gmane.comp.security.shorewall

Re: TC and interfaces

Tom Eastep — 2013-05-25T03:09:54


No. I'm saying that it corrects some defects that are present in your
version.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive
twice.



------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

Re: FORWARD DROP Problem - squeze -> wheezy

2013-05-24T17:27:37

works like charm.
thank you very much.

regards
julian

On 23/05/2013 22:38, Tom Eastep wrote:


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

Re: FORWARD DROP Problem - squeze -> wheezy

Tom Eastep — 2013-05-23T20:38:00

Add the 'routeback' option for br1 in /etc/shorewall/interfaces.

-Tom

FORWARD DROP Problem - squeze -> wheezy

2013-05-23T19:54:59

hello,

i have a setup which worked without a problem on debian squeeze
(shorewall 4.4.11.6-3) and now don't work any more on debian wheezy
(shorewall 4.5.5.3-3).

the setup inlcudes 2 bridges br0 which briges to eth0 and br1 which
bridges all virtual machines in a virtual lan.


bridge name     bridge id               STP enabled     interfaces
br0             8000.001517ee821c       no              eth0
br1             8000.fe54365c6402       no              vnet0
                                                        vnet1
                                                        vnet2

if i try to ping/connect the lan machines i get drops.

Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2
MAC=52:54:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.12.10.5
DST=10.12.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=2686 SEQ=187


/etc/shorewall/policy
.....
lan$FWACCEPTinfo
lannetACCEPTinfo
lanlanACCEPTinfo
....


/etc/shorewall/shorewall.conf
....
#

Re: TC and interfaces

Emiliano Vazquez — 2013-05-23T19:38:11

tc_files who has defined ppp1 and ifb1. ppp1 was down and i think this was
the problem. I will test this in a place without users.






Best regards.
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

Re: TC and interfaces

Tom Eastep — 2013-05-23T19:23:20

Then you need to:

a) Add the 'optional' option on ppp0 and ppp1 in
/etc/shorewall/interfaces; and

b) Run LSM to handle up/down events.

Once I have released 4.5.17, you probably want to install that and also
run Shorewall-init; it handles up events more quickly that LSM.

-Tom

Re: TC and interfaces

Emiliano Vazquez — 2013-05-23T18:27:34

El 23/05/13 10:15, Tom Eastep escribió:
Hi Tom! i'm using 4.5.15 and follow this tutorial[1] for make this work.

When i run "shorewall start" i have tc_files error because the interface 
is down (ppp0 or ppp1).

Best regards.


[1] http://www.shorewall.net/MultiISP.html

Re: TC and interfaces

Tom Eastep — 2013-05-23T13:15:11

Which version of Shorewall are you running? And do you use Shorewall's
Multi-ISP facilities to manage your two uplinks?

-Tom

TC and interfaces

Emiliano Vazquez — 2013-05-23T02:57:24

Hi guys!

I'm having a little problem.
The scenario is:
* Ubuntu 12.10
* 2 ADSL (PPPoE) connections. One on eth1 and the other on eth2
* I run pppd and get both working ok.
* In /etc/default/shorewall put "wait interface ppp0 ppp1" for wait both 
connections on reboot.
* I have a tcinterfaces for each ppp and tcclasses and tcfilters too.

The problems occurs when the system has been rebooted for an update and 
one interface never goes up again. I move on /etc/default/shorewall the 
line "wait interface ppp0 ppp1" to "wait interface ppp0" and reboot 
again to see what happend and problem still there!

What happend? The problem was the tcinterfaces, tcclasses and tcfilters 
have "ppp1" rules and because this link was down every time i start 
Shorewall.  Shorewall says "start failed".
I have to manually delete all lines on tc_ with ppp1 reference and then 
i can get shorewall up and running again.

Is there any way to get this working without have to create 2 different 
/etc/shorewall/* files for both cases? So

Re: Redirect incoming port to anotherportinternal.

2013-05-21T22:53:58

Hi Tom,

Fantastic, that worked perfectly.
I did see the FAQ but my internal range isn't NAT'd and I could quite figure
out what to do.
loc:: solved it perfectly.

Thank you very much.

Cheers
Adam

-----Original Message-----
From: Tom Eastep [mailto:teastep< at >shorewall.net] 
Sent: Wednesday, 22 May 2013 12:33 AM
To: shorewall-users< at >lists.sourceforge.net
Subject: Re: [Shorewall-users] Redirect incoming port to another port
internal.

On 05/21/2013 07:07 AM, Tom Eastep wrote:
possible.


e.g.

DNATnetloc::25tcp26-111.111.111.111

-Tom

Re: UDP 38 - my log is flooded

Tom Eastep — 2013-05-21T20:59:11

Note that the dynamic blacklist does not survive a 'shorewall
stop/start' sequence; it does survive a 'shorewall restart' when you are
running later Shorewall versions.

-Tom

Re: UDP 38 - my log is flooded

Øyvind Lode — 2013-05-21T20:07:04

Hm, thanks.

# shorewall drop 77.247.156.58

I got tired looking at 77.247.156.58 cluttering my log.

-----Original Message-----
From: Wayne S [mailto:linux< at >zuik.net] 
Sent: 21. mai 2013 19:36
To: Shorewall Users
Subject: Re: [Shorewall-users] UDP 38 - my log is flooded

At 5/21/2013 12:12 PM, you wrote:


Hi all:

I see a lot of these messages:

#########################

May 19 06:25:54 munin kernel: [3093836.996827] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32900 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:27:03 munin kernel: [3093906.026783] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32901 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:28:12 munin kernel: [3093975.060379] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN

Re: UDP 38 - my log is flooded

Wayne S — 2013-05-21T17:36:21

Port 38 is Route Access Protocol - RAP,  and someone may be trying to add a route to your firewall.

Wayne


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

UDP 38 - my log is flooded

Øyvind Lode — 2013-05-21T16:12:59

Hi all:

I see a lot of these messages:

#########################

May 19 06:25:54 munin kernel: [3093836.996827] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32900 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:27:03 munin kernel: [3093906.026783] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32901 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:28:12 munin kernel: [3093975.060379] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32902 PROTO=UDP SPT=51327 DPT=38 LEN=56

#########################

At the time of writing 3096 entries and counting...

I have filtered out my IP (DST=)

UDP 38 is unknown to me and /etc/services did not give me a clue either.

What's going on?

Thanks

- Øyvind




---------------------

Re: Redirect incoming port to another portinternal.

Tom Eastep — 2013-05-21T14:32:41


e.g.

DNATnetloc::25tcp26-111.111.111.111

-Tom

Re: Redirect incoming port to another portinternal.

Tom Eastep — 2013-05-21T14:07:07

Yes -- Shorewall FAQ 1C.

-Tom

Re: Adding ndpi-netfilter rules

Nuno Fernandes — 2013-05-21T11:45:07

See the thread "Best way to integrate ndpi in shorewall" in the mailling lists.

Best regards,
./npf

On Tuesday 21 May 2013 10:37:34 Göran Höglund wrote:
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

Adding ndpi-netfilter rules

Göran Höglund — 2013-05-21T08:37:34

Hi
Is there any way to insert L7 rules by using the ndpi-netfilter module?

/GH


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

Redirect incoming port to another port internal.

2013-05-21T05:53:19

Hi all,

I have tried to figure out how to do this one but I think I have just
confused myself more.
My firewall is a 2 interface setup, the same box is my router to my uplink.

I'm not using nat at all and have a public IP range behind this machine.



net = eth0

loc = eth1


Most of my rules are mainly the basic 

HTTP(ACCEPT) net loc:111.111.111.112

SMTP(ACCEPT) net loc:111.111.111.113
etc

This time around though I wish to just redirect (or is it translate) a port
but because I'm not using nat etc I'm not sure if this is possible.

I have a mail server behind my firewall that already has a rule in place
SMTP(ACCEPT) net         loc:111.1111.111.111

So this allows inbound port 25 connections to the machine on loc no issues
at all.



What I want to do is have an incoming connection on port 26 to
111.111.111.111 BUT redirect it to 111.111.111.111 but on port 25, is this
possible?


Cheers
Adam







------------------------------------------------------------------------------
Try New Relic Now & We'll

Re: Masquerade default route for network on internal interface through ipsec built on external/internet interface

Tom Eastep — 2013-05-20T19:51:13

I do, however, see one obvious IP configuration error:

3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth0 <=========
    inet 10.2.0.254/24 brd 10.2.0.255 scope global secondary eth0:3

default via 69.161.96.1 dev eth1
69.161.96.0/24 dev eth1  proto kernel  scope link  src 69.161.96.69
127.0.0.0/8 dev lo  scope link
169.254.0.0/16 dev eth0  scope link
10.1.0.0/24 via 10.2.0.1 dev eth0 <=========
10.2.0.0/24 dev eth0  proto kernel  scope link  src 10.2.0.1

One of the two marked lines is clearly wrong.

-Tom

Re: Masquerade default route for network on internal interface through ipsec built on external/internet interface

Tom Eastep — 2013-05-20T19:13:58


Having looked at the dump, I'm lost as to what problem you are trying to
solve.

-Tom