Hello!

I have a small network at home with gateway/router, server and
desktop. On all boxes run Debian GNU/Linux Etch.

So far this network works but today I can't access the internet from
server nor desktop, but only from gateway/router.

I can access gateway/router from desktop and from server through
SSH.

I can't ping from server nor from desktop the internet, say
www.google.com.

I have set up shorewall on all three systems, and that setup works so
far.

I haven't changed any setup recently as far as I know.
I don't know how this can happen with my network?

shorewall starts successfully on all three systems.

I tried to search with Google from the desktop that is on LAN in my
network but with no success.

When I try to follow the Shorewall Support Guide at c. I get an error
message:

$ sudo /sbin/shorewall dump > status.txt
/sbin/shorewall: line 1098: 11210 Illegal instruction ip addr ls

What causes this error?

-- 
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

Csanyi Pal <csanyipal@gmail.com> writes:

> Hello!
>
> I have a small network at home with gateway/router, server and
> desktop. On all boxes run Debian GNU/Linux Etch.
>
> So far this network works but today I can't access the internet from
> server nor desktop, but only from gateway/router.
>
> I can access gateway/router from desktop and from server through
> SSH.
>
> I can't ping from server nor from desktop the internet, say
> www.google.com.
>
> I have set up shorewall on all three systems, and that setup works so
> far.
>
> I haven't changed any setup recently as far as I know.
> I don't know how this can happen with my network?
>
> shorewall starts successfully on all three systems.
>
> I tried to search with Google from the desktop that is on LAN in my
> network but with no success.
>
> When I try to follow the Shorewall Support Guide at c. I get an error
> message:
>
> $ sudo /sbin/shorewall dump > status.txt

I tried to open with w3m the www.google.com website:

$ host www.google.com
www.google.com CNAME www.l.google.com
www.l.google.com A 209.85.135.103
www.l.google.com A 209.85.135.104
www.l.google.com A 209.85.135.99
www.l.google.com A 209.85.135.147

from desktop machine that has IP address 192.168.1.100 with no success.

How can I solve this problem?

Any advice will be appreciated!

-- 
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm

Csanyi Pal wrote:

> ...
> I have a small network at home with gateway/router, server and
> desktop. On all boxes run Debian GNU/Linux Etch.
> ...
> When I try to follow the Shorewall Support Guide at c. I get an error
> message:
>
> $ sudo /sbin/shorewall dump > status.txt
> /sbin/shorewall: line 1098: 11210 Illegal instruction ip addr ls
>
> What causes this error?

If you're getting that sort of error on a simple command like ip addr ls, you could have a corrupt hard disk or RAM stick.

Paul

Csanyi Pal wrote:

> Hello!
>
> I have a small network at home with gateway/router, server and
> desktop. On all boxes run Debian GNU/Linux Etch.
>
> So far this network works but today I can't access the internet from
> server nor desktop, but only from gateway/router.
>
> I can access gateway/router from desktop and from server through
> SSH.
>
> I can't ping from server nor from desktop the internet, say
> www.google.com.

What makes you believe that the problem has anything to do with Shorewall? If you "shorewall clear", can you then do DNS lookups from the firewall?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep <teastep@shorewall.net> writes:

> Csanyi Pal wrote:
>> Hello!
>>
>> I have a small network at home with gateway/router, server and
>> desktop. On all boxes run Debian GNU/Linux Etch.
>>
>> So far this network works but today I can't access the internet from
>> server nor desktop, but only from gateway/router.
>>
>> I can access gateway/router from desktop and from server through
>> SSH.
>>
>> I can't ping from server nor from desktop the internet, say
>> www.google.com.
>
> What makes you believe that the problem has anything to do with
> Shorewall? If you "shorewall clear", can you then do DNS lookups from
> the firewall?

I can nslookup from the firewall even if the shorewall is running.

I can't nslookup only behind the firewall, from LAN, from desktop machine, even if I do "shorewall clear".

Well, maybe this problem has nothing to do with Shorewall. I don't understand how it can be that on LAN DNS suddenly doesn't work? I have not changed the setup of anything related to the network recently.

If you think that my Shorewall setup is OK then please point me in the right direction how to solve this problem!

-- 
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm

> Tom Eastep <teastep@shorewall.net> writes:
>
>> Csanyi Pal wrote:
>>> Hello!
>>>
>>> I have a small network at home with gateway/router, server and
>>> desktop. On all boxes run Debian GNU/Linux Etch.
>>>
>>> So far this network works but today I can't access the internet from
>>> server nor desktop, but only from gateway/router.
>>>
>>> I can access gateway/router from desktop and from server through
>>> SSH.
>>>
>>> I can't ping from server nor from desktop the internet, say
>>> www.google.com.
>>
>> What makes you believe that the problem has anything to do with
>> Shorewall? If you "shorewall clear", can you then do DNS lookups from
>> the firewall?
>
> I can nslookup from the firewall even if the shorewall is running.
>
> I can't nslookup only behind the firewall, from LAN, from desktop
> machine, even if I do "shorewall clear".
>
> Well, maybe this problem has nothing to do with Shorewall. I don't
> understand how it can be that on LAN DNS suddenly doesn't
> work? I have not changed the setup of anything related to the
> network recently.
>
> If you think that my Shorewall setup is OK then please point me
> in the right direction how to solve this problem!

Did you update bind recently on your boxes? You should have done it for security reasons. Maybe now your DNS queries are using random source ports instead of fixed port 53 and you have to adjust your shorewall configs.

Simon

Csanyi Pal wrote:

> If you think that my Shorewall setup is OK then please point me
> in the right direction how to solve this problem!

First step - calm down, take a deep breath, and work methodically.

From your clients, can they contact services by IP address? Can they ping external addresses? If they can then it shows your routing and/or NAT is working OK. If not, then fix that.

What do your clients have configured for a resolver? Is it what you thought they had configured?

When you make a query from a client, can you see the query packet on the wire with a packet sniffer (I like wireshark, or more normally the text-only version tshark)? If not, then look into why the client isn't sending the packet.

Can you see the packet inbound on your gateway (which I assume is doing your DNS) with a packet sniffer? Does it have a DNS service running? Does the DNS service log the query and/or any errors? Does the DNS service resolve the address queried? Does it return the result to the client? Does the client receive it?

As you can see, most of this does not involve Shorewall - but there are steps where packets could be blocked by one device or the other.

"Simon Matter" <simon.matter@invoca.ch> writes:

>> Tom Eastep <teastep@shorewall.net> writes:
>>
>>> Csanyi Pal wrote:
>>>> I have a small network at home with gateway/router, server and
>>>> desktop. On all boxes run Debian GNU/Linux Etch.
>>>>
>>>> So far this network works but today I can't access the internet from
>>>> server nor desktop, but only from gateway/router.
>>>>
>>>> I can access gateway/router from desktop and from server through
>>>> SSH.
>>>>
>>>> I can't ping from server nor from desktop the internet, say
>>>> www.google.com.
>
> Did you update bind recently on your boxes? You should have done it for
> security reasons. Maybe now your DNS queries are using random source ports
> instead of fixed port 53 and you have to adjust your shorewall configs.

I have installed on desktop machine:
i bind9-host
i A libbind9-0
i A winbind

but haven't installed
p bind

-- 
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm

> "Simon Matter" <simon.matter@invoca.ch> writes:
>
>>> Tom Eastep <teastep@shorewall.net> writes:
>>>
>>>> Csanyi Pal wrote:
>>>>> I have a small network at home with gateway/router, server and
>>>>> desktop. On all boxes run Debian GNU/Linux Etch.
>>>>>
>>>>> So far this network works but today I can't access the internet from
>>>>> server nor desktop, but only from gateway/router.
>>>>>
>>>>> I can access gateway/router from desktop and from server through
>>>>> SSH.
>>>>>
>>>>> I can't ping from server nor from desktop the internet, say
>>>>> www.google.com.
>
>> Did you update bind recently on your boxes? You should have done it for
>> security reasons. Maybe now your DNS queries are using random source
>> ports instead of fixed port 53 and you have to adjust your shorewall configs.
>
> I have installed on desktop machine:
> i bind9-host
> i A libbind9-0
> i A winbind
>
> but haven't installed
> p bind

That's what I meant, you have some kind of bind libs installed and I'm quite sure they were updated recently. Check your shorewall config that you allow DNS requests with variable source ports.

Simon

Csanyi

Please post the results:

From the GW:
# host www.google.com
# host www.google.com 127.0.0.1
# host www.google.com 192.168.1.1 # maybe your gw
# host www.google.com 4.2.2.2
# host www.google.com 208.67.222.222
# cat /etc/resolv.conf

From the GW:
# host www.google.com
# host www.google.com 127.0.0.1
# host www.google.com 4.2.2.2
# host www.google.com 208.67.222.222
# cat /etc/resolv.conf

-Gilson

On 2008-07-24, Csanyi Pal <csanyipal@gmail.com> wrote:
>
> "Simon Matter" <simon.matter@invoca.ch> writes:
>
> >> Tom Eastep <teastep@shorewall.net> writes:
> >>
> >>> Csanyi Pal wrote:
> >>>> I have a small network at home with gateway/router, server and
> >>>> desktop. On all boxes run Debian GNU/Linux Etch.
> >>>>
> >>>> So far this network works but today I can't access the internet from
> >>>> server nor desktop, but only from gateway/router.
> >>>>
> >>>> I can access gateway/router from desktop and from server through
> >>>> SSH.
> >>>>
> >>>> I can't ping from server nor from desktop the internet, say
> >>>> www.google.com.
>
> > Did you update bind recently on your boxes? You should have done it for
> > security reasons. Maybe now your DNS queries are using random source ports
> > instead of fixed port 53 and you have to adjust your shorewall configs.
>
> I have installed on desktop machine:
> i bind9-host
> i A libbind9-0
> i A winbind
>
> but haven't installed
> p bind
>
> --
> Regards, Paul Csanyi
> http://www.freewebs.com/csanyi-pal/index.htm

-- 
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda

Sorry, the first group post from the DESKTOP.

On 2008-07-24, Gilson Soares <gilson.soares@kobold.com.br> wrote:
>
> Csanyi
> Please post the results:
>
> From the GW:
> # host www.google.com
> # host www.google.com 127.0.0.1
> # host www.google.com 192.168.1.1 # maybe your gw
> # host www.google.com 4.2.2.2
> # host www.google.com 208.67.222.222
> # cat /etc/resolv.conf
> From the GW:
> # host www.google.com
> # host www.google.com 127.0.0.1
> # host www.google.com 4.2.2.2
> # host www.google.com 208.67.222.222
> # cat /etc/resolv.conf
>
> -Gilson

-- 
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda

Hello!

I asked my ISP whether anything has changed and they say they have changed my public IP address. It was 91.102.227.98 and now it is 91.102.231.33.

There was a person who doesn't have the skills to tell me what else has been changed, but tomorrow another person shall come who shall tell me all about these changes.

"Gilson Soares" <gilson.soares@kobold.com.br> writes:

> From the DESKTOP:
> # host www.google.com

;; connection timed out; no servers could be reached

> # host www.google.com 127.0.0.1

;; connection timed out; no servers could be reached

> # host www.google.com 192.168.1.1 # maybe your gw

Using domain server:
Name: 192.168.1.1
Address: 192.168.1.1#53
Aliases:

www.google.com is an alias for www.l.google.com.
www.l.google.com has address 72.14.215.104
www.l.google.com has address 72.14.215.99

> # host www.google.com 4.2.2.2

;; connection timed out; no servers could be reached

> # host www.google.com 208.67.222.222

;; connection timed out; no servers could be reached

> # cat /etc/resolv.conf

search csanyi-pal.info
nameserver 62.108.117.6
nameserver 213.244.255.2

> From the GW:
> # host www.google.com

www.google.com CNAME www.l.google.com
www.l.google.com A 209.85.135.103
www.l.google.com A 209.85.135.99
www.l.google.com A 209.85.135.104
www.l.google.com A 209.85.135.147

> # host www.google.com 127.0.0.1

www.google.com CNAME www.l.google.com
www.l.google.com A 72.14.215.99
www.l.google.com A 72.14.215.104

> # host www.google.com 4.2.2.2

www.google.com CNAME www.l.google.com
www.l.google.com A 216.239.59.104
www.l.google.com A 216.239.59.147
www.l.google.com A 216.239.59.99
www.l.google.com A 216.239.59.103

> # host www.google.com 208.67.222.222

www.google.com CNAME google.navigation.opendns.com
google.navigation.opendns.com A 208.69.32.231
google.navigation.opendns.com A 208.69.32.230

> # cat /etc/resolv.conf

nameserver 62.108.117.6
nameserver 213.244.255.2

-- 
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm

Csanyi Pal wrote:

> Hello!
>
> I asked my ISP whether anything has changed and they say they have
> changed my public IP address. It was 91.102.227.98 and now it is
> 91.102.231.33.

Your /etc/shorewall/masq file still has 91.102.227.98 in the ADDRESS column.

If your external IP address is likely to change without notice, it would be a good idea to leave that column empty.

-Tom

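Added example, not part of the thread and not Shorewall's own code: a shell check for the condition Tom diagnoses above, where the ADDRESS column of /etc/shorewall/masq pins SNAT to an address the external interface no longer holds, so forwarded LAN traffic leaves with a source address whose replies never come back. The interface name eth0 and the 192.168.1.0/24 source network in the sample are assumptions; the two public addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: find masq entries whose ADDRESS column pins an SNAT source
# address that the external interface no longer holds.

# Primary global IPv4 address currently on an interface (needs iproute2).
current_ip() {
    ip -4 -o addr show dev "$1" scope global |
        awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }'
}

# stale_masq_entries MASQ_FILE CURRENT_IP
# Prints one line per entry whose pinned address differs from CURRENT_IP.
# Exit status: 1 if any stale entry was found, 0 otherwise.
stale_masq_entries() {
    awk -v cur="$2" '
        { sub(/#.*/, "") }              # strip comments
        NF < 3 { next }                 # blank line, or ADDRESS column left empty
        {
            addr = $3
            sub(/[,:-].*/, "", addr)    # first address of a list, range or addr:port form
            if (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && addr != cur) {
                printf "line %d: %s pinned to %s, interface has %s\n", NR, $1, addr, cur
                stale = 1
            }
        }
        END { exit stale + 0 }
    ' "$1"
}

# Constructed sample file: eth0 and 192.168.1.0/24 are assumed values,
# the public addresses are the old and new ones quoted in the thread.
sample_masq() {
    cat <<'EOF'
#INTERFACE  SOURCE          ADDRESS
eth0        192.168.1.0/24  91.102.227.98
EOF
}

f=$(mktemp)
sample_masq > "$f"
stale_masq_entries "$f" 91.102.231.33 ||
    echo "=> ADDRESS column is stale: empty it or update it, then restart Shorewall"
rm -f "$f"
```

On a gateway the check would be called as `stale_masq_entries /etc/shorewall/masq "$(current_ip eth0)"`, with eth0 replaced by the real external interface.
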
Csanyi Pal wrote:

>
> I left the ADDRESS column empty.
>
> This solved my problem! :)
>

Glad to hear that it is working again.

-Tom

Tom Eastep <teastep@shorewall.net> writes:

> Csanyi Pal wrote:
>> I asked my ISP whether anything has changed and they say they have
>> changed my public IP address. It was 91.102.227.98 and now it is
>> 91.102.231.33.
>
> Your /etc/shorewall/masq file still has 91.102.227.98 in the ADDRESS column.
>
> If your external IP address is likely to change without notice, it
> would be a good idea to leave that column empty.

I left the ADDRESS column empty.

This solved my problem! :)

-- 
Regards, Paul Csanyi
http://www.freewebs.com/csanyi-pal/index.htm

>>> I have a small network at home with gateway/router, server and
>>> desktop. On all boxes run Debian GNU/Linux Etch.
>>> So far this network works but today I can't access the internet from
>>> server nor desktop, but only from gateway/router.
>>> I can access gateway/router from desktop and from server through
>>> SSH.

>>> I can't ping from server nor from desktop the internet, say
>>> www.google.com.

When DNS is broken, `ping` by name becomes a useless diagnostic tool; not only will it not shed any useful light on what's going on, it won't work at all. Its failure tells you nothing more than that DNS is broken. Only `ping` by IP Address may be meaningful when DNS is broken.

> I can't nslookup only behind the firewall, from LAN, from desktop
> machine, even if I do "shorewall clear".

If you can recreate a problem after `shorewall clear`, you can be _sure_ it has nothing to do with Shorewall. (Debugging can be quite confusing though if there's a _second_ problem that involves Shorewall and you forget to do `shorewall clear` after every firewall restart while resolving the _first_ problem.)

> ... . I don't understand how it can be that on LAN DNS
> suddenly doesn't work? I have not changed the setup of anything
> related to the network recently.

Although _you_ didn't change (are you really sure?), maybe _the_net_ did. Don't assume that the rest of the world didn't change just because you didn't.

Specifically, it's likely the DNS server your systems used to get their information from isn't responding any more, possibly because it's been turned off or possibly because its IP Address changed or possibly because its owner has figured out how to shut down unauthorized use or possibly because of some "security fix".

Are you using the DNS servers provided by your ISP? If so, look for recent announcements from your ISP related to name service. If you can't find any, call your ISP and ask for help.

> I can nslookup from the firewall even if the shorewall is running.

Then look at /etc/resolv.conf on both the firewall (where it works) and on a client system (where it doesn't work). They'll be different, and the entries in /etc/resolv.conf on the client system aren't any good any more. Copy the values from the /etc/resolv.conf on the firewall into the client /etc/resolv.conf over top of what's there. Most likely things will start to work.

thanks! -Chuck Kollars