SUMMARY: virtual interface (followup)

From: Sweth Chandramouli (sweth@astaroth.nit.gwu.edu)
Date: Thu Jan 15 1998 - 13:25:56 CST


        in response to my summary about problems with virtual interfaces, viet
hoang suggested that i check the netmask/broadcast address of the interfaces to
make sure that they were the same. this jogged my memory--i had, just before i
noticed the problem logging in to the host with an access list, changed the
netmask on hme0:2 (i'll discuss this a bit more below). when i downed it and
brought it up again to see if i could (as someone suggested) force the machine
to use hme0:0, i typed out the full command, including netmask and
broadcast--and, out of habit, used the correct netmask (255.255.255.0).
changing the netmask on hme0:2 back to the different one caused the access list
problem to reappear.
        as far as i can tell, then, packets were _never_ going out the hme0:2
interface; when the netmask on that interface was set differently, however, the
remote host somehow recognized the packets as coming from that interface, and
denied access.
        this brings up two followup questions: one, why does having the
different netmask (255.255.252.0) cause the remote host to recognize the packets
as coming from hme0:2, even though netstat shows them as coming from hme0:0?
and two, is netmask 255.255.252.0 a valid one under solaris 2.5.1? one of my
coworkers claimed it wasn't, because /etc/netmasks refuses to let you use a
netmask that doesn't correspond to whole-byte values (class a, b, or c
networks), which was why i had originally set the netmask on hme0:2 to
255.255.252.0--to prove that, even if /etc/netmasks rejected the value, ifconfig
would (at least in theory) let you enter any value. the second physical
interface (which would connect to another, super-netted network, for which we
are using the 255.255.252.0 mask) for my machine hasn't arrived yet, however, so
i can't test whether ifconfig is simply not producing an error, as /etc/netmasks
does, but would still not work with the different mask, or if it is, in fact,
compatible with supernets. does anyone else have any experience with this?
        
        thanks again to everyone who responded; as always, i will post a
summary. (also, since i still can't find a virtual interfaces (not virtual
host) faq, and since i received a fair number of "me too" messages, i think i
_will_ start compiling such a faq. i'll post a notice to the list when it's
ready.)
        
        -- sweth.

-- 
"Countin' on a remedy I've counted on before
Goin' with a cure that's never failed me
What you call the disease
I call the remedy"  -- The Mighty Mighty Bosstones
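
Added example, not part of the original post: the netmask/broadcast consistency check suggested in the message, run over constructed Solaris-style `ifconfig -a` output. The addresses are documentation-range placeholders and the `audit` helper is a hypothetical name used only here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of Solaris `ifconfig -a` (hex netmasks);
# the addresses are placeholders, not values from the post.
SAMPLE = """\
hme0: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask ffffff00 broadcast 192.0.2.255
hme0:1: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.11 netmask ffffff00 broadcast 192.0.2.255
hme0:2: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.0.2.12 netmask fffffc00 broadcast 192.0.2.255
"""

IF_RE = re.compile(
    r"^(\S+): flags=.*\n\s+inet (\S+) netmask ([0-9a-f]{1,8}) broadcast (\S+)",
    re.M)

def audit(text):
    """Return (interface, problem) pairs for inconsistent mask/broadcast settings."""
    findings, by_phys = [], defaultdict(list)
    for name, addr, mask_hex, bcast in IF_RE.findall(text):
        mask = ipaddress.IPv4Address(int(mask_hex, 16))
        try:
            iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        except ValueError:  # ipaddress rejects masks whose 1-bits are not contiguous
            findings.append((name, "non-contiguous netmask"))
            continue
        net = iface.network
        if ipaddress.IPv4Address(bcast) != net.broadcast_address:
            findings.append(
                (name, f"broadcast {bcast} != {net.broadcast_address} for /{net.prefixlen}"))
        by_phys[name.split(":")[0]].append((name, net))
    # Logical interfaces on one physical interface: flag overlapping networks
    # that were configured with different masks.
    for nets in by_phys.values():
        for i, (a_name, a_net) in enumerate(nets):
            for b_name, b_net in nets[i + 1:]:
                if a_net != b_net and a_net.overlaps(b_net):
                    findings.append(
                        (b_name, f"{b_net} overlaps {a_net} on {a_name} with a different mask"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE):
        print(f"{name}: {problem}")
```

With the sample above, every finding points at hme0:2: fffffc00 is a contiguous 22-bit mask, but the configured broadcast address still matches the 24-bit network, and the resulting /22 overlaps the /24 on the other two interfaces.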


