[CentOS] Not firewall, but what?
Jussi Hirvi
listmember at greenspot.fi
Sat May 8 12:00:44 UTC 2010
On 8.5.2010 11.56, Kahlil Hodgson wrote:
>> Is it safe to turn stp "on" there (instead of "off")? (Requires xend
>> restart at least, I suppose.) Or is there a better way to turn stp on
>> permanently?
>
> STP is safe to turn on, but there is a small start up and tiny
> performance hit - that's why it's off by default. All the bridges on
> your network have to establish relationships with each other, which can
> take 10-15 seconds depending on your network. Also, it's not just the
> bridges on that box that you have to worry about: any other bridges on
> other boxes that are on the same network also need STP turned on. Your
> old Fedora box may be a potential culprit.
>
> I've never used Xen, so I can't give any firm advice.
> That looks like the place where the bridge is created, so at a guess,
> that's where you want to turn it on. Not too sure about turning ARP or
> MULTICAST off though -- that might interfere with STP.
>
>> The box has 2 physical if cards, and both of them are used for bridges
>> (xenbr0 and xenbr1).
>
> Yeah. Thinking you definitely need STP. You can turn it on temporarily
> with
>
> brctl stp xenbr0 on
> brctl stp xenbr1 on
>
> wait a few seconds and run
>
> brctl showstp xenbr0
>
> to see what's going on, and also see if it fixes your problem.
>
> Hope this helps
>
> Kal

Thanks, it does (though the problem still persists).

I turned stp on (for both bridges). I found another virbridge on another
machine which has 2 if-cards: "virbr0", created by CentOS 5 by default I
guess, for dhcp network, which I never even thought of. I brought this
bridge down with ifconfig - btw, how can I disable it so that it stays
off through reboots?

So far the problem persists - I guess that I will have to start
modifying routing tables.

I guess it's natural that this kind of problem is weird. :-)

For example, it is kind of natural that I can access these problematic
62.236.221.xx addresses (on the xen box) from other boxes in the same
62.236.221.xx network segment.

But I can *also* access those ip addresses from the network
62.220.237.xx. Why? No idea. (the other if-card on the xen box is
configured to this network segment, but I don't see why this would
explain this.)

Also seen from my home computer at 84.20.154.60 everything seems normal
- no idea why!

These (62.236.221.xx, 62.220.237.xx, 84.20.154.58/xx) are the only known
clients from which the problematic addresses (62.236.221.67,
62.236.221.71) on the xen box are visible. :-/

- Jussi
--
Jussi Hirvi * Green Spot
Topeliuksenkatu 15 C * 00250 Helsinki * Finland
Tel. +358 9 493 981 * Mobile +358 40 771 2098 (only sms)
jussi.hirvi at greenspot.fi * http://www.greenspot.fi
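
A read-only check for the point made in the quoted reply (every bridge on the segment needs STP turned on), as an added example that is not part of the original thread: it reads each bridge's STP state from Linux sysfs instead of running brctl per bridge. The function names and the optional sysfs-root argument are assumptions for illustration; run it on each box that hosts a bridge.

```shell
#!/bin/sh
# Added example (not from the thread): list every bridge on this host
# with its STP state, so a bridge left at "off" (such as a forgotten
# virbr0) stands out. Assumes the Linux sysfs bridge layout.

# Print "<bridge> stp=<state> ports=<n>" for each bridge under $1.
# $1 is the sysfs net directory (hypothetical parameter, defaults to
# /sys/class/net).
stp_report() {
    net_dir=${1:-/sys/class/net}
    for dev in "$net_dir"/*; do
        # Only bridge devices expose bridge/stp_state.
        [ -f "$dev/bridge/stp_state" ] || continue
        name=${dev##*/}
        state=$(cat "$dev/bridge/stp_state")
        case $state in
            0) label=off ;;
            1) label=on ;;         # STP run by the kernel
            2) label=on-user ;;    # STP run by a userspace daemon
            *) label=unknown ;;
        esac
        # Count enslaved interfaces listed under brif/.
        ports=0
        for p in "$dev"/brif/*; do
            [ -e "$p" ] && ports=$((ports + 1))
        done
        printf '%s stp=%s ports=%s\n' "$name" "$label" "$ports"
    done
}

# Succeed only if no bridge under $1 has STP switched off.
stp_all_on() {
    case $(stp_report "$1") in
        *stp=off*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone use: report on the live system.
stp_report "${SYSFS_NET:-/sys/class/net}"
```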