Hatim Diab | 15 Apr 02:31 2010

Please help: Shorewall 4.4.8 captures all traffic as "world" on both loc & net on a bridge firewall

Hello All,

I've installed the vanilla Shorewall on F12; I've got it installed on a couple of other servers with no problems. No matter how I define the zones and interfaces, Shorewall logs and allows, rejects or drops only traffic to world.

ACCEPT:info     net:<myip>/32           $FW       icmp
Shorewall:world2fw:REJECT:IN=br0

ACCEPT:info     world:<myip>/32           $FW       icmp
Shorewall:world2fw:ACCEPT:IN=br0

Cheers
Hatim

cat zones
###############################################################################
#ZONE        TYPE        OPTIONS         IN              OUT
#                                        OPTIONS         OPTIONS
fw           firewall
world        ipv4
net:world    bport
loc:world    bport
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
cat interfaces
###############################################################################
#ZONE        INTERFACE   BROADCAST       OPTIONS
world        br0         detect          bridge,logmartians,nosmurfs,norfc1918
net          br0:eth0
loc          br0:eth1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
cat policy
#SOURCE      DEST        POLICY          LOG LEVEL       LIMIT:BURST
loc          net         ACCEPT
net          all         DROP            info
all          all         REJECT          info
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


shorewall version
4.4.8

ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether <> brd ff:ff:ff:ff:ff:ff
    inet6 <>/64 scope link
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether <> brd ff:ff:ff:ff:ff:ff
    inet6 <>/64 scope link
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:0a:cd:19:d2:56 brd ff:ff:ff:ff:ff:ff
    inet <server IP address>/25 brd <brcast> scope global br0
    inet6 <>/64 scope link
       valid_lft forever preferred_lft forever


PS: masked information and real IPs.

$ ip route show
<my net> dev br0  proto kernel  scope link  src <my ip>
169.254.0.0/16 dev br0  scope link  metric 1004
default via <gateway ip> dev br0


------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
Tom Eastep | 15 Apr 03:17 2010

Re: Please help: Shorewall 4.4.8 captures all traffic as "world" on both loc & net on a bridge firewall

Hatim Diab wrote:
> Hello All,
> 
> I've installed the vanilla shorewall F12, I've got it installed on a couple
> of other servers with no problems. no matter how I define the zones and
> interfaces, shorewall logs and allows, rejects or drops only traffic to
> world.

Please see http://www.shorewall.net/support.htm#Guidelines for the
information that we need to diagnose *connection problems*.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Gabriel Gonzalez Cano | 15 Apr 12:27 2010

Re: Active FTP not working

Yes, I read that howto before posting here, but I can't see what I'm
doing wrong with the rules configuration, any help is welcome.

Thanks

On Wed, 2010-04-14 at 11:40 -0700, Tom Eastep wrote:
> Gabriel Gonzalez Cano wrote:
> > Hi there,
> > I'm running a FTP server in DMZ zone and I can transfer files in
> > active/passive mode from local zone, but not from net. If I try it from
> > net only works passive FTP mode, in active mode I get a 'connection time
> > out' error after the PORT ftp command.
> > 
> > I'm running shorewall 4.0.6, and nf_conntrack_ftp and nf_nat_ftp are
> > loaded (kernel 2.6.24).
> > 
> > Could someone tell me how to set correctly the rules file to enable
> > active FTP? Now I have these rules:
> > 
> > ACCEPT       loc    dmz:$FTP_SERVER    tcp    ftp
> > DNAT         net    dmz:$FTP_SERVER    tcp    ftp    -    $FW_EXTERNAL
> > FTP/ACCEPT   dmz    net
> 
> http://www.shorewall.net/FTP.html
> 
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 

Tom Eastep | 15 Apr 15:46 2010

Re: Active FTP not working

Gabriel Gonzalez Cano wrote:
> Yes, I read that howto before posting here, but I can't see what I'm
> doing wrong with the rules configuration, any help is welcome.

The article describes using the debugging features of ftp to see what is
going wrong; have you done that? If so, what were the results? If not,
why not?

The article describes kernel log messages reporting that a partial PORT
or PASV reply has been received; have you looked for those? Note that
there is also a suggested additional rule in the event that you are
seeing those messages. Have you found any such messages? If so, did you
try applying the fix?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

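The FTP article Tom points at describes kernel log messages about a partial PORT or PASV command. The following is an added example, not part of this thread and not Shorewall's or the kernel's own code: a small Python model of what the nf_conntrack_ftp helper has to extract from the control channel before an active (PORT) or passive (PASV) data connection can be expected, and of the "partial" condition that stops it. The control-channel lines and the 192.168.1.x addresses are constructed for the run; the strict "address in PORT must equal the client's address" check follows the helper's `loose` module parameter, the class and function names are mine.

```python
"""
Added example, not Shorewall's or the kernel's code: a model of the FTP
conntrack helper's view of the control channel. Constructed input only.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# "PORT h1,h2,h3,h4,p1,p2" is sent by the client; "227 ... (h1,h2,h3,h4,p1,p2)" by the server.
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
PASV_RE = re.compile(rb"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


@dataclass(frozen=True)
class Expectation:
    """The data connection the helper tells conntrack to expect next."""
    mode: str            # "active": server connects to client; "passive": client connects to server
    host: IPv4Address    # address named in the PORT command or the 227 reply
    port: int


def _decode(groups):
    """Turn the six comma-separated decimal fields into (address, port)."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range in PORT/PASV")
    return IPv4Address(f"{a}.{b}.{c}.{d}"), p1 * 256 + p2


class FtpHelper:
    """Tracks one control connection client -> server:21 (hypothetical model)."""
    PATTERNS = {"client": (b"PORT ",), "server": (b"227 ",)}

    def __init__(self, client, server, loose=False):
        self.client = IPv4Address(client)
        self.server = IPv4Address(server)
        self.loose = loose      # True: trust any address in PORT/227; False: strict (the safe default)
        self.partial = 0        # how often a command straddled a segment boundary

    def feed(self, who, segment):
        """One TCP payload segment from `who` ('client' or 'server').
        Returns (verdict, [Expectation, ...])."""
        lines = segment.split(b"\r\n")
        tail = lines.pop()      # bytes after the last CRLF; b"" when the segment ended on a line
        if tail and any(tail.startswith(p[:len(tail)]) for p in self.PATTERNS[who]):
            # A command of interest continues in a later segment. The kernel helper
            # cannot parse half a PORT: it logs a "partial" message and drops the
            # segment, so the peer retransmits and the transfer stalls if it recurs.
            self.partial += 1
            return "DROP", []
        exps = [e for e in (self._parse(who, line) for line in lines) if e is not None]
        return "ACCEPT", exps

    def _parse(self, who, line):
        if who == "client" and (m := PORT_RE.match(line)):
            host, port = _decode(m.groups())
            # Strict mode: only expect a connection towards the client we are
            # actually talking to. A PORT naming another host would otherwise let
            # the client open a hole towards that host (the classic FTP bounce).
            if not self.loose and host != self.client:
                return None
            return Expectation("active", host, port)
        if who == "server" and (m := PASV_RE.match(line)):
            host, port = _decode(m.groups())
            if not self.loose and host != self.server:
                return None
            return Expectation("passive", host, port)
        return None

    def flow(self, exp):
        """(src, sport, dst, dport) of the data connection conntrack will now
        let through; 20 is the conventional ftp-data source port, None = any."""
        if exp.mode == "active":
            return (str(self.server), 20, str(exp.host), exp.port)
        return (str(self.client), None, str(exp.host), exp.port)


if __name__ == "__main__":
    h = FtpHelper("192.168.1.20", "192.168.1.5")
    print(h.feed("client", b"PORT 192,168,1,20,4,1\r\n"))       # active data connection to 192.168.1.20:1025
    print(h.feed("server", b"227 Entering Passive Mode (192,168,1,5,195,80).\r\n"))
    print(h.feed("client", b"PORT 192,168,1,20,"), h.partial)   # partial command: segment dropped
```

In active mode the expectation is for a connection from the server's port 20 back to the client, which is exactly the flow a firewall in front of a DMZ server has to let out (and, with DNAT in play, NAT correctly); if the PORT command never arrives in one piece, no expectation is created and the client sees the timeout described at the top of the thread.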
S. J. van Harmelen | 15 Apr 16:43 2010

Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port

Hi again...

Today I tried to put my Shorewall config in production, but had to undo it
really fast because I had connection problems. When trying to connect to our
website I noticed that it connected, but then wasn't able to load the whole
page in one time. Now I understand how a webpage is loaded (each picture is
a separate call to the webserver) so I know it has something to do with the
limit action that I set...

You already explained how the limit action works:

"The Limit action works by keeping track of how many connections were
made in the last period"

But I still have trouble understanding what you are saying here (sorry). In
the example of loading a webpage with a few pictures in it... Is every
request to the server counted as a new connection? In that case I guess it's
not really useful to set a limit action on a http rule, right? As then it's
quite hard to set the correct limit number to enable normal browsing but
prevent DoS'ing...

I also read about the connlimit option. Should that be a better option in
this case? I take it that this option does indeed just count the total
numbers of concurrent TCP sessions from a specific IP address, the only
drawback is that the connections aren't counted per rule but in total over
all rules, correct?

Any pros and cons I miss? And the docs don't say what happens when a new
session is started when the limit is reached. Will the new session be logged
and dropped?

Sander

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net] 
Sent: dinsdag 13 april 2010 15:49
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attacks on a specific port

S. J. van Harmelen wrote:
> When reading the 'man shorewall-rules' again I wonder if I can
> accomplice the same behavior with this single rule:
> 
> 
> #ACTION     SOURCE  DEST               PROTO  DEST     SOURCE   ORIGINAL  RATE                  USER/  MARK
> #                                             PORT(S)  PORT(S)  DEST      LIMIT                 GROUP
> HTTP(DNAT)  net     loc:192.168.1.160  -      -        -        -         s:HTTPACCESS:3/min:3
> 
> 
> It looks to me if this has the same effect as the two rules given
> below (if I understand the rules correctly). So could someone then
> tell me what the difference is (if any) between the two ways to
> achieve this effect?

The above rule is broken in Shorewall releases prior to 4.4.8. So I
don't recommend using it unless

> 
> And one last question... Both limiting rules work by counting the
> current connected TCP sessions right?

No.

The Limit action works by keeping track of how many connections were
made in the last period; if that is greater than the limit, then the
connection is optionally logged then dropped; otherwise, the connection
is accepted.

Using per-IP limiting in the RATE/LIMIT column as shown above involves a
token bucket (http://en.wikipedia.org/wiki/Token_bucket). If the source
IP has a token, then the connection is allowed and the IP has one fewer
tokens; otherwise, the connection is passed to the next applicable rule.
See http://www.shorewall.net/configuration_file_basics.htm#RateLimit.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 15 Apr 18:03 2010

Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port

S. J. van Harmelen wrote:

> Today I tried to put my Shorewall config in production, but had to undo it
> really fast because I had connection problems. When trying to connect to our
> website I noticed that it connected, but then wasn't able to load the whole
> page in one time. Now I understand how a webpage is loaded (each picture is
> a separate call to the webserver) so I know it has something to do with the
> limit action that I set...
> 
> You already explained how the limit action works:
> 
> "The Limit action works by keeping track of how many connections were
> made in the last period"
> 
> But I still have trouble understanding what you are saying here (sorry). In
> the example of loading a webpage with a few pictures in it... Is every
> request to the server counted as a new connection?

I neither know nor do I care when Web browsers decide to open new
connections to a server. I know that if I look at about:config in my
Firefox (Iceweasel) browser, there is a max-connections-per-server
setting that has the value 15. So I further assume that any limiting of
connections to less than 15 in a short period of time would cause issues
for my browser.

> In that case I guess it's
> not really useful to set a limit action on a http rule, right? As then it's
> quite hard to set the correct limit number to enable normal browsing but
> prevent DoS'ing...

I think, as in all such things, you should start out with a conservative
setting and go from there.

> 
> I also read about the connlimit option. Should that be a better option in
> this case? I take it that this option does indeed just count the total
> numbers of concurrent TCP sessions from a specific IP address, the only
> drawback is that the connections aren't counted per rule but in total over
> all rules, correct?

That's correct.
> 
> Any pros and cons I miss? And the docs don't say what happens when a new
> session is started when the limit is reached. Will the new session be logged
> and dropped?

Like any netfilter rule, if the rule doesn't match then the connection
is passed on to the next rule.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Michael Weickel - iQom Business Services GmbH | 15 Apr 19:27 2010

Reply from nat zone with foreign source ip


Hi list,

one of my clients is part of the same subnet as the local Shorewall
interface. If this client wants to go to the internet it is masqueraded by a
masq entry and routed out of the egress interface. Besides the physical IP on
the client there is a loopback with a public IP which is not known by
Shorewall. Now I want this packet - this time with the source IP of the loopback
interface - to go out the same egress interface.

If I tcpdump on the Shorewall local interface I see the packet with the correct
source and destination. If I tcpdump on the egress interface I see nothing. In
addition nothing is dropped or rejected in the log file. This normally happens
if someone forgot to add a masq entry.

The client source IP must be the same as the source IP once the packet leaves
the firewall on the egress interface.

I tried something like this in masq

egress-if	public-ip	public-ip

but it looks very confusing and of course it doesn't work. 

So my question is: how can I route a packet - originated in a natted zone -
with a different source IP than Shorewall expects, without changing its source
IP once the packet leaves the firewall on the egress interface?

So if someone asks himself what the hell I am doing here --> it's about
load balancing and DIRECT SERVER RETURN.

Any idea? Thanks for listening. 

Cheers
Mike

S. J. van Harmelen | 15 Apr 20:50 2010

Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port

Ok... Thanks for the good info. Very much appreciated! 

After reading your comments I decided to use the RATE/LIMIT option (only
available in version 4.4.8) instead, since it has the burst option which
sounds really good in my case :)

I do have one question about that... The docs say: "After each interval (15
seconds) that passes without a connection arriving, the burst count is
incremented by 1 but is not allowed to exceed its initial setting".

It says "without a connection arriving", but I assume that even if a
connection arrives during the interval (which gets passed along to the other
rules and is not matched to the rule in question because the burst count is
0), then after the interval period the burst count is incremented? Or does
the burst count only get incremented when no new connection arrives at the
rule for at least the duration of the interval period?

Sander

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net] 
Sent: donderdag 15 april 2010 18:03
To: Shorewall Users
Subject: Re: [Shorewall-users] Using the limit action on a DNAT rule to
prevent DoS attacks on a specific port

S. J. van Harmelen wrote:

> Today I tried to put my Shorewall config in production, but had to undo it
> really fast because I had connection problems. When trying to connect to our
> website I noticed that it connected, but then wasn't able to load the whole
> page in one time. Now I understand how a webpage is loaded (each picture is
> a separate call to the webserver) so I know it has something to do with the
> limit action that I set...
> 
> You already explained how the limit action works:
> 
> "The Limit action works by keeping track of how many connections were
> made in the last period"
> 
> But I still have trouble understanding what you are saying here (sorry). In
> the example of loading a webpage with a few pictures in it... Is every
> request to the server counted as a new connection?

I neither know nor do I care when Web browsers decide to open new
connections to a server. I know that if I look at about:config in my
Firefox (Iceweasel) browser, there is a max-connections-per-server
setting that has the value 15. So I further assume that any limiting of
connections to less than 15 in a short period of time would cause issues
for my browser.

> In that case I guess it's
> not really useful to set a limit action on a http rule, right? As then it's
> quite hard to set the correct limit number to enable normal browsing but
> prevent DoS'ing...

I think, as in all such things, you should start out with a conservative
setting and go from there.

> 
> I also read about the connlimit option. Should that be a better option in
> this case? I take it that this option does indeed just count the total
> numbers of concurrent TCP sessions from a specific IP address, the only
> drawback is that the connections aren't counted per rule but in total over
> all rules, correct?

That's correct.
> 
> Any pros and cons I miss? And the docs don't say what happens when a new
> session is started when the limit is reached. Will the new session be logged
> and dropped?

Like any netfilter rule, if the rule doesn't match then the connection
is passed on to the next rule.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Jerry Vonau | 15 Apr 23:29 2010

Re: Reply from nat zone with foreign source ip

On Thu, 2010-04-15 at 19:27 +0200, Michael Weickel - iQom Business
Services GmbH wrote:
> Hi list,
> 
> one of my clients is part of the same subnet as the local Shorewall
> interface. If this client wants to go to the internet it is masqueraded by a
> masq entry and routed out of the egress interface. Besides the physical IP on
> the client there is a loopback with a public IP which is not known by
> Shorewall. Now I want this packet - this time with the source IP of the loopback
> interface - to go out the same egress interface.
> 
> If I tcpdump on the Shorewall local interface I see the packet with the correct
> source and destination. If I tcpdump on the egress interface I see nothing. In
> addition nothing is dropped or rejected in the log file. This normally happens
> if someone forgot to add a masq entry.
> 
> The client source IP must be the same as the source IP once the packet leaves
> the firewall on the egress interface.
> 
> I tried something like this in masq
> 
> egress-if	public-ip	public-ip
> 
> but it looks very confusing and of course it doesn't work. 
> 
> So my question is: how can I route a packet - originated in a natted zone -
> with a different source IP than Shorewall expects, without changing its source
> IP once the packet leaves the firewall on the egress interface?
> 

proxy-arp, maybe?

http://www.shorewall.net/ProxyARP.htm

> So if someone asks himself what the hell I am doing here --> it's about
> load balancing and DIRECT SERVER RETURN.
> 
> Any idea? Thanks for listening. 
> 
> 
> Cheers
> Mike
> 
Jerry

Tom Eastep | 15 Apr 23:23 2010

Re: Using the limit action on a DNAT rule to prevent DoS attacks on a specific port

S. J. van Harmelen wrote:

> It says "without a connection arriving", but I assume that even if a 
> connection arrives during the interval (which gets passed along to the
> other rules and is not matched to the rule in question because the
> burst count is 0), then after the interval period the burst count is
> incremented? Or does the burst count only get incremented when no
> new connection arrives at the rule for at least the duration of the
> interval period?

Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

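Two passages in this thread explain rate limiting: Tom's description of the Limit action (count connections made in the last period, then log and drop) versus the per-IP RATE LIMIT token bucket, and Sander's question about when a burst token comes back. The following is an added example, not part of the thread and not Shorewall's or netfilter's own code, that models both mechanisms in plain Python and runs them against a constructed arrival pattern, a browser fetching a page with 15 objects. Assumptions: the Limit action is modelled as "drop if this source already made N connections in the last S seconds", with denied attempts recorded too; the RATE LIMIT column is modelled as a hashlimit-style bucket whose credit accrues with wall-clock time; `reset_on_arrival` is my own flag for the other reading of the docs so the two can be compared; the 203.0.113.x and 198.51.100.x addresses are TEST-NET values made up for the run.

```python
"""
Added example, not Shorewall's or netfilter's code: models of the Limit
action and of the per-IP RATE LIMIT token bucket. Constructed input only.
"""
from collections import defaultdict, deque


class TokenBucket:
    """Per-source bucket in the spirit of s:NAME:<rate>/min:<burst>.

    Credit accrues continuously, capped at `burst`; an accepted connection
    costs one token. A denied attempt does not restart the clock. The
    `reset_on_arrival` flag (an assumption of this model, not a Shorewall
    option) models the other reading of the docs, where tokens only come back
    after a whole interval with no attempt at all.
    """

    def __init__(self, rate_per_min, burst, reset_on_arrival=False):
        self.interval = 60.0 / rate_per_min     # seconds needed to earn one token
        self.burst = float(burst)
        self.reset_on_arrival = reset_on_arrival
        self.state = {}                          # src -> (tokens, time of last attempt)

    def allow(self, src, now):
        """True: the rule matches and the connection is accepted.
        False: no token; the packet falls through to the next rule."""
        tokens, last = self.state.get(src, (self.burst, now))
        elapsed = now - last
        if self.reset_on_arrival:
            tokens += elapsed // self.interval   # only whole intervals without any attempt count
        else:
            tokens += elapsed / self.interval    # credit for every second that passed
        tokens = min(self.burst, tokens)
        ok = tokens >= 1.0
        if ok:
            tokens -= 1.0
        self.state[src] = (tokens, now)
        return ok


class LimitAction:
    """In the spirit of Limit(NAME,<count>,<seconds>): a sliding-window counter.

    Every attempt from a source is recorded; if `count` attempts already fall
    inside the last `seconds`, this one is (logged and) dropped, otherwise it
    is accepted. Because the denied attempt is recorded as well (a modelling
    assumption here), a source that keeps retrying stays locked out until it
    goes quiet.
    """

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)

    def allow(self, src, now):
        q = self.hits[src]
        while q and now - q[0] >= self.seconds:   # forget attempts older than the window
            q.popleft()
        ok = len(q) < self.count
        q.append(now)
        return ok


def page_load(limiter, src, n_objects, spacing=0.05, start=0.0):
    """A browser fetching n_objects over separate connections, `spacing`
    seconds apart. Returns how many connections the limiter let through."""
    return sum(limiter.allow(src, start + i * spacing) for i in range(n_objects))


def first_admission(continuous, probe_every=5.0, horizon=120.0):
    """Exhaust a 3/min:3 bucket at t=0, then retry every probe_every seconds.
    Returns the time of the first accepted retry, or None within the horizon."""
    src = "203.0.113.10"
    tb = TokenBucket(3, 3, reset_on_arrival=not continuous)
    for _ in range(3):
        tb.allow(src, 0.0)
    t = probe_every
    while t <= horizon:
        if tb.allow(src, t):
            return t
        t += probe_every
    return None


if __name__ == "__main__":
    client = "203.0.113.10"
    print("3/min:3 bucket, 15-object page :", page_load(TokenBucket(3, 3), client, 15), "of 15 accepted")
    print("3/min:15 bucket, same page      :", page_load(TokenBucket(3, 15), client, 15), "of 15 accepted")
    print("Limit 3 per 60 s, same page     :", page_load(LimitAction(3, 60), client, 15), "of 15 accepted")
    print("token back, continuous credit   : t =", first_admission(True))
    print("token back, quiet-interval rule : t =", first_admission(False))
```

With a 3/min:3 limit only three of the fifteen fetches get through, which is the half-loaded page Sander saw; raising the burst to the browser's connection count admits the whole page while still capping the sustained rate at 3 per minute. Under continuous credit a source that was denied at 10 s is admitted again at 20 s, one interval after it ran dry; under the quiet-interval reading a client that keeps retrying every 5 s would never get a token back.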