Folks,

I have been able to get my routing straight (at least I think so); however, at the point in time when I try to bring up my browser (Firefox) or email (Thunderbird), my laptop loses connectivity to my network. The route display and netstat -rn appear to contain what I expect.

I am attaching two tgz files (NEW_dump.tgz and OLD_dump.tgz). The one labeled OLD is from the system that does not fail; the NEW one is from the failing system. OLD runs Ubuntu 8.04 LTS and NEW runs Ubuntu 10.04.2 LTS; Shorewall versions are 4.0 and 4.4 respectively.

Both systems have three interfaces (net, local and wireless).

Here is what is happening. I can ping -c3 yahoo.com no problem. I can ping inside my local net no problem. I have an IP address that was assigned via dhclient (it is as expected). I bring up my browser and it fails to properly load. My routes look OK and my IP address is still there. I can no longer ping my firewall.

I have checked my configuration files /etc/dhcp3/dhcpd.conf, /etc/dhcp3/dhclient.conf and /etc/interfaces are the same (I used diff on them). I am going to do the same for each of the configuration files in Shorewall before I send this. There were only the differences that were expected.

PLEASE take a peek at it and let me know if you see anything amiss.

If you need anything else please let me know.

Thanks,
Jay

--
Jay Ridgley
jridgley2@austin.rr.com
Registered Linux User ID - 9115
Registered Ubuntu User ID - 23320

------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
On 3/17/11 4:38 PM, Jay Ridgley wrote:
>
> OLD runs Ubuntu 8.04 LTS and NEW runs Ubuntu 10.04.2 LTS Shorewall
> versions are 4.0 and 4.4 respectively.
>
> Both systems have three interfaces(net, local and wireless).
>
> Here is what is happening I can ping -c3 yahoo.com no problem.

From where? Firewall? System inside the firewall? System in your neighbor's garage?

> I can ping inside my local net no problem. I have an IP address that
> was assigned via dhclient (it is as expected).

*You* do not have an IP address. Some computer that you are using has an IP address. Again, inside the firewall?

> I bring up my browser and it fails to properly load.

The binary fails to run or your home page cannot be loaded.

> My routes look OK and my IP address is still there. I can no longer
> ping my firewall.

You could ping the firewall before you started your browser?

> I have checked my configuration files /etc/dhcp3/dhcpd.conf
> /etc/dhcp3/dhclient.conf and /etc/interfaces are the same (I used
> diff on them). I am going to do the same for each of the
> configuration file in Shorewall before I send this. There were only
> the differences that were expected.

Did you go through the 4.0->4.4 migration document (http://www.shorewall.net/LennyToSqueeze.html) and assess each potential problem against your configuration?

> PLEASE take a peek at it and let me know if you see anything amiss.
>
> If you need anything else please let know.

There seem to be lots of connections passing through the Shorewall box? Is this problem limited to you (your personal system) or are all users on the LAN or wireless networks affected?

-Tom

--
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
On 03/17/2011 07:10 PM, Tom Eastep wrote:
> On 3/17/11 4:38 PM, Jay Ridgley wrote:
>>
>> OLD runs Ubuntu 8.04 LTS and NEW runs Ubuntu 10.04.2 LTS Shorewall
>> versions are 4.0 and 4.4 respectively.
>>
>> Both systems have three interfaces(net, local and wireless).
>>
>> Here is what is happening I can ping -c3 yahoo.com no problem.
>
> From where? Firewall? System inside the firewall? System in your
> neighbor's garage?

I am sorry, the problem manifests itself on my laptop which has a wireless connection to my local network. It is from within home (my chair in the living room). The remainder of my systems are all wired. Those systems do not appear to be affected, only the laptop.

>> I can ping inside my local net no problem. I have an IP address that
>> was assigned via dhclient (it is as expected).
>
> *You* do not have an IP address. Some computer that you are using has an
> IP address. Again, inside the firewall?

I was referring to my laptop once again. The IP address is the one obtained through the negotiation with the access point from the firewall system. Yes, it is inside the firewall.

>> I bring up my browser and it fails to properly load.
>
> The binary fails to run or your home page cannot be loaded.

The home page stops loading. The binary is still running. It eventually displays an error screen that states it could not connect to the site.

>> My routes look OK and my IP address is still there. I can no longer
>> ping my firewall.
>
> You could ping the firewall before you started your browser?

Yes, I am able to ping the firewall before I start the browser. In fact, I am able to obtain an SSH connection to the firewall.

>> I have checked my configuration files /etc/dhcp3/dhcpd.conf
>> /etc/dhcp3/dhclient.conf and /etc/interfaces are the same (I used
>> diff on them). I am going to do the same for each of the
>> configuration file in Shorewall before I send this. There were only
>> the differences that were expected.
>
> Did you go through the 4.0->4.4 migration document
> (http://www.shorewall.net/LennyToSqueeze.html) and assess each potential
> problem against your configuration?

Yes, I did make some corrections based upon that review; however, there were only two or three of them.

>> PLEASE take a peek at it and let me know if you see anything amiss.
>>
>> If you need anything else please let know.
>
> There seem to be lots of connections passing through the Shorewall box?
> Is this problem limited to you (your personal system) or are all users
> on the LAN or wireless networks affected?

Are the number of these connections abnormal? My wireless connection should only be coming from my 192.168.139.32/28 subnet; the allowed hosts are within the 192.168.139.35 through 192.168.139.39 range. I am including the entry from /etc/dhcp3/dhcpd.conf for both the wireless and wired subnets below:

    # DHCP subnet a wireless Access Point for eth2
    subnet 192.168.139.32 netmask 255.255.255.240 {
        range 192.168.139.35 192.168.139.39;
        option routers 192.168.139.34;
        option subnet-mask 255.255.255.240;
        option broadcast-address 192.168.139.47;
        option domain-name-servers 24.93.41.127, 24.93.41.128;
        option ip-forwarding off;
        default-lease-time 21600;
        max-lease-time 43200;
    }

    # Include a static ip address for the Access Point (per vendor)
    host bear_den {
        hardware ethernet 00:11:50:45:7A:42;
        fixed-address 192.168.139.33;
    }

All other connections are wired and within the range 192.168.139.0/28:

    subnet 192.168.139.0 netmask 255.255.255.240 {
        option routers 192.168.139.2;
        option subnet-mask 255.255.255.240;
        option domain-name-servers 24.93.41.127, 24.93.41.128;
        option ip-forwarding off;
    }

These are the same on both the OLD and NEW systems. My firewall system is utilized by all systems within my home. Normally there are a total of four actual systems (including my laptop) in addition to a network drive and an access point. They are all normally up 7x24. Other than the laptop all are wired; except for the access point, of course, which provides wireless connections. My personal laptop is currently the only wireless enabled system on my network and it is the only one that is having the problem. It works just fine using the OLD system...

> -Tom

Tom,

Thank you very much. I apologize for leaving out the details. I eventually want to be able to provide wireless connections for my son and my three grandchildren when they visit and bring their own computers with them.

Regards,
Jay
On 3/17/11 7:36 PM, Jay Ridgley wrote:
> On 03/17/2011 07:10 PM, Tom Eastep wrote:
>> On 3/17/11 4:38 PM, Jay Ridgley wrote:
>>>
>>> OLD runs Ubuntu 8.04 LTS and NEW runs Ubuntu 10.04.2 LTS Shorewall
>>> versions are 4.0 and 4.4 respectively.
>>>
>>> Both systems have three interfaces(net, local and wireless).
>>>
>>> Here is what is happening I can ping -c3 yahoo.com no problem.
>>
>> From where? Firewall? System inside the firewall? System in your
>> neighbor's garage?
>
> I am sorry, the problem manifests itself on my laptop which has a wireless
> connection to my local network. It is from within home (my chair in the living
> room). The remainder of my systems are all wired. Those systems do not appear to
> be affected, only the laptop.
>
>>> I can ping inside my local net no problem. I have an IP address that
>>> was assigned via dhclient (it is as expected).
>>
>> *You* do not have an IP address. Some computer that you are using has an
>> IP address. Again, inside the firewall?
>
> I was referring to my laptop once again. The IP address is the one obtained
> through the negotiation with the access point from the firewall system. Yes, it
> is inside the firewall.
>
>>> I bring up my browser and it fails to properly load.
>>
>> The binary fails to run or your home page cannot be loaded.
>
> The home page, stops loading. The binary is still running. It eventually
> displays an error screen that states it could not connect to the site.
>
>>> My routes look OK and my IP address is still there. I can no longer
>>> ping my firewall.
>>
>> You could ping the firewall before you started your browser?
>
> Yes, I am able to ping the firewall before I start the browser. In fact, I am
> able to obtain an SSH connection to the firewall.
>
>>> I have checked my configuration files /etc/dhcp3/dhcpd.conf
>>> /etc/dhcp3/dhclient.conf and /etc/interfaces are the same (I used
>>> diff on them). I am going to do the same for each of the
>>> configuration file in Shorewall before I send this. There were only
>>> the differences that were expected.
>>
>> Did you go through the 4.0->4.4 migration document
>> (http://www.shorewall.net/LennyToSqueeze.html) and assess each potential
>> problem against your configuration?
>
> Yes, I did make some corrections based upon that review, however, there were
> only two or three of them.
>
>>> PLEASE take a peek at it and let me know if you see anything amiss.
>>>
>>> If you need anything else please let know.
>>
>> There seem to be lots of connections passing through the Shorewall box?
>> Is this problem limited to you (your personal system) or are all users
>> on the LAN or wireless networks affected?
>
> Are the number of these connections abnormal? My wireless connection should only
> be coming from my 192.168.139.32/28 subnet the allowed hosts are within
> 192.168.139.35 through 192.168.139.39 range. I am including the entry from
> /etc/dhcp3/dhcpd.conf for both the wireless and wired subnets below:
>
> # DHCP subnet a wireless Access Point for eth2
>

In the old config, there were eth0, eth1 and eth2. In the new config, there are eth0, eth3 and eth4. I assume that all subsystems that care have been updated accordingly?

-Tom
On 3/17/11 7:36 PM, Jay Ridgley wrote:
> All other connections are wired and within the range 192.168.139.0/28
>
> subnet 192.168.139.0 netmask 255.255.255.240 {
>     option routers 192.168.139.2;
>     option subnet-mask 255.255.255.240;
>     option domain-name-servers 24.93.41.127, 24.93.41.128;
>     option ip-forwarding off;
> }

ARP

? (192.168.139.4) at 00:a0:cc:26:cb:bd [ether] on eth3
? (192.168.139.3) at 00:1a:a0:99:d0:90 [ether] on eth3
? (192.168.139.5) at 00:90:a9:6e:27:24 [ether] on eth3
? (70.112.128.1) at 00:1d:a2:e8:41:d9 [ether] on eth0
? (192.168.100.1) at 00:02:8a:de:ad:02 [ether] on eth0
? (192.168.139.37) at 00:1a:70:84:51:40 [ether] on eth4 <==

The only host known to the firewall on eth4 is .37.

-Tom
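An ARP table like the one Tom pasted is easier to vet mechanically than by eye. The following Python script is an added example, not part of this thread and not Shorewall code: it parses arp -a output in the layout shown above, checks each internal interface's entries against the subnets from the dhcpd.conf quoted earlier in the thread (the mapping of 192.168.139.0/28 to eth3 and 192.168.139.32/28 to eth4 is an assumption drawn from the interface renaming discussed), flags any private address learned on the external interface, and flags one MAC answering for several IP addresses. The sample table is constructed from the lines in Tom's message.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# "arp -a" line layout as pasted in the thread: "? (IP) at MAC [ether] on IFACE".
# Unresolved entries look like "? (IP) at <incomplete> on IFACE".
ARP_LINE = re.compile(
    r"^\S+\s+\((?P<ip>[0-9.]+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|<incomplete>)"
    r"(?:\s+\[ether\])?\s+on\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed sample input: the ARP table quoted in Tom's message.
SAMPLE_ARP = """\
? (192.168.139.4) at 00:a0:cc:26:cb:bd [ether] on eth3
? (192.168.139.3) at 00:1a:a0:99:d0:90 [ether] on eth3
? (192.168.139.5) at 00:90:a9:6e:27:24 [ether] on eth3
? (70.112.128.1) at 00:1d:a2:e8:41:d9 [ether] on eth0
? (192.168.100.1) at 00:02:8a:de:ad:02 [ether] on eth0
? (192.168.139.37) at 00:1a:70:84:51:40 [ether] on eth4
"""

# Expected prefix per internal interface. The prefixes come from the dhcpd.conf
# in the thread; assigning them to eth3 (wired) and eth4 (wireless) is an
# assumption. Interfaces not listed here (eth0, the external side) are checked
# only for private addresses, since we do not know the ISP's prefix.
EXPECTED = {
    "eth3": ipaddress.ip_network("192.168.139.0/28"),
    "eth4": ipaddress.ip_network("192.168.139.32/28"),
}


def parse_arp(text):
    """Return a list of (ip, mac, iface) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((ipaddress.ip_address(m.group("ip")),
                            m.group("mac").lower(), m.group("iface")))
    return entries


def audit_arp(text, expected=EXPECTED):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    ips_by_mac = defaultdict(set)
    for ip, mac, iface in parse_arp(text):
        if mac != "<incomplete>":
            ips_by_mac[mac].add(ip)
        net = expected.get(iface)
        if net is not None:
            if ip not in net:
                findings.append("%s on %s is outside the expected %s" % (ip, iface, net))
        elif ip.is_private:
            findings.append("private address %s learned on external interface %s"
                            % (ip, iface))
    # One MAC answering for several IPs can be a legitimate router or NAT box,
    # but it is also what ARP spoofing looks like, so it always deserves a look.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append("MAC %s answers for %d addresses: %s"
                            % (mac, len(ips), ", ".join(sorted(map(str, ips)))))
    return findings


if __name__ == "__main__":
    # Pipe real output in ("arp -a | python3 arp_audit.py") or run with no input
    # to audit the constructed sample.
    data = SAMPLE_ARP if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_arp(data):
        print("CHECK:", finding)
```

On the sample, the only finding is the 192.168.100.1 entry on eth0, which is exactly the line that caught Jay's attention. A finding is a prompt to verify, not a verdict: 192.168.100.1 is commonly the management address of a cable modem, so an entry like this on the ISP-facing interface of a cable-connected firewall can have a mundane explanation, and the way to settle it is to confirm the MAC against the modem's label and look at what traffic, if any, goes to it.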
On 03/17/2011 10:00 PM, Tom Eastep wrote:
> On 3/17/11 7:36 PM, Jay Ridgley wrote:
>
>> All other connections are wired and within the range 192.168.139.0/28
>>
>> subnet 192.168.139.0 netmask 255.255.255.240 {
>>     option routers 192.168.139.2;
>>     option subnet-mask 255.255.255.240;
>>     option domain-name-servers 24.93.41.127, 24.93.41.128;
>>     option ip-forwarding off;
>> }
>
> ARP
>
> ? (192.168.139.4) at 00:a0:cc:26:cb:bd [ether] on eth3
> ? (192.168.139.3) at 00:1a:a0:99:d0:90 [ether] on eth3
> ? (192.168.139.5) at 00:90:a9:6e:27:24 [ether] on eth3
> ? (70.112.128.1) at 00:1d:a2:e8:41:d9 [ether] on eth0
> ? (192.168.100.1) at 00:02:8a:de:ad:02 [ether] on eth0  <------------- this is reflected in the dump? eth0 is my firewall and to my knowledge the address contained is NOT part of my network.
> ? (192.168.139.37) at 00:1a:70:84:51:40 [ether] on eth4 <===
>
> The only host known to the firewall on eth4 is .37.  <------------- that would be correct
>
> -Tom

Tom,

Your prior message asked about the difference between eth1 and eth2 vs eth3 & eth4. Yes, all of the config files that required changes have been fixed to reflect that change.

This was brought about from moving NICs from the old system to the new system. I was having to do it so many times I purchased a pair of new NICs and when I installed them they showed up as eth3 and eth4. I have found no way to change them to eth1 and eth2. Do you have any ideas? I don't feel like that should be a worry, however.

I am very concerned about the 168.192.100.1 entry above. Is there a lot of traffic to/from it?

I did an arp from my firewall and 192.168.100.1 points to my main system (192.168.139.5). I am going to try to see where that came from.

Thanks,
Jay
Good morning Jay,

If you want to control and have persistent names for NICs on Linux, the preferred method these days is udev (man udev).

On an SLES system, we have entries like:

    SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:ed:08:72:04", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

for each NIC in the file /etc/udev/rules.d/70-persistent-net.rules. You just have to match the MAC address with the name.

The network configuration interface should create these lines for you, so you can simply edit the file and change the NAME. Do this from the console and reboot right after the edit, and do not use the network configuration interface afterwards, as it will overwrite your changes.

The files may not be in the same place in Ubuntu but there is some information available if you google "ubuntu udev".

Patrick

Jay Ridgley wrote:
> On 03/17/2011 10:00 PM, Tom Eastep wrote:
>
>> On 3/17/11 7:36 PM, Jay Ridgley wrote:
>>
>>> All other connections are wired and within the range 192.168.139.0/28
>>>
>>> subnet 192.168.139.0 netmask 255.255.255.240 {
>>>     option routers 192.168.139.2;
>>>     option subnet-mask 255.255.255.240;
>>>     option domain-name-servers 24.93.41.127, 24.93.41.128;
>>>     option ip-forwarding off;
>>> }
>>
>> ARP
>>
>> ? (192.168.139.4) at 00:a0:cc:26:cb:bd [ether] on eth3
>> ? (192.168.139.3) at 00:1a:a0:99:d0:90 [ether] on eth3
>> ? (192.168.139.5) at 00:90:a9:6e:27:24 [ether] on eth3
>> ? (70.112.128.1) at 00:1d:a2:e8:41:d9 [ether] on eth0
>> ? (192.168.100.1) at 00:02:8a:de:ad:02 [ether] on eth0  <------------- this is reflected in the dump? eth0 is my firewall and to my knowledge the address contained is NOT part of my network.
>> ? (192.168.139.37) at 00:1a:70:84:51:40 [ether] on eth4 <===
>>
>> The only host known to the firewall on eth4 is .37.  <------------- that would be correct
>>
>> -Tom
>
> Tom,
>
> Your prior message asked about the difference between eth1 and eth2 vs eth3 &
> eth4. Yes, all of the config files that required changes have been fixed to
> reflect that change.
>
> This was brought about from moving NICs from the old system to the new system. I
> was having to do it so many times I purchased a pair of new NICs and when I
> installed them they showed up as eth3 and eth4. I have found no way to change
> them to eth1 and eth2. Do you have any ideas? I don't feel like that should be a
> worry, however.
>
> I am very concerned about the 168.192.100.1 entry above. Is there a lot of
> traffic to/from it?
>
> I did an arp from my firewall and 192.168.100.1 points to my main system
> (192.168.139.5). I am going to try to see where that came from.
>
> Thanks,
> Jay

--
Patrick McNeil
Université de Montréal - DGTIC
Pav. Roger-Gaudry, X-205
Telephone: (514) 343-6111, ext. 5247
E-mail: Patrick.McNeil@umontreal.ca
Fax: (514) 343-2155
mcneilp@paget.dgtic.umontreal.ca
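Patrick's rule layout is simple enough to type by hand, but two mistakes make such rules fail silently: a MAC written in the wrong case (the kernel exposes the address in lowercase hex and udev's ATTR match is a literal comparison), and two rules claiming the same NAME. The Python below is an added example, not Patrick's, Ubuntu's or SLES's code: it validates a MAC-to-name mapping, renders rules in exactly the format quoted above, and parses an existing rules file back so you can diff what the system has against what you intended. The sample mapping is constructed for the example (the first MAC is the one from Patrick's illustration, the second is made up); the file path referenced is the SLES one he named.

```python
import re

# Line layout as quoted by Patrick (SLES /etc/udev/rules.d/70-persistent-net.rules).
RULE_FMT = ('SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="%s", '
            'ATTR{type}=="1", KERNEL=="eth*", NAME="%s"')
RULE_RE = re.compile(r'ATTR\{address\}=="([^"]+)".*?NAME="([^"]+)"')
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")   # Linux interface names: at most 15 chars

# Constructed sample: the renaming Jay asked for (new NICs back to eth1/eth2).
# The first MAC is Patrick's example; the second is invented for this example.
SAMPLE_MAPPING = {
    "00:E0:ED:08:72:04": "eth1",
    "00:e0:ed:08:72:05": "eth2",
}


def normalize_mac(mac):
    """Lowercase and validate; sysfs reports lowercase and udev compares literally."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac


def check_mapping(mapping):
    """Return a list of problems with a {mac: name} mapping (empty means OK)."""
    problems = []
    macs_by_name = {}
    seen = {}
    for raw_mac, name in mapping.items():
        try:
            mac = normalize_mac(raw_mac)
        except ValueError as err:
            problems.append(str(err))
            continue
        if not NAME_RE.match(name):
            problems.append("invalid interface name %r for %s" % (name, mac))
        if mac in seen:
            problems.append("MAC %s listed twice (as %r and %r)" % (mac, seen[mac], raw_mac))
        seen[mac] = raw_mac
        macs_by_name.setdefault(name, []).append(mac)
    for name, macs in macs_by_name.items():
        if len(macs) > 1:
            problems.append("NAME %s claimed by %s" % (name, ", ".join(sorted(macs))))
    return problems


def render_rules(mapping):
    """Return the rules file text, refusing to emit a mapping that has conflicts."""
    problems = check_mapping(mapping)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["# persistent NIC names: one rule per MAC; edit NAME to rename an interface"]
    for raw_mac, name in sorted(mapping.items(), key=lambda kv: kv[1]):
        lines.append(RULE_FMT % (normalize_mac(raw_mac), name))
    return "\n".join(lines) + "\n"


def parse_rules(text):
    """Read an existing rules file back into {mac: name}, ignoring comment lines."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


if __name__ == "__main__":
    # Print the generated file; redirect it to the rules path once you have
    # checked that parse_rules() of the current file agrees with your intent.
    print(render_rules(SAMPLE_MAPPING), end="")
```

The usual workflow is to run parse_rules() over the file the distribution generated, confirm every MAC there is one you actually installed (the ARP table earlier in the thread lists other hosts' MACs, not the firewall's own NICs, so the values come from ifconfig or ip link on the box), and only then write the new file and reboot as Patrick advises.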
On 03/18/2011 08:44 AM, Patrick McNeil wrote:
> Good morning Jay,
>
> If you want to control and have persistent names for NICs on Linux, the
> preferred method these days is udev (man udev).
>
> On an SLES system, we have entries like:
>
> SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*",
> ATTR{address}=="00:e0:ed:08:72:04", ATTR{type}=="1", KERNEL=="eth*",
> NAME="eth1"
>
> for each NIC in the file /etc/udev/rules.d/70-persistent-net.rules. You
> just have to match the MAC address with the name.
>
> The network configuration interface should create these lines for you,
> so you can simply edit the file and change the NAME. Do this from the
> console and reboot right after the edit, and do not use the network
> configuration interface afterwards, as it will overwrite your changes.
>
> The files may not be in the same place in Ubuntu but there is some
> information available if you google "ubuntu udev".
>
> Patrick

Patrick,

Thanks, I will look into that.

Regards,
Jay