I recently decided to upgrade my Bering 1.0-rc2 firewall by replacing the eth0 NIC with a new one. Everything was working fine, but once I changed the NIC, traffic from the internet was no longer able to reach my DMZ.
BTW, I am running proxyarp in Shorewall.
I am totally clueless as to why just replacing a NIC would cause this.
I did restart the switch that connects the (dmz) to the firewall, and I also restarted the SpeedStream DSL modem that connects me to the internet after I made the changes, to clear out the ARP cache, but this seemed to do nothing.
Here's what I have done and my configuration settings:
My old setup, with each ethX and its corresponding module:
(External Internet) 64.81.34.152 eth0 = tulip
(loc network) 10.170.166.254 eth1 = tulip
(dmz network) 10.170.165.254 eth2 = tulip
I replaced the eth0, which was a Kingston TX100 card, with an Intel EtherExpress Pro/100. I downloaded and installed the eepro100.o module. I changed the modules parameters to load the modules with eepro100 above the line for tulip, so the eepro100 module would load first. Backed up, rebooted.
So now my network looks like this:
(External Internet) 64.81.34.152 eth0 = eepro100
(loc network) 10.170.166.254 eth1 = tulip
(dmz network) 10.170.165.254 eth2 = tulip
When the system reboots, everything comes up fine. I go to any of the computers on the (loc) network and I ping and browse the internet, so I know the new eepro NIC is working. Then from the (loc) computer I am able to browse the web server (64.81.34.166) located on the (dmz). I noticed that one of them was responding very slowly, but it did work.
Then I ssh into an external system on another network and try using lynx to connect to the web server located on the (dmz). Nothing responded. I tried pinging the web server; I got nothing. I tried restarting the web server box itself, restarting the switch that connects it to the (dmz), and restarting the SpeedStream modem. Still I cannot access the web server from the Internet, but I can access it from the (loc) network machines.
OK, I am totally confused now, so I replace the eepro NIC with the old Kingston TX100 that was in before. I reboot the box and everything works like a charm again. I think, hmmm, maybe this eepro NIC has problems with the proxyarp stuff, so I try replacing the eth0 NIC with a 3Com 3c509 ISA card. I load the modules, save, reboot... Same problem, no access from the Internet.
I also tried using the 3Com 3c509 as eth2, and I had the same problem: no access from the Internet, but I could browse just fine from (loc) <> (dmz).
I am wondering if this is some kind of Shorewall issue or an IRQ issue with the setup?
I am lost. Any help or guidance would be great. I am thinking that just changing a NIC in the box should not affect Shorewall in any way, since it only needs to know which interface = which network... not what module it loads, etc.
In case it matters, here are my setup files, and a dmesg output from when the three NICs that work fine load at system boot:
/var/log/messages:
Jun 17 21:23:44 firewall syslogd 1.3-3#31.slink1: restart.
Jun 17 21:23:44 firewall kernel: klogd 1.3-3#31.slink1, log source = /proc/kmsg started.
Jun 17 21:23:44 firewall kernel: Cannot find map file.
Jun 17 21:23:44 firewall kernel: Loaded 38 symbols from 5 modules.
Jun 17 21:23:44 firewall kernel: Linux version 2.4.18 (root@debian) (gcc version 2.95.2 20000220 (Debian GNU/Linux)) #1 Sun Apr 21 12:50:34 CEST 2002
Jun 17 21:23:44 firewall kernel: BIOS-provided physical RAM map:
Jun 17 21:23:44 firewall kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
Jun 17 21:23:44 firewall kernel: BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
Jun 17 21:23:44 firewall kernel: BIOS-e820: 0000000000100000 - 0000000004000000 (usable)
Jun 17 21:23:44 firewall kernel: BIOS-e820: 00000000ffff0000 - 0000000100000000 (reserved)
Jun 17 21:23:44 firewall kernel: On node 0 totalpages: 16384
Jun 17 21:23:44 firewall kernel: zone(0): 4096 pages.
Jun 17 21:23:44 firewall kernel: zone(1): 12288 pages.
Jun 17 21:23:44 firewall kernel: zone(2): 0 pages.
Jun 17 21:23:44 firewall kernel: Kernel command line: console=ttyS0,19200 BOOT_IMAGE=linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680,/dev/fd1u1680 LRP=root,etc,local,modules,shorwall,dnscache,weblet
Jun 17 21:23:44 firewall kernel: Initializing CPU#0
Jun 17 21:23:44 firewall kernel: Detected 233.869 MHz processor.
Jun 17 21:23:44 firewall kernel: Console: colour VGA+ 80x25
Jun 17 21:23:44 firewall kernel: Calibrating delay loop... 466.94 BogoMIPS
Jun 17 21:23:44 firewall kernel: Memory: 62392k/65536k available (853k kernel code, 2760k reserved, 204k data, 60k init, 0k highmem)
Jun 17 21:23:44 firewall kernel: Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)
Jun 17 21:23:44 firewall kernel: Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)
Jun 17 21:23:44 firewall kernel: Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Jun 17 21:23:44 firewall kernel: Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Jun 17 21:23:44 firewall kernel: Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
Jun 17 21:23:44 firewall kernel: CPU: L1 I Cache: 32K (32 bytes/line), D cache 32K (32 bytes/line)
Jun 17 21:23:44 firewall kernel: CPU: AMD-K6tm w/ multimedia extensions stepping 02
Jun 17 21:23:44 firewall kernel: Checking 'hlt' instruction... OK.
Jun 17 21:23:44 firewall kernel: POSIX conformance testing by UNIFIX
Jun 17 21:23:44 firewall kernel: PCI: PCI BIOS revision 2.10 entry at 0xfaf00, last bus=0
Jun 17 21:23:44 firewall kernel: PCI: Using configuration type 1
Jun 17 21:23:44 firewall kernel: PCI: Probing PCI hardware
Jun 17 21:23:44 firewall kernel: PCI: Using IRQ router PIIX [8086/7110] at 00:07.0
Jun 17 21:23:44 firewall kernel: Limiting direct PCI/PCI transfers.
Jun 17 21:23:44 firewall kernel: Linux NET4.0 for Linux 2.4
Jun 17 21:23:44 firewall kernel: Based upon Swansea University Computer Society NET3.039
Jun 17 21:23:44 firewall kernel: Initializing RT netlink socket
Jun 17 21:23:44 firewall kernel: Starting kswapd
Jun 17 21:23:44 firewall kernel: pty: 256 Unix98 ptys configured
Jun 17 21:23:44 firewall kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ DETECT_IRQ SERIAL_PCI enabled
Jun 17 21:23:44 firewall kernel: ttyS00 at 0x03f8 (irq = 4) is a 16550A
Jun 17 21:23:44 firewall kernel: Software Watchdog Timer: 0.05, timer margin: 60 sec
Jun 17 21:23:44 firewall kernel: block: 128 slots per queue, batch=32
Jun 17 21:23:44 firewall kernel: RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Jun 17 21:23:44 firewall kernel: Floppy drive(s): fd0 is 1.44M, fd1 is 1.44M
Jun 17 21:23:44 firewall kernel: FDC 0 is a post-1991 82077
Jun 17 21:23:44 firewall kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jun 17 21:23:44 firewall kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Jun 17 21:23:44 firewall kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Jun 17 21:23:44 firewall kernel: TCP: Hash tables configured (established 4096 bind 4096)
Jun 17 21:23:44 firewall kernel: Linux IP multicast router 0.06 plus PIM-SM
Jun 17 21:23:44 firewall kernel: ip_conntrack (512 buckets, 4096 max)
Jun 17 21:23:44 firewall kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jun 17 21:23:44 firewall kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Jun 17 21:23:44 firewall kernel: RAMDISK: Compressed image found at block 0
Jun 17 21:23:44 firewall kernel: Freeing initrd memory: 404k freed
Jun 17 21:23:44 firewall kernel: VFS: Mounted root (minix filesystem).
Jun 17 21:23:44 firewall kernel: Freeing unused kernel memory: 60k freed
Jun 17 21:23:44 firewall kernel: Linux Tulip driver version 0.9.15-pre9 (Nov 6, 2001)
Jun 17 21:23:44 firewall kernel: PCI: Found IRQ 11 for device 00:0a.0
Jun 17 21:23:44 firewall kernel: tulip0: MII transceiver #1 config 3100 status 7829 advertising 01e1.
Jun 17 21:23:44 firewall kernel: eth0: Lite-On 82c168 PNIC rev 32 at 0xc4815000, 00:C0:H1:55:A7:14, IRQ 11.
Jun 17 21:23:44 firewall kernel: PCI: Found IRQ 15 for device 00:0c.0
Jun 17 21:23:44 firewall kernel: tulip1: MII transceiver #1 config 3000 status 7829 advertising 01e1.
Jun 17 21:23:44 firewall kernel: eth1: Lite-On 82c168 PNIC rev 32 at 0xc4817000, 00:A0:CC:44:F3:21, IRQ 15.
Jun 17 21:23:44 firewall kernel: PCI: Found IRQ 10 for device 00:0b.0
Jun 17 21:23:44 firewall kernel: 00:0b.0: PCI cache line size set incorrectly (32 bytes) by BIOS/FW, correcting to 16
Jun 17 21:23:44 firewall kernel: eth2: Lite-On PNIC-II rev 37 at 0xc4819000, 00:A0:CC:44:F1:B2, IRQ 10.
Jun 17 21:23:45 firewall kernel: eth1: Setting full-duplex based on MII#1 link partner capability of 45e1.
Jun 17 21:23:56 firewall root: Shorewall Started
Shorewall setup (Note: I did not include files that were not modified from a stock Shorewall 1.3.1):
============== interfaces ==============
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        64.81.34.255     norfc1918
loc     eth1        10.170.166.255   routestopped
dmz     eth2        10.170.165.255   routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============== policy ==============
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       loc    ACCEPT
loc       net    ACCEPT
$FW       loc    ACCEPT
loc       fw     REJECT
fw        net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============== rules ==============
#ACTION       SOURCE   DEST                  PROTO   DEST                                  SOURCE    ORIGINAL
#                                                    PORT                                  PORT(S)   DEST
#
# Stop IRC/Mail connection Delays
#
REJECT        net      fw                    tcp     113
#
# Stop leeches from sucking down bandwidth
#
REJECT        loc      net                   tcp     1214
REJECT        net      loc                   tcp     1214
#
# Accept DNS connections from fw to anywhere to allow DNS Servers to work
#
ACCEPT        fw       net                   tcp     53
ACCEPT        fw       net                   udp     53
#
ACCEPT        dmz      net                   tcp     53
ACCEPT        dmz      net                   udp     53
ACCEPT        net      dmz                   udp     53
ACCEPT        net      dmz                   tcp     53
#
ACCEPT        loc      fw                    udp     53
ACCEPT        fw       loc                   udp     53
#
# Accept SSH connections from fw to loc,dmz,net
#
ACCEPT        loc      fw                    tcp     22
ACCEPT        loc      dmz                   tcp     22
ACCEPT        net      fw                    tcp     22
ACCEPT        fw       net                   tcp     22
ACCEPT        fw       dmz                   tcp     22
ACCEPT        dmz      fw                    tcp     22
#
# Make ping work between the DMZ, net and local zone (assumes that the loc->
# net policy is ACCEPT).
#
ACCEPT        loc      dmz                   icmp    8
ACCEPT        dmz      loc                   icmp    8
ACCEPT        dmz      net                   icmp    8
ACCEPT        net      dmz                   icmp    8        # Only with Proxy ARP and
ACCEPT        net      loc                   icmp    8        # static NAT
#
# Allow connections to Weblet on fw from anywhere (let hosts.allow work)
#
ACCEPT        loc      fw                    tcp     wwweblet
ACCEPT        fw       loc                   tcp     wwweblet
ACCEPT        net      fw                    tcp     wwweblet
ACCEPT        fw       net                   tcp     wwweblet
#
# Rules for SERVERS behind firewall -ProxyArp-
# 06/14/2002
#
ACCEPT        net      dmz                   tcp     21
ACCEPT        net      dmz                   tcp     22
ACCEPT        net      dmz                   tcp     25
ACCEPT        net      dmz                   tcp     80
ACCEPT        net      dmz                   tcp     110
ACCEPT        net      dmz                   tcp     143
ACCEPT        net      dmz                   tcp     443
ACCEPT        net      dmz                   tcp     auth
ACCEPT        net      dmz                   tcp     whois
#
ACCEPT        dmz      net                   tcp     21
ACCEPT        dmz      net                   tcp     22
ACCEPT        dmz      net                   tcp     25
ACCEPT        dmz      net                   tcp     80
ACCEPT        dmz      net                   tcp     110
ACCEPT        dmz      net                   tcp     143
ACCEPT        dmz      net                   tcp     443
ACCEPT        dmz      net                   tcp     auth
ACCEPT        dmz      net                   tcp     whois
#
ACCEPT        loc      dmz                   tcp     21
ACCEPT        loc      dmz                   tcp     22
ACCEPT        loc      dmz                   tcp     25
ACCEPT        loc      dmz                   tcp     80
ACCEPT        loc      dmz                   tcp     110
ACCEPT        loc      dmz                   tcp     143
ACCEPT        loc      dmz                   tcp     443
ACCEPT        loc      dmz                   tcp     auth
ACCEPT        loc      dmz                   tcp     whois
#
# MOH Game Server running on the (loc) network
#
ACCEPT        net      loc                   tcp     12000,12201,12202,12203,12210,12300
ACCEPT        loc      net                   tcp     12000,12201,12202,12203,12210,12300
#
DNAT          net      loc:10.170.166.123    udp     12000,12201,12202,12203,12210,12300
DNAT          net      loc:10.170.166.123    tcp     12000,12201,12202,12203,12210,12300
#
# Bug Fixes for FTP
#
ACCEPT:info   dmz      net                   tcp     1024:                                 20
#
# TESTING SECTION
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============== masq ==============
#INTERFACE   SUBNET   ADDRESS
eth0         eth1     64.81.34.152
eth0         eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
============== ProxyARP ==============
#ADDRESS       INTERFACE   EXTERNAL   HAVEROUTE
64.81.34.164   eth2        eth0       No
64.81.34.166   eth2        eth0       No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
============== TOS ==============
#SOURCE   DEST   PROTOCOL   SOURCE PORTS   DEST PORTS   TOS
all       all    tcp        -              ssh          16
all       all    tcp        ssh            -            16
all       all    tcp        -              ftp          16
all       all    tcp        ftp            -            16
all       all    tcp        ftp-data       -            8
all       all    tcp        -              ftp-data     8
all       all    udp        12203          -            8
all       all    udp        -              12203        8
#LAST LINE -- Add your entries above -- DO NOT REMOVE
--- EOF ---
Steve Sobka
[EMAIL PROTECTED]
P.S. I hope I gave the correct info needed to help diagnose my problem.
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
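Editor's note on the setup above. Shorewall's proxyarp file makes the firewall answer ARP for 64.81.34.164 and 64.81.34.166 on eth0 (a published "PERM PUB" ARP entry carrying eth0's own hardware address) and routes those two addresses out eth2 as /32 host routes. That means the ISP's router on the far side of the DSL modem learns eth0's MAC for each proxied address, and the modem itself is not what holds that cache. Swapping the eth0 card changes exactly that MAC, so the two things worth confirming are (a) that the firewall side is consistent after the swap and (b) whether ARP requests for the DMZ addresses still arrive on eth0 and get answered. The script below is an added example, not part of the original message and not Shorewall or LEAF code; it checks (a) offline against constructed `arp -an`, `ip -4 route show` and `ip link show eth0` output that mirrors the post's addresses (the MACs are made up). The function and variable names are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post, Shorewall or LEAF): an offline
# check of the firewall-side state the proxyarp file is meant to produce.
# For every proxied address the firewall must hold
#   (1) a published ("PERM PUB") ARP entry on the EXTERNAL interface that
#       carries that interface's *current* hardware address, and
#   (2) a /32 host route to the address out the INTERNAL interface.
# The samples below are CONSTRUCTED to mirror the post's addresses
# (64.81.34.164/.166 behind eth2, eth0 external); every MAC is made up.
# On the firewall, pass the real command output as arguments 4-6 instead.

# Constructed `arp -an` output (net-tools format).  The last line is an
# ordinary learned entry for the upstream router, to show it is ignored.
ARP_SAMPLE='? (64.81.34.164) at 00:02:B3:1A:2B:3C [ether] PERM PUB on eth0
? (64.81.34.166) at 00:02:B3:1A:2B:3C [ether] PERM PUB on eth0
? (64.81.34.1) at 00:90:7F:11:22:33 [ether] on eth0'

# Constructed `ip -4 route show` output.
ROUTE_SAMPLE='64.81.34.166 dev eth2  scope link
64.81.34.164 dev eth2  scope link
64.81.34.0/24 dev eth0  proto kernel  scope link  src 64.81.34.152
10.170.166.0/24 dev eth1  proto kernel  scope link  src 10.170.166.254
10.170.165.0/24 dev eth2  proto kernel  scope link  src 10.170.165.254
default via 64.81.34.1 dev eth0'

# Constructed `ip link show eth0` output for the card that published the
# entries above (MAC matches), and a second one whose MAC does not match,
# standing in for "entries were published for a different card".
LINK_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:b3:1a:2b:3c brd ff:ff:ff:ff:ff:ff'
LINK_SAMPLE_MISMATCH='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:c0:f0:aa:bb:cc brd ff:ff:ff:ff:ff:ff'

# pub_mac ADDR EXT_IF: read `arp -an` output on stdin; print the lower-cased
# MAC of the published entry for ADDR on EXT_IF, or nothing if there is none.
pub_mac() {
    awk -v a="($1)" -v i="$2" \
        '$2 == a && / PERM PUB / && $NF == i { print tolower($4) }'
}

# host_route_dev ADDR: read `ip -4 route show` output on stdin; print the
# device of the /32 route for ADDR, or nothing.
host_route_dev() {
    awk -v a="$1" '$1 == a && $2 == "dev" { print $3 }'
}

# link_mac: read `ip link show IFACE` output on stdin; print its MAC.
link_mac() {
    awk '$1 == "link/ether" { print tolower($2) }'
}

# check_proxyarp ADDR INT_IF EXT_IF [ARP_OUT] [ROUTE_OUT] [LINK_OUT]
# Prints OK, or the name of the first failing check plus a reason, and
# returns non-zero on failure.  Arguments 4-6 default to the samples above.
check_proxyarp() {
    addr=$1; int_if=$2; ext_if=$3
    arp_out=${4:-$ARP_SAMPLE}
    route_out=${5:-$ROUTE_SAMPLE}
    link_out=${6:-$LINK_SAMPLE}

    mac=$(printf '%s\n' "$arp_out" | pub_mac "$addr" "$ext_if")
    if [ -z "$mac" ]; then
        echo "NO_PUB_ENTRY: $ext_if publishes no ARP entry for $addr"
        return 1
    fi
    own=$(printf '%s\n' "$link_out" | link_mac)
    if [ "$mac" != "$own" ]; then
        echo "STALE_MAC: entry for $addr carries $mac but $ext_if is $own"
        return 1
    fi
    dev=$(printf '%s\n' "$route_out" | host_route_dev "$addr")
    if [ "$dev" != "$int_if" ]; then
        echo "NO_HOST_ROUTE: no /32 route for $addr via $int_if"
        return 1
    fi
    echo OK
}

# Stand-alone run over the constructed samples.
check_proxyarp 64.81.34.164 eth2 eth0
check_proxyarp 64.81.34.166 eth2 eth0
check_proxyarp 64.81.34.166 eth2 eth0 \
    "$ARP_SAMPLE" "$ROUTE_SAMPLE" "$LINK_SAMPLE_MISMATCH" || true
```

On the firewall itself you would call it as `check_proxyarp 64.81.34.166 eth2 eth0 "$(arp -an)" "$(ip -4 route show)" "$(ip link show eth0)"`. A STALE_MAC result is only expected when the card was changed without Shorewall being restarted, since `arp -Ds ... pub` copies the interface's hardware address at the moment it runs; after a reboot all three checks normally pass. If they do, the firewall side is consistent and what remains is the upstream router's neighbour cache, which keeps the old card's MAC for each proxied address until its entry times out or it hears a fresh ARP reply for that address. `tcpdump -n -i eth0 arp` (if the tcpdump package is loaded) shows whether requests for 64.81.34.164/.166 arrive and whether eth0 answers them.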