I have been a happy user of Eigerstein (and descendants) plus Seawall for quite a while. I am currently using Dachstein RC2 + the latest Seawall. I have three NICs, a local network, and a DMZ behind a DSL modem. In the DMZ I am using Oxygen as a thin client and running a tiny web site.
Recently I noticed that the small web server I keep in the DMZ at http://twegner.dynodns.net (a very modest web site) would become inaccessible periodically (every few hours). After executing "seawall restart" everything is OK for a while. Then bad again. I sent the results of "seawall status" before and after the web site disappeared to Tom Eastep. He told me it appeared that somehow the Dachstein network was getting reset, essentially undoing seawall. This makes sense because (as has been mentioned recently) seawall runs after the Dachstein network has been set up, and essentially overwrites the ipchains rules.

It didn't take me long to find the problem. It is in /etc/dhclient-exit-hooks. My DSL connection uses DHCP. I noticed this problem because apparently the logic in that file that detects that the IP has changed executes every time the lease is renewed. Since that logic ends by causing the network to be reloaded, voila! Seawall is undone. My workaround was to add the command "seawall restart" after "reload_all" (see below). [Note: you will see in this code some logic I added to tell my dynamic dns service that my IP has changed. This code also logs when that logic executes. Actually, my IP has changed once in the last two years, I have the poor man's static IP! :-)]

My question is NOT what is the bug in the ip changing logic below, I can probably figure that out (though if someone sees it instantly there is no harm in writing me). This code is supposed to have a bug fix I saw in the list from Charles. Maybe I dropped it or did it wrong. I will upgrade to the latest Dachstein and see if this IP change detection has changed. Here are the questions:

1. Are there any other places in Dachstein that update the network, and need to be followed by "seawall restart"?
2. Is there a better fix for this problem? (This fix works, my humble web site has been visible continuously since I edited dhclient-exit-hooks.) Unfortunately my fix entangles seawall.lrp and dhclient.lrp.
Thanks everyone, I love this list! (Oops, "these lists" because I sent this to the seawall list as well.)

Tim Wegner

#!/bin/sh
# dhclient-exit-hooks script for LRP
# Charles Steinkuehler, January 2000
# Updated June 27, 2000 to restart dnscache, if present
# Notes:
# 0. This script restarts the following when a new address is acquired
#    a: Firewall filter rules

# Reload the network configuration (this re-applies the Dachstein ipfilter
# rules, which is what overwrites the seawall ruleset)
reload_all() {
    svi network ipfilter reload
}

if [ x$reason = xBOUND ] || [ x$reason = xRENEW ] || \
   [ x$reason = xREBIND ] || [ x$reason = xREBOOT ]; then
    # If our IP address changed, or we just got a new address,
    # restart the IP filters, using the new address
    if [ x$old_ip_address = x ] || [ x$old_ip_address != x$new_ip_address ] || \
       [ x$reason = xBOUND ] || [ x$reason = xREBOOT ]; then
        # tell dynodns that the IP has changed
        date >> /var/log/dynodns.txt
        http_get -a twegner.dynodns.net:xxxxxxxx \
            http://www.dynodns.net/pr/updatens.cgi | \
            grep twegner >> /var/log/dynodns.txt
        #end dynodns changes

        # Reload networking to see new address, then re-apply seawall,
        # which the network reload has just undone
        reload_all
        seawall restart
    fi
fi

if [ x$reason = xEXPIRE ] || [ x$reason = xFAIL ]; then
    # No dhcp lease - Shutdown packet forwarding
    /etc/init.d/network ipfilter flush
fi

if [ x$reason = xTIMEOUT ]; then
    if [ x$timeout_using_old_lease = xTRUE ]; then
        # Successfully using an old lease, even though we can't talk to the
        # dhcp server, so reload network to configure with 'new' address
        # (this reload_all is not followed by "seawall restart")
        reload_all
    else
        # Couldn't find the dhcp server, and can't ping the last default router
        # so let's just give up and stop forwarding packets
        /etc/init.d/network ipfilter flush
    fi
fi

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
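The same hook logic, restructured as an added example (this is not Tim Wegner's script and not part of LRP, Dachstein or Seawall): the "do we need to reload?" decision is pulled into a side-effect-free function that can be exercised for each dhclient reason before the hook is installed, the firewall restart is folded into reload_all so that both call sites (the BOUND/RENEW branch and the TIMEOUT branch) re-apply the ruleset after a network reload, and every invocation is logged so a ruleset reset can be matched against an outage. The variables NET_RELOAD_CMD, FW_RESTART_CMD, FW_FLUSH_CMD and HOOK_LOG are assumptions standing in for "svi network ipfilter reload", "seawall restart", "/etc/init.d/network ipfilter flush" and a log file; dhclient is assumed to export reason, old_ip_address, new_ip_address and timeout_using_old_lease exactly as the posted script relies on.

```shell
#!/bin/sh
# Added example: dhclient-exit-hooks with a testable reload decision.
# Assumed command names (override from the environment if they differ):
: "${NET_RELOAD_CMD:=svi network ipfilter reload}"
: "${FW_RESTART_CMD:=seawall restart}"
: "${FW_FLUSH_CMD:=/etc/init.d/network ipfilter flush}"
: "${HOOK_LOG:=/var/log/dhclient-hook.log}"

# decide_action REASON OLD_IP NEW_IP TIMEOUT_USING_OLD_LEASE
# Prints exactly one of: reload | flush | none.
# No side effects, so the policy can be checked offline.
decide_action() {
    d_reason=$1; d_old=$2; d_new=$3; d_using_old=$4
    case "$d_reason" in
        BOUND|REBOOT)
            # Fresh lease or reboot: interfaces were reconfigured, rules must follow.
            echo reload ;;
        RENEW|REBIND)
            # Lease kept: reload only when the address really changed
            # (a plain renewal with the same address must NOT reset the ruleset).
            if [ -z "$d_old" ] || [ "$d_old" != "$d_new" ]; then
                echo reload
            else
                echo none
            fi ;;
        EXPIRE|FAIL)
            # No lease at all: stop forwarding rather than run with stale rules.
            echo flush ;;
        TIMEOUT)
            if [ "$d_using_old" = TRUE ]; then echo reload; else echo flush; fi ;;
        *)
            echo none ;;
    esac
}

# reload_all: a network reload is always followed by the firewall restart,
# so no branch of the hook can reload the network and leave the ruleset undone.
reload_all() {
    $NET_RELOAD_CMD
    $FW_RESTART_CMD
}

flush_all() {
    $FW_FLUSH_CMD
}

# run_hook: the entry point dhclient would reach; logs the decision,
# applies it, and prints the action taken so it can be checked.
run_hook() {
    r_action=$(decide_action "$reason" "$old_ip_address" \
                             "$new_ip_address" "$timeout_using_old_lease")
    printf '%s reason=%s old=%s new=%s action=%s\n' "$(date)" \
        "${reason:-?}" "${old_ip_address:-none}" "${new_ip_address:-none}" \
        "$r_action" >> "$HOOK_LOG"
    case "$r_action" in
        reload) reload_all ;;
        flush)  flush_all ;;
    esac
    echo "$r_action"
}

# Only act when dhclient actually invoked us with a reason.
if [ -n "$reason" ]; then
    run_hook >/dev/null
fi
```

Keeping the decision in decide_action means the hook's behaviour for each dhclient reason can be verified with a handful of shell invocations rather than by waiting hours for the next lease renewal; the log line written by run_hook gives the timestamp to compare against the moment the web server stopped answering.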
