On Tue, Jul 14, 2020 at 5:11 PM Simon Matter via Shorewall-users
<shorewall-users@lists.sourceforge.net> wrote:
>
> > On Sat, Jul 11, 2020 at 9:49 PM Tom Eastep <eastep...@gmail.com> wrote:
> >>
> >> On 7/11/20 2:40 AM, Vieri Di Paola wrote:
> >>
> >> What was your 'shorewall iptrace' command?
> >
> > If I just run 'shorewall iptrace' with no filter, won't that just
> > trace all packets?
> >
> >> > I saved a tcpdump taken on the Shorewall system to a
> >> > file and uploaded it here:
> >> >
> >> >
> >> > https://drive.google.com/file/d/1waEUIIMHsPK0c-xAEyKkT2XSgNWrj5t3/view?usp=sharing
> >> >
> >> >  I can see the reply in this dump, but frankly I don't know why
> >> > it's not reaching the host at 10.215.246.24. The only thing I
> >> > noticed in this dump is that the destination MAC is
> >> > e8:ea:6a:0c:4c:1c. However, I see another MAC on the Shorewall
> >> > gateway:
> >
> > OK, so this is really weird.
> >
> > Ping from host at 10.215.246.24 to host at 10.215.144.251:
> >
> > 1) echo request #1: src MAC is correct, dst MAC is that of lan.1
> > interface in Shorewall Firewall
> >
> > 2) echo request #2: src MAC is that of lan.1 interface in Shorewall
> > Firewall, dst MAC is correct
> >
> > 3) first and only echo reply: src MAC is correct, dst MAC (
> > e8:ea:6a:0c:4c:1c ) is that of an interface on an older Shorewall
> > router.
> >
> > So, that means that this particular client (an HP iLO system based on
> > Linux) is still sending replies to an old Shorewall gateway I replaced
> > 20 days ago. The interface to which this MAC addr belongs isn't
> > even online.
> > I haven't found this MAC addr in any intermediate switch (ARP tables)
> > so I'm guessing it must be in the client's ARP cache?
> >
> > Does this make sense?
> >
> > What could I try before asking the HP iLO admin to reboot that system?
>
> You said the HP iLO interface isn't even online, but are you really sure
> about it? If it's an iLO with a dedicated ethernet port then it's usually
> online as soon as the server is connected to power, even if the box is
> switched off. And if you're looking for a system with ugly behavior,
> things like iLO are good candidates, because these embedded systems are not
> always tested as well as normal operating systems.

No, the off-line (i.e. "down") interface I was referring to was one of
the ethernet interfaces of my OLD shorewall router/gateway.
So, just to be clear:

a) more than 20 days ago I had a Shorewall gateway which was working
fine. The hosts in this thread could ping each other.

b) 20 days ago I replaced the Shorewall gateway with new hardware and
software. Only recently have I come to know that the hosts in this
thread could not ping each other anymore. I'm assuming the origin of
the problem is the change of the gateway because of the following
observations.

1) an echo client with a given netmask sends a request to this HP iLO
system with another netmask but attached to the same FW interface
(lan.1 in my example)

2) the requests (2) are fine because they have the expected MAC
addresses (src and dst). One of these MAC addresses is the one of
lan.1 on the "new" Shorewall system.

3) oddly though, the reply captured with tcpdump (1) has a DST MAC
address that points to an ethernet interface found on the "old"
Shorewall system (this interface was previously used as "lan.1", so it
had the same role).

4) the "old" Shorewall system's "lan.1" interface is offline (down).
In other words, the old Shorewall system is history and that
particular MAC address is nowhere to be found in the network, not even
in the core switch.

I don't have access to the HP iLO, but is it possible that it is
sending the echo replies to the "old" MAC address because it hasn't
refreshed its own ARP table? Not even after 20 days?
Can I rule out a problem/misconfiguration on the "new" Shorewall gateway?

If what I'm stating is correct, it seems that the HP iLO firmware has
a bug or is misconfigured.

Vieri

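Vieri's diagnosis above rests on one observation in the capture: a reply frame whose destination MAC is neither the new gateway's nor anything still live on the segment. As an added example (not from the thread and not Shorewall's own tooling), this Python check reads `tcpdump -e -n icmp` lines taken on the gateway and flags frames that bypass the gateway's own interface MAC; the retired MAC e8:ea:6a:0c:4c:1c is the one quoted in the thread, while the other MACs and the sample lines are constructed.

```python
import re
from collections import Counter

# One frame per line as printed by "tcpdump -e -n icmp" (Ethernet header shown).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src_ip>[\d.]+) > (?P<dst_ip>[\d.]+): ICMP echo (?P<kind>request|reply)"
)

def parse_frames(lines):
    """Yield a dict per matching ICMP echo line; skip ARP, other traffic and noise."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_stale_gateway_frames(lines, gateway_mac, retired_macs=()):
    """Return routed ICMP frames that carry the gateway MAC as neither src nor dst.

    On a capture taken on the gateway, a forwarded frame has the gateway's MAC as
    source and a frame addressed to it has that MAC as destination. Anything else
    was sent to a neighbour entry that no longer matches the live gateway."""
    gateway_mac = gateway_mac.lower()
    retired = {m.lower() for m in retired_macs}
    findings = []
    for f in parse_frames(lines):
        if gateway_mac in (f["src_mac"], f["dst_mac"]):
            continue
        f["reason"] = ("dst MAC is a retired gateway" if f["dst_mac"] in retired
                       else "dst MAC is not the gateway")
        findings.append(f)
    return findings

def summarize(findings):
    """Count (sender IP, stale dst MAC) pairs so the host holding the stale entry stands out."""
    return Counter((f["src_ip"], f["dst_mac"]) for f in findings)

# Constructed sample mirroring the thread: two requests are fine, the reply is addressed
# to the decommissioned router. Only e8:ea:6a:0c:4c:1c is taken from the thread.
NEW_LAN1_MAC = "02:00:00:00:01:01"  # assumed MAC of lan.1 on the new gateway
SAMPLE = """\
10:00:00.000001 02:00:00:00:aa:01 > 02:00:00:00:01:01, ethertype IPv4 (0x0800), length 98: 10.215.246.24 > 10.215.144.251: ICMP echo request, id 7, seq 1, length 64
10:00:00.000200 02:00:00:00:01:01 > 02:00:00:00:bb:01, ethertype IPv4 (0x0800), length 98: 10.215.246.24 > 10.215.144.251: ICMP echo request, id 7, seq 1, length 64
10:00:00.000900 02:00:00:00:bb:01 > e8:ea:6a:0c:4c:1c, ethertype IPv4 (0x0800), length 98: 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 7, seq 1, length 64
10:00:01.000001 02:00:00:00:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.215.246.1 tell 10.215.246.24, length 28
""".splitlines()

if __name__ == "__main__":
    for f in find_stale_gateway_frames(SAMPLE, NEW_LAN1_MAC, retired_macs=["e8:ea:6a:0c:4c:1c"]):
        print(f"{f['ts']} {f['src_ip']} -> {f['dst_ip']} ({f['kind']}): {f['reason']} {f['dst_mac']}")
```

A sender that keeps showing up in the summary with a retired MAC is holding a stale neighbour entry; on the sender side the fix is a cache flush or reboot, and on the gateway side announcing the new MAC (a gratuitous ARP) after a hardware swap avoids the situation in the first place.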

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
