On 6/13/2011 3:01 PM, m.roth@5-cent.us wrote:
Les Mikesell wrote:
On 6/13/2011 1:02 PM, m.roth@5-cent.us wrote:
We just went to replace the bridge/firewall services on one server with the same on another. It's pretty simple, and I literally cloned (w/ rsync) a third server that does this onto the one that will be the new one. Then copied the /etc/sysconfig/iptables from the one being replaced, and brought it up this morning.
Nope. We had to put everything back the way it was.
The new one sees the two or three servers behind the firewall, and we can ping them, from the new box. On one, we see IPP broadcasts; in fact, we see lots of broadcast packets using tcpdump. From outside, though, you can't see the servers. Trying to ping them, they see nothing. It seems to be the case that tcp and icmp packets are blocked, and we can't figure out why.
<snip>
> Are the HWADDR= entries fixed up to match the actual hardware after the
> copy? And does ifconfig show that your config actually set up what you
> expected? CentOS isn't very predictable in terms of which NIC gets
> which interface name.
Yes. And I made sure of that, before we started this exercise. (And my manager asked the same question - he's one of us, you see, *not* a PHB)
I missed that 'from outside' part before. If that means on the other side of a router, note that routers generally have a 20 minute arp cache so when you move the IP to a different MAC address you either have to wait a long time or log into the router and 'clear arp' before things will work again. There's probably a way to make the interface send a gratuitous arp that the router will catch, but I don't know it off the top of my head.