Kade Hampson | 23 Jan 10:51 2016

Basic Static Routing

Good morning/afternoon,

I have been looking at this for the past two days without any success.

I run a layer 3 VPN with the gateway sitting on 192.168.0.254 but I cannot for the life of me get shorewall to forward packets for subnet 192.168.1.0/24 to the gateway…

Please help me, I am desperate!

If you need any more info please email me back.

Regards

Kade Hampson

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
------------------------------------------------------------------------------
Vieri Di Paola | 22 Jan 13:24 2016

wrong source IP address when trying to connect from firewall

Hi,

The following fails (performed from Shorewall firewall host with IP addr. 10.215.144.91):

# telnet 10.252.194.207 25

I can see the following while trying to connect:

# tcpdump -n -i enp2s0f0 host 10.252.194.207
12:55:50.044861 IP 172.20.11.62.39027 > 10.252.194.207.25: Flags [S], seq 3930079856, win 29200, options [mss 1460,sackOK,TS val 79493620 ecr 0,nop,wscale 7], length 0

I would like to see 10.215.144.91 instead of 172.20.11.62.

What can I try?

Shorewall dump attached.

Thanks,

Vieri

Vieri Di Paola | 22 Jan 13:07 2016

wrong source IP address when trying to connect from firewall

Hi,

The following fails (performed from Shorewall firewall host with IP addr. 10.215.144.91):

# telnet 10.252.194.207 25

I can see the following while trying to connect to the remote host in the CAIB zone:

# tcpdump -n -i enp2s0f0 host 10.252.194.207
12:55:50.044861 IP 172.20.11.62.39027 > 10.252.194.207.25: Flags [S], seq 3930079856, win 29200, options [mss 1460,sackOK,TS val 79493620 ecr 0,nop,wscale 7], length 0

I would like to see 10.215.144.91 instead of 172.20.11.62.

What can I try?

Shorewall dump attached.

Thanks,

Vieri

Attachment (swdump.gz): application/gzip, 58 KiB
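The tcpdump output in both copies of Vieri's question shows the classic symptom of the kernel choosing a different preferred source address than the one expected: for locally generated traffic the source is taken from the route that covers the destination (normally the primary address of the egress interface), not from whatever address the administrator thinks of as "the firewall's IP". The script below is an added example, not code from the post or from Shorewall: it extracts the chosen source from `ip route get` output and prints the `ip route` command that pins a different one. The addresses 10.215.144.91, 172.20.11.62, 10.252.194.207 and the interface enp2s0f0 come from the post; the sample route line is constructed, and the gateway 172.20.11.1 and the /24 prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or from Shorewall): show which source
# address the kernel picks for a destination, and how to pin a different one.
# 10.215.144.91, 172.20.11.62, 10.252.194.207 and enp2s0f0 come from the post;
# the route output below is constructed and the gateway 172.20.11.1 is assumed.

DST=10.252.194.207
WANTED=10.215.144.91

# route_src: read the first line of `ip route get <dst>` on stdin and print
# the address following the "src" keyword, i.e. the kernel's chosen source.
# Prints nothing if the line carries no "src" field.
route_src() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# check_src LINE WANTED: succeed only if LINE names WANTED as the source.
check_src() {
    [ "$(printf '%s\n' "$1" | route_src)" = "$2" ]
}

# Constructed sample: what `ip route get 10.252.194.207` prints when the
# egress interface's primary address is 172.20.11.62.
SAMPLE_ROUTE='10.252.194.207 via 172.20.11.1 dev enp2s0f0 src 172.20.11.62 uid 0'

# On the real host, replace SAMPLE_ROUTE with: $(ip route get "$DST" | head -n 1)
if check_src "$SAMPLE_ROUTE" "$WANTED"; then
    echo "source for $DST is already $WANTED"
else
    echo "kernel uses $(printf '%s\n' "$SAMPLE_ROUTE" | route_src) for $DST, wanted $WANTED"
    echo "find the route that covers the destination:  ip route show match $DST"
    echo "then give it a preferred source (as root; prefix and gateway are assumed here):"
    echo "  ip route replace 10.252.194.0/24 via 172.20.11.1 dev enp2s0f0 src $WANTED"
    echo "re-check with:  ip route get $DST   and   tcpdump -n -i enp2s0f0 host $DST"
fi
```

Two caveats: the `src` hint is only accepted for an address that is actually configured on the host, and it applies only to traffic that matches that route, so a host with several routes to the remote network needs it on each of them. The alternative is to rewrite the source with SNAT for firewall-originated traffic in Shorewall's snat/masq configuration, but fixing source selection at the routing layer avoids adding NAT state for the firewall's own connections.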
Tom Eastep | 22 Jan 01:41 2016

Shorewall 5.0.4

The Shorewall Team is pleased to announce the availability of Shorewall
5.0.4.

Problems Corrected:

1)  There previously existed a slight possibility that starting both
    Shorewall and Shorewall6 simultaneously could lead to a failure
    such as this one:

    Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Loading
        Modules...
    Dec 18 13:18:38 elmo.example.com shorewall6[1889]: Another app is
       currently holding the xtables lock. Perhaps you want to use
       the -w option?
    Dec 18 13:18:40 elmo.example.com shorewall6[1889]:
       ERROR: Cannot Create Mangle chain fooX2349
    Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service:
        main process exited, code=exited, status=255/n/a

    That problem can no longer occur.

2)  Previously, when a source- or destination-specific RATE was
    specified on a logging rule (LOG, ULOG or NFLOG), the compiler
    incorrectly applied both the specified RATE as well as the global
    LOGLIMIT. That has been corrected so that only the specified RATE
    is applied.

3)  Previously, when @caller was used within an action body, the
    compiler would not create unique ip[6]tables chains for each
    invocation of the action, even though the invocations had different
    values of @caller. Now, each invocation of such an action creates a
    separate ip[6]tables chain for each unique caller.

4)  Previously, the 'status -i' command produced error output when
    there were no optional interfaces. That erroneous output is no
    longer produced.

5)  Traffic shaping configurations that use red or codel will now
    produce consistent compiled scripts. Previously, these
    configurations could produce equivalent but different scripts on
    consecutive compilations.

6)  Previously, the Shorewall compiler enforced old rules about where
    country codes could appear. As those restrictions have now been
    removed, the compiler no longer issues messages such as these:

      ERROR: A countrycode list may not be used in this context

New Features:

1)  Shorewall Init is now supported on OpenWRT.

2)  The IPTABLES and IP6TABLES actions in the rules and mangle files
    can now correctly handle logging targets (LOG, ULOG and
    NFLOG). Previously, an attempt to use these targets would result in
    an error similar to:

       ERROR: LOG requires a level

3)  To further reduce the possibility of failures caused by Shorewall
    and Shorewall6 starting concurrently, a new WAIT_OPTION capability
    has been implemented. On systems with that capability, all
    'iptables' and 'ip6tables' commands will use the --wait option.

4)  The .214.service files have been removed and the .service files
    (with the exception of Debian) have been updated to use the
    network-pre.target (Tuomo Soini).

5)  Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now
    install /etc/sysconfig/<product> files for specifying
    start/restart/reload options on those distributions that use
    /etc/sysconfig.

6)  The mangle file now supports a DIVERTHA action that provides
    support for HAProxy.

    To set up the HAProxy configuration described at

    http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x

    place this entry in shorewall-providers(5):

      #NAME  NUMBER   MARK    DUPLICATE  INTERFACE GATEWAY   OPTIONS
      TProxy 1        -       -          lo         -        tproxy

    and use this DIVERTHA entry:

      #ACTION         SOURCE          DEST            PROTO  ...
      DIVERTHA        -               -               tcp

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hesham Ahmed | 19 Jan 01:11 2016

Country Code support in mangle

The mangle file currently doesn't support a country code list in the SOURCE or DEST columns. Is it possible to add this functionality, or is it not supported at the tc/iptables level? A use case for this is to mark specific countries' traffic out via the local provider when using multiple WAN providers from different countries (via VPN or Satellite) in /etc/shorewall/providers.

iji | 15 Jan 19:36 2016

GRE over IPSec - block GRE w/o IPSec

Hello,

I've been using Shorewall for IPSec VPN servers for ages without any problem. Because of the dynamic
routing I added GRE over IPSec and it works fine. The problem is that in case the IPSec tunnel dies (e.g. not
reliable line), the GRE still transports data itself. However, in this case all the data is unencrypted.

Is there a way to allow GRE only over IPSec tunnel?

Thank you

Vilem

Configuration:

- /etc/shorewall/zones
fw	firewall
net	ipv4
loc	ipv4
ips0	ipv4              # IPSec tunnel
gips0	ipv4       # GRE over IPSec
mgmt	ipv4

- /etc/shorewall/tunnels
gre			net	1.1.1.1   # Partner's public IP
ipsec			net	1.1.1.1   # Partner's public IP

- /etc/shorewall/hosts
ips0	eth2:1.1.1.1			ipsec       # eth2 = WAN interface

- /etc/shorewall/interfaces
net     eth2            tcpflags,nosmurfs,routefilter
mgmt     eth0            tcpflags,nosmurfs,routefilter
loc     eth1            tcpflags,nosmurfs,routefilter,logmartians=0
gips0	gre-gw01a	routeback
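The failure mode Vilem describes is worth spelling out: the GRE tunnel is addressed to the partner's public IP, so when the IPsec SA disappears the kernel still has a perfectly good route for those packets and sends the GRE encapsulation, and everything inside it, in cleartext. Netfilter's `policy` match (xt_policy) is the mechanism that ties a packet to an IPsec SA: `-m policy --dir in --pol ipsec` only matches packets that were decapsulated from an SA, and `--dir out --pol ipsec` only matches packets that will be encapsulated by one. The script below is an added example, not code from the post or from the Shorewall project; it prints (or, with APPLY=1, executes) the raw iptables rules that accept GRE from and to the peer only under IPsec and drop the cleartext case. PEER and WAN are the values from the posted configuration.

```shell
#!/bin/sh
# Added example (not from the post or from Shorewall): accept GRE (IP protocol
# 47) from the peer only when the packet arrived inside an IPsec SA, and drop
# cleartext GRE, using the xt_policy match. PEER is the partner address and
# WAN the interface name from the posted configuration.
PEER=1.1.1.1
WAN=eth2

# gre_rules: print the iptables commands, one per line. Order matters: the
# policy-matched ACCEPT must come before the unconditional DROP, in both
# directions, so cleartext GRE is refused whether it is received or sent.
gre_rules() {
    cat <<EOF
iptables -A INPUT  -i $WAN -s $PEER -p 47 -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT  -i $WAN -s $PEER -p 47 -j DROP
iptables -A OUTPUT -o $WAN -d $PEER -p 47 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -o $WAN -d $PEER -p 47 -j DROP
EOF
}

# count_policy_accepts: number of emitted rules that require an IPsec policy
# (one per direction).
count_policy_accepts() {
    gre_rules | grep -c -- '--pol ipsec'
}

# Dry run by default so the rules can be reviewed; APPLY=1 executes them
# (root required, and only meaningful if nothing else manages the ruleset).
if [ "${APPLY:-0}" = 1 ]; then
    gre_rules | sh -e
else
    gre_rules
fi
```

On a host where Shorewall owns the ruleset these raw rules would be discarded at the next restart, so the same policy has to be expressed in Shorewall terms. As I understand the posted configuration, the `gre net 1.1.1.1` tunnels entry is what admits cleartext GRE from the net zone; the ips0 zone, defined in hosts with the `ipsec` option, is the one whose rules Shorewall generates with the policy match, so allowing protocol 47 only between $FW and ips0 (and not from net) is the Shorewall-native equivalent of the rules above. Either way, when the SA is down GRE is dropped rather than sent in the clear, and the dynamic routing protocol riding on the tunnel sees the neighbour go away, which is the desired behaviour on an unreliable line.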

Sven Kirmess | 15 Jan 18:45 2016

/etc/init.d/shorewall restart doesn't work

(Bering-uClibc 5.2.3)

/etc/init.d/shorewall restart doesn't work for me. I get the following error message:

firewall# /etc/init.d/shorewall restart
Restarting "Shorewall firewall":    Shorewall is already running
done.
firewall#

The shorewall_restart function in the init script calls $SRWL start, but it should probably call $SRWL restart.

# restart the firewall
shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
  $SRWL $OPTIONS start 2>&1 && echo "done."
  return 0
}

And what would be the correct way to load a new, changed rules file if not /etc/init.d/shorewall restart?
Erich Titl | 9 Jan 11:50 2016

nf_conntrack: automatic helper assignment is deprecated

Hi everybody

I am running shorewall

kerberos# shorewall version
4.6.13.3

on an embedded system and a spurious message pops up from time to time:

kerberos# [  222.443737] nf_conntrack: automatic helper assignment is
deprecated and it will be removed soon. Use the iptables CT target to
attach helpers instead.

Looking on the net for a solution made me believe this is something that
has to be addressed in the iptables setup.

Anyone with a deeper insight?

Thanks

Erich
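The kernel message Erich quotes is not specific to Shorewall. With automatic helper assignment, every connection whose destination port matches a loaded helper module gets that helper attached, regardless of which interface or peer it came from, which is why the kernel has deprecated it and asks for explicit `CT --helper` rules in the raw table instead. The script below is an added example, not code from the post or from Shorewall: it generates the explicit helper bindings for a given interface and the sysctl that switches the automatic mechanism off. The interface name eth0 and the port/helper pairs are assumptions for illustration; the helper modules (nf_conntrack_ftp, nf_conntrack_sip) must be loaded for the CT rules to be accepted.

```shell
#!/bin/sh
# Added example (not from the post or from Shorewall): assign conntrack
# helpers explicitly with the CT target in the raw table, then disable
# automatic assignment so the deprecation warning stops and unrelated flows
# can no longer pick up a helper. The interface name and the port/helper
# pairs below are assumptions for illustration.

# helper_rules IFACE PROTO:PORT:HELPER...: print one iptables command per
# binding. Only new flows to PORT/PROTO arriving on IFACE get HELPER.
helper_rules() {
    iface=$1; shift
    for spec in "$@"; do
        proto=${spec%%:*}; rest=${spec#*:}
        port=${rest%%:*}; helper=${rest#*:}
        printf 'iptables -t raw -A PREROUTING -i %s -p %s --dport %s -j CT --helper %s\n' \
            "$iface" "$proto" "$port" "$helper"
    done
}

# disable_autohelper: print the sysctl that turns the deprecated mechanism
# off (persist it under /etc/sysctl.d on a real host).
disable_autohelper() {
    echo 'sysctl -w net.netfilter.nf_conntrack_helper=0'
}

# Dry run by default; APPLY=1 executes (root required). The bindings are
# examples: FTP control on 21/tcp, SIP on 5060/udp and 5060/tcp.
BINDINGS='tcp:21:ftp udp:5060:sip tcp:5060:sip'
if [ "${APPLY:-0}" = 1 ]; then
    { helper_rules eth0 $BINDINGS; disable_autohelper; } | sh -e
else
    helper_rules eth0 $BINDINGS
    disable_autohelper
fi
```

On a Shorewall-managed host the rules above would be replaced at the next restart; as I understand the 4.6 configuration, the equivalent is to set AUTOHELPERS=No and list the needed helpers in HELPERS= in shorewall.conf, then bind them with CT:helper entries in /etc/shorewall/conntrack, so the rules survive a restart and the compiler knows which helper modules to load.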

Tom Eastep | 3 Jan 17:27 2016

Shorewall 4.6.13.4

Shorewall 4.6.13.4 is now available for download.

Problems Corrected:

1)  This release includes a couple of additional configure/install
     fixes from Matt Darfeuille.

2)  The DROP command was previously rejected in the mangle file. That
     has been corrected.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Tom Eastep | 3 Jan 01:04 2016

Shorewall 5.0.3.1

Pardon the rapid-fire releases, but hopefully I have uploaded this 
before the distro maintainers have processed 5.0.3.

Problems Corrected:

1)  Previously, the compiler flagged DROP as an error in the mangle
     file. That action is now handled properly.

Thank you for using Shorewall,

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Bill Shirley | 2 Jan 17:26 2016

systemd shorewall[6].service file

[0:root@elmo my.tables 130]$ rpm -q shorewall
shorewall-4.6.11.1-2.fc22.noarch

Are there systemd service files for Fedora in Shorewalls code?  I had a problem with my last
re-boot (power outage) where shorewall6.service failed (probably because shorewall.service was
running):
[1:root@elmo shorewall6 4]$ systemctl status shorewall6.service
● shorewall6.service - Shorewall IPv6 firewall
    Loaded: loaded (/usr/lib/systemd/system/shorewall6.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Fri 2015-12-18 13:18:40 EST; 2 weeks 0 days ago
  Main PID: 1889 (code=exited, status=255)

Dec 18 13:18:31 elmo.example.com shorewall6[1889]: Compiling...
Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Processing /etc/shorewall6/params ...
Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Processing /etc/shorewall6/shorewall6.conf...
Dec 18 13:18:35 elmo.example.com shorewall6[1889]: Loading Modules...
Dec 18 13:18:38 elmo.example.com shorewall6[1889]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
Dec 18 13:18:40 elmo.example.com shorewall6[1889]: ERROR: Cannot Create Mangle chain fooX2349
Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service: main process exited, code=exited, status=255/n/a
Dec 18 13:18:40 elmo.example.com systemd[1]: Failed to start Shorewall IPv6 firewall.
Dec 18 13:18:40 elmo.example.com systemd[1]: Unit shorewall6.service entered failed state.
Dec 18 13:18:40 elmo.example.com systemd[1]: shorewall6.service failed.

If you do supply the service files, either shorewall.service needs:
[Unit]
Before=network-online.target shorewall6.service

or shorewall6.service needs:
[Unit]
After=network-online.target shorewall.service

Right now they read:
[Unit]
After=network-online.target

Thanks for all you do,
Bill
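Bill's log and Tom's 5.0.4 announcement earlier on this page describe the same race: shorewall and shorewall6 both start after network-online.target, both run iptables/ip6tables, and whichever loses the xtables lock fails outright because the commands are not invoked with `--wait`. Two independent mitigations exist: order the two units so they do not start concurrently, and make the iptables calls wait for the lock (which is what the WAIT_OPTION capability in 5.0.4 does automatically). The script below is an added example, not code from the post or from the Shorewall project: it writes the ordering as a systemd drop-in, so the vendor unit file is left untouched and the change survives package upgrades, and checks that the drop-in says what was intended. The directory argument exists so the function can be exercised against a scratch tree; on a real host it is /etc/systemd/system.

```shell
#!/bin/sh
# Added example (not from the post or from Shorewall): serialize the start of
# shorewall6 behind shorewall with a systemd drop-in, instead of editing the
# unit files shipped by the package. ROOT defaults to /etc/systemd/system; a
# scratch directory can be passed to try it without root.

# write_dropin ROOT: create ROOT/shorewall6.service.d/override.conf ordering
# shorewall6.service after shorewall.service. Prints the file written.
write_dropin() {
    d="$1/shorewall6.service.d"
    mkdir -p "$d"
    cat > "$d/override.conf" <<'EOF'
[Unit]
# Local drop-in: shorewall6 must not race shorewall for the xtables lock.
After=shorewall.service
EOF
    printf '%s\n' "$d/override.conf"
}

# dropin_orders_after FILE UNIT: succeed if FILE has an After= line naming UNIT
# as a whole word (not as a substring of another unit name).
dropin_orders_after() {
    grep -Eq "^After=( |.* )?$2( |$)" "$1"
}

# Only act when a root directory is given; with none, just describe the steps.
if [ $# -gt 0 ]; then
    f=$(write_dropin "$1")
    echo "wrote $f"
    if dropin_orders_after "$f" shorewall.service; then
        echo "shorewall6.service now starts after shorewall.service"
    fi
    if [ "$1" = /etc/systemd/system ]; then
        systemctl daemon-reload
    fi
else
    echo "usage: $0 /etc/systemd/system   (or a scratch directory for a dry run)"
    echo "the same race can also be tolerated by letting iptables wait for the lock: iptables -w ..."
fi
```

The ordering alone does not remove the race with anything else that runs iptables at boot (fail2ban, libvirt, container runtimes), so on a release older than 5.0.4 the `-w` option is still worth adding wherever iptables is invoked; 5.0.4 and later pass `--wait` on their own when the WAIT_OPTION capability is detected, and ship units ordered on network-pre.target.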

------------------------------------------------------------------------------
