Trent O'Callaghan | 1 Jul 08:22 2010

http://www.shorewall.net/FAQ.htm#faq84

Hi Tom, et al.

I have tested blacklist for the first time and have found an error with my configuration or a bug.

Following http://www.shorewall.net/FAQ.htm#faq84 I placed a blacklist entry against my external interface but Shorewall check gives:

Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Now where my configuration is different to most is that my external interface is a bonded pair eth2 & eth5, so I tested adding an eth2 blacklist entry to interfaces and the warning disappeared.

Should I ignore the warning or should I put in interface entries for all interfaces that make up the bonded interface?

Regards,

Trent

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
Tom Eastep | 1 Jul 15:28 2010

http://www.shorewall.net/FAQ.htm#faq84

On 6/30/10 11:22 PM, Trent O'Callaghan wrote:

> I have tested blacklist for the first time and have found an error with
> my configuration or a bug.
>  
> 
> Following http://www.shorewall.net/FAQ.htm#faq84 I place a blacklist
> entry against my external interface but Shorewall check gives:
> 
> Checking /etc/shorewall/blacklist...
> 
>    WARNING: The entries in /etc/shorewall/blacklist have been ignored
> because there are no 'blacklist' interfaces : /etc/shorewall/blacklist
> (line 15)
> 
> Now where my configuration is different to most is my external interface
> is a bonded pair eth2 & eth5 so I tested adding eth2 blacklist entry to
> interfaces and the warning disappeared.
> 
> Should I ignore the warning or should I put in interface entries for all
> interfaces that make up the bonded interface?

If you have 'blacklist' specified on any interface in
/etc/shorewall/interfaces, you should not receive that warning message.
So I would like you to:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -czf shorewall.tgz /etc/shorewall
c) Send me the shorewall.tgz archive.

Be that as it may, you should not be describing eth2 and eth5 to
Shorewall at all but rather should only mention the bondN device (e.g.,
'bond0'); it is that device that should have the 'blacklist' option.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 1 Jul 22:48 2010

Shorewall 4.4.11 Beta 2

Beta 2 is now available for testing.

Beta 1 was uploaded but never formally announced; it included a very flawed
implementation of rate limiting for simple traffic shaping which I have
removed in Beta 2. The Beta 2 patch files are against 4.4.10.

Beta 2 includes support for 'vserver' zones. These zones are intended to
simplify configuration of Shorewall on a Linux-vserver host. See
http://www.shorewall.net/Vserver.html for details.

Thank you for testing,
-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Grant | 2 Jul 03:25 2010

Can I restrict uploads only?

My ISP has warned me to stop uploading bittorrent data.  I'd still
like to download, but miro reports an active upload rate even though
I've specified a maximum upload of 0kb/s.  Can I use shorewall to
accomplish this?  I think shorewall only considers the source and
destination of the request, not the source and destination of the
data.  Is that right?

- Grant

Trent O'Callaghan | 2 Jul 03:41 2010

http://www.shorewall.net/FAQ.htm#faq84

Hi Tom,

Your reply has given me some ideas on where to look for my configuration
error.

Bond1 does not exhibit the issue so looking for what differs between Bond0
and Bond1 gives:

root <at> nper-r1:/etc/shorewall# grep bond1 *
hosts:hw001     bond1:10.2.1.0/24     routeback
hosts:bcast     bond1:255.255.255.255
interfaces:-            bond1           detect          dhcp,tcpflags
rules:ACCEPT+           hw001:bond1:10.240.1.7  dmz             tcp

root <at> nper-r1:/etc/shorewall# grep bond0 *
hosts:inet      bond0:0.0.0.0/0!180.233.128.0/23,180.233.131.0/24
hosts:pub       bond0:180.233.131.0/24,aaa.bbb.ccc.208/30,xxx.yyy.zzz.0/24,180.233.128.0/23
hosts:bcast     bond0:255.255.255.255
interfaces:-            bond0           detect          blacklist,nosmurfs,tcpflags
masq:bond0:!xxx.yyy.zzz.0/24    192.168.0.0/21,10.2.0.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24!10.2.1.7    180.233.131.7
masq:bond0:xxx.yyy.zzz.0/24     192.168.0.0/21,10.2.0.0/24,10.2.1.0/24,10.2.2.0/24,10.2.3.0/24!10.2.1.7    xxx.yyy.zzz.73
rules:ACCEPT+           inet:bond0:aaa.bbb.ccc.209      $FW             tcp     179
rules:ACCEPT+           inet:bond0:xxx.yyy.zzz.253      $FW             tcp     179
rules:ACCEPT+           inet:bond0:xxx.yyy.zzz.240      $FW             tcp     179

So I tested with masq for bond0 disabled - Result =
Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Testing with: hosts:inet      bond0:0.0.0.0/0	- Result =
Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

Testing without zone:pub - Result =
Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

I have also tested changing all the bond0 settings to eth2 - Result =
Checking /etc/shorewall/blacklist...
   WARNING: The entries in /etc/shorewall/blacklist have been ignored because there are no 'blacklist' interfaces : /etc/shorewall/blacklist (line 15)

So I think this proves my configuration as the issue but no luck yet
isolating it.

... success at last ...

hosts:#inet     bond0:0.0.0.0/0!180.233.128.0/23,180.233.131.0/24
hosts:inet      bond0:0.0.0.0/1,128.0.0.0/1!180.233.128.0/23,180.233.131.0/24

Making just this change has removed the " WARNING: The entries in
/etc/shorewall/blacklist have been ignored because there are no 'blacklist'
interfaces ". 

root <at> nper-r1:~# iptables -L -n > black-fixed
root <at> nper-r1:~# diff black-last black-fixed
147a148,164
> Chain blacklst (2 references)
> target     prot opt source               destination
> DROP       all  --  0.0.0.0/8            0.0.0.0/0
> DROP       all  --  10.0.0.0/8           0.0.0.0/0
> DROP       all  --  127.0.0.0/8          0.0.0.0/0
> DROP       all  --  169.254.0.0/16       0.0.0.0/0
> DROP       all  --  172.16.0.0/12        0.0.0.0/0
> DROP       all  --  192.0.0.0/24         0.0.0.0/0
> DROP       all  --  192.0.2.0/24         0.0.0.0/0
> DROP       all  --  192.88.99.0/24       0.0.0.0/0
> DROP       all  --  198.18.0.0/15        0.0.0.0/0
> DROP       all  --  198.51.100.0/24      0.0.0.0/0
> DROP       all  --  203.0.113.0/24       0.0.0.0/0
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  240.0.0.0/4          0.0.0.0/0
> DROP       all  --  255.255.255.255      0.0.0.0/0
>
176a194
> blacklst   all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW
182a201
> blacklst   all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW

Can you see any unwanted side effects to the fixed setup?

Kind regards,

Trent O'Callaghan
Network Manager
www.nearmap.com

-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net] 
Sent: Thursday, 1 July 2010 9:29 PM
To: shorewall-users <at> lists.sourceforge.net
Subject: Re: [Shorewall-users] http://www.shorewall.net/FAQ.htm#faq84

On 6/30/10 11:22 PM, Trent O'Callaghan wrote:

> I have tested blacklist for the first time and have found an error with 
> my configuration or a bug.
>  
> 
> Following http://www.shorewall.net/FAQ.htm#faq84 I place a blacklist 
> entry against my external interface but Shorewall check gives:
> 
> Checking /etc/shorewall/blacklist...
> 
>    WARNING: The entries in /etc/shorewall/blacklist have been ignored 
> because there are no 'blacklist' interfaces : /etc/shorewall/blacklist 
> (line 15)
> 
> Now where my configuration is different to most is my external 
> interface is a bonded pair eth2 & eth5 so I tested adding eth2 
> blacklist entry to interfaces and the warning disappeared.
> 
> Should I ignore the warning or should I put in interface entries for 
> all interfaces that make up the bonded interface?

If you have 'blacklist' specified on any interface in
/etc/shorewall/interfaces, you should not receive that warning message.
So I would like you to:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -czf shorewall.tgz /etc/shorewall
c) Send me the shorewall.tgz archive.

Be that as it may, you should not be describing eth2 and eth5 to Shorewall
at all but rather should only mention the bondN device (e.g., 'bond0'); it
is that device that should have the 'blacklist' option.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

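The diff above shows what a working blacklist looks like in the live ruleset: a blacklst chain full of DROP entries, referenced from the interface chains with a ctstate INVALID,NEW match. The following added example (not from the thread or from Shorewall itself) turns that manual diff into a check that parses `iptables -L -n` output and reports whether the chain exists and which chains consult it; the SAMPLE listing and the chain names bond0_in/bond0_fwd are constructed for this example.

```python
"""Verify that Shorewall's blacklist chain is wired into the ruleset.

Added example, not code from the thread or Shorewall itself: parses
`iptables -L -n` output like the listing Trent diffed above. SAMPLE and
the chain names bond0_in/bond0_fwd are constructed for this example."""
import re

SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
bond0_in   all  --  0.0.0.0/0            0.0.0.0/0

Chain bond0_in (1 references)
target     prot opt source               destination
blacklst   all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW

Chain bond0_fwd (1 references)
target     prot opt source               destination
blacklst   all  --  0.0.0.0/0            0.0.0.0/0           ctstate INVALID,NEW

Chain blacklst (2 references)
target     prot opt source               destination
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  127.0.0.0/8          0.0.0.0/0
DROP       all  --  169.254.0.0/16       0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
"""

# "Chain NAME (policy X)" for built-in chains, "Chain NAME (N references)" for user chains
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy \w+|\d+ references)\)$")

def parse_chains(listing):
    """Map chain name -> list of (target, source, match-extras) tuples."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() and not line.startswith("target") and current:
            # Columns: target prot opt source destination [extras...]
            f = line.split(None, 5)
            chains[current].append((f[0], f[3], f[5].strip() if len(f) > 5 else ""))
    return chains

def blacklist_status(listing, chain="blacklst"):
    """Report whether `chain` exists, what it drops and who jumps to it.

    When the thread's warning fires Shorewall builds no blacklst chain at
    all, so `present` is False and `callers` is empty."""
    chains = parse_chains(listing)
    drops = [src for tgt, src, _ in chains.get(chain, []) if tgt == "DROP"]
    callers = {name: extra for name, rules in chains.items()
               for tgt, _, extra in rules if tgt == chain}
    return {"present": chain in chains, "drops": drops, "callers": callers}
```

Run it against `iptables -L -n` output captured after `shorewall restart`; an entry in `callers` without the ctstate match, or no callers at all, means the blacklist is not being consulted for new connections.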
Tom Eastep | 2 Jul 05:32 2010

http://www.shorewall.net/FAQ.htm#faq84

On 7/1/10 6:41 PM, Trent O'Callaghan wrote:

> 
> Can you see any unwanted side effects to the fixed setup?
> 

I'm sorry, but I don't understand a thing you have posted. You are
making random changes to your configuration and finally made the warning
disappear. I think that this may be a bug but without the information I
asked for, we won't make any progress toward a solution.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Roberto C. Sánchez | 2 Jul 14:07 2010

Re: Can I restrict uploads only?

On Thu, Jul 01, 2010 at 06:25:52PM -0700, Grant wrote:
> My ISP has warned me to stop uploading bittorrent data.  I'd still
> like to download, but miro reports an active upload rate even though
> I've specified a maximum upload of 0kb/s.  Can I use shorewall to
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> accomplish this?  I think shorewall only considers the source and
> destination of the request, not the source and destination of the
> data.  Is that right?
> 

The man page for btdownloadcurses clearly states:

       --max_upload_rate kbytes
              maximum rate to  upload  at  in  kilobytes,  0  means  no  limit
              (default 0)

I am assuming that you are using the command line client, since you do
not specify a specific client application you are using.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Tom Eastep | 2 Jul 15:58 2010

http://www.shorewall.net/FAQ.htm#faq84

On 7/1/10 10:17 PM, Trent O'Callaghan wrote:
> Hi Tom,
> 
> Sorry for the confusing email.
> 
> the attachment is only for your use to check for a Bug.
> Happy to receive your findings via [Shorewall-users]
> 

Thanks, Trent.

Your workaround is okay; another approach would be to specify
'blacklist' in the host file entry that includes 0.0.0.0/0 rather than
breaking that net into two /1's:

inet bond0:0.0.0.0/0!xxx.xxx.128.0/23,xxx.xxx.131.0/24	blacklist

I will give some thought toward how to make this work with your original
configuration.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Grant | 3 Jul 01:18 2010

Re: Can I restrict uploads only?

>> My ISP has warned me to stop uploading bittorrent data.  I'd still
>> like to download, but miro reports an active upload rate even though
>> I've specified a maximum upload of 0kb/s.  Can I use shorewall to
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> accomplish this?  I think shorewall only considers the source and
>> destination of the request, not the source and destination of the
>> data.  Is that right?
>>
>
> The man page for btdownloadcurses clearly states:
>
>       --max_upload_rate kbytes
>              maximum rate to  upload  at  in  kilobytes,  0  means  no  limit
>              (default 0)
>
> I am assuming that you are using the command line client, since you do
> not specify a specific client application you are using.
>
> Regards,
>
> -Roberto

Thank you Roberto.  It sounds like miro will not be able to limit the
upload rate to zero.  Is there a way to do this in shorewall?

- Grant

Christ Schlacta | 3 Jul 02:18 2010

Re: Can I restrict uploads only?

Torrent machine in the src column, tcp,udp in the proto column, and DROP 
in the first column.

On 7/2/2010 16:18, Grant wrote:
>>> My ISP has warned me to stop uploading bittorrent data.  I'd still
>>> like to download, but miro reports an active upload rate even though
>>> I've specified a maximum upload of 0kb/s.  Can I use shorewall to
>>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> accomplish this?  I think shorewall only considers the source and
>>> destination of the request, not the source and destination of the
>>> data.  Is that right?
>>>
>>
>> The man page for btdownloadcurses clearly states:
>>
>>        --max_upload_rate kbytes
>>               maximum rate to  upload  at  in  kilobytes,  0  means  no  limit
>>               (default 0)
>>
>> I am assuming that you are using the command line client, since you do
>> not specify a specific client application you are using.
>>
>> Regards,
>>
>> -Roberto
>
> Thank you Roberto.  It sounds like miro will not be able to limit the
> upload rate to zero.  Is there a way to do this in shorewall?
>
> - Grant
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users <at> lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

