[CentOS] Not firewall, but what?

Fri May 14 07:10:44 UTC 2010
Jussi Hirvi <listmember at greenspot.fi>

>> [root at farm1 network-scripts]# grep -rl "ip rule" .
>> ./ifdown-routes
>> ./ifup-routes

On 13.5.2010 21.36, Gordon Messmer wrote:
> Yes, those scripts will run "ip rule" to process the contents of the
> "rule-*" files.  The company I work for uses shorewall on all of their
> multi-homed systems, so I'm not sure how systems without it behave.
> That said, I don't see any magic in the init scripts to handle this
> without your input.  I'm inclined to believe that something on your
> system was manually configured to set up the routing policy that you see.
>
> Find it harder:
> find /etc/ -type f -print0 | xargs -0 grep "ip rule"

Ok, rc.d/routes is probably it (on the "healthy" machine I previously 
used as a reference). I will have to study the ip command and routing a 
bit, then make a fix on the "non-healthy" (xen) box.

[root at mail ~]# find /etc -type f -exec grep -l "ip rule" {} \;
/etc/udev/rules.d/50-udev.rules.rpmorig
/etc/udev/rules.d/50-udev.rules
/etc/rc.d/routes
/etc/sysconfig/network-scripts/ifdown-routes.rpmorig
/etc/sysconfig/network-scripts/ifdown-routes
/etc/sysconfig/network-scripts/ifup-routes.rpmorig
/etc/sysconfig/network-scripts/ifup-routes

[root at mail rc.d]# cat routes

/sbin/ip address add 62.220.237.110/27 dev eth0
/sbin/ip route add default via 62.220.237.126 tab 1
/sbin/ip route add default via 62.236.221.65 tab 2
/sbin/ip rule add from 62.236.221.70 tab 2 prio 500
/sbin/ip rule add from 62.220.237.110 tab 1 prio 600
/sbin/ip route flush cache


- Jussi

-- 
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi
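As an added example (not code from this thread or from CentOS), the script below parses a routes script like the one quoted above, flags rules whose table has no routes or whose source address the script never assigns (the second address here), and renders the rule-eth0 / route-eth0 fragments that ifup-routes feeds line by line to `ip rule add` / `ip route add`. It assumes the ip-format route-DEV / rule-DEV files of the CentOS network-scripts, and assumes eth0 for any source address whose interface the script does not show.

```python
import re

# Constructed copy of the rc.d/routes script shown in the message above.
ROUTES_SCRIPT = """\
/sbin/ip address add 62.220.237.110/27 dev eth0
/sbin/ip route add default via 62.220.237.126 tab 1
/sbin/ip route add default via 62.236.221.65 tab 2
/sbin/ip rule add from 62.236.221.70 tab 2 prio 500
/sbin/ip rule add from 62.220.237.110 tab 1 prio 600
/sbin/ip route flush cache
"""

ADDR_RE = re.compile(r"ip\s+addr(?:ess)?\s+add\s+(\S+)/\d+\s+dev\s+(\S+)")
ROUTE_RE = re.compile(r"ip\s+route\s+add\s+(.+?)\s+tab(?:le)?\s+(\S+)")
RULE_RE = re.compile(r"ip\s+rule\s+add\s+from\s+(\S+)\s+tab(?:le)?\s+(\S+)(?:\s+prio\s+(\d+))?")

def parse_script(text):
    """Return (src IP -> dev, table -> [route spec], [(src, table, prio)])."""
    addrs, routes, rules = {}, {}, []
    for line in text.splitlines():
        if m := ADDR_RE.search(line):
            addrs[m.group(1)] = m.group(2)
        elif m := ROUTE_RE.search(line):
            routes.setdefault(m.group(2), []).append(m.group(1))
        elif m := RULE_RE.search(line):
            rules.append((m.group(1), m.group(2), m.group(3)))
    return addrs, routes, rules

def audit(addrs, routes, rules):
    """List inconsistencies to resolve before trusting or converting the script."""
    findings = []
    for src, table, _ in rules:
        if table not in routes:
            findings.append(f"rule from {src} selects table {table}, which has no routes")
        if src not in addrs:
            findings.append(f"rule from {src}: address not assigned here, confirm its interface")
    used = {t for _, t, _ in rules}
    findings += [f"table {t} has routes but no rule selects it" for t in routes if t not in used]
    return findings

def to_sysconfig(addrs, routes, rules, default_dev="eth0"):
    """Render {filename: contents} in the ip format ifup-routes passes to ip rule/route add."""
    files = {}
    for src, table, prio in rules:
        dev = addrs.get(src, default_dev)  # default_dev is an assumption for unassigned IPs
        rule = f"from {src} table {table}" + (f" prio {prio}" if prio else "")
        files.setdefault(f"rule-{dev}", []).append(rule)
        for spec in routes.get(table, []):
            files.setdefault(f"route-{dev}", []).append(f"{spec} table {table}")
    return {name: "\n".join(lines) + "\n" for name, lines in files.items()}
```

Run `audit(*parse_script(ROUTES_SCRIPT))` first; only when it comes back empty (or every finding is understood) is `to_sysconfig` output worth copying into /etc/sysconfig/network-scripts.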