Emiliano Vazquez | 23 May 2013 04:57

TC and interfaces

Hi guys!

I'm having a little problem.
The scenario is:
* Ubuntu 12.10
* 2 ADSL (PPPoE) connections. One on eth1 and the other on eth2
* I run pppd and get both working OK.
* In /etc/default/shorewall I put "wait interface ppp0 ppp1" to wait for both 
connections on reboot.
* I have a tcinterfaces for each ppp, and tcclasses and tcfilters too.

The problem occurs when the system has been rebooted for an update and 
one interface never comes up again. I changed the line in /etc/default/shorewall 
from "wait interface ppp0 ppp1" to "wait interface ppp0" and rebooted 
again to see what happened, and the problem was still there!

What happened? The problem was that tcinterfaces, tcclasses and tcfilters 
have "ppp1" rules, and because this link was down every time I started 
Shorewall, Shorewall says "start failed".
I have to manually delete all lines in the tc_ files with a ppp1 reference and then 
I can get Shorewall up and running again.

Is there any way to get this working without having to create 2 different 
/etc/shorewall/* files for both cases? Something like "shorewall disable 
tc ISP1"?

Best regards, and thanks for reading this email.

-- 
Emiliano Vazquez | PcCentro Informatica & CCTV
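Emiliano's workaround of deleting every ppp1 line by hand can be automated. The script below is an added example (not Shorewall's own code and not the poster's): it writes copies of tcinterfaces, tcclasses and tcfilters that skip rows for interfaces that are not currently present. It assumes the interface is the first column of those files, bare (`ppp1`) or as `interface:class` (`ppp1:10`), and that iproute2's `ip -o link` is available; the sample file contents are constructed.

```python
import subprocess
from pathlib import Path

# Shorewall tc files whose first column names the interface, bare ('ppp1') or with a class ('ppp1:10').
TC_FILES = ("tcinterfaces", "tcclasses", "tcfilters")

def present_interfaces():
    """Interfaces that exist right now, parsed from `ip -o link` (assumes iproute2)."""
    out = subprocess.run(["ip", "-o", "link"], capture_output=True, text=True, check=True).stdout
    # one interface per line: "3: ppp0: <POINTOPOINT,...> mtu 1492 ..." ('veth0@if4' loses its '@peer')
    return {ln.split(":")[1].strip().split("@")[0] for ln in out.splitlines() if ln.count(":") >= 2}

def filter_tc_text(text, up):
    """Return (filtered text, skipped lines); comments and ?directives pass through untouched."""
    kept, skipped = [], []
    for line in text.splitlines():
        body = line.strip()
        if not body or body[0] in "#?":
            kept.append(line)
            continue
        iface = body.split(None, 1)[0].split(":", 1)[0]
        (kept if iface in up else skipped).append(line)
    return "\n".join(kept) + "\n", skipped

def filter_tc_dir(src, dst, up):
    """Write filtered copies of the tc files found in src into dst; return skipped-line counts."""
    dst.mkdir(parents=True, exist_ok=True)
    report = {}
    for name in TC_FILES:
        path = src / name
        if path.is_file():
            text, skipped = filter_tc_text(path.read_text(), up)
            (dst / name).write_text(text)
            report[name] = len(skipped)
    return report

# Constructed samples shaped like the poster's files; bandwidth and class values are illustrative.
SAMPLE_TCINTERFACES = """\
#INTERFACE  TYPE      IN-BANDWIDTH  OUT-BANDWIDTH
ppp0        external  3mbit         512kbit
ppp1        external  3mbit         512kbit
"""
SAMPLE_TCCLASSES = """\
#INTERFACE:CLASS  MARK  RATE     CEIL     PRIORITY
ppp0:10           1     256kbit  512kbit  1
ppp1:10           1     256kbit  512kbit  1
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TCINTERFACES, SAMPLE_TCCLASSES):
        text, skipped = filter_tc_text(sample, {"ppp0"})  # pretend only ppp0 came up
        print(text, f"# skipped {len(skipped)} ppp1 line(s)\n")
```

Writing the filtered copies into a separate directory and passing that directory to `shorewall start` (Shorewall searches it before CONFIG_PATH) keeps the originals untouched.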

Øyvind Lode | 21 May 2013 22:07

Re: UDP 38 - my log is flooded

Hm, thanks.

# shorewall drop 77.247.156.58

I got tired looking at 77.247.156.58 cluttering my log.


Wayne S | 21 May 2013 19:36

Re: UDP 38 - my log is flooded


Port 38 is Route Access Protocol - RAP, and someone may be trying to add a route to your firewall.

Wayne

Øyvind Lode | 21 May 2013 18:12

UDP 38 - my log is flooded

Hi all:

I see a lot of these messages:

#########################

May 19 06:25:54 munin kernel: [3093836.996827] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32900 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:27:03 munin kernel: [3093906.026783] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32901 PROTO=UDP SPT=51327 DPT=38 LEN=56
May 19 06:28:12 munin kernel: [3093975.060379] Shorewall:net2fw:DROP:IN=eth0 OUT
= MAC=48:5b:39:ac:1b:5e:00:12:da:a4:14:bf:08:00 SRC=77.247.156.58 DST=x.x.x.x
LEN=76 TOS=0x00 PREC=0x00 TTL=53 ID=32902 PROTO=UDP SPT=51327 DPT=38 LEN=56

#########################

At the time of writing 3096 entries and counting...

I have filtered out my IP (DST=)

UDP 38 is unknown to me and /etc/services did not give me a clue either.

What's going on?

Thanks

- Øyvind
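Before deciding on a `shorewall drop`, as Øyvind did, it helps to confirm from the log itself that the noise is one automated source rather than many. The parser below is an added example (not part of the thread and not Shorewall's code): it groups Shorewall DROP entries by source, protocol and destination port and reports hit counts, distinct source ports and the spacing between hits. The sample lines are constructed in the format quoted above, with the DST replaced by a documentation address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shorewall kernel log prefix: syslog stamp, host, uptime, then Shorewall:<chain>:<disposition>:
PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
KV = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|TTL)=(\S*)")  # key=value fields we care about

def parse_line(line):
    """Return a dict of fields, or None when the line is not a Shorewall log entry."""
    m = PREFIX.match(line)
    if not m:
        return None
    rec = dict(KV.findall(line))
    # syslog stamps carry no year; only same-day deltas are used below
    rec.update(chain=m["chain"], disposition=m["disp"], time=datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
    return rec

def summarize(lines):
    """Group DROPs by (SRC, PROTO, DPT): hit count, distinct source ports, (min, max) gap between hits."""
    groups = defaultdict(lambda: {"count": 0, "sports": set(), "times": []})
    for rec in filter(None, map(parse_line, lines)):
        if rec["disposition"] == "DROP":
            g = groups[(rec["SRC"], rec["PROTO"], rec["DPT"])]
            g["count"] += 1
            g["sports"].add(rec.get("SPT"))
            g["times"].append(rec["time"])
    for g in groups.values():
        ts = sorted(g.pop("times"))
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        g["gaps"] = (min(gaps), max(gaps)) if gaps else None
    return dict(groups)

def flagged(report, min_hits=3, jitter=5):
    """Keys that look like one automated prober: repeated hits, a fixed source port, steady cadence."""
    def steady(r):
        return r["gaps"] is not None and r["gaps"][1] - r["gaps"][0] <= jitter
    hits = [k for k, r in report.items() if r["count"] >= min_hits and len(r["sports"]) == 1 and steady(r)]
    return sorted(hits, key=lambda k: -report[k]["count"])

def _mk(ts, disp, src, proto, spt, dpt, ident):
    """Constructed log line in the page's format (DST replaced by a documentation address)."""
    return (f"{ts} munin kernel: [3093836.996827] Shorewall:net2fw:{disp}:IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 LEN=76 "
            f"TOS=0x00 PREC=0x00 TTL=53 ID={ident} PROTO={proto} SPT={spt} DPT={dpt} LEN=56")

# constructed sample: the page's three UDP/38 hits plus one unrelated TCP drop and one accept
SAMPLE_LOG = [
    _mk("May 19 06:25:54", "DROP", "77.247.156.58", "UDP", 51327, 38, 32900),
    _mk("May 19 06:27:03", "DROP", "77.247.156.58", "UDP", 51327, 38, 32901),
    _mk("May 19 06:28:12", "DROP", "77.247.156.58", "UDP", 51327, 38, 32902),
    _mk("May 19 06:28:40", "DROP", "198.51.100.7", "TCP", 40000, 22, 1),
    _mk("May 19 06:29:00", "ACCEPT", "198.51.100.7", "TCP", 40001, 80, 2),
]
```

Run on the three quoted hits, it reports a single source port and a fixed 69-second gap, which is what distinguishes one scripted prober from scattered background noise.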

Göran Höglund | 21 May 2013 10:37

Adding ndpi-netfilter rules

Hi
Is there any way to insert L7 rules by using the ndpi-netfilter module?

/GH

adstar | 21 May 2013 07:53

Redirect incoming port to another port internal.

Hi all,

I have tried to figure out how to do this one but I think I have just confused myself more…
My firewall is a 2 interface setup, the same box is my router to my uplink.

I’m not using nat at all and have a public IP range behind this machine.

net = eth0

loc = eth1


Most of my rules are mainly the basic

HTTP(ACCEPT) net loc:111.111.111.112

SMTP(ACCEPT) net loc:111.111.111.113
etc

This time around, though, I wish to just redirect (or is it translate?) a port, but because I'm not using nat etc. I'm not sure if this is possible.

I have a mail server behind my firewall that already has a rule in place
SMTP(ACCEPT) net         loc:111.1111.111.111

So this allows inbound port 25 connections to the machine on loc no issues at all.

What I want to do is have an incoming connection on port 26 to 111.111.111.111 BUT redirect it to 111.111.111.111 on port 25. Is this possible?


Cheers
Adam

rblake3 | 20 May 2013 20:06

Masquerade default route for network on internal interface through ipsec built on external/internet interface

On 5/1/13 6:50 PM, "teastep" <teastep <at> shorewall.net> wrote:
            On 5/1/13 9:48 AM, "rblake3" <rblake3 <at> hotmail.com> wrote:
 
Hello,
 
I am currently attempting to masquerade traffic behind an internal interface (eth0) destined for the default gateway to go out of a firewall device located at the other end of an ipsec tunnel.  I have attempted to use the providers feature to do this, but I cannot figure out how to keep the ipsec tunnel up while having the traffic forwarded.  At this point, the only thing I can think of is to exclude the far-end IP address of the ipsec tunnel and leave everything else to pass through the other device.  However, I was hoping there was a much simpler alternative.
 
Quick overview of network:
 
[The Internet] <-----> [Corporate HQ - IPSec Device & Firewall (internal: 10.1.0.1)] <—ipsec—> [The Internet] <—ipsec—> [Remote Location – eth1] <—shorewall--> [Remote Location – eth0 (10.2.0.1)] <---> [Internal Network (10.2.0.0/24)]
 
I went through the shorewall documentation and was unable to find anywhere that shows this particular example.  I have tried using several configurations in the masq file, but to no avail:
 
#INTERFACE SOURCE ADDRESS ...
eth0 192.168.1.0/24 1.1.1.1
 
That rule says that packets routed out of eth0 with SOURCE IP in 192.168.1.0/24 should have their SOURCE IP changed to 1.1.1.1
#And also tried:
eth0:10.1.0.1 eth0
 
That rule is meaningless.
 
 
I am hoping the first example above is the correct format; however, that IP is on a far-end device.  Also, I do not have an ipsec0 device since I am using spdadd rules with racoon that create the static routes of the internal network at headquarters.
 
I am certain this is a very simple issue and a solution will be as well, but I cannot seem to wrap my mind around it.  I have included the shorewall & kernel versions below for reference.
 
Shorewall version: 4.4.24.1
Kernel version: 3.4.33-2.24-default (SMP x64)
 
It might help us if you posted the output of 'shorewall dump' so we can see what your gateway configuration looks like. Be sure that ipsec-tools are installed before you capture the output.
 
-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
 
Thank you for your reply.  I had a feeling both of the commands would not help, but I was being hopeful.  At least now I'm certain of what the SOURCE ADDRESS implies (binding to a specific IP on an interface).
 
Please see attached shorewall dump.  Any assistance would be greatly appreciated.
 
Ryan

Attachment (swdump): application/octet-stream, 73 KiB
Emiliano Vazquez | 16 May 2013 17:23

How to add a route

Hi to everyone on the list!
 
I'm having a problem creating a static route. Let me explain the scenario.
 
I have a PC on the LAN (IP 192.168.1.8) which is connected to another network.
I need to send all requests to subnet 192.200.9.0/24 to 192.168.1.8.
 
Is there any way to put this line into Shorewall? I want to do this because when Shorewall restarts it loses this route.
 
Best regards.
 
 


--
Emiliano Vazquez | PcCentro S.R.L.
White 1611 | C.P. C1407IJG | C.A.B.A.
Office: +54 (11) 4635-7764
Celular: 15.6253.7165
Mail: emilianovazquez <at> gmail.com
Web: http://www.pccentro.com.ar

Michael McCallister | 16 May 2013 09:05

ddos attack causes high ksoftirqd cpu use

Hello List!

I got a small (50mbits or so) application layer ddos attack against a 
few name servers (thousands of IPs sending lots of bogus A record 
requests - weird) - one of the name servers was behind a shorewall 
firewall.  That firewall was running a 2.6.18-194.11.1.el5 kernel and 
shorewall-4.4.11.1-1.  I noticed that the shorewall host had ksoftirqd 
using 100% of the CPU during the attack and was kind of slow in general 
as a result - I think this may have affected traffic to other hosts 
behind that firewall as well.  Any ideas what would cause this?  I was 
hoping to avoid this scenario in the future if possible since I plan on 
deploying some other name servers behind shorewall (latest stable on 
2.6.32-358.0.1.el6.x86_64) as a result of this incident, but would 
ideally have a fix for this in place.  I should probably point out that 
the blacklist file had around 500 entries in it - not sure that would 
have any effect on things.

During the attack, the kernel logged a bunch of these: ip_conntrack: 
table full, dropping packet - Possibly the result of connection 
tracking?  Does netfilter even track UDP "connections"?  I thought UDP 
was connectionless.  Is the only workaround for cases like this just to 
have larger connection tracking values in the kernel? Does that help 
with the ksoftirqd CPU use? Or is it best in this case to just not have 
it track connection state for DNS traffic at all and just forward the 
packets along?  How is the ideal solution for this case implemented?

Any help is appreciated!

Michael

P.S.  The attack ended up coming from a bunch of networks mostly in 
Taiwan - had my provider drop traffic from those networks and the 
problem was solved.

Dash Four | 12 May 2013 00:08

policy question

I have a zone (let's call it "net"), which has more than one network 
device attached to it (all interfaces within that zone are optional) and 
also have a catch-all statement in my "policy" file, "all all DROP", 
which, I assumed, will produce a DROP rule at the end of each zone2zone 
chain not explicitly defined in that file.

That is indeed the case for 99% of the zones, but for the net2net chain 
I have an ACCEPT rule at the end, not DROP. I am certain I do not have any 
such rule either in my "rules" or "policy" files, so I am wondering what 
is the cause of this?

CACook | 5 May 2013 15:57

Transparent Proxy


I have a Tor gateway set up, and would like to route all traffic through it. For security, different functions should use different Tor ports, so they have different virtual circuits.

I've assigned port 9110 to be the port for email. My mail client uses SSL for email (POP3s: 995, sSMTP: 465), and I want to direct all accesses to those ports through the Tor SOCKS port of 9110. This should mean that the mail client sends an email out on 465, which is then tunneled by Shorewall (somehow) to 127.0.0.1:9110, and out the Tor network to the exit node, where it then proceeds to the mail server listening on 465.

Anyone know how I would do this in Shorewall?
