[CentOS] A bridge problem

Mon Jun 13 22:55:34 UTC 2011
Les Mikesell <lesmikesell at gmail.com>

On 6/13/2011 3:01 PM, m.roth at 5-cent.us wrote:
> Les Mikesell wrote:
>> On 6/13/2011 1:02 PM, m.roth at 5-cent.us wrote:
>>> We just went to replace the bridge/firewall services on one server with
>>> the same on another. It's pretty simple, and I literally cloned (w/
>>> rsync) a third server that does this onto the one that will be the new
>>> one. Then copied the /etc/sysconfig/iptables from the one being replaced,
>>> and brought it up this morning.
>>>
>>> Nope. We had to put everything back the way it was.
>>>
>>> The new one sees the two or three servers behind the firewall, and we
>>> can ping them, from the new box. On one, we see IPP broadcasts; in fact,
>>> we see lots of broadcast packets using tcpdump. From outside, though, you
>>> can't see the servers. Trying to ping them, they see nothing. It seems
>>> to be the case that tcp and icmp packets are blocked, and we can't figure
>>> out why.
> <snip>
>> Are the HWADDR= entries fixed up to match the actual hardware after the
>> copy?  And does ifconfig show that your config actually set up what you
>> expected?  CentOS isn't very predictable in terms of which NIC gets
>> which interface name.
>
> Yes. And I made sure of that, before we started this exercise. (And my
> manager asked the same question - he's one of us, you see, *not* a PHB)


I missed that 'from outside' part before.  If that means on the other 
side of a router, note that routers generally have a 20 minute arp cache 
so when you move the IP to a different MAC address you either have to 
wait a long time or log into the router and 'clear arp' before things 
will work again.  There's probably a way to make the interface send a 
gratuitous arp that the router will catch, but I don't know it off the 
top of my head.

-- 
   Les Mikesell
    lesmikesell at gmail.com
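An added illustration of the stale-ARP-cache mechanism Les describes (not code from the thread or from CentOS): it encodes and decodes Ethernet/ARP frames, models a router-side cache with the 20-minute lifetime mentioned above, and shows that after the IP moves to a new MAC the old entry persists until expiry unless a gratuitous ARP (sender IP == target IP) refreshes it. The MACs and the 192.0.2.10 address are constructed sample values, and the cache's refresh-on-any-ARP behaviour is a simplifying assumption, not a claim about any particular router.

```python
import struct

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ROUTER_ARP_TTL = 20 * 60  # seconds; the "20 minute arp cache" from the message

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp_frame(src_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00", oper=ARP_REQUEST):
    """Ethernet header + 28-byte ARP body. Gratuitous ARP: sender_ip == target_ip, broadcast dst."""
    eth = ETH_BROADCAST + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac_bytes(src_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame; rejects anything that is not ARP-over-Ethernet for IPv4."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa), "gratuitous": spa == tpa}

class ArpCache:
    """Router-side neighbour cache: an entry lives ROUTER_ARP_TTL seconds unless refreshed (assumption)."""
    def __init__(self, ttl=ROUTER_ARP_TTL):
        self.ttl, self.entries = ttl, {}  # ip -> (mac, expiry time)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        return entry[0] if entry and entry[1] > now else None

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now + self.ttl)

    def observe(self, frame, now):
        """Refresh from a received ARP; returns the previous MAC if the mapping changed (arpwatch-style flag)."""
        arp = parse_arp_frame(frame)
        old = self.lookup(arp["sender_ip"], now)
        self.learn(arp["sender_ip"], arp["sender_mac"], now)
        return old if old and old != arp["sender_mac"] else None

def simulate_move(send_garp):
    """Old box 00:11:22:33:44:55 owns 192.0.2.10; the new box 66:77:88:99:aa:bb takes the IP at t=60s.
    Returns (MAC the router uses right after the move, MAC it uses just after the original TTL)."""
    cache, ip = ArpCache(), "192.0.2.10"
    cache.learn(ip, "00:11:22:33:44:55", 0)
    if send_garp:
        cache.observe(build_arp_frame("66:77:88:99:aa:bb", ip, ip), 60)
    return cache.lookup(ip, 60), cache.lookup(ip, ROUTER_ARP_TTL + 1)
```

On the host itself, iputils' `arping -U -I <iface> <ip>` sends such unsolicited ARP frames; this block only models the cache side and transmits nothing.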