I am not sure this is even a shorewall issue, but I will see if anyone can offer any advice.

I have a multi-interface configuration where interface eth2 is the interface connected to the ISP and is the default gateway in my environment. The IP for this interface is assigned via dhclient from the ISP's DHCP server. When an IP address is successfully assigned, the following messages show up in /var/log/messages:

Sep 25 18:46:37 firewall dhclient: DHCPREQUEST on eth2 to 172.19.73.31 port 67 (xid=0x7620baf8)
Sep 25 18:46:37 firewall dhclient: DHCPACK from 172.19.73.31 (xid=0x7620baf8)
Sep 25 18:46:37 firewall dhclient: bound to a.b.c.d -- renewal in 34555 seconds.   <--- bound address changed to protect the innocent.

Ok, at this point everything is fine and is working as expected. In my /var/lib/dhclient/dhclient-eth2.leases I have this in the configuration (received from the ISP/DHCP server; not my configuration):

option dhcp-server-identifier 172.19.73.31;

The problem is this... Between the times when a DHCP lease is successfully obtained, like above, the following messages show up in /var/log/messages (every minute):

Sep 26 09:54:44 firewall dhclient: DHCPREQUEST on eth2 to 172.19.73.31 port 67 (xid=0xa2a4686)
Sep 26 09:54:44 firewall dhclient: send_packet: Network is unreachable
Sep 26 09:54:44 firewall dhclient: send_packet: please consult README file regarding broadcast address.

These messages do not lead to anything breaking as far as the network is concerned, but it is definitely flooding the logs and is annoying.

Out in internet-land I came across this as a possible solution (http://bit.ly/VJ1yLQ):

iptables -t nat -A OUTPUT -d 10.0.0.0/255.0.0.0 -o eth1 -p udp -m udp --dport 67 -j DNAT --to-destination 255.255.255.255

Obviously the IPs used above do not match my environment, but this is the line that was used in the example. This comes to why I am posting in the shorewall forum.

I was wondering if this is a solution I should pursue, and if so, what is the correct way to add the iptables command using shorewall.

Thank you for reading.

------------------------------------------------------------------------------
How fast is your code?
3 out of 4 devs don't know how their code performs in production.
Find out how slow your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219672;13503038;z?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
On 09/26/2012 10:05 AM, Scott Ruckh wrote:
> I was wondering if this is a solution I should pursue, and if so, what
> is the correct way to add the iptables command using shorewall.
> Thank you for reading.

Is there a direct route to 172.19.73.31 out of eth2?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/26/2012 01:10 PM, Tom Eastep wrote:
> On 09/26/2012 10:05 AM, Scott Ruckh wrote:
>
>> I was wondering if this is a solution I should pursue, and if so, what
>> is the correct way to add the iptables command using shorewall.
>> Thank you for reading.
>
> Is there a direct route to 172.19.73.31 out of eth2?
>

And remember to take policy routing into account (look at the output of 'shorewall show routing' rather than 'ip route ls' or 'netstat -nr').

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Yo. This is what you said earlier:

Tom Eastep
> On 09/26/2012 01:10 PM, Tom Eastep wrote:
>> On 09/26/2012 10:05 AM, Scott Ruckh wrote:
>>
>>> I was wondering if this is a solution I should pursue, and if so, what
>>> is the correct way to add the iptables command using shorewall.
>>> Thank you for reading.
>>
>> Is there a direct route to 172.19.73.31 out of eth2?
>>
>
> And remember to take policy routing into account (look at the output of
> 'shorewall show routing' rather than 'ip route ls' or 'netstat -nr').
>

No results are returned when running:

$ sudo shorewall show routing | grep 172.19

The web article mentioned the ISP not accepting unicast messages --

This has not always happened, but I don't really have a timeline for when it did start, like whether it happened after a dhclient upgrade, an ISP change, or some other change. My network configuration has been static for quite some time, more than a year.

I probably should have mentioned this earlier:

$ shorewall version
4.5.6.2

$ lsb_release -a
LSB Version:    :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
Distributor ID: CentOS
Description:    CentOS release 5.8 (Final)
Release:        5.8
Codename:       Final

$ rpm -q iptables
iptables-1.3.5-9.1.el5

$ rpm -qf /sbin/dhclient
dhclient-3.0.5-31.el5_8.1
On 09/26/2012 03:04 PM, Scott Ruckh wrote:
>
> Yo. This is what you said earlier:
>
> Tom Eastep
>> On 09/26/2012 01:10 PM, Tom Eastep wrote:
>>> On 09/26/2012 10:05 AM, Scott Ruckh wrote:
>>>
>>>> I was wondering if this is a solution I should pursue, and if so, what
>>>> is the correct way to add the iptables command using shorewall.
>>>> Thank you for reading.
>>>
>>> Is there a direct route to 172.19.73.31 out of eth2?
>>>
>>
>> And remember to take policy routing into account (look at the output of
>> 'shorewall show routing' rather than 'ip route ls' or 'netstat -nr').
>>
> No results are returned when running:
>
> $ sudo shorewall show routing | grep 172.19
>
> The web article mentioned the ISP not accepting unicast messages --
>
> This has not always happened, but I don't really have a timeline when it
> did start. Like if it happened after dhclient upgrade, an ISP change, or
> some other change. My network configuration has been static for quite
> some time, more than a year.
>
> I probably should have mentioned this earlier:
>
> $ shorewall version
> 4.5.6.2
>
> $ lsb_release -a
> LSB Version:
> :core-4.0-amd64:core-4.0-ia32:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-ia32:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-ia32:printing-4.0-noarch
> Distributor ID: CentOS
> Description: CentOS release 5.8 (Final)
> Release: 5.8
> Codename: Final
>
> $ rpm -q iptables
> iptables-1.3.5-9.1.el5
>
> $ rpm -qf /sbin/dhclient
> dhclient-3.0.5-31.el5_8.1

At any rate, I suggest adding the appropriate route in /etc/shorewall/routes and see if that doesn't solve the problem.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
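Tom's two checks (is there a route to the dhcp-server-identifier out of eth2, and is it present in the table that policy routing actually consults) and his fix (put the route in /etc/shorewall/routes) can be reproduced offline. The script below is an added example written for this page, not code from the thread or from Shorewall: it pulls the server identifier out of dhclient lease text and runs a longest-prefix match of that address against the text of one routing table, in the form `ip route show` or one table section of `shorewall show routing` prints it. The lease excerpt, the three routing tables, the 203.0.113.0/24 addresses and the provider name `isp` in the suggested routes entry are all constructed for the example. One caveat on the DNAT line from the linked article: a locally generated UDP packet is routed before it reaches the nat OUTPUT chain, so when no route matches at all the sendto() fails with ENETUNREACH (the "Network is unreachable" in the log) and the DNAT rule never sees the packet; that rule can only help once a route exists and the remaining problem is the ISP not answering unicast.

```shell
#!/bin/sh
# Added example for this thread, not code from Shorewall or the posters.
# All inputs below are constructed text. On a live box the same functions
# take the real data:
#   lease_server_id < /var/lib/dhclient/dhclient-eth2.leases
#   route_for "$(ip route show table main)" 172.19.73.31
# (or paste in one table section of "shorewall show routing").

# Print the last "option dhcp-server-identifier" seen in dhclient lease text
# on stdin. dhclient unicasts its DHCPREQUEST renewals to this address, so it
# is the one that must be routable out of the ISP interface.
lease_server_id() {
    awk '/option dhcp-server-identifier/ { id = $3; sub(/;.*/, "", id) }
         END { print id }'
}

# route_for ROUTE_TABLE_TEXT DEST_IP
# Longest-prefix match of DEST_IP against "ip route"-style lines
# ("default via ..." or "A.B.C.D[/P] dev ..."). Prints the device of the
# winning route; prints nothing and returns 1 when nothing matches, which is
# the condition behind dhclient's "send_packet: Network is unreachable".
route_for() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        function ip2int(s,  o) {
            split(s, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { d = ip2int(dest); best = -1 }
        NF == 0 { next }
        {
            if ($1 == "default") { net = 0; plen = 0 }
            else {
                n = split($1, p, "/")
                net = ip2int(p[1]); plen = (n == 2) ? p[2] + 0 : 32
            }
            # skip this route unless the top plen bits of dest and net agree
            if (int(d / 2 ^ (32 - plen)) != int(net / 2 ^ (32 - plen))) next
            dev = ""
            for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
            if (plen > best) { best = plen; bestdev = dev }
        }
        END { if (best < 0) exit 1; print bestdev }'
}

# ---- constructed sample data (not Scott's real files) ----
SAMPLE_LEASE='lease {
  interface "eth2";
  fixed-address 203.0.113.27;
  option subnet-mask 255.255.255.0;
  option routers 203.0.113.1;
  option dhcp-server-identifier 172.19.73.31;
  renew 4 2012/09/27 04:22:32;
}'

# A plain single-ISP main table: the default route covers the server.
TABLE_SINGLE_ISP='203.0.113.0/24 dev eth2  proto kernel  scope link  src 203.0.113.27
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
default via 203.0.113.1 dev eth2'

# A table with no default route (Shorewall providers can manage the default
# route in another table) where the DHCP server is not on eth2's own subnet:
# nothing matches 172.19.73.31, the "grep 172.19 finds nothing" situation.
TABLE_PROVIDERS='203.0.113.0/24 dev eth2  proto kernel  scope link  src 203.0.113.27
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1'

# The same table after the host route Tom suggests has been added.
TABLE_PROVIDERS_FIXED="$TABLE_PROVIDERS
172.19.73.31 dev eth2  scope link"

report() {   # report LABEL TABLE_TEXT DEST
    if dev=$(route_for "$2" "$3"); then
        echo "$1: $3 is routed out $dev"
    else
        echo "$1: no route to $3 (dhclient's unicast renewal gets ENETUNREACH here)"
    fi
}

server=$(printf '%s\n' "$SAMPLE_LEASE" | lease_server_id)
echo "dhcp-server-identifier from lease: $server"
report single-isp      "$TABLE_SINGLE_ISP"      "$server"
report providers       "$TABLE_PROVIDERS"       "$server"
report providers-fixed "$TABLE_PROVIDERS_FIXED" "$server"

# Entry for /etc/shorewall/routes so the route survives a Shorewall restart.
# Column layout as in shorewall-routes(5); the provider name "isp" is assumed.
echo '# PROVIDER  DEST          GATEWAY  DEVICE'
echo 'isp         172.19.73.31  -        eth2'
```

On the real firewall, `ip route get 172.19.73.31` answers the same question for all tables at once, policy rules included, which is why Tom points at `shorewall show routing` rather than the main table alone; the point of the offline version is to see that a table with no covering route is exactly what turns the once-a-minute unicast renewal into the logged error, and that a single host route out of eth2 clears it. Adding that route with `ip route add` by hand works until the next `shorewall restart`, so it belongs in /etc/shorewall/routes (check shorewall-routes(5) for the column layout of your version).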