NDC Logical Firewall - Interaction with UW Network Operations

When a host misbehaves in such a way that UW Network Operations is forced to deactivate its network connection, its layer-2 (MAC/ethernet/hardware) address must be known in order to identify which switch port it is on.

When a host is a client of (protected by) a logical firewall, its layer-2 (MAC/ethernet/hardware) address is never seen by the campus routers, so, if there is trouble, Network Operations will likely (unknowingly) disconnect the firewall rather than its misbehaving client. (Also, note that using "masquerading" vs. "non-masquerading" NAT will make disconnecting the firewall more likely.)

If you want to allow Network Operations to try to find and disconnect only the offending client, you need to take the following steps to ensure they have current layer-2 addresses for your firewall's clients:

  1. Add the following line to your firewall's "/etc/syslog.conf" file:

       local1.=alert                   @arplog.cac.washington.edu

  2. On the firewall, type:

       killall -1 syslogd

  3. On the firewall, type:

       grep Revision /usr/local/bin/uw-setup

    If the Revision number displayed is older (smaller) than Revision 1.66, obtain and run (on your firewall) the latest version of "uw-setup". You can run it from a floppy as you did during initial firewall setup, or you can replace the copy on the firewall in "/usr/local/bin/uw-setup" and run it from there. Either way, be sure to run "uw-setup -n" (or else supply no hostname when prompted) so it leaves your firewall's rules and interfaces unchanged.

  4. Contact Network Operations (netops@cac.washington.edu) and make sure they have appropriate contact information for the administrator of the firewall.
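As an added illustration (not the uw-setup script itself, whose internals this page does not show), the following shell snippet shows one way a firewall could emit its client IP-to-MAC table at the local1.alert priority so that the syslog.conf line from step 1 forwards it to arplog. The client-side interface name "eth1", the "arp -an" output format and the sample table are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example, not part of uw-setup. Emits the firewall's client-side
# ARP table as local1.alert syslog messages; with the line
#   local1.=alert  @arplog.cac.washington.edu
# in /etc/syslog.conf, syslogd forwards them to Network Operations' log host.
# Assumptions: clients sit behind eth1 and "arp -an" prints lines like
#   ? (10.1.2.3) at 00:11:22:33:44:55 [ether] on eth1

CLIENT_IF="${CLIENT_IF:-eth1}"   # assumed client-side interface

# Constructed sample of "arp -an" output, used for a dry run below.
SAMPLE_ARP='? (10.1.2.3) at 00:11:22:33:44:55 [ether] on eth1
? (10.1.2.9) at <incomplete> on eth1
? (128.95.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0'

# Turn "arp -an" lines (stdin) into "ip=... mac=... if=..." records for the
# interface named in $1, dropping incomplete entries (no MAC learned yet)
# and entries that belong to other interfaces.
arp_records() {
    awk -v ifc="$1" '
        length($4) == 17 && $4 ~ /^[0-9a-fA-F:]+$/ && $NF == ifc {
            ip = $2; gsub(/[()]/, "", ip)
            print "ip=" ip " mac=" $4 " if=" $NF
        }'
}

# Log every current client record at local1.alert; syslogd does the rest.
log_arp_table() {
    arp -an | arp_records "$CLIENT_IF" | while read -r rec; do
        logger -p local1.alert -t uw-arplog "$rec"
    done
}

# Dry run against the constructed sample (prints records, logs nothing).
dry_run() {
    printf '%s\n' "$SAMPLE_ARP" | arp_records "$CLIENT_IF"
}

if [ "${1:-}" = "--run" ]; then
    log_arp_table
elif [ "${1:-}" = "--dry-run" ]; then
    dry_run
fi
```

Run it periodically (for example from cron) so arplog always has current mappings rather than a single snapshot.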

Corey Satten
Email -- corey @ cac.washington.edu
Web -- http://staff.washington.edu/corey/
Date -- Tue Dec 14 15:24:09 PST 2004