Hello all, thank you, everyone, for all of your input on the "Fourteen Day" thread. For those of you who are having a similar problem, this is what I know so far...
I already had some logging in place in the rules to catch the communication from my ISP's dhcp server to my firewall box (LOG then ACCEPT). Looking back through the logs, I see that exactly every 3.5 days the ISP's dhcp server initiated a communication with a udp packet (--sport 67 --dport 68), including last night immediately before connectivity was lost. Since 3.5 is half of the seven-day lease, that seems to make some sense. And since fourteen days is twice the length of the lease, that also makes some sense (as suggested by another lister, Joe Patterson).

I know it was the dhcp server initiating the communication because (1) the logging rule that caught the incoming packet appeared after an "established,related" rule that would have accepted it had it been a reply to something the fw initiated, and (2) the rule that would have logged the fw initiating the communication to the dhcp server was never triggered. Unfortunately, those rules to explicitly log the firewall's communication back to the dhcp server appeared _after_ an "established,related" rule which would have already accepted the outgoing packet. However, I assume that communication from my firewall back to the dhcp server _was_ successfully accepted there. I log all the dropped packets, and there weren't any dropped ones destined for the dhcp server or anywhere else for --dport 67. So, I've reorganized these logging rules so they can catch the traffic before it is accepted. I'll have more info to go on in two weeks.

But all that begs the question, "If the dhcp server can get in, and the firewall was able to talk back, why did it break?" It may not be a netfilter or rules issue after all, and could be a broken dhcpd running at the ISP that refuses to renew a lease (maybe?). Another lister (Eric Daigneault) said he had a similar problem with losing connectivity that was solved with a cron job to regularly restart networking...

/etc/rc.d/init.d/network restart

When this breaks again in two weeks, I will check to see whether "ifconfig eth0" shows it as still having an IP address (I suspect it won't). I also suspect that "network restart" - as opposed to rebooting - will restore connectivity, since that requires (re)obtaining the dhcp lease.

Now I know I'm going OT... Shouldn't my fw be initiating the communication with the ISP's dhcp server every 3.5 days? I'll examine the logs again, but it looks like the dhcp server is contacting my fw every 3.5 days. (The machine doing the contacting is the ISP's legitimate dhcp server.)

Again, thank you, everyone!

Darrell D
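The rule-ordering point in the post above (a LOG rule placed after an "established,related" ACCEPT never sees the reply traffic, so moving it ahead of that ACCEPT is what makes it fire) can be checked without touching a live firewall. The following is an added example, not code from the original post or from netfilter itself: a small first-match simulator for an INPUT and OUTPUT chain. It relies on one fact about netfilter, that LOG is a non-terminating target while ACCEPT and DROP end evaluation of the chain. The rule names, the two rule orderings and the four packets are constructed to mirror what the post describes (server port 67, client port 68); the conntrack state on each packet is an assumption chosen to show both cases, not something taken from the author's logs.

```python
"""Added example: simulate netfilter first-match evaluation to show why a LOG
rule placed after an ESTABLISHED,RELATED ACCEPT never fires for reply traffic,
and why moving it ahead of that ACCEPT fixes the logging.
Rule sets and packets are constructed for illustration (not captured traffic)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY: FrozenSet[str] = frozenset()   # empty state set = match any conntrack state


@dataclass(frozen=True)
class Packet:
    chain: str    # "INPUT" (ISP -> firewall) or "OUTPUT" (firewall -> ISP)
    proto: str
    sport: int
    dport: int
    state: str    # conntrack's view of the packet: "NEW", "ESTABLISHED", "RELATED"


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str                      # "LOG", "ACCEPT" or "DROP"
    name: str = ""                   # label reported when the rule fires
    proto: Optional[str] = None      # None = any protocol
    sport: Optional[int] = None      # None = any source port
    dport: Optional[int] = None      # None = any destination port
    states: FrozenSet[str] = ANY     # empty = no state match at all

    def matches(self, pkt: Packet) -> bool:
        if self.chain != pkt.chain:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.sport is not None and self.sport != pkt.sport:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return not self.states or pkt.state in self.states


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Walk the chain in order, as netfilter does.

    LOG is non-terminating (the packet keeps going down the chain); ACCEPT and
    DROP end evaluation. Returns the verdict and the names of every rule that
    fired, in order. If nothing terminating matches, the chain policy applies.
    """
    fired: List[str] = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        fired.append(rule.name)
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target, fired
    return policy, fired


def dhcp_rules(log_before_state_rule: bool) -> List[Rule]:
    """The same rules in two orders: the original layout (DHCP LOG rules after
    the ESTABLISHED,RELATED ACCEPT) and the reorganized layout (LOG rules
    first, so every DHCP packet is logged before anything accepts it)."""
    est = frozenset({"ESTABLISHED", "RELATED"})
    state_accept = [
        Rule("INPUT", "ACCEPT", "in-established", states=est),
        Rule("OUTPUT", "ACCEPT", "out-established", states=est),
    ]
    dhcp_log = [
        Rule("INPUT", "LOG", "log-dhcp-in", proto="udp", sport=67, dport=68),
        Rule("OUTPUT", "LOG", "log-dhcp-out", proto="udp", sport=68, dport=67),
    ]
    dhcp_accept = [
        Rule("INPUT", "ACCEPT", "accept-dhcp-in", proto="udp", sport=67, dport=68),
        Rule("OUTPUT", "ACCEPT", "accept-dhcp-out", proto="udp", sport=68, dport=67),
    ]
    catch_all = [   # "log all the dropped packets": LOG then DROP at the end
        Rule("INPUT", "LOG", "log-dropped-in"),
        Rule("INPUT", "DROP", "drop-in"),
        Rule("OUTPUT", "LOG", "log-dropped-out"),
        Rule("OUTPUT", "DROP", "drop-out"),
    ]
    if log_before_state_rule:
        return dhcp_log + state_accept + dhcp_accept + catch_all
    return state_accept + dhcp_log + dhcp_accept + catch_all


# Constructed packets; the conntrack state on each is assumed for illustration.
SERVER_TO_FW_NEW = Packet("INPUT", "udp", 67, 68, "NEW")             # server-initiated, as the post observed
SERVER_TO_FW_REPLY = Packet("INPUT", "udp", 67, 68, "ESTABLISHED")   # a reply to something the fw sent
FW_TO_SERVER_NEW = Packet("OUTPUT", "udp", 68, 67, "NEW")            # fw initiating toward the server
FW_TO_SERVER_REPLY = Packet("OUTPUT", "udp", 68, 67, "ESTABLISHED")  # fw answering the server


def demo() -> None:
    for label, rules in (("original order", dhcp_rules(False)),
                         ("reorganized", dhcp_rules(True))):
        for pkt in (SERVER_TO_FW_NEW, SERVER_TO_FW_REPLY, FW_TO_SERVER_NEW, FW_TO_SERVER_REPLY):
            verdict, fired = evaluate(rules, pkt)
            print(f"{label:15} {pkt.chain:6} {pkt.sport}->{pkt.dport} {pkt.state:11} "
                  f"-> {verdict:6} fired={fired}")


if __name__ == "__main__":
    demo()
```

Running `demo()` reproduces the two observations in the post: in the original order an incoming 67->68 packet that conntrack calls NEW reaches the DHCP LOG rule (so it could not have been a reply the state rule would have swallowed), while the outgoing 68->67 answer is accepted by the state rule before any LOG rule sees it. In the reorganized order both DHCP LOG rules fire on every DHCP packet, which is the data the author is waiting two weeks to collect.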
