I recently decided to upgrade my Bering 1.0-rc2 firewall by replacing the eth0 NIC with a new one. Everything was working fine, but once I changed the NIC, traffic from the Internet was no longer able to reach my DMZ. BTW, I am running proxy ARP in Shorewall. I am totally clueless as to why just replacing a NIC would cause this. I did restart the switch that connects the (dmz) to the firewall, and I also restarted the SpeedStream DSL modem that connects me to the Internet after I made the changes, to clear out the ARP cache, but this seemed to do nothing.
Here's what I have done and my configuration settings. My old setup, with the ethX and corresponding module:

(External Internet) 64.81.34.152 eth0 = tulip
(loc network) 10.170.166.254 eth1 = tulip
(dmz network) 10.170.165.254 eth2 = tulip

I replaced the eth0, which was a Kingston TX100 card, with an Intel EtherExpress Pro100. I downloaded and installed the eepro100.o module. I changed the modules parameters to load the modules with the eepro100 above the line for tulip, so the eepro100 module would load first. Backed up, rebooted. So now my network looks like this:

(External Internet) 64.81.34.152 eth0 = eepro100
(loc network) 10.170.166.254 eth1 = tulip
(dmz network) 10.170.165.254 eth2 = tulip

When the system reboots, everything comes up fine. I go to any of the computers on the (loc) network and I ping and browse the Internet, so I know the new eepro NIC is working. Then from the (loc) computer I am able to browse the web server (64.81.34.166) located on the (dmz). I noticed that one of them was responding very slowly, but it did work. Then I ssh into an external system on another network and try using lynx to connect to the web server located on the (dmz). Nothing responded. I tried pinging the web server; I got nothing. I tried restarting the web server box itself, restarting the switch that connects it to the (dmz), and restarting the SpeedStream modem. Still I cannot access the web server from the Internet, but I can access it from the (loc) network machines. OK, I am totally confused now, so I replace the eepro NIC with the old Kingston TX100 that was in before. I reboot the box and everything works like a charm again. I think, hmmm, maybe this eepro NIC has problems with the proxy ARP stuff, so I try replacing the eth0 NIC with a 3Com 3c509 ISA card. I load the modules, save, reboot... Same problem, no access from the Internet.
I also tried using the 3Com 3c509 as eth2, and I had the same problem: no access from the Internet, but I could browse just fine from the (loc) <> (dmz). I am wondering if this is some kind of Shorewall issue or an IRQ issue with the setup? I am lost. Any help or guidance would be great. I am thinking that just changing a NIC in the box should not affect Shorewall in any way, since it only needs to know which interface = which network... not what module it loads, etc... In case it matters, here are my setup files, and a dmesg output from when the three NICs that work fine load at system boot:

/var/log/messages:

Jun 17 21:23:44 firewall syslogd 1.3-3#31.slink1: restart.
Jun 17 21:23:44 firewall kernel: klogd 1.3-3#31.slink1, log source = /proc/kmsg started.
Jun 17 21:23:44 firewall kernel: Cannot find map file.
Jun 17 21:23:44 firewall kernel: Loaded 38 symbols from 5 modules.
Jun 17 21:23:44 firewall kernel: Linux version 2.4.18 (root@debian) (gcc version 2.95.2 20000220 (Debian GNU/Linux)) #1 Sun Apr 21 12:50:34 CEST 2002
Jun 17 21:23:44 firewall kernel: BIOS-provided physical RAM map:
Jun 17 21:23:44 firewall kernel: BIOS-e820: 0000000000000000 - 00000000000a0000 (usable)
Jun 17 21:23:44 firewall kernel: BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
Jun 17 21:23:44 firewall kernel: BIOS-e820: 0000000000100000 - 0000000004000000 (usable)
Jun 17 21:23:44 firewall kernel: BIOS-e820: 00000000ffff0000 - 0000000100000000 (reserved)
Jun 17 21:23:44 firewall kernel: On node 0 totalpages: 16384
Jun 17 21:23:44 firewall kernel: zone(0): 4096 pages.
Jun 17 21:23:44 firewall kernel: zone(1): 12288 pages.
Jun 17 21:23:44 firewall kernel: zone(2): 0 pages.
Jun 17 21:23:44 firewall kernel: Kernel command line: console=ttyS0,19200 BOOT_IMAGE=linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680,/dev/fd1u1680 LRP=root,etc,local,modules,shorwall,dnscache,weblet
Jun 17 21:23:44 firewall kernel: Initializing CPU#0
Jun 17 21:23:44 firewall kernel: Detected 233.869 MHz processor.
Jun 17 21:23:44 firewall kernel: Console: colour VGA+ 80x25
Jun 17 21:23:44 firewall kernel: Calibrating delay loop... 466.94 BogoMIPS
Jun 17 21:23:44 firewall kernel: Memory: 62392k/65536k available (853k kernel code, 2760k reserved, 204k data, 60k init, 0k highmem)
Jun 17 21:23:44 firewall kernel: Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)
Jun 17 21:23:44 firewall kernel: Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)
Jun 17 21:23:44 firewall kernel: Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Jun 17 21:23:44 firewall kernel: Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Jun 17 21:23:44 firewall kernel: Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
Jun 17 21:23:44 firewall kernel: CPU: L1 I Cache: 32K (32 bytes/line), D cache 32K (32 bytes/line)
Jun 17 21:23:44 firewall kernel: CPU: AMD-K6tm w/ multimedia extensions stepping 02
Jun 17 21:23:44 firewall kernel: Checking 'hlt' instruction... OK.
Jun 17 21:23:44 firewall kernel: POSIX conformance testing by UNIFIX
Jun 17 21:23:44 firewall kernel: PCI: PCI BIOS revision 2.10 entry at 0xfaf00, last bus=0
Jun 17 21:23:44 firewall kernel: PCI: Using configuration type 1
Jun 17 21:23:44 firewall kernel: PCI: Probing PCI hardware
Jun 17 21:23:44 firewall kernel: PCI: Using IRQ router PIIX [8086/7110] at 00:07.0
Jun 17 21:23:44 firewall kernel: Limiting direct PCI/PCI transfers.
Jun 17 21:23:44 firewall kernel: Linux NET4.0 for Linux 2.4
Jun 17 21:23:44 firewall kernel: Based upon Swansea University Computer Society NET3.039
Jun 17 21:23:44 firewall kernel: Initializing RT netlink socket
Jun 17 21:23:44 firewall kernel: Starting kswapd
Jun 17 21:23:44 firewall kernel: pty: 256 Unix98 ptys configured
Jun 17 21:23:44 firewall kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ DETECT_IRQ SERIAL_PCI enabled
Jun 17 21:23:44 firewall kernel: ttyS00 at 0x03f8 (irq = 4) is a 16550A
Jun 17 21:23:44 firewall kernel: Software Watchdog Timer: 0.05, timer margin: 60 sec
Jun 17 21:23:44 firewall kernel: block: 128 slots per queue, batch=32
Jun 17 21:23:44 firewall kernel: RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Jun 17 21:23:44 firewall kernel: Floppy drive(s): fd0 is 1.44M, fd1 is 1.44M
Jun 17 21:23:44 firewall kernel: FDC 0 is a post-1991 82077
Jun 17 21:23:44 firewall kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jun 17 21:23:44 firewall kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Jun 17 21:23:44 firewall kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
Jun 17 21:23:44 firewall kernel: TCP: Hash tables configured (established 4096 bind 4096)
Jun 17 21:23:44 firewall kernel: Linux IP multicast router 0.06 plus PIM-SM
Jun 17 21:23:44 firewall kernel: ip_conntrack (512 buckets, 4096 max)
Jun 17 21:23:44 firewall kernel: ip_tables: (C) 2000-2002 Netfilter core team
Jun 17 21:23:44 firewall kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Jun 17 21:23:44 firewall kernel: RAMDISK: Compressed image found at block 0
Jun 17 21:23:44 firewall kernel: Freeing initrd memory: 404k freed
Jun 17 21:23:44 firewall kernel: VFS: Mounted root (minix filesystem).
Jun 17 21:23:44 firewall kernel: Freeing unused kernel memory: 60k freed
Jun 17 21:23:44 firewall kernel: Linux Tulip driver version 0.9.15-pre9 (Nov 6, 2001)
Jun 17 21:23:44 firewall kernel: PCI: Found IRQ 11 for device 00:0a.0
Jun 17 21:23:44 firewall kernel: tulip0: MII transceiver #1 config 3100 status 7829 advertising 01e1.
Jun 17 21:23:44 firewall kernel: eth0: Lite-On 82c168 PNIC rev 32 at 0xc4815000, 00:C0:H1:55:A7:14, IRQ 11.
Jun 17 21:23:44 firewall kernel: PCI: Found IRQ 15 for device 00:0c.0
Jun 17 21:23:44 firewall kernel: tulip1: MII transceiver #1 config 3000 status 7829 advertising 01e1.
Jun 17 21:23:44 firewall kernel: eth1: Lite-On 82c168 PNIC rev 32 at 0xc4817000, 00:A0:CC:44:F3:21, IRQ 15.
Jun 17 21:23:44 firewall kernel: PCI: Found IRQ 10 for device 00:0b.0
Jun 17 21:23:44 firewall kernel: 00:0b.0: PCI cache line size set incorrectly (32 bytes) by BIOS/FW, correcting to 16
Jun 17 21:23:44 firewall kernel: eth2: Lite-On PNIC-II rev 37 at 0xc4819000, 00:A0:CC:44:F1:B2, IRQ 10.
Jun 17 21:23:45 firewall kernel: eth1: Setting full-duplex based on MII#1 link partner capability of 45e1.
Jun 17 21:23:56 firewall root: Shorewall Started

Shorewall setup (Note: I did not include files that were not modified from a stock Shorewall 1.3.1):

============== interfaces ==============
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 64.81.34.255 norfc1918
loc eth1 10.170.166.255 routestopped
dmz eth2 10.170.165.255 routestopped
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============== policy ==============
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
loc loc ACCEPT
loc net ACCEPT
$FW loc ACCEPT
loc fw REJECT
fw net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE

============== rules ==============
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#
# Stop IRC/Mail connection Delays
#
REJECT net fw tcp 113
#
#
# Stop leeches from sucking down bandwidth
#
REJECT loc net tcp 1214
REJECT net loc tcp 1214
#
# Accept DNS connections from fw to anywhere to allow DNS Servers to work
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
ACCEPT dmz net tcp 53
ACCEPT dmz net udp 53
ACCEPT net dmz udp 53
ACCEPT net dmz tcp 53
#
ACCEPT loc fw udp 53
ACCEPT fw loc udp 53
#
# Accept SSH connections from fw to loc,dmz,net
#
ACCEPT loc fw tcp 22
ACCEPT loc dmz tcp 22
ACCEPT net fw tcp 22
ACCEPT fw net tcp 22
ACCEPT fw dmz tcp 22
ACCEPT dmz fw tcp 22
#
#
# Make ping work between the DMZ, net and local zone (assumes that the loc->
# net policy is ACCEPT).
#
ACCEPT loc dmz icmp 8
ACCEPT dmz loc icmp 8
ACCEPT dmz net icmp 8
ACCEPT net dmz icmp 8 # Only with Proxy ARP and
ACCEPT net loc icmp 8 # static NAT
#
# Allow connections to Weblet on fw from anywhere (let hosts.allow work)
#
ACCEPT loc fw tcp wwweblet
ACCEPT fw loc tcp wwweblet
ACCEPT net fw tcp wwweblet
ACCEPT fw net tcp wwweblet
#
# Rules for SERVERS behind firewall -ProxyArp-
# 06/14/2002
#
ACCEPT net dmz tcp 21
ACCEPT net dmz tcp 22
ACCEPT net dmz tcp 25
ACCEPT net dmz tcp 80
ACCEPT net dmz tcp 110
ACCEPT net dmz tcp 143
ACCEPT net dmz tcp 443
ACCEPT net dmz tcp auth
ACCEPT net dmz tcp whois
#
ACCEPT dmz net tcp 21
ACCEPT dmz net tcp 22
ACCEPT dmz net tcp 25
ACCEPT dmz net tcp 80
ACCEPT dmz net tcp 110
ACCEPT dmz net tcp 143
ACCEPT dmz net tcp 443
ACCEPT dmz net tcp auth
ACCEPT dmz net tcp whois
#
ACCEPT loc dmz tcp 21
ACCEPT loc dmz tcp 22
ACCEPT loc dmz tcp 25
ACCEPT loc dmz tcp 80
ACCEPT loc dmz tcp 110
ACCEPT loc dmz tcp 143
ACCEPT loc dmz tcp 443
ACCEPT loc dmz tcp auth
ACCEPT loc dmz tcp whois
#
# MOH Game Server running on the (loc) network
#
ACCEPT net loc tcp 12000,12201,12202,12203,12210,12300
ACCEPT loc net tcp 12000,12201,12202,12203,12210,12300
#
DNAT net loc:10.170.166.123 udp 12000,12201,12202,12203,12210,12300
DNAT net loc:10.170.166.123 tcp 12000,12201,12202,12203,12210,12300
#
#
# Bug Fixes for FTP
#
ACCEPT:info dmz net tcp 1024: 20
#
# TESTING SECTION
#
#
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============== masq ==============
#INTERFACE SUBNET ADDRESS
eth0 eth1 64.81.34.152
eth0 eth2
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

============== ProxyARP ==============
#ADDRESS INTERFACE EXTERNAL HAVEROUTE
64.81.34.164 eth2 eth0 No
64.81.34.166 eth2 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

============== TOS ==============
#SOURCE DEST PROTOCOL SOURCE PORTS DEST PORTS TOS
all all tcp - ssh 16
all all tcp ssh - 16
all all tcp - ftp 16
all all tcp ftp - 16
all all tcp ftp-data - 8
all all tcp - ftp-data 8
all all udp 12203 - 8
all all udp - 12203 8
#LAST LINE -- Add your entries above -- DO NOT REMOVE

--- EOF ---

Steve Sobka
[EMAIL PROTECTED]

P.S. I hope I gave the correct info needed to help diagnose my problem.

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
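The post's proxyarp table publishes two DMZ addresses on eth0, the very interface whose card was swapped. The script below is an added example, not code from the post or from Shorewall: it parses a proxyarp file in the same "ADDRESS INTERFACE EXTERNAL HAVEROUTE" layout, compares the state the firewall should have (proxy_arp enabled on EXTERNAL, a host route to ADDRESS via INTERFACE unless HAVEROUTE is Yes, a proxy ARP entry for ADDRESS on EXTERNAL; this is my reading of how Shorewall 1.3 sets proxy ARP up, stated as an assumption) against observed state, and reports which published addresses sit on an interface whose MAC changed between two boot logs. The observed routes, neighbour entries and boot lines are constructed, the placeholder MACs are not the ones from the post, and the `ip route show` / `ip neigh show proxy` line formats are assumptions.

```python
"""Offline consistency check for a Shorewall-style proxyarp table (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed copy of the proxyarp file shown in the post.
PROXYARP_SAMPLE = """#ADDRESS      INTERFACE  EXTERNAL  HAVEROUTE
64.81.34.164  eth2       eth0      No
64.81.34.166  eth2       eth0      No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

# Constructed observed state: the host route for .166 is deliberately missing.
SYSCTL_PROXY_ARP = {"eth0": "1", "eth1": "0", "eth2": "0"}   # /proc/sys/net/ipv4/conf/*/proxy_arp
ROUTES = [                                                   # assumed `ip route show` layout
    "64.81.34.164 dev eth2  scope link",
    "64.81.34.0/24 dev eth0  proto kernel  scope link  src 64.81.34.152",
    "10.170.166.0/24 dev eth1  proto kernel  scope link  src 10.170.166.254",
    "10.170.165.0/24 dev eth2  proto kernel  scope link  src 10.170.165.254",
    "default via 64.81.34.1 dev eth0",                       # constructed gateway address
]
PROXY_NEIGH = ["64.81.34.164 dev eth0 proxy", "64.81.34.166 dev eth0 proxy"]  # assumed `ip neigh show proxy` layout

# Constructed boot logs with placeholder MACs: eth0 is a different card on the second boot.
OLD_BOOT = [
    "Jun 17 21:23:44 firewall kernel: eth0: Lite-On 82c168 PNIC rev 32 at 0xc4815000, 00:C0:00:00:00:01, IRQ 11.",
    "Jun 17 21:23:44 firewall kernel: eth2: Lite-On PNIC-II rev 37 at 0xc4819000, 00:A0:00:00:00:03, IRQ 10.",
]
NEW_BOOT = [
    "Jun 18 08:00:00 firewall kernel: eth0: (constructed eepro100 line) at 0xc4815000, 00:02:00:00:00:02, IRQ 11.",
    "Jun 18 08:00:00 firewall kernel: eth2: Lite-On PNIC-II rev 37 at 0xc4819000, 00:A0:00:00:00:03, IRQ 10.",
]

ROUTE_RE = re.compile(r"^(\S+) dev (\S+)")
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) proxy$")
MAC_RE = re.compile(r"^(eth\d+):.*?\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


@dataclass(frozen=True)
class ProxyArpEntry:
    address: str     # public address being published
    interface: str   # interface the host really sits behind (eth2 in the post)
    external: str    # interface on which the firewall answers ARP for it (eth0)
    haveroute: bool  # Yes means the route already exists and should not be checked


def parse_proxyarp(text: str) -> list:
    """Parse ADDRESS INTERFACE EXTERNAL [HAVEROUTE] lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed proxyarp line: {raw!r}")
        address, interface, external = fields[:3]
        haveroute = len(fields) > 3 and fields[3].lower() == "yes"
        entries.append(ProxyArpEntry(address, interface, external, haveroute))
    return entries


def check_state(entries, proxy_arp_sysctl, routes, proxy_neigh) -> list:
    """Return one finding per expected item (sysctl, proxy entry, host route) that is absent."""
    host_routes = {m.group(1): m.group(2) for m in map(ROUTE_RE.match, (r.strip() for r in routes)) if m}
    proxied = {(m.group(1), m.group(2)) for m in map(NEIGH_RE.match, (n.strip() for n in proxy_neigh)) if m}
    findings = []
    for e in entries:
        if proxy_arp_sysctl.get(e.external, "0") != "1":
            findings.append(f"{e.address}: proxy_arp is not enabled on {e.external}")
        if (e.address, e.external) not in proxied:
            findings.append(f"{e.address}: no proxy ARP entry on {e.external}")
        if not e.haveroute and host_routes.get(e.address) != e.interface:
            findings.append(f"{e.address}: no host route via {e.interface}")
    return findings


def interface_macs(boot_lines) -> dict:
    """Map ethN -> MAC from kernel driver-attach lines like the ones in the post."""
    macs = {}
    for line in boot_lines:
        m = MAC_RE.search(line.split("kernel: ", 1)[-1])
        if m:
            macs[m.group(1)] = m.group(2).upper()
    return macs


def changed_external_macs(entries, old_macs, new_macs) -> list:
    """Published addresses whose EXTERNAL interface changed MAC between two boots.
    Upstream ARP caches keep answering to the old MAC for those addresses until they expire."""
    changed = []
    for e in entries:
        old, new = old_macs.get(e.external), new_macs.get(e.external)
        if old and new and old != new:
            changed.append((e.address, e.external, old, new))
    return changed


if __name__ == "__main__":
    entries = parse_proxyarp(PROXYARP_SAMPLE)
    for problem in check_state(entries, SYSCTL_PROXY_ARP, ROUTES, PROXY_NEIGH):
        print("PROBLEM:", problem)
    for addr, iface, old, new in changed_external_macs(entries, interface_macs(OLD_BOOT), interface_macs(NEW_BOOT)):
        print(f"{addr}: published on {iface}, whose MAC changed {old} -> {new}; upstream ARP caches for {addr} are stale until they expire")
```

On a real box the three observed inputs would come from `cat /proc/sys/net/ipv4/conf/eth0/proxy_arp`, `ip route show` and `ip neigh show proxy` after `shorewall start`, and the two boot logs from /var/log/messages before and after the card swap. The MAC comparison is the check to run first after replacing the external card: the published addresses are answered with eth0's hardware address, so every neighbour that cached the old one keeps sending to a card that is no longer there.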