Is it my firewall?

This is driving me mad. Installed two new 11.2 boxes in one of my labs, both connected to a 9 blade Alcatel ethernet switch. Changed over from Ubuntu because of the nice server software included with openSuse. The hardware is the exact same as the previous working Ubuntu install, literally nothing changed - no cables unplugged, nothing.

Installed the two machines, attempted to ping between them - nothing.

Checked ethernet cables, have good link light on both, activity light is blinking.

Turned off the firewall, disabled automatic startup and rebooted, pinged between switches again - still nothing.

Turned firewalls back on and defined rules to allow TCP & UDP from networks 0/0 (all nets), saved config and rebooted - nothing.

On the switch I see both machines’ IP and MAC addresses in its table (using ipmac command).
I cannot ping the switch from the PCs, nor PCs from the switch.

Changed over to a Dell switch and tried to ping - nothing.

This is a Linux / HP-UX / Windows Server 2003 / Cisco lab with no internet connection, I have no need for firewalls at all except during specific exercises. How do I just let everything in and out in 11.2? Turning off the firewall didn’t seem to help. Thanks for your help!

-katze

On 12/03/2009 11:36 AM, katzebnt84 wrote:
>
> This is driving me mad. Installed two new 11.2 boxes in one of my labs,
> both connected to a 9 blade Alcatel ethernet switch. Changed over from
> Ubuntu because of the nice server software included with openSuse. The
> hardware is the exact same as the previous working Ubuntu install,
> literally nothing changed - no cables unplugged, nothing.
>
> Installed the two machines, attempted to ping between them - nothing.
>
> Checked ethernet cables, have good link light on both, activity light
> is blinking.
>
> Turned off the firewall, disabled automatic startup and rebooted,
> pinged between switches again - still nothing.
>
> Turned firewalls back on and defined rules to allow TCP & UDP from
> networks 0/0 (all nets), saved config and rebooted - nothing.
>
> On the switch I see both machines’ IP and MAC addresses in its table
> (using ipmac command).
> I cannot ping the switch from the PCs, nor PCs from the switch.
>
> Changed over to a Dell switch and tried to ping - nothing.
>
> This is a Linux / HP-UX / Windows Server 2003 / Cisco lab with no
> internet connection, I have no need for firewalls at all except during
> specific exercises. How do I just let everything in and out in 11.2?
> Turning off the firewall didn’t seem to help. Thanks for your help!

Do you have the routing problem? Check for a default route in the
‘/sbin/route -n’ output.

I’ll reinstall that machine with 11.2 and give that a shot. Reimaged Server 2k3 onto the machine and networking came up right away so I know it’s not hardware, must be a software bug or a misconfiguration on my part. I tried the “route -n” on the other machine with an identical configuration as root and it gave me the routes to my local LAN, APIPA LAN, LL address and the associated interfaces. I’m lost at this point. :stuck_out_tongue:

As a side note, before I loaded Server 2K3 I ran Wireshark on eth0 (my connected, configured NIC) and saw all kinds of broadcast packets from around the network, including OSPF and CDP packets from my router.

As lwfinger suggested, if the routing entries on the machine are somehow messed up, it will behave like this because no packet can be responded to. Please check that first.

Well, the problem isn’t caused by a firewall that is turned off…so if you mean that you disabled the firewalls on each of the SuSE boxes (or do you mean some other firewall?) it’s not that.

Installed the two machines, attempted to ping between them - nothing.

When you say that you can’t ping, are you trying to ping ‘by ip’ or ‘by name’? (‘By ip’ can work when ‘by name’ will not, if name resolution is not yet working, so start there.)

I’m guessing about too much of the detail here, so I want to clarify:

  • do you have any GUIs involved or is it all command line?
  • do you have anything like either network manager or wicd installed (I’m guessing not, but I’d rather not be guessing)?
  • do the machines have sensible IP addresses (what does ifconfig show for (presumably) eth0)?
  • I’m guessing that we are talking machines with exactly one ethernet port and there is no wireless to complicate matters: is that right?
  • Non-crossover ethernet cable, and the switch auto-detects and switches rate appropriately, right?

i’m not a networking guru, but i have some questions (which may not
make sense to a real guru, but) below:

katzebnt84 wrote:
> This is driving me mad. Installed two new 11.2 boxes in one of my labs,
> both connected to a 9 blade Alcatel ethernet switch.

does this switch depend on IPv6? is it enabled or not?

how is DNS handled on your network? have you hardwired private IPs or
what? (are you certain the network setup at each 11.2 machine is not
using DHCP, unless that is what you want it to use??)

> Changed over from
> Ubuntu because of the nice server software included with openSuse. The
> hardware is the exact same as the previous working Ubuntu install,
> literally nothing changed - no cables unplugged, nothing.

what tool(s) are you using to configure the machines’ networking?
(YaST, KNetworkManager, “Traditional Method with ifup” or other??)

how do the following openSUSE files compare to the similar files in
the old Ubuntu setup

/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/networks
/etc/resolv.conf

> Installed the two machines, attempted to ping between them - nothing.

when you say ‘machines’ is that a hardware machine or a VM?

in setting up the networking did you turn off answering pings?

you mention an HP machine: can you ping it?

> Checked ethernet cables, have good link light on both, activity light
> is blinking.

sounds promising…

> Turned off the firewall, disabled automatic startup and rebooted,
> pinged between switches again - still nothing.
>
> Turned firewalls back on and defined rules to allow TCP & UDP from
> networks 0/0 (all nets), saved config and rebooted - nothing.

what is all this rebooting??? openSUSE is not Windows–that is, you do
not need to reboot to turn the firewall off/on, nor to get a changed
config file read…

> On the switch I see both machines’ IP and MAC addresses in it’s table
> (using ipmac command).
> I cannot ping the switch from the PCs, nor PCs from the switch.

is it possible to run a temp line from one openSUSE to the other?
never mind.

> Changed over to a Dell switch and tried to ping - nothing.
> This is a Linux / HP-UX / Windows Server 2003 / Cisco lab

can you ping the HP or Window server?
can you ssh from one openSUSE to the other, or to the HP *nix?

> with no internet connection,

hmmmmm…you installed from what, a DVD? without access to the
internet? i do not know, but maybe all you need to do is connect to
the net and run an update against the machines…

during install, did you configure the networking to be compatible with
your network? (assign IPs, routes etc etc etc?)

> I have no need for firewalls at all except during
> specific exercises. How do I just let everything in and out in 11.2?

turning off the firewall in YaST should let it all flow, as long as it
knows which way to flow…huh?

> Turning off the firewall didn’t seem to help. Thanks for your help!

you know, that kinda answers the question in your subject, huh?


palladium

Lots of questions to answer, thank you all for your responses.

I am using no virtual machines, each machine is its own piece of hardware. No wireless, each machine has one 3Com 10/100 NIC installed.

IP addressing is in the 192.168.148.0/24 network. Switch is set to do IPv4, we don’t do any IPv6 yet in my lab.

No configuration files have been changed by hand at all, these are fresh installs. All configuration changes I have made have been in Yast. When I ping its using a terminal window.

Pinging by name or by IP does not work.

Firewalls are shut off on each machine; normally I prefer to have my firewalls on the routers or another piece of dedicated equipment.

This particular LAN does not have a DNS server on it yet and I am not relying on names for addressing, just IPs at this point using the “Traditional method with IFUP”. DHCP is not enabled, the addresses are static.

I installed from a DVD, I do not have outside connectivity in my lab. Perhaps there is a bug fix out there already for this if it is in fact a bug, but I suspect its more than likely an overlooked configuration item or a mistake on my part.

Someone asked “What’s with all the rebooting?”. Yes I know it isn’t Windows but it has become a habit through the years. I administer HP-UX, Windows Server 2K3/8, and various Linux boxes, each part of a different tactical system and having its own set of quirks. Being in a non-production environment I’d rather just reboot and not question whether a reboot is really necessary or not.

Tomorrow I’ll start fresh with two other machines across a Catalyst switch instead of the Alcatels and see what happens. Thanks again for all the help…

katzebnt84 wrote:
> Lots of questions to answer, thank you all for your responses.

unfortunately, none of my questions resulted in answers with ‘glaring
errors’ in what you have done–as far as i can see… </sigh>

so, it is beyond my capability to figure out…however, do NOT give up
i have sent smoke signals to some cavalry members and i would expect
white horses on the horizon real soon now…


palladium

Taraaaaaaaaaaaaaa! (but I do not promise you are saved now).

I read through the above, but may have missed some details (because it is a lot to read, and then all those ‘repeats’). But what I am dearly missing until now is facts. With facts I mean: what does the system say. E.g. Where is the output of

ifconfig -a

and of

netstat -rn

to begin with.

Maybe the next is a bit overdone, but as you were until now anxious to give computer facts maybe I am allowed to tell you how I like them:
. use copy/paste, so no typos do intervene.
. use CODE tags in the post, so we can see where the white space is, etc.
. when applicable give not only the output, but complete with the statement you used, like:

boven:~ # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.0.0.138      0.0.0.0         UG        0 0          0 eth0
boven:~ #

This all because I am very suspicious about people telling what they think they did instead of telling what they did :wink:


Agreed. To answer your original question, ‘No’, it is not your firewall
(as you demonstrated). Even if you had not demonstrated that it is not
your firewall by “turning it off” (it’s never really off, it’s just set to
be very permissive and ACCEPT everything) pinging (ICMP) is allowed by
default so that should never be a problem unless you disable pinging manually.

So on to the next… you said at one point you saw broadcast stuff on the
wire, which is fine regardless of how you have your machine setup
routing/subnet-wise so I would start there. I assume you are pinging by
IP address and not DNS name (if not, start doing that when troubleshooting
to rule out DNS issues) but otherwise the next best step is to see what
differs from your box’s NIC configuration from something working (other
Linux, windows, etc.). Also, because I’m too lazy to read everything else
that’s been covered, are you using static or dynamic IP addresses? If
static it’s likely you just mistyped some part of your subnet mask. If
dynamic, well, that’s odd since your DHCP server is hopefully not giving
out bad information to these two boxes while giving good information to
other boxes (assuming other boxes are also DHCP-based).

My preferred commands, since they do not require explicit paths or ‘root’
access, are the following:

ip addr
ip route

Good luck.

hcvv wrote:
> Taraaaaaaaaaaaaaa! (but I do not promise you are saved now).
>
> I read through the above, but may have missed some details (because it
> is a lot to read, and then all those ‘repeats’). But what I am dearly
> missing until now is facts. With facts I mean: what does the system say.
> E.g. Where is the output of
>
> Code:
> --------------------
> ifconfig -a
> --------------------
>
> and of
>
> Code:
> --------------------
> netstat -rn
> --------------------
>
> to begin with.
>
> Maybe the next is a bit overdone, but as you were until now anxious to
> give computer facts maybe I am allowed to tell you how I like them:
> . use copy/paste, so no typos do intervene.
> . use CODE tags in the post, so we can see where the white space is,
> etc.
> . when applicable give not only the output, but complete with the
> statement you used, like:
>
> Code:
> --------------------
> boven:~ # netstat -rn
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 10.0.0.138 0.0.0.0 UG 0 0 0 eth0
> boven:~ #
> --------------------
>
> This all because I am very suspicious about people telling what they
> think they did instead of telling what they did :wink:
>
>

First, let me say a big “Thank you” to everyone who has helped me through this issue. Secondly, it’s fixed. Actually it was never broken, just configured in a way I’ve never seen. My routes were good, ethernet interfaces configured correctly, IP address setting fine as can be.

Apparently interface “br0” took it upon itself on both machines to bridge the “eth0” interface. I never modified any settings on either box regarding “br0”, don’t know why it did this straight out of the box. Decided on a whim to ping a “br0” interface IP - and it worked. Did the same from the other box with the same result. Angry with “br0” and perplexed as to its purpose I simply deleted the interfaces and pinged “eth0” addresses with a good response.

Now that “br0” is out of the picture “eth0” and I are living happily ever after. Can someone explain to me the purpose of “br0” and why it was configured to do this automatically? Thanks again for all the help, it’s very appreciated. :smiley:
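The thread boiled down to three facts that lwfinger and hcvv asked for and that the last post finally supplied: which interface really holds the LAN address, whether eth0 has been turned into a port of a bridge such as br0, and whether the routing table has a default route. The script below is an added example, not code from the thread, from openSUSE or from any poster. It checks those three things offline from text in the formats of `ip -o -4 addr show`, `ip -4 route show` and `ip -o link show`, so it can be pasted into a post together with the raw command output in the way hcvv asked for. Assumptions: the "master br0" token on a bridge port is printed by reasonably recent iproute2 (older versions may not show it); the host address 192.168.148.11 and all sample lines are constructed, modelled on the 192.168.148.0/24 lab and the br0-over-eth0 situation described above.

```shell
#!/bin/sh
# Offline checker for the three things this thread turned on: which interface
# actually holds the LAN address, whether eth0 has been made a port of a bridge
# such as br0, and whether a default route exists. Added example, not code from
# the thread or from openSUSE. It parses text in the formats of
# `ip -o -4 addr show`, `ip -4 route show` and `ip -o link show`; the
# "master br0" token on a bridge port is printed by reasonably recent iproute2
# (assumption). The host address 192.168.148.11 is constructed.

# Constructed sample, modelled on the final post: br0 holds the LAN address and
# eth0 is a port of br0 (link lines trimmed to what the checker needs).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
3: br0    inet 192.168.148.11/24 brd 192.168.148.255 scope global br0'
SAMPLE_ROUTE='192.168.148.0/24 dev br0  proto kernel  scope link  src 192.168.148.11
169.254.0.0/16 dev br0  scope link
127.0.0.0/8 dev lo  scope link'
SAMPLE_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP qlen 1000
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP'

# Constructed sample of the same box after br0 was deleted.
FIXED_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.148.11/24 brd 192.168.148.255 scope global eth0'
FIXED_ROUTE='192.168.148.0/24 dev eth0  proto kernel  scope link  src 192.168.148.11
127.0.0.0/8 dev lo  scope link'
FIXED_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000'

# Name of the interface holding an address under the dotted prefix $2
# (e.g. "192.168.148."); prints nothing if no interface has one.
iface_holding() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == "inet" && index($4, p) == 1 { print $2; exit }'
}

# Bridge that interface $2 is a port of (the "master <name>" token), or nothing.
bridge_master_of() {
    printf '%s\n' "$1" | awk -v i="$2:" '$2 == i { for (k = 3; k <= NF; k++) if ($k == "master") { print $(k + 1); exit } }'
}

# Device the kernel route for subnet $2 (e.g. "192.168.148.0/24") points at.
route_dev_for() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { for (k = 2; k <= NF; k++) if ($k == "dev") { print $(k + 1); exit } }'
}

# Succeeds if the routing table has a default route (ip prints it as "default ...").
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^(default|0\.0\.0\.0/0) '
}

# Report findings for the LAN $5 against the interface $4 we expect to own it.
# Returns 0 when the address and route are on $4 and $4 is not a bridge port.
diagnose() {
    addr=$1; route=$2; link=$3; want=$4; subnet=$5
    status=0
    holder=$(iface_holding "$addr" "${subnet%.*}.")
    if [ -z "$holder" ]; then
        echo "no interface holds an address in $subnet"; status=1
    elif [ "$holder" != "$want" ]; then
        echo "LAN address sits on $holder, not on $want"; status=1
    fi
    master=$(bridge_master_of "$link" "$want")
    if [ -n "$master" ]; then
        echo "$want is a port of bridge $master; only the address on $master will answer"; status=1
    fi
    rdev=$(route_dev_for "$route" "$subnet")
    if [ -n "$rdev" ] && [ "$rdev" != "$want" ]; then
        echo "kernel route for $subnet goes via $rdev, not $want"; status=1
    fi
    has_default_route "$route" || echo "note: no default route (irrelevant for traffic within $subnet)"
    return $status
}

# On a live box the call would be:
#   diagnose "$(ip -o -4 addr show)" "$(ip -4 route show)" "$(ip -o link show)" eth0 192.168.148.0/24
echo "== before deleting br0 =="
if diagnose "$SAMPLE_ADDR" "$SAMPLE_ROUTE" "$SAMPLE_LINK" eth0 192.168.148.0/24; then echo "ok"; else echo "problems found"; fi
echo "== after deleting br0 =="
if diagnose "$FIXED_ADDR" "$FIXED_ROUTE" "$FIXED_LINK" eth0 192.168.148.0/24; then echo "ok"; else echo "problems found"; fi
```

The first run reports that the LAN address and the subnet route both live on br0 and that eth0 is a bridge port, which is exactly why pinging the eth0 addresses failed while the br0 addresses answered; the second run, fed the post-cleanup state, reports nothing but the missing default route, which does not matter for traffic that stays inside the /24.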

katzebnt84 wrote:
> First, let me say a big “Thank you” to everyone who has helped me
> through this issue.

apparently you have discovered a bug in the automatic hardware
detection bag of tricks…

as “pay back” for our help (and your use of openSUSE) why not visit
http://en.opensuse.org/Submitting_Bug_Reports
and, do the right thing…please…


palladium