Hey Simon, yes, Debian does keep the MAC addresses mapped to the interfaces (eth0, eth1, etc.), but that has no bearing on Shorewall, unless Shorewall somewhere has the MAC address of the interface in its configuration, which I have never seen before.

The router that eth0 plugs into to get out to the internet has had its ARP tables cleared a couple of times by the network guys. The firewall I am replacing is at a co-location, so I am at the mercy of their support.

You did spark an idea, though: if it is in fact the ARP tables, I can try giving eth0 an unused public IP and see if it'll let me out then. Thanks for sparking that idea. I'll stay up late tonight and see if I can't get it going. I will let you know what I find out.

Thanks.

Matt Jamison
Systems Administrator
New Homes Realty, Inc
(813)319-3095



Simon Matter wrote:
Hey guys, currently we have a Dell PE2850 acting as our firewall/NAT
with Shorewall. I am trying to move it over to a PE1650 so I can reclaim
that much better 2850 for other uses.

The 2850 is running the Debian Etch 4.0 AMD64 distro, the 1650 is running
the same but the 686 distro.

I have copied over the contents of /etc/shorewall/* from the 2850 to the
1650, and copied over /etc/network/interfaces as well. When I power up the
1650, it acts very weird. I can ping the external gateway and I can
SSH out to only one server we have that's not behind our firewall. None of
the servers behind the firewall can get out, nor can I get into any of
them remotely. While the 1650 is trying to act as the firewall, I can
SSH into any of the servers behind the firewall on the local net. I have
checked the routes with "route" and confirmed they are identical on the
boxes. What is strange, though, is that the 1650 does not log a single
line to /var/log/messages, while the 2850, when in operation, writes to
it pretty consistently. The init.d scripts for logging are identical on
both boxes as well. I do have it set so that it does not print to the
screen. DNS is also working fine, as there is a DNS server behind the
firewall, which I can successfully run an nslookup against for the servers I
want to SSH into that are not behind the firewall. Obviously I cannot
query the DNS server for anything external that is not in our domain and
not already cached on the name server, since it can't get out on any
port. So it's not DNS. Any help would be greatly appreciated.

Some additional information... the 2850 has portsentry, snort and tiger
installed. I also installed the same on the 1650 and copied over the
config files to the 1650. I also tried stopping all of those while I was
trying to get the 1650 in place as the firewall, but it changed nothing.

Well, if both boxes are configured the same way, they should also work the
same way. Two questions come to mind:

1) Are all interfaces configured correctly on the new box? Are they
correctly attached? Some distros put the MAC addresses into the interface
configs by default.

2) If you switch to the new box, can it be that some ARP caches on routers
are not updated? That's very likely to happen in certain configs (for
example with proxyarp), and maybe you have such a config. Reset those
devices after changing the firewall to the new box.

Simon


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
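The two checks Simon raises (are eth0/eth1 on the new box really the NICs you think they are, and does anything upstream or in the Shorewall config still reference the old MAC) can be scripted. The following is an added example for this thread, not code from the thread or from the Shorewall project. It assumes Debian-style udev persistent-net rules (SYSFS{address} on etch, ATTR{address} on later releases), a Linux sysfs tree, a Shorewall configuration directory, and iputils arping for the gratuitous-ARP step; the interface names, MACs, paths and rule text used when you run it are yours to supply, and the SYSFS_NET override exists only so the checks can be exercised against constructed data.

```shell
#!/bin/sh
# Cutover checks for replacing one Shorewall box with another that has
# different NICs. Added example, not from the thread or from Shorewall.
# Assumes Debian udev persistent-net rules, Linux sysfs, iputils arping.
set -u

# MAC that a udev persistent-net rules file ($2) pins to interface $1.
# Matches both SYSFS{address}== (etch-era udev) and ATTR{address}== (newer).
# Prints nothing if the name is not pinned; returns 2 if the file is unreadable.
pinned_mac_for() {
    name=$1; rules=$2
    [ -r "$rules" ] || return 2
    grep "NAME=\"$name\"" "$rules" 2>/dev/null |
        sed -n 's/.*{address}=="\([^"]*\)".*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# Live MAC of interface $1 from sysfs. SYSFS_NET may point at a fake tree
# (used by the test data below); on a real box leave it unset.
live_mac_for() {
    f="${SYSFS_NET:-/sys/class/net}/$1/address"
    [ -r "$f" ] || return 2
    tr 'A-F' 'a-f' < "$f"
}

# 0: the pinned MAC is the NIC that actually carries this name now;
# 1: mismatch, i.e. the name landed on a different NIC (recheck cabling);
# 2: the name is not pinned in the rules or does not exist on this box.
check_iface() {
    name=$1; rules=$2
    pinned=$(pinned_mac_for "$name" "$rules") || return 2
    live=$(live_mac_for "$name") || return 2
    [ -n "$pinned" ] || { echo "$name: not pinned in $rules"; return 2; }
    if [ "$pinned" = "$live" ]; then
        echo "$name: ok ($live)"; return 0
    fi
    echo "$name: pinned=$pinned live=$live"; return 1
}

# Look for hardware addresses in a Shorewall config directory ($1):
# the ~xx-xx-xx-xx-xx-xx MAC notation in rules, or a non-empty maclist.
# Returns 0 if nothing MAC-specific was found, 1 if something was.
shorewall_mac_refs() {
    dir=$1; found=0
    if grep -rEn '~[0-9a-fA-F]{2}(-[0-9a-fA-F]{2}){5}' "$dir" 2>/dev/null; then
        found=1
    fi
    if [ -f "$dir/maclist" ] &&
       grep -Ev '^[[:space:]]*(#|$)' "$dir/maclist" >/dev/null 2>&1; then
        echo "$dir/maclist has entries"; found=1
    fi
    return $found
}

# After the swap, announce the new MAC for the firewall's external IP with
# gratuitous ARP (iputils arping -U) so the upstream router's cache updates
# without waiting for co-lo staff to flush it. Needs root and iputils-arping.
refresh_upstream_arp() {
    iface=$1; ip=$2
    command -v arping >/dev/null 2>&1 || { echo "arping not installed" >&2; return 2; }
    arping -U -c 3 -I "$iface" "$ip"
}

# Usage: sh cutover-check.sh /etc/udev/rules.d/70-persistent-net.rules \
#            /etc/shorewall eth0 eth1
# Then, once the new box is live:  refresh_upstream_arp eth0 <external-ip>
if [ "$#" -ge 3 ]; then
    rules=$1; swdir=$2; shift 2
    for i in "$@"; do check_iface "$i" "$rules" || true; done
    shorewall_mac_refs "$swdir" || echo "MAC references found: fix before cutover"
fi
```

Run the checks on the new box before cabling it in; a return of 1 from check_iface means the name you copied in /etc/network/interfaces now sits on a different physical NIC than it did on the old box, which is exactly the "correctly attached?" question. The gratuitous ARP step is what replaces asking the provider to clear the router's ARP table.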