[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [SAGE] jsdy networking puzzlement

To: sage-members@sage.org
Subject: Re: [SAGE] jsdy networking puzzlement
From: "David L. Anselmi" <anselmi@anselmi.us>
Date: Thu, 01 Dec 2005 01:07:06 -0700
In-Reply-To: <20051128082418.B12819@gwyn.tux.org>
References: <20051128082418.B12819@gwyn.tux.org>
Sender: owner-sage-members@usenix.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051007 Debian/1.7.12-1

Joseph S D Yao wrote:
[...]
> 	internet
> 	   |
> 	Cisco 36xx router
> 	   |
> 	   | X.X.15.1
> 	Cisco 295x network switch 1 (.5)
> 	   | X.X.15.7		|
> 	(3DNS?)			|
> 	name server		|
> 				|
> 				|
> 	Cisco 295x network switch 2 (.6)
> 	 |	|		|
> 	 | .3	| .4		| X.X.15.14
> 	Pix525 Pix525	    workstation
> 	 |	|
> 	 |      |
> 	local network - several /24's, including X.X.15.0/24
> 	     |
> 	DNS servers etc.
> 
> Workstation IP = X.X.15.14, netmask = 255.255.255.240,
> default gateway = X.X.15.1
> 
[...]
> Iptables is off.  First thing I turned off.  No IP rule-based routing.
> No routes other than self and to X.X.15.1.  I are stumped.

Well, if you have no route other than the default, the workstation will 
send all but 15.0/28 to 15.1.  So you are relying on the router to send 
ICMP redirects to reach any of the other 15.x subnets.

Perhaps the router doesn't do that.  Perhaps the workstation doesn't 
allow them (see /proc/sys/net/ipv4/conf/*/accept_redirects and such, 
perhaps configured via /etc/sysctl.conf on RH), which would explain the 
difference between Linux and Windows.

The "correct" way to do this is to have routes via the Pixen to the 
subnets they serve.  But if you get the redirects working that may be 
good enough.

As to your observations, they don't seem to match the data you provided:

 > 	(a) I can only 'ping' .3 or .14 on X.X.15.0/28

You should be able to ping any of 15.[1,3,4,5,6,7] that will answer a 
ping.  IME, Windows and Linux should behave the same.

 > 	(b) I can 'traceroute -I' and connect into the local network.
 > 	    The 'traceroute -I' shows the host being contacted, twice
 > 	    (PIX signature).  No other hops, e.g. ".1"!

Skipping the .1 suggests that your routing table isn't as simple as you 
say.  What does route tell you?

 > 	(c) Despite not getting any responses from .1, as far as I can
 > 	    tell, it IS in my arp table per 'arp -a'.

No surprise.  I've heard that Linux will honor arps that it sees between 
other hosts.

 > 	(d) I can't get out into the private internet, using 'ping',
 > 	    'traceroute -I', or other network services.

Again, maybe your routing isn't as simple as you think.

You might run ethereal on the workstation as you try these tests.  That 
frequently shows that what you expect isn't what you're getting.  You 
can verify that your ICMPs are going where you think they are.

HTH,
Dave

References:
- [SAGE] jsdy networking puzzlement
  - From: Joseph S D Yao <jsdy@tux.org>

Prev by Date: Re: [SAGE] System Inventory
Next by Date: Re: [SAGE] Color identifiers and products like Nagios ...
Prev by thread: Re: [SAGE] jsdy networking puzzlement
Next by thread: [SAGE] TLD lossage (still, again, yet)
Index(es):
- Date
- Thread