swfla.rr.com == aka == timewarner/roadrunner cable
I'm using the default setup on the Bering_1.0rc3 floppy1680 image
---except I went ahead and removed norfc1918 from
/etc/shorewall/interfaces' eth0
Initially the users connected behind the firewall are able to use
services, then after a random amount of time the internet dissapears.
The internal network can still reach weblet on the firewall, but all
requests NAT to the internet fail.
From the firewall/Bering box itself, pump -s says I still have valid
lease, but it sure doesn't act like it.
If I issue shorewall stop, svi networking stop, power cycle the modem,
svi networking start, shorewall start, svi networking restart; the
connection to the internet at large is restored. It doesn't appear to be
a physical ISP failure, because I can do this immediately after the
disconnect. I can also reboot bering & powercycle the modem and get
immediate connection. The disconnect appears after a random amount of
time, sometimes a few minutes, sometimes after more that 12 hours.
eth0 is outside - connected to the rr cablemodem
eth1 is inside - connected to hub
eth2 is unused
what follows are via the firewall/bering box console.
uname=============================================================
Linux firewall 2.4.18 #4 Sun Jun 9 09:46:15 CEST 2002 i486 unknown
ip addr show =======================================================
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:00:c5:04:db:e8 brd ff:ff:ff:ff:ff:ff
inet 65.34.117.132/23 brd 255.255.255.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:40:f6:f4:e5:d4 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
5: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 100
link/ether 00:40:33:90:fc:3a brd ff:ff:ff:ff:ff:ff
ip route show ======================================================
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.254
65.34.116.0/23 dev eth0 proto kernel scope link src 65.34.117.132
default via 65.34.116.1 dev eth0
pump -s=============================================================
Device eth0
IP: 65.34.117.132
Netmask: 255.255.254.0
Broadcast: 255.255.255.255
Network: 65.34.116.0
Boot server 65.32.2.175
Next server 0.0.0.0
Gateway: 65.34.116.1
Hostname: firewall
Domain: swfla.rr.com
Nameservers: 65.32.1.70 65.32.2.130
Renewal time: Sat Aug 10 05:29:08 2002
Expiration time: Sat Aug 10 06:59:08 2002
netstat -nr---------------------------------------------------------
netstat: not found
traceroute: not found
ping a FQN that will normally respond----------------------------
never responds, have to kill process.
I am not getting info back from the nameserver.
All pings that follow are to numerical addresses x.x.x.x
see pump -s section above for appropriate address numbers
These ping(s) will succeed when firewall is first booted.
ping one, then the other nameserver---------------------------------
never responds, have to kill process. 100% packet loss
ping gateway---------------------------------------------------------
never responds, have to kill process. 100% packet loss
ping bootserver/DHCPserver------------------------------------------
never responds, have to kill process. 100% packet loss
ping address outside ISP that normally responds---------------------
never responds, have to kill process. 100% packet loss
iptables -nvL=======================================================
Chain INPUT (policy DROP 2 packets, 144 bytes)
pkts bytes target prot opt in out source
destination
560 52190 ACCEPT ah -- lo * 0.0.0.0/0
0.0.0.0/0
565 160K eth0_in ah -- eth0 * 0.0.0.0/0
0.0.0.0/0
373 24430 eth1_in ah -- eth1 * 0.0.0.0/0
0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
7434 5349K eth0_fwd ah -- eth0 * 0.0.0.0/0
0.0.0.0/0
6112 758K eth1_fwd ah -- eth1 * 0.0.0.0/0
0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
560 52190 ACCEPT ah -- * lo 0.0.0.0/0
0.0.0.0/0
0 0 DROP icmp -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID
57 5857 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0
0 0 ACCEPT udp -- * eth0 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
1199 75914 fw2net ah -- * eth0 0.0.0.0/0
0.0.0.0/0
373 34139 all2all ah -- * eth1 0.0.0.0/0
0.0.0.0/0
0 0 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain all2all (3 references)
pkts bytes target prot opt in out source
destination
355 32969 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
18 1170 common ah -- * * 0.0.0.0/0
0.0.0.0/0
0 0 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
0 0 reject ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain common (5 references)
pkts bytes target prot opt in out source
destination
0 0 icmpdef icmp -- * * 0.0.0.0/0
0.0.0.0/0
45 2340 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x10/0x10
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp flags:0x04/0x04
10 780 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:137:139 reject-with icmp-port-unreachable
0 0 REJECT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:445 reject-with icmp-port-unreachable
0 0 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:135
0 0 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpt:1900
0 0 DROP ah -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0
224.0.0.0/4
1 60 reject tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:113
18 1170 DROP udp -- * * 0.0.0.0/0
0.0.0.0/0 udp spt:53 state NEW
0 0 DROP ah -- * * 0.0.0.0/0
255.255.255.255
0 0 DROP ah -- * * 0.0.0.0/0
192.168.1.255
Chain eth0_fwd (1 references)
pkts bytes target prot opt in out source
destination
7434 5349K net2all ah -- * eth1 0.0.0.0/0
0.0.0.0/0
Chain eth0_in (1 references)
pkts bytes target prot opt in out source
destination
90 31036 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 udp dpts:67:68
9 756 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
466 128K net2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain eth1_fwd (1 references)
pkts bytes target prot opt in out source
destination
6112 758K loc2net ah -- * eth0 0.0.0.0/0
0.0.0.0/0
Chain eth1_in (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 8
373 24430 loc2fw ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain fw2net (1 references)
pkts bytes target prot opt in out source
destination
46 1840 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:53
1153 74074 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 all2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain icmpdef (1 references)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0
0.0.0.0/0 icmp type 12
Chain loc2fw (1 references)
pkts bytes target prot opt in out source
destination
363 23769 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:22
10 661 ACCEPT udp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 state NEW tcp dpt:80
0 0 all2all ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain loc2net (1 references)
pkts bytes target prot opt in out source
destination
5393 715K ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
719 43140 ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain net2all (2 references)
pkts bytes target prot opt in out source
destination
7841 5474K ACCEPT ah -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
59 3324 common ah -- * * 0.0.0.0/0
0.0.0.0/0
3 144 LOG ah -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:net2all:DROP:'
3 144 DROP ah -- * * 0.0.0.0/0
0.0.0.0/0
Chain reject (6 references)
pkts bytes target prot opt in out source
destination
1 60 REJECT tcp -- * * 0.0.0.0/0
0.0.0.0/0 reject-with tcp-reset
0 0 REJECT ah -- * * 0.0.0.0/0
0.0.0.0/0 reject-with icmp-port-unreachable
Chain shorewall (0 references)
pkts bytes target prot opt in out source
destination
iptables -t nat -vnL================================================
Chain PREROUTING (policy ACCEPT 775 packets, 55690 bytes)
pkts bytes target prot opt in out source
destination
Chain POSTROUTING (policy ACCEPT 1167 packets, 75255 bytes)
pkts bytes target prot opt in out source
destination
664 39840 MASQUERADE ah -- * eth0 192.168.1.0/24
0.0.0.0/0
Chain OUTPUT (policy ACCEPT 1184 packets, 76385 bytes)
pkts bytes target prot opt in out source
destination
/var/log/messages===================================================
Aug 9 18:59:38 firewall root: Shorewall Started
Aug 9 19:20:00 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:00:c5:04:db:e8:00:04:9b:ec:78:8c:08:00 SRC=206.103.207.130
DST=65.34.117.132 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=17815 DF
PROTO=TCP SPT=4426 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
Aug 9 19:20:03 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:00:c5:04:db:e8:00:04:9b:ec:78:8c:08:00 SRC=206.103.207.130
DST=65.34.117.132 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=17896 DF
PROTO=TCP SPT=4426 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
Aug 9 19:20:09 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:00:c5:04:db:e8:00:04:9b:ec:78:8c:08:00 SRC=206.103.207.130
DST=65.34.117.132 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=18047 DF
PROTO=TCP SPT=4426 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
date================================================================
Fri Aug 9 20:38:46 EDT 2002
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
