<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.security.shorewall">
    <title>gmane.comp.security.shorewall</title>
    <link>http://blog.gmane.org/gmane.comp.security.shorewall</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29656"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29655"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29654"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29653"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29652"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29651"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29650"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29649"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29648"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29647"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29646"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29645"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29644"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29643"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29641"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29640"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29639"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29638"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29637"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.security.shorewall/29636"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29656">
    <title>TC and interfaces</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29656</link>
    <description>&lt;pre&gt;Hi guys!

I'm having a little problem.
The scenario is:
* Ubuntu 12.10
* 2 ADSL (PPPoE) connections. One on eth1 and the other on eth2
* I run pppd and get both working ok.
* In /etc/default/shorewall I put "wait interface ppp0 ppp1" to wait for both 
connections on reboot.
* I have a tcinterfaces entry for each ppp, and tcclasses and tcfilters entries too.

The problem occurs when the system has been rebooted for an update and 
one interface never comes up again. I changed the line in /etc/default/shorewall 
from "wait interface ppp0 ppp1" to "wait interface ppp0" and rebooted 
again to see what happened, and the problem is still there!

What happened? The problem was that tcinterfaces, tcclasses and tcfilters 
have "ppp1" rules, and because this link was down every time I started 
Shorewall, Shorewall said "start failed".
I have to manually delete all lines in the tc* files that reference ppp1, and then 
I can get Shorewall up and running again.

Is there any way to get this working without having to create 2 different 
sets of /etc/shorewall/* files for both cases? Something like "shorewall disable 
tc ISP1"

Best regards and thanks for reading this email.


&lt;/pre&gt;</description>
    <dc:creator>Emiliano Vazquez</dc:creator>
    <dc:date>2013-05-23T02:57:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29655">
    <title>Re: Redirect incoming port to anotherportinternal.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29655</link>
    <description>&lt;pre&gt;Hi Tom,

Fantastic, that worked perfectly.
I did see the FAQ, but my internal range isn't NAT'd and I couldn't quite figure
out what to do.
loc:: solved it perfectly.

Thank you very much.

Cheers
Adam

-----Original Message-----
From: Tom Eastep [mailto:teastep&amp;lt; at &amp;gt;shorewall.net] 
Sent: Wednesday, 22 May 2013 12:33 AM
To: shorewall-users&amp;lt; at &amp;gt;lists.sourceforge.net
Subject: Re: [Shorewall-users] Redirect incoming port to another port
internal.

On 05/21/2013 07:07 AM, Tom Eastep wrote:
possible.


e.g.

DNAT    net    loc::25    tcp    26    -    111.111.111.111

-Tom
&lt;/pre&gt;</description>
    <dc:creator>adstar&lt; at &gt;genis-x.com</dc:creator>
    <dc:date>2013-05-21T22:53:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29654">
    <title>Re: UDP 38 - my log is flooded</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29654</link>
    <description>&lt;pre&gt;
Note that the dynamic blacklist does not survive a 'shorewall
stop/start' sequence; it does survive a 'shorewall restart' when you are
running later Shorewall versions.

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-21T20:59:11</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29653">
    <title>Re: UDP 38 - my log is flooded</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29653</link>
    <description>&lt;pre&gt;Hm, thanks.

# shorewall drop 77.247.156.58

I got tired looking at 77.247.156.58 cluttering my log.

-----Original Message-----
From: Wayne S [mailto:linux&amp;lt; at &amp;gt;zuik.net] 
Sent: 21. mai 2013 19:36
To: Shorewall Users
Subject: Re: [Shorewall-users] UDP 38 - my log is flooded

At 5/21/2013 12:12 PM, you wrote:


Hi all:

I see a lot of these messages:

#########################

May 19 06:25:54 munin kernel: [3093836.996827] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32900 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:27:03 munin kernel: [3093906.026783] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32901 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:28:12 munin kernel: [3093975.060379] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32902 PROTO=UDP SPT=51327 DPT=38 LEN=56

#########################

At the time of writing 3096 entries and counting...

I have filtered out my IP (DST=)

UDP 38 is unknown to me and /etc/services did not give me a clue either.

What's going on?

Thanks

- Øyvind


Port 38 is Route Access Protocol - RAP, and someone may be trying to add a route to your firewall.

Wayne




------------------------------------------------------------------------------
Try New Relic Now &amp;amp; We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, &amp;amp; servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
&lt;/pre&gt;</description>
    <dc:creator>Øyvind Lode</dc:creator>
    <dc:date>2013-05-21T20:07:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29652">
    <title>Re: UDP 38 - my log is flooded</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29652</link>
    <description>&lt;pre&gt;
Port 38 is Route Access Protocol - RAP, and someone may be trying to add a route to your firewall.

Wayne
&lt;/pre&gt;</description>
    <dc:creator>Wayne S</dc:creator>
    <dc:date>2013-05-21T17:36:21</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29651">
    <title>UDP 38 - my log is flooded</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29651</link>
    <description>&lt;pre&gt;Hi all:

I see a lot of these messages:

#########################

May 19 06:25:54 munin kernel: [3093836.996827] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32900 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:27:03 munin kernel: [3093906.026783] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32901 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:28:12 munin kernel: [3093975.060379] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32902 PROTO=UDP SPT=51327 DPT=38 LEN=56

#########################

At the time of writing 3096 entries and counting...

I have filtered out my IP (DST=)

UDP 38 is unknown to me and /etc/services did not give me a clue either.

What's going on?

Thanks

- Øyvind
&lt;/pre&gt;</description>
    <dc:creator>Øyvind Lode</dc:creator>
    <dc:date>2013-05-21T16:12:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29650">
    <title>Re: Redirect incoming port to another portinternal.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29650</link>
    <description>&lt;pre&gt;

e.g.

DNAT    net    loc::25    tcp    26    -    111.111.111.111

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-21T14:32:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29649">
    <title>Re: Redirect incoming port to another portinternal.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29649</link>
    <description>&lt;pre&gt;
Yes -- Shorewall FAQ 1C.

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-21T14:07:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29648">
    <title>Re: Adding ndpi-netfilter rules</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29648</link>
    <description>&lt;pre&gt;See the thread "Best way to integrate ndpi in shorewall" in the mailling lists.

Best regards,
./npf

On Tuesday 21 May 2013 10:37:34 Göran Höglund wrote:
&lt;/pre&gt;</description>
    <dc:creator>Nuno Fernandes</dc:creator>
    <dc:date>2013-05-21T11:45:07</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29647">
    <title>Adding ndpi-netfilter rules</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29647</link>
    <description>&lt;pre&gt;Hi
Is there any way to insert L7 rules by using the ndpi-netfilter module?

/GH
&lt;/pre&gt;</description>
    <dc:creator>Göran Höglund</dc:creator>
    <dc:date>2013-05-21T08:37:34</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29646">
    <title>Redirect incoming port to another port internal.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29646</link>
    <description>&lt;pre&gt;Hi all,

I have tried to figure out how to do this one but I think I have just
confused myself more.
My firewall is a 2 interface setup, the same box is my router to my uplink.

I'm not using nat at all and have a public IP range behind this machine.



net = eth0

loc = eth1


Most of my rules are mainly the basic 

HTTP(ACCEPT) net loc:111.111.111.112

SMTP(ACCEPT) net loc:111.111.111.113
etc

This time around though I wish to just redirect (or is it translate) a port
but because I'm not using nat etc I'm not sure if this is possible.

I have a mail server behind my firewall that already has a rule in place
SMTP(ACCEPT) net         loc:111.111.111.111

So this allows inbound port 25 connections to the machine on loc no issues
at all.



What I want to do is have an incoming connection on port 26 to
111.111.111.111 BUT redirect it to 111.111.111.111 but on port 25, is this
possible?


Cheers
Adam
&lt;/pre&gt;</description>
    <dc:creator>adstar&lt; at &gt;genis-x.com</dc:creator>
    <dc:date>2013-05-21T05:53:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29645">
    <title>Re: Masquerade default route for network on internal interface through ipsec built on external/internet interface</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29645</link>
    <description>&lt;pre&gt;
I do, however, see one obvious IP configuration error:

3: eth0: &amp;lt;BROADCAST,MULTICAST,UP,LOWER_UP&amp;gt; mtu 1500 qdisc pfifo_fast
state UP qlen 1000
    inet 10.2.0.1/24 brd 10.2.0.255 scope global eth0 &amp;lt;=========
    inet 10.2.0.254/24 brd 10.2.0.255 scope global secondary eth0:3

default via 69.161.96.1 dev eth1
69.161.96.0/24 dev eth1  proto kernel  scope link  src 69.161.96.69
127.0.0.0/8 dev lo  scope link
169.254.0.0/16 dev eth0  scope link
10.1.0.0/24 via 10.2.0.1 dev eth0 &amp;lt;=========
10.2.0.0/24 dev eth0  proto kernel  scope link  src 10.2.0.1

One of the two marked lines is clearly wrong.

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-20T19:51:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29644">
    <title>Re: Masquerade default route for network on internal interface through ipsec built on external/internet interface</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29644</link>
    <description>&lt;pre&gt;

Having looked at the dump, I'm lost as to what problem you are trying to
solve.

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-20T19:13:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29643">
    <title>Masquerade default route for network on internalinterface through ipsec built on external/internet interface</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29643</link>
    <description>&lt;pre&gt;
            On 5/1/13 9:48 AM, "rblake3" &amp;lt;rblake3&amp;lt; at &amp;gt;hotmail.com&amp;gt; wrote:

    Hello,

    I am currently attempting to masquerade traffic behind an internal interface (eth0) destined for the default gateway to go out of a firewall device located at the other end of an ipsec tunnel.  I have attempted to use the providers feature to do this, but I can not figure out how to keep the ipsec tunnel up while having the traffic forwarded.  At this point, the only thing I can think of is to exclude the far end IP address of the ipsec tunnel and leave everything else to pass through the other device.  However, I was hoping there was a much simpler alternative.

    Quick overview of network:

    [The Internet] &amp;lt;-----&amp;gt; [Corporate HQ - IPSec Device &amp;amp; Firewall (internal: 10.1.0.1)] &amp;lt;—ipsec—&amp;gt; [The Internet] &amp;lt;—ipsec—&amp;gt; [Remote Location – eth1] &amp;lt;—shorewall--&amp;gt; [Remote Location – eth0 (10.2.0.1)] &amp;lt;---&amp;gt; [Internal Network (10.2.0.0/24)]

    I went through the shorewall documentation and was unable to find anywhere that shows this particular example.  I have tried using several configurations in the masq file, but to no avail:

    #INTERFACE SOURCE ADDRESS ...
    eth0 192.168.1.0/24 1.1.1.1

  That rule says that packets routed out of eth0 with SOURCE IP in 192.168.1.0/24 should have their SOURCE IP changed to 1.1.1.1
    #And also tried:
    eth0:10.1.0.1 eth0

  That rule is meaningless. 


    I am hoping the first example above is the correct format; however, that IP is on a far-end device.  Also, I do not have an ipsec0 device since I am using spdadd rules with raccoon that create the static routes of the internal network at headquarters.

    I am certain this is a very simple issue and a solution will be as well, but I cannot seem to wrap my mind around it.  I have included the shorewall &amp;amp; kernel versions below for reference.

    Shorewall version: 4.4.24.1
    Kernel version: 3.4.33-2.24-default (SMP x64)

  It might help us if you posted the output of 'shorewall dump' so we can see what your gateway configuration looks like. Be sure that ipsec-tools are installed before you capture the output.

  -Tom
  You do not need a parachute to skydive. You only need a parachute to skydive twice.

Thank you for your reply.  I had a feeling both of the commands would not help, but I was being hopeful.  At least now I'm certain of what the SOURCE ADDRESS implies (binding to a specific IP on an interface).

Please see attached shorewall dump.  Any assistance would be greatly appreciated.

Ryan
------------------------------------------------------------------------------
AlienVault Unified Security Management (USM) platform delivers complete
security visibility with the essential security capabilities. Easily and
efficiently configure, manage, and operate all of your security controls
from a single console and one unified framework. Download a free trial.
http://p.sf.net/sfu/alienvault_d2d&lt;/pre&gt;</description>
    <dc:creator>rblake3</dc:creator>
    <dc:date>2013-05-20T18:06:00</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29641">
    <title>Re: ddos attack causes high ksoftirqd cpu use</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29641</link>
    <description>&lt;pre&gt;On 5/17/13 1:48 PM, "Michael McCallister"
&amp;lt;mikemc-shorewall&amp;lt; at &amp;gt;terabytemedia.com&amp;gt; wrote:


One correction -- use DROP rules rather than NOTRACK.

-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-17T21:44:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29640">
    <title>Re: ddos attack causes high ksoftirqd cpu use</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29640</link>
    <description>&lt;pre&gt;Tom Eastep wrote, On 5/17/2013 8:14 AM:

Thanks!  I will check that out - that could possibly help for the one 
place I was unable to lose shorewall due to the sheer complexity of the 
rules.
&lt;/pre&gt;</description>
    <dc:creator>Michael McCallister</dc:creator>
    <dc:date>2013-05-17T20:48:05</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29639">
    <title>Re: ddos attack causes high ksoftirqd cpu use</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29639</link>
    <description>&lt;pre&gt;
Michael McCallister wrote, On 5/16/2013 9:50 AM:

After running a series of tests that to some extent... emulate a &amp;lt; at &amp;gt;#$% 
ton of incoming UDP/DNS connections, I found that dropping shorewall 
altogether worked best for me - 2 things seemed to help, 1) the 
less/simpler the iptables rules, the better, and 2) not loading the 
connection tracking modules - at all, helped a lot.  In this setup, I 
saw CPU use drop a lot, and it does not overrun connection tracking.

Of course, this really limits what you can do with the firewall, but if 
your needs can be trimmed down and you can live without connection 
tracking and the convenience of shorewall, then this seems to help with 
this problem.  Of course, I am not sure to what extent this is specific 
to my setup/kernel/network/hardware - so mileage may vary considerably.
&lt;/pre&gt;</description>
    <dc:creator>Michael McCallister</dc:creator>
    <dc:date>2013-05-17T20:44:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29638">
    <title>Re: TPROXY/Squid 3 -- and apache on router.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29638</link>
    <description>&lt;pre&gt;

Yep.

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-17T20:40:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29637">
    <title>Re: TPROXY/Squid 3 -- and apache on router.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29637</link>
    <description>&lt;pre&gt;On 2013-05-17 15:19:02 +0000, Tom Eastep said:

I hate to bring this up again, but I still can't get the documented 
version to work:

I'm running Shorewall 4.5.16.1 (debian "sid")

The documented version is:

TPROXY(3129)    eth1    0.0.0.0/0    tcp    80    -    !192.0.2.144

When I try that syntax, I receive the following error from 'shorewall check':

   ERROR: USER/GROUP only allowed in the OUTPUT chain 
/etc/shorewall/tcrules (line 20)

It appears to me that shorewall/tcrules doesn't have an "ORIGINAL DEST" column.

I am able to find the 'ORIGINAL DEST' column in shorewall/rules, however.
&lt;/pre&gt;</description>
    <dc:creator>Troy Telford</dc:creator>
    <dc:date>2013-05-17T20:13:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29636">
    <title>Re: TPROXY/Squid 3 -- and apache on router.</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29636</link>
    <description>&lt;pre&gt;
The doc at www.shorewall.net was wrong and has been corrected.

Thanks,
-Tom


&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-17T15:19:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.security.shorewall/29635">
    <title>Re: ddos attack causes high ksoftirqd cpu use</title>
    <link>http://permalink.gmane.org/gmane.comp.security.shorewall/29635</link>
    <description>&lt;pre&gt;

If you can characterize the attack, I have found that adding NOTRACK
rules in /etc/shorewall/conntrack that match the attack profile is
effective in reducing CPU utilization and conntrack table overflow.

-Tom
&lt;/pre&gt;</description>
    <dc:creator>Tom Eastep</dc:creator>
    <dc:date>2013-05-17T15:14:06</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.security.shorewall">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.security.shorewall</link>
  </textinput>
</rdf:RDF>
