Matt Jamison
2008-Aug-03 18:50 UTC
Trying to replace shorewall box with another but with weird results...
Hey guys, currently we have a Dell PE2850 acting as our firewall/nat with shorewall. I am trying to move it over to a PE1650 so I can reclaim that much better 2850 for other uses.

The 2850 is running Debian Etch 4.0 AMD64 distro, the 1650 is running the same but 686 distro.

I have copied over the contents of /etc/shorewall/* from the 2850 to the 1650, copied over /etc/network/interfaces as well. When I power up the 1650 it is acting very weird. I can ping the external gateway and I can SSH out to only 1 server we have that's not behind our firewall. None of the servers behind the firewall can get out nor can I get into any of them remotely. While the 1650 is trying to act as the firewall, I can SSH into any of the servers behind the firewall on the localnet. I have checked the routes with "route" and confirmed they are identical on the boxes. What is strange though is that the 1650 does not log a single line to /var/log/messages while the 2850, when in operations writes to it pretty consistently. The init.d scripts for logging are identical on both boxes as well. I do have it set so that it does not print to the screen. DNS is also working fine as there is a DNS server behind the firewall, which I can successfully run an nslookup for the servers I want to ssh into that are not behind the firewall. Obviously I cannot query the DNS server for anything external that is not in our domain and not already cached on the name server, since it can't get out on any port. So it's not DNS. Any help would be greatly appreciated.

Some additional information... the 2850 has portsentry, snort and tiger installed. I also installed the same on the 1650 and copied over the config files to the 1650. I also tried stopping all of those while I was trying to get the 1650 in place as the firewall but it changed nothing.

Not sure if you needed dumps from both servers but they are attached.

-- 
Matt Jamison
Systems Administrator
New Homes Realty, Inc
(813)319-3095

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Simon Matter
2008-Aug-03 20:17 UTC
Re: Trying to replace shorewall box with another but with weird results...
Well, if both boxes are configured the same way they should also work the same way.

Two questions come to mind:

1) Are all interfaces configured correctly on the new box? Are they correctly attached? Some distros put the MAC addresses into the interface configs by default.

2) If you switch to the new box, can it be that some arp caches on routers are not updated? That's very likely to happen in certain configs (for example with proxyarp) and maybe you have such a config. Reset those devices after changing the firewall to the new box.

Simon
Matt Jamison
2008-Aug-03 20:52 UTC
Re: Trying to replace shorewall box with another but with weird results...
Hey Simon, yes Debian does keep the mac addresses mapped to the interface, eth0, eth1, etc. but that has no bearing on shorewall, unless shorewall somewhere has the mac address of the interface in its configuration, which I have never seen before.

The router eth0 plugs into, to get out to the internet, had its arp tables cleared a couple times by the network guys. This firewall I am replacing is at a co-location so I am at the mercy of their support.

You did spark an idea though, if it is in fact the arp tables, I can try and give eth0 an unused public IP and see if it'll let me out then. Thanks for sparking that idea. I'll stay up late tonight and see if I can't get it going. I will let you know what I find out. Thanks.

Matt Jamison
Systems Administrator
New Homes Realty, Inc
(813)319-3095
Simon Matter
2008-Aug-03 22:18 UTC
Re: Trying to replace shorewall box with another but with weird results...
You could also try arping to force the router to pick up new arp entries.

Simon
Joerg Mertin
2008-Aug-04 04:28 UTC
Re: Trying to replace shorewall box with another but with weird results...
Matt Jamison wrote: [...]

one thing coming to my mind - is that some Linux Distributions - like e.g. Ubuntu - link the interface number (ethx) to the Mac address hard via the udev daemon. This means - if you copy the configuration (network) onto another Hardware-System - you will not get eth0,eth1 ...ethn, but everything will start at: eth0+n,eth1+n ... ethn+m. Mean - you will eventually only get the default networkinterface configured as fallback.

Under Ubuntu - check the /etc/udev/rules.d/70-persistent-net.rules file and adapt the mac-address accordingly. Dunno if Debian itself is handling the same way. Long time I've not used debian (since they suddenly dropped support for debian 3 - without pre-notice - I switched over to Ubuntu LTS Server).

Cheers
Joerg

-- 
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP: Public Key Server - Get "0x98885d97170b8b7a"
Simon Hobson
2008-Aug-04 06:36 UTC
Re: Trying to replace shorewall box with another but with weird results...
Joerg Mertin wrote:
> one thing coming to my mind - is that some Linux Distributions - like e.g. Ubuntu - link the interface number (ethx) to the Mac address hard via the udev daemon. This means - if you copy the configuration (network) onto another Hardware-System - you will not get eth0,eth1 ...ethn, but everything will start at: eth0+n,eth1+n ... ethn+m. Mean - you will eventually only get the default networkinterface configured as fallback.
>
> Under Ubuntu - check the /etc/udev/rules.d/70-persistent-net.rules file and adapt the mac-address accordingly. Dunno if Debian itself is handling the same way.

Yes, Debian does that now - means interface names don't change on reboots :-) The file is z25-persistent-net-rules on Debian.
Joerg Mertin
2008-Aug-04 11:47 UTC
Re: Trying to replace shorewall box with another but with weird results...
Simon Hobson wrote: [...]
> Yes, Debian does that now - means interface names don't change on reboots :-) The file is z25-persistent-net-rules on Debian.

So I suppose it has to be addressed. Cause Shorewall is going to handle interface eth0/ethx - while the debian system renames the interfaces after the last old ethx interface.

Matt - maybe you should check it out ;)

Cheers
Joerg

-- 
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP: Public Key Server - Get "0x98885d97170b8b7a"
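The check Joerg suggests, written out as an added example that is not part of the thread or of Shorewall itself: a POSIX shell script that cross-checks the interface names /etc/network/interfaces and the shorewall interfaces file expect against the MAC-to-name pins in the udev persistent-net rules, and lists rules whose MAC is not on the box (the situation that would push a real NIC to a higher number). The Debian path /etc/udev/rules.d/z25_persistent-net.rules is the one named in the thread; the three files the script writes to a temporary directory, the MAC addresses in them and the PRESENT_MACS list are constructed samples and assumptions, not data from either server.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the interface names that
# shorewall and /etc/network/interfaces expect against the udev persistent-net
# rules that pin a name to a MAC address, and list rules whose MAC is not
# present on this box. All three files below are constructed samples; on a
# real Debian box point the variables at /etc/udev/rules.d/z25_persistent-net.rules,
# /etc/network/interfaces and /etc/shorewall/interfaces instead.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
UDEV_RULES="$WORK/z25_persistent-net.rules"
IFACES="$WORK/interfaces"
SHOREWALL_IFACES="$WORK/shorewall-interfaces"

# Constructed (assumption): MACs of the two NICs in the new box.
# On a real box: cat /sys/class/net/*/address
PRESENT_MACS="00:11:22:33:44:55 00:11:22:33:44:56"

# Constructed rules: the two local NICs plus one rule that would have come
# along if the old box's rules file had been copied over as well.
cat > "$UDEV_RULES" <<'EOF'
# constructed sample rules
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:11:22:33:44:55", NAME="eth0"
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:11:22:33:44:56", NAME="eth1"
SUBSYSTEM=="net", DRIVERS=="?*", ATTRS{address}=="00:aa:bb:cc:dd:ee", NAME="eth2"
EOF

cat > "$IFACES" <<'EOF'
auto lo eth0 eth1
iface lo inet loopback
iface eth0 inet static
    address 192.0.2.10
    netmask 255.255.255.0
    gateway 192.0.2.1
iface eth1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
EOF

cat > "$SHOREWALL_IFACES" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,routefilter,nosmurfs
loc     eth1        detect      tcpflags
EOF

# Interface names pinned by the rules file (comment lines ignored).
udev_names() {
    sed -n 's/^[^#].*NAME="\([^"]*\)".*/\1/p' "$1"
}

# MAC pinned to one interface name; prints nothing if no rule exists for it.
udev_mac_for() {
    sed -n "s/^[^#].*ATTRS{address}==\"\([^\"]*\)\".*NAME=\"$2\".*/\1/p" "$1"
}

# Names the network config ($1) and the shorewall interfaces file ($2) expect,
# loopback excluded, one per line, deduplicated.
expected_ifaces() {
    {
        awk '$1 == "iface" && $2 != "lo" { print $2 }' "$1"
        awk '!/^#/ && NF >= 2 { print $2 }' "$2"
    } | sort -u
}

# For every expected name, report whether a rule pins a MAC to it. A NIC with
# no rule comes up under the next free number instead, and the shorewall zone
# bound to the expected name then has no interface. Returns 1 if any is missing.
check_iface_names() {
    rc=0
    for name in $(expected_ifaces "$2" "$3"); do
        mac=$(udev_mac_for "$1" "$name")
        if [ -n "$mac" ]; then
            echo "OK      $name -> $mac"
        else
            echo "MISSING $name has no persistent-net rule"
            rc=1
        fi
    done
    return $rc
}

# Rules whose MAC is absent from $2 (space-separated MACs on this box):
# leftovers from another machine that keep their name reserved.
stale_rules() {
    for name in $(udev_names "$1"); do
        mac=$(udev_mac_for "$1" "$name")
        case " $2 " in
            *" $mac "*) ;;
            *) echo "$name $mac" ;;
        esac
    done
}

echo "== interfaces expected by the configs =="
expected_ifaces "$IFACES" "$SHOREWALL_IFACES"
echo "== persistent-net rule check =="
check_iface_names "$UDEV_RULES" "$IFACES" "$SHOREWALL_IFACES"
echo "== rules for MACs not present on this box =="
stale_rules "$UDEV_RULES" "$PRESENT_MACS"
```

On the sample data both expected names are pinned, and the stale eth2 rule is reported; running the same functions against the real files on a freshly built box is a quick way to confirm the interface numbering before shorewall is started on it.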
Matt Jamison
2008-Aug-04 13:02 UTC
Re: Trying to replace shorewall box with another but with weird results...
Thanks for the suggestions guys but in the original email I sent out I clearly listed the files I copied from the 2850 to the 1650 and I never copied over the file that maps the mac address to the eth number. As Simon stated it's /etc/udev/rules.d/z25_persistent-net.rules in Debian. This file was originally created when I built the server and has not changed. The only way it would change is if I had copied that file from the 2850 to the 1650, then when Debian booted up it would think there were 2 more NICs and label them eth2 and eth3, which is not the case. The only files I copied over were the shorewall configs and the /etc/network/interfaces file which does not contain any mac address configurations in it, only IP addresses to eth0, eth1, etc.

I think the problem is as Simon stated in his first reply, the arp tables on the router. When I hook up a new box to that router with the same IP as the old one but different mac address, the router doesn't like that and won't push anything to it. I will give eth0 an unused public IP and see if that helps.

Matt Jamison
Systems Administrator
New Homes Realty, Inc
(813)319-3095