Re: [leaf-user] Bering - internet disappears, clues for newbie
swfla.rr.com == aka == timewarner/roadrunner cable

I'm using the default setup on the Bering_1.0rc3 floppy1680 image ---except I went ahead and removed norfc1918 from /etc/shorewall/interfaces' eth0.

I'm still having the outside world suddenly disappear. I can login to the firewall itself and ping the upstream BootP server address, but nothing outside of it. Yes, if I powercycle the cable modem and issue:

  #shorewall stop
  #svi networking restart
  #shorewall start
  Shorewall Already Started

Everything works again, and I get a new DHCP Lease. The strange thing is that the old lease wasn't supposed to renew/expire for another 5 hours.

> could you dump
>
>   iptables -t nat -vnL > zz
>   iptables --vnL >> zz
>
> . . . it sounds like it's not keeping up with his DHCP lease so I wanted
> to see how the rules are.

hmm, my Bering doesn't like the --vnL so I did it with only a single dash -vnL. here's the dump . . .

# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 241 packets, 17089 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1309 packets, 86217 bytes)
 pkts bytes target     prot opt in     out     source               destination
  185 11100 MASQUERADE all  --  *      eth0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1311 packets, 87121 bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -vnL
Chain INPUT (policy DROP 2 packets, 138 bytes)
 pkts bytes target     prot opt in     out     source               destination
  511 50052 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  207 57264 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
  214 14275 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2365 1644K eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 1861  199K eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  511 50052 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    4   288 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          udp dpts:67:68
 1432 92881 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  171 15610 all2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
  171 15610 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:all2all:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   35  1820 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp flags:0x04/0x04
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0
Re: [leaf-user] Bering - internet disappears, clues for newbie
At 12:31 AM 7/31/02 -0400, lbilyeu wrote:
> swfla.rr.com == aka == timewarner/roadrunner cable
>
> I'm using the default setup on the Bering_1.0rc3 floppy1680 image
> ---except I went ahead and removed norfc1918 from
> /etc/shorewall/interfaces' eth0
>
> I'm still having the outside world suddenly disappear. I can login to the
> firewall itself and ping the upstream BootP server address, but nothing
> outside of it.

Disappear is not a technical description. *How* do the unsuccessful ping attempts fail (if you don't know the variety of ways ping can report failure, refer to the LEAF FAQs)? Can you ping your default gateway address (which may be the same as or different from what you call your BootP server)? If you try a traceroute out to the Internet (for example, to my IP address -- 63.198.182.124), where does it fail?

At the time of failure, what do the following commands report?

  ip addr show
  netstat -nr

(That is, do you still have a working interface and routing table?) And if the BootP server is different from the gateway, what is its address?

How long do you wait before restarting? Might this just be flaky connectivity between your ISP and the Internet, and your fix a false solution (it just kills some time, and during that time, connectivity is restored)? When you get a new DHCP lease, does it have the same or different gateway and nameserver addresses?

Finally, are you doing all of this testing by IP address (not FQN)? If you are pinging by name, you might be having DNS resolution problems, not actual connectivity problems.

Just to be clear ... if the problem is with DHCP lease renewal, then it probably is in the firewalling, and Tom or some other Shorewall expert needs to comment on the ruleset (which I've deleted here). But the symptoms don't sound like a DHCP problem ... you can still ping some external address, and you say the lease still has 5 hours to run ... which is why I am raising these more standard routing questions.

Oh, one more comment ...

[...]

> One last bit of worthless trivia, this location has been running
> successfully with Dachstein on a different Box for over 11 months. So there
> must be something weird in DHCP that TimeWarner has setup for swfla.rr.com
> (we're upgrading from a 386sx and figured while we upgrade the hardware,
> we'd upgrade the software too)

While Bering is a different LEAF variant than Dachstein, with a slightly different focus, I would not characterize it as an upgrade. Just a good alternative.

-- 
---Never tell me the odds!--     Ray Olszewski
-- Han Solo                      Palo Alto, California, USA
                                 [EMAIL PROTECTED]

---
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals.
Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Bering - internet disappears, clues for newbie
----- Original Message -----
From: peter vander kleut [EMAIL PROTECTED]
To: lbilyeu [EMAIL PROTECTED]
Sent: Monday, July 29, 2002 10:34 AM
Subject: Re: [leaf-user] Bering - internet disappears, clues for newbie

I've had a similar problem, which turned out to be a fault at the ISP side. Their router (first hop from your external interface) would check DHCP leases with their DHCP server; if their DHCP server was down you would get any pages/mail etc. It was possible to ping IPs on your subnet but nothing beyond that.

You said you could ping your firewall, is that the internal or the external network card? If you can ping both and ping hosts on your (local external) subnet, but not the next hop router (your.ext.net.1) then it could be a problem at the ISP.

Peter vander Kleut

----- Original Message -----
From: lbilyeu [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 01, 1970 7:46 PM
Subject: [leaf-user] Bering - internet disappears, clues for newbie

I'm using Bering 1.0 rc3 with roadrunner cable modem. My system initially works just fine. I can access the outside net from my NAT users. I can also login to the firewall and ping an external Domain as well as a direct address on the internet at large.

After a while, the outside internet just disappears. I can still contact Bering/Weblet, and ping the firewall from the internal network. Ping attempts to a domain from the firewall machine to the internet at large now return nothing. Attempting to ping an external address directly also returns nothing. pump -s says my DHCP lease is still good until tomorrow.

Any suggestions?

thanks...

---
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] Bering - internet disappears, clues for newbie
On Sun, Jul 28, 2002 at 07:46:55PM -0700, Tom Eastep wrote:
> On Sun, 28 Jul 2002, George Georgalis wrote:
>
>> Do you mean if you reboot it, it works again? Can you dump
>> ipchains -t nat -vnL and ipchains -vnL to the list? Post again if you
>> have trouble with this...
>
> George -- the poster is running Bering so dumping ipchains isn't relevant.

Yes, well I meant iptables,

  iptables -t nat -vnL > zz
  iptables --vnL >> zz

> Also, it is unlikely that his iptables configuration is spontaneously
> changing itself after it has been running for a while

But it sounds like it's not keeping up with his DHCP lease so I wanted to see how the rules are.

// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
Re: [leaf-user] Bering - internet disappears, clues for newbie
On Sun, Jul 28, 2002 at 11:03:08PM -0400, lbilyeu wrote:
>> Can you dump ipchains -t nat -vnL and ipchains -vnL
>
> # ipchains: not found
>
> Bering1.0 rc3, after a random time period, the internet disappears from
> eth0. I have to reboot Bering and power-cycle the cable modem as well.

Yes, per my other response the command should be iptables...

  iptables -t nat -vnL > zz
  iptables --vnL >> zz

add this too...

  ip addr >> zz

Then send/copy the zz file over to the list.

I'm thinking your DHCP lease is changing faster than your firewall rules. It would probably work fine to turn on anti-spoofing and masq everything from the LAN net to 0/0.

  # Turn on reverse path filtering
  # Since we don't have any asymmetric routing, we can simply turn on
  # anti-spoofing for all interfaces.
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

  # Masquerade everything from the LAN net out the external interface
  # (here ppp0); M names the target used below.
  M=MASQUERADE
  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j $M
  # Allow replies to established connections back in, and new
  # connections out from the LAN side (here eth0).
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i eth0 -m state --state NEW -j ACCEPT

> pump -s gives me addresses outside of RFC1918 (65.34.x.x), so I don't
> think that is the problem. The Renewal/expiration for my DHCP lease is for
> tomorrow. What logs/dumps should I be examining for Bering rc3 diagnosis?

I haven't looked at pump logs in a while, but I suspect it's changing the IP when you lose functionality.

// George

-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,               mailto:[EMAIL PROTECTED]
File, Print, DB and DNS Servers.            http://www.galis.org/george
Re: [leaf-user] Bering - internet disappears, clues for newbie
On Sun, 28 Jul 2002, lbilyeu wrote:
>> Can you dump ipchains -t nat -vnL and ipchains -vnL
>
> # ipchains: not found
>
> Bering1.0 rc3, after a random time period, the internet disappears from
> eth0. I have to reboot Bering and power-cycle the cable modem as well.
>
> pump -s gives me addresses outside of RFC1918 (65.34.x.x), so I don't
> think that is the problem. The Renewal/expiration for my DHCP lease is for
> tomorrow. What logs/dumps should I be examining for Bering rc3 diagnosis?

/var/log/messages looking for Shorewall messages that refer to UDP ports 67 and 68. If the message includes the string rfc1918 then your ISP may be using an RFC 1918 IP address on their DHCP server and renewal is being blocked. The solution is to remove norfc1918 from the entry for your external interface in /etc/shorewall/interfaces (note: there are other solutions but that one is the most foolproof).

If the messages don't include rfc1918 then you may not have dhcp specified as an option for your external interface in /etc/shorewall/interfaces.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
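Tom's log check can be scripted. The following is an added example, not code from this thread, from LEAF or from Shorewall: it scans a syslog-format file for Shorewall entries that dropped DHCP traffic (UDP 67/68) arriving on a given interface and applies the rule above, namely that drops logged by the rfc1918 chain point at the norfc1918 option, while drops from any other chain point at a missing dhcp option. The log lines, host name, addresses and the exact `Shorewall:rfc1918:DROP:` prefix are constructed for the example and should be checked against the prefixes in your own /var/log/messages.

```shell
#!/bin/sh
# Added example: classify Shorewall log entries that blocked DHCP traffic.
# The sample log below is constructed to resemble netfilter LOG output as
# Shorewall 1.x emitted it; addresses and host name are made up.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Jul 29 10:24:47 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= SRC=10.20.30.1 DST=65.34.116.16 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 29 10:25:03 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=65.34.116.16 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308
Jul 29 10:25:10 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=65.34.116.16 LEN=60 PROTO=TCP SPT=4455 DPT=445
Jul 29 10:26:00 firewall pump[112]: renewed lease for eth0
EOF

# Print the Shorewall entries for DHCP (UDP, destination port 67 or 68)
# that arrived on interface $2, reading the log file named by $1.
dhcp_blocks() {
    grep -E 'Shorewall:.*PROTO=UDP .*DPT=6[78]( |$)' "$1" | grep -E "IN=$2 "
}

# Number of those entries logged by the rfc1918 chain (norfc1918 at work).
count_rfc1918_dhcp_blocks() {
    dhcp_blocks "$1" "$2" | grep -c 'Shorewall:rfc1918:' || true
}

# Number logged by any other chain (typically: dhcp option missing).
count_other_dhcp_blocks() {
    dhcp_blocks "$1" "$2" | grep -vc 'Shorewall:rfc1918:' || true
}

# One-line verdict following the decision rule from the thread.
diagnose() {
    r=$(count_rfc1918_dhcp_blocks "$1" "$2")
    o=$(count_other_dhcp_blocks "$1" "$2")
    if [ "$r" -gt 0 ]; then
        echo "rfc1918: $r DHCP packet(s) dropped by the rfc1918 chain on $2; remove norfc1918 from that interface's entry in /etc/shorewall/interfaces"
    elif [ "$o" -gt 0 ]; then
        echo "policy: $o DHCP packet(s) dropped by other chains on $2; add the dhcp option to that interface's entry in /etc/shorewall/interfaces"
    else
        echo "none: no blocked DHCP traffic logged on $2"
    fi
}

# Usage: diagnose /var/log/messages eth0  (run here against the sample)
diagnose "$SAMPLE_LOG" eth0
```

Only drops of DHCP replies on the external interface are counted; the TCP 445 drop and pump's own message are ignored, so the verdict is not skewed by unrelated noise in the same log.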
Re: [leaf-user] Bering - internet disappears, clues for newbie
OK, I'm confused about what pump gives for statistics. If my ISP is possibly using an RFC 1918 IP address on their DHCP server, shouldn't Pump list the Boot Server as such? If Pump lists my renewal time as being ten (10) hours from now, and the expiration as being eleven (11) hours from now, shouldn't my system stay up for at least that long?

  # pump -s
  Device eth0
          IP: 65.34.116.16
          Netmask: 255.255.254.0
          Broadcast: 255.255.255.255
          Network: 65.34.116.0
          Boot server 65.32.2.175
          Next server 0.0.0.0
          Gateway: 65.34.116.1
          Hostname: firewall
          Domain: swfla.rr.com
          Nameservers: 65.32.1.70 65.32.2.130
          Renewal time: Tue Jul 30 10:24:47 2002
          Expiration time: Tue Jul 30 11:54:47 2002
Re: [leaf-user] Bering - internet disappears, clues for newbie
On Mon, 29 Jul 2002, Tom Eastep wrote:
> ---
> An RFC 1918 DNS server doesn't seem to be your problem.

Er -- make that DHCP server

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
Re: [leaf-user] Bering - internet disappears, clues for newbie
> Can you dump ipchains -t nat -vnL and ipchains -vnL

# ipchains: not found

Bering1.0 rc3, after a random time period, the internet disappears from eth0. I have to reboot Bering and power-cycle the cable modem as well.

pump -s gives me addresses outside of RFC1918 (65.34.x.x), so I don't think that is the problem. The Renewal/expiration for my DHCP lease is for tomorrow. What logs/dumps should I be examining for Bering rc3 diagnosis?

thanks