I'm trying to replace my current firewall at home (a FreeBSD box using PF) with Shorewall. However, for some reason I'm unable to get the new firewall to talk to the Internet.

See the attached output from "shorewall dump". My local network is using 172.29.0.0/24, with an experimental DMZ on 172.29.11.0/24. I have four static public IP addresses (171.66.155.243 - 171.66.155.246).

As best I can tell from the "shorewall dump" output, it looks like I'm not getting any inbound packets from the Internet at all. Lots of stuff is being sent out to the Internet, but nothing is coming back (e.g., no TCP connections are being set up, and UDP services like NTP and DNS are not receiving any replies to queries).

When I reconnected my current firewall, everything started working again just fine.

Any ideas?

Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Rich Wales wrote:
> I'm trying to replace my current firewall at home (a FreeBSD box using PF)
> with Shorewall. However, for some reason I'm unable to get the new firewall
> to talk to the Internet.
>
> See the attached output from "shorewall dump". My local network is using
> 172.29.0.0/24, with an experimental DMZ on 172.29.11.0/24. I have four
> static public IP addresses (171.66.155.243 - 171.66.155.246).
>
> As best I can tell from the "shorewall dump" output, it looks like I'm not
> getting any inbound packets from the Internet at all. Lots of stuff is
> being sent out to the Internet, but nothing is coming back (e.g., no TCP
> connections are being set up, and UDP services like NTP and DNS are not
> receiving any replies to queries).
>
> When I reconnected my current firewall, everything started working again
> just fine.
>
> Any ideas?

Sounds like a stale ARP cache problem in the upstream router. I presume that "shorewall clear" doesn't improve the situation?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom -- Replying to:
> Sounds like a stale ARP cache problem in the upstream router.
> I presume that "shorewall clear" doesn't improve the situation?

I didn't try "shorewall clear", but I'll try that tonight when I get home and can do some more experimenting.

I =did= try an "arping -U" command to update the upstream router's ARP cache, in case that might have been the problem. FWIW, I haven't run into stale ARP cache issues previously at my location; changing the network card in my current firewall, at various times in the past, never interrupted traffic.

I would also have thought (possibly naively?) that even if there had been a stale ARP cache issue, it wouldn't have affected things if I were originating connections from my firewall (as opposed to outside hosts trying to connect to me).

Anyway, I'll try experimenting with this tonight. I suppose I could run "tcpdump" to see everything coming in from my Internet connection; this should show me if replies are being sent to the wrong MAC address.

If all else fails, I could physically move the external network card from my production firewall into the new firewall -- though, hopefully understandably, I'd only want to do that as a last resort.

Do any other possibilities come to your mind, in case it turns out not to be a question of a stale ARP cache?

Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
Rich Wales wrote:
>
> I would also have thought (possibly naively?) that even if there had
> been a stale ARP cache issue, it wouldn't have affected things if I
> were originating connections from my firewall (as opposed to outside
> hosts trying to connect to me).

That naive assumption is incorrect. How do you think responses to your outgoing packets could reach your system if they were being sent to the wrong link-layer address?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Rich Wales wrote:
> I didn't try "shorewall clear", but I'll try that tonight when I get
> home and can do some more experimenting.

If it still doesn't work from firewall->net after "shorewall clear", that will eliminate Shorewall as the cause. See http://www.shorewall.net/troubleshoot.htm.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Mar 30, 2007 at 12:30:12PM -0700, Rich Wales wrote:
> I =did= try an "arping -U" command to update the upstream router's
> ARP cache, in case that might have been the problem.

That only works if the upstream router has not been configured to maintain a static ARP cache. A number of misguided ISPs do this as part of an attempt to inconvenience people who would like to connect more than one device to their Internet connection. (If you discover that your ISP is doing this, I would strongly advise finding a new ISP, as it indicates that an idiot has decision-making authority over their network.)

> If all else fails, I could physically move the external network card
> from my production firewall into the new firewall -- though, hopefully
> understandably, I'd only want to do that as a last resort.

This should not be necessary. One of the many reasons why such upstream inanity is misguided is that you can merely change the MAC address of your existing network card, instead of using the power-on default.

    ifconfig ethx hw ether aa:bb:cc:dd:ee:ff
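The tcpdump check Rich proposes earlier in the thread (watch the external interface and see whether replies are addressed to the wrong MAC), together with Tom's point that a stale upstream ARP entry breaks replies to outbound connections too, can be turned into a small triage script. The following is an added example written for this thread, not code from the list or from Shorewall. It parses the per-frame prefix that `tcpdump -e -n` prints (`<time> <src-mac> > <dst-mac>, ethertype <Name> (0xNNNN), length <n>: <summary>`) and classifies inbound frames by whether they are addressed to our MAC, to broadcast, or, for packets destined to one of our public IPs, to some other MAC. The MAC addresses, the 192.0.2.x remote hosts and the sample capture lines are all constructed for the example; only the 171.66.155.243-246 addresses come from the thread.

```python
import re
from collections import Counter

# Prefix that `tcpdump -e -n` prints for every frame (tested against the
# constructed sample below; real captures vary only in the payload summary).
FRAME_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+>\s+"
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}),\s+ethertype\s+(?P<etype>\S+)\s+"
    r"\(0x[0-9a-f]{4}\),\s+length\s+\d+:\s+(?P<rest>.*)$",
    re.IGNORECASE,
)
# IPv4 payload summary starts "<src-ip[.port]> > <dst-ip[.port]>:"
IP_RE = re.compile(r"^(?P<sip>[\d.]+)\s+>\s+(?P<dip>[\d.]+):")
BROADCAST = "ff:ff:ff:ff:ff:ff"

def strip_port(addr):
    """'171.66.155.243.40321' -> '171.66.155.243' (with -n tcpdump appends the port with a dot)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def parse_frame(line):
    """Return a dict with src/dst MAC, ethertype and (for IPv4) the destination IP, or None."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["src"], f["dst"] = f["src"].lower(), f["dst"].lower()
    f["dst_ip"] = None
    if f["etype"].lower() == "ipv4":
        ipm = IP_RE.match(f["rest"])
        if ipm:
            f["dst_ip"] = strip_port(ipm.group("dip"))
    return f

def triage(lines, our_mac, our_ips):
    """Count frames by category; also record which wrong MACs receive traffic for our IPs."""
    our_mac, our_ips = our_mac.lower(), set(our_ips)
    counts, misdirected = Counter(), Counter()
    for line in lines:
        f = parse_frame(line)
        if f is None:
            counts["unparsed"] += 1
        elif f["src"] == our_mac:
            counts["sent_by_us"] += 1
        elif f["dst"] == our_mac:
            counts["to_us"] += 1
        elif f["dst"] == BROADCAST:
            counts["broadcast_in"] += 1
        elif f["dst_ip"] in our_ips:
            # A packet for one of our addresses, but the upstream router put
            # another MAC in the frame: the classic stale-ARP signature.
            counts["misdirected"] += 1
            misdirected[f["dst"]] += 1
        else:
            counts["other"] += 1
    return counts, misdirected

def verdict(counts, misdirected):
    if counts["misdirected"] and not counts["to_us"]:
        macs = ", ".join(sorted(misdirected))
        return f"stale ARP upstream: replies for our addresses go to {macs}, none to our MAC"
    if counts["to_us"]:
        return "replies are reaching our MAC; look at the firewall rules, not ARP"
    return "no inbound traffic for our addresses seen; check the link itself"

# Constructed sample: OUR_MAC is the replacement firewall's external NIC,
# OLD_MAC the previous firewall's NIC, GW_MAC the upstream router.
OUR_MAC = "00:0c:29:aa:bb:cc"
OLD_MAC = "00:0c:29:11:22:33"
GW_MAC = "00:1b:54:de:ad:01"
OUR_IPS = ["171.66.155.243", "171.66.155.244", "171.66.155.245", "171.66.155.246"]
SAMPLE = [
    f"12:00:01.000100 {OUR_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 75: 171.66.155.243.40321 > 192.0.2.53.53: 12345+ A? example.com. (29)",
    f"12:00:01.020300 {GW_MAC} > {OLD_MAC}, ethertype IPv4 (0x0800), length 91: 192.0.2.53.53 > 171.66.155.243.40321: 12345 1/0/0 A 192.0.2.80 (45)",
    f"12:00:01.100000 {OUR_MAC} > {GW_MAC}, ethertype IPv4 (0x0800), length 74: 171.66.155.243.51000 > 192.0.2.80.80: Flags [S], seq 1, win 64240, length 0",
    f"12:00:01.120000 {GW_MAC} > {OLD_MAC}, ethertype IPv4 (0x0800), length 74: 192.0.2.80.80 > 171.66.155.243.51000: Flags [S.], seq 2, ack 2, win 65535, length 0",
    f"12:00:02.000000 {GW_MAC} > {BROADCAST}, ethertype ARP (0x0806), length 60: Request who-has 171.66.155.246 tell 171.66.155.241, length 46",
    f"12:00:03.000000 {OUR_MAC} > {BROADCAST}, ethertype ARP (0x0806), length 42: Request who-has 171.66.155.243 tell 171.66.155.243, length 28",
]

def run_sample():
    counts, misdirected = triage(SAMPLE, OUR_MAC, OUR_IPS)
    return counts, misdirected, verdict(counts, misdirected)

if __name__ == "__main__":
    counts, misdirected, result = run_sample()
    print(dict(counts))
    print(result)
```

Feed it a real capture with `tcpdump -e -n -i <ext-if> | python3 triage.py`-style plumbing after swapping `SAMPLE` for `sys.stdin`. One caveat when reading the result: on a switched segment the misdirected frames are only visible to the new firewall while the switch has no port learned for the old MAC (it floods unknown destinations); on a direct cable to the ISP router every frame is visible. If the script reports no inbound frames at all rather than misdirected ones, the problem is below ARP.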
My earlier problem (firewall not able to communicate with any Internet host) appears, as predicted, to have been because of a stale ARP cache problem. It's working OK now. Thanks again for the suggestions.

Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales