
>        valid_lft forever preferred_lft forever
>
> It is extremely unlikely that this is the result of faulty hardware.
>
> -Tom

Well, whether it was faulty hardware or a badly compiled module, I don't know. Replacing the two suspect NICs fixed the problem. I put in NICs with totally different chip sets to avoid the potential of a badly compiled module. Maybe if I have free time (not likely), I'll try and pin-point the problem. Right now my priority is getting the firewall working, which it is. Now I just need to fine-tune it.

--
Jason Flatt