On 7/14/20 3:37 PM, Vieri Di Paola wrote:
> On Tue, Jul 14, 2020 at 5:11 PM Simon Matter via Shorewall-users
> <shorewall-users@lists.sourceforge.net> wrote:
>>
>>> On Sat, Jul 11, 2020 at 9:49 PM Tom Eastep <eastep...@gmail.com> wrote:
>>>>
>>>> On 7/11/20 2:40 AM, Vieri Di Paola wrote:
>>>>
>>>> What was your 'shorewall iptrace' command?
>>>
>>> If I just run 'shorewall iptrace' with no filter, won't that just
>>> trace all packets? Should...
>>>
>>>>> I saved a tcpdump taken on the Shorewall system to a
>>>>> file and uploaded it here:
>>>>>
>>>>> https://drive.google.com/file/d/1waEUIIMHsPK0c-xAEyKkT2XSgNWrj5t3/view?usp=sharing
>>>>>
>>>>> I can see the reply in this dump, but frankly I don't know why
>>>>> it's not reaching the host at 10.215.246.24. The only thing I
>>>>> noticed in this dump is that the destination MAC is
>>>>> e8:ea:6a:0c:4c:1c. However, I see another MAC on the Shorewall
>>>>> gateway:
>>>
>>> OK, so this is really weird.
>>>
>>> Ping from host at 10.215.246.24 to host at 10.215.144.251:
>>>
>>> 1) echo request #1: src MAC is correct, dst MAC is that of lan.1
>>> interface in Shorewall Firewall
>>>
>>> 2) echo request #2: src MAC is that of lan.1 interface in Shorewall
>>> Firewall, dst MAC is correct
>>>
>>> 3) first and only echo reply: src MAC is correct, dst MAC
>>> (e8:ea:6a:0c:4c:1c) is that of an interface on an older Shorewall
>>> router.
>>>
>>> So, that means that this particular client (an HP iLO system based on
>>> Linux) is still sending replies to an old Shorewall gateway I replaced
>>> 20 days ago. The interface to which this MAC addr belongs isn't
>>> even online.
>>> I haven't found this MAC addr in any intermediate switch (ARP tables)
>>> so I'm guessing it must be in the client's ARP cache?
>>>
>>> Does this make sense?
>>>
>>> What could I try before asking the HP iLO admin to reboot that system?
>>
>> You said the HP iLO interface isn't even online but are you really sure
>> about it? If it's an iLO with dedicated ethernet port then it's usually
>> online as soon as the server is connected to power, even if the box is
>> switched off. And if you're looking for a system with ugly behavior,
>> things like iLO are good candidates because these embedded systems are not
>> always tested as well as normal operating systems.
>
> No, the off-line (i.e. "down") interface I was referring to was one of
> the ethernet interfaces of my OLD shorewall router/gateway.
> So, just to be clear:
>
> a) more than 20 days ago I had a Shorewall gateway which was working
> fine. The hosts in this thread could ping each other.
>
> b) 20 days ago I changed the Shorewall gateway with new hardware and
> software. Only recently have I come to know that the hosts in this
> thread could not ping each other anymore. I'm assuming the origin of
> the problem is the change of the gateway because of the following
> observations.
>
> 1) an echo client with a given netmask sends a request to this HP iLO
> system with another netmask but attached to the same FW interface
> (lan.1 in my example)
>
> 2) the requests (2) are fine because they have the expected MAC
> addresses (src and dst). One of these MAC addresses is the one of
> lan.1 on the "new" Shorewall system.
>
> 3) oddly though, the reply captured with tcpdump (1) has a DST MAC
> address that points to an ethernet interface found on the "old"
> Shorewall system (this interface was previously used as "lan.1", so it
> had the same role).
>
> 4) the "old" Shorewall system's "lan.1" interface is offline (down).
> In other words, the old Shorewall system is history and that
> particular MAC address is nowhere to be found in the network, not even
> in the core switch.
>
> I don't have access to the HP iLO, but is it possible that it is
> sending the echo replies to the "old" MAC address because it hasn't
> refreshed its own ARP table? Not even after 20 days?

You might try 'gratuitous ARP' from the new Shorewall box (see the
'ARP Cache' section of https://shorewall.org/ProxyARP.htm).

> Can I rule out a problem/misconfiguration on the "new" Shorewall gateway?

Yes.

> If what I'm stating is correct, it seems that the HP iLO firmware has
> a bug or is misconfigured.

Agreed.

-Tom

PS - sorry to be slow responding. New email hosting service categorized
your posts as Spam.
-- 
Tom Eastep            \   Q: What do you get when you cross a mobster
Shoreline,             \     with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \   can't understand
                          \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
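The diagnosis in this thread rests on one observation: the echo reply carries a destination MAC (e8:ea:6a:0c:4c:1c) that no longer exists on the segment, so the host that sent it must hold a stale ARP entry for the gateway IP; the remedy Tom points to is a gratuitous ARP announcement from the new box. The following is an added example, not code from the thread or from the Shorewall project. It parses a few constructed `tcpdump -e` style lines that mirror the three frames Vieri described, flags any frame addressed to a MAC that is not in an inventory of currently live MACs, and then builds and decodes the 42-byte gratuitous ARP frame that such an announcement consists of. The two IPs and the stale MAC are the ones quoted in the thread; every other MAC, the gateway IP and the capture lines are constructed placeholders.

```python
"""Spot a stale ARP mapping in tcpdump -e output and build the gratuitous
ARP frame that would refresh it. Added example for this thread, not
Shorewall code. Only the two IPs and the stale MAC come from the thread;
all other addresses below are constructed."""
import re
import struct

GATEWAY_MAC = "02:00:00:00:aa:01"  # lan.1 on the NEW Shorewall box (constructed)
CLIENT_MAC = "02:00:00:00:bb:24"   # 10.215.246.24 (constructed)
ILO_MAC = "02:00:00:00:cc:fb"      # 10.215.144.251, the HP iLO (constructed)
STALE_MAC = "e8:ea:6a:0c:4c:1c"    # lan.1 of the OLD gateway, quoted in the thread
GATEWAY_IP = "10.215.144.1"        # constructed placeholder for lan.1's address
LIVE_MACS = {GATEWAY_MAC, CLIENT_MAC, ILO_MAC}  # what is actually on the wire today

# Constructed tcpdump -e lines mirroring the three frames described in the thread:
# request 1 client->gateway, request 2 gateway->iLO, reply iLO->stale old-gateway MAC.
CAPTURE = f"""\
15:37:01.000100 {CLIENT_MAC} > {GATEWAY_MAC}, ethertype IPv4 (0x0800), length 98: 10.215.246.24 > 10.215.144.251: ICMP echo request, id 7, seq 1, length 64
15:37:01.000250 {GATEWAY_MAC} > {ILO_MAC}, ethertype IPv4 (0x0800), length 98: 10.215.246.24 > 10.215.144.251: ICMP echo request, id 7, seq 1, length 64
15:37:01.000900 {ILO_MAC} > {STALE_MAC}, ethertype IPv4 (0x0800), length 98: 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 7, seq 1, length 64
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(
    rf"^\S+ (?P<smac>{MAC}) > (?P<dmac>{MAC}), ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>[\d.]+) > (?P<dip>[\d.]+): ICMP echo (?P<kind>request|reply)"
)


def parse_capture(text):
    """Return one dict per ICMP echo line with src/dst MAC, src/dst IP and kind."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_stale_destinations(frames, live_macs):
    """(sender IP, dst MAC) for every frame sent to a MAC no longer on the segment.
    The sender of such a frame is the host whose ARP cache holds the stale entry."""
    return [(f["sip"], f["dmac"]) for f in frames if f["dmac"] not in live_macs]


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def gratuitous_arp(gw_mac, gw_ip):
    """Ethernet broadcast frame carrying an ARP reply whose sender and target IP
    are both the gateway's own: the classic gratuitous ARP announcement."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(gw_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, hlen 6, plen 4, reply
    arp += mac_bytes(gw_mac) + ip_bytes(gw_ip)        # sender hardware/protocol address
    arp += mac_bytes(gw_mac) + ip_bytes(gw_ip)        # target = ourselves (gratuitous)
    return eth + arp


def decode_arp(frame):
    """Decode an Ethernet/ARP frame for inspection; raises on anything else."""
    if len(frame) != 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not a 42-byte Ethernet/ARP frame")
    _htype, _ptype, _hlen, _plen, oper = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "oper": oper,
        "sender_mac": fmt_mac(body[0:6]), "sender_ip": fmt_ip(body[6:10]),
        "target_mac": fmt_mac(body[10:16]), "target_ip": fmt_ip(body[16:20]),
        "gratuitous": body[6:10] == body[16:20],  # announcement if sender IP == target IP
    }


if __name__ == "__main__":
    for sender_ip, dead_mac in find_stale_destinations(parse_capture(CAPTURE), LIVE_MACS):
        print(f"{sender_ip} still sends to {dead_mac}, which is not on the segment: stale ARP entry")
    print(decode_arp(gratuitous_arp(GATEWAY_MAC, GATEWAY_IP)))
```

Run against a real `tcpdump -e -n icmp` capture, the inventory of live MACs would come from the switch's MAC table or the new gateway's own interfaces, and the frame built by `gratuitous_arp` is what a tool such as `arping` puts on the wire; sending it needs a raw socket and root, which is left out here on purpose.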