> Hey guys, currently we have a Dell PE2850 acting as our firewall/nat
> with shorewall. I am trying to move it over to a PE1650 so I can reclaim
> that much better 2850 for other uses.
>
> The 2850 is running Debian Etch 4.0 AMD64 distro, the 1650 is running
> the same but 686 distro.
>
> I have copied over the contents of /etc/shorewall/* from the 2850 to the
> 1650, copied over /etc/network/interfaces as well. When I power up the
> 1650 it is acting very weird. I can ping the external gateway and I can
> SSH out to only 1 server we have that's not behind our firewall. None of
> the servers behind the firewall can get out nor can I get into any of
> them remotely. While the 1650 is trying to act as the firewall, I can
> SSH into any of the servers behind the firewall on the localnet. I have
> checked the routes with "route" and confirmed they are identical on the
> boxes. What is strange though is that the 1650 does not log a single
> line to /var/log/messages while the 2850, when in operation, writes to
> it pretty consistently. The init.d scripts for logging are identical on
> both boxes as well. I do have it set so that it does not print to the
> screen. DNS is also working fine as there is a DNS server behind the
> firewall, which I can successfully run an nslookup for the servers I
> want to ssh into that are not behind the firewall. Obviously I cannot
> query the DNS server for anything external that is not in our domain and
> not already cached on the name server, since it can't get out on any
> port. So it's not DNS. Any help would be greatly appreciated.
>
> Some additional information... the 2850 has portsentry, snort and tiger
> installed. I also installed the same on the 1650 and copied over the
> config files to the 1650. I also tried stopping all of those while I was
> trying to get the 1650 in place as the firewall but it changed nothing.

Well, if both boxes are configured the same way they should also work the
same way. Two questions come to mind:

1) Are all interfaces configured correctly on the new box? Are they
correctly attached? Some distros put the MAC addresses into the interface
configs by default.

2) If you switch to the new box, can it be that some arp caches on routers
are not updated? That's very likely to happen in certain configs (for
example with proxyarp) and maybe you have such a config. Reset those
devices after changing the firewall to the new box.

Simon
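A check for Simon's first point, added here as an example and not taken from the thread: it cross-checks the interfaces the copied /etc/network/interfaces brings up against the MAC-pinned names in Debian's persistent-net udev rules and against the links the new box actually has, so a config that silently landed on the wrong NIC shows up before the box is put in as the firewall. The file paths, the `name mac` link listing and all sample data are constructed for the demo.

```shell
# Cross-check the copied /etc/network/interfaces against the persistent
# udev naming rules and the NICs the new box really has. Three inputs:
#   $1  the interfaces file (only its "auto" stanzas are read)
#   $2  the persistent-net rules file (SYSFS{address}/ATTR{address} -> NAME)
#   $3  a "name mac" line per live link, as reduced from `ip -o link`
check_ifaces() {
    interfaces=$1; rules=$2; links=$3; rc=0
    for ifn in $(awk '$1=="auto" {for (i=2; i<=NF; i++) print $i}' "$interfaces"); do
        # MAC the udev rule pins to this name (empty if there is no rule)
        want=$(grep "NAME=\"$ifn\"" "$rules" | sed 's/.*{address}=="\([^"]*\)".*/\1/')
        # MAC the live link with this name reports (empty if no such link)
        have=$(awk -v n="$ifn" '$1==n {print $2}' "$links")
        if [ -z "$have" ]; then
            echo "MISSING  $ifn: in interfaces but no such link on this box"; rc=1
        elif [ -n "$want" ] && [ "$want" != "$have" ]; then
            echo "MISMATCH $ifn: udev rule pins $want, link has $have"; rc=1
        else
            echo "OK       $ifn $have"
        fi
    done
    return $rc
}

# Constructed sample: the config copied from the old box names eth0/eth1,
# but the new box's second NIC carries a different MAC than the old rule.
demo() {
    d=$(mktemp -d)
    cat > "$d/interfaces" <<'EOF'
auto lo eth0 eth1
iface eth0 inet static
    address 192.0.2.2
iface eth1 inet static
    address 10.0.0.1
EOF
    cat > "$d/rules" <<'EOF'
SUBSYSTEM=="net", DRIVERS=="?*", SYSFS{address}=="00:11:22:33:44:55", NAME="eth0"
SUBSYSTEM=="net", DRIVERS=="?*", SYSFS{address}=="00:11:22:33:44:66", NAME="eth1"
EOF
    cat > "$d/links" <<'EOF'
lo 00:00:00:00:00:00
eth0 00:11:22:33:44:55
eth1 aa:bb:cc:dd:ee:ff
EOF
    if check_ifaces "$d/interfaces" "$d/rules" "$d/links"; then rc=0; else rc=$?; fi
    rm -rf "$d"
    return $rc
}
```

On a real box, run `check_ifaces` with /etc/network/interfaces, the persistent-net rules file under /etc/udev/rules.d (the name varies by release) and a `name mac` listing reduced from `ip -o link`. For Simon's second point, once the new box is cut over, stale entries on neighbouring routers can be refreshed from it with iputils `arping -U -I eth0 <its address>` or by clearing the routers' caches as he suggests.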

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users