Tom Eastep | 7 Aug 20:11 2014

Shorewall 4.6.2.4

Shorewall 4.6.2.4 is now available for download.

Problem Corrected:

1)  Previously, inline matches were not allowed in action files, even
    though the documentation stated that they were allowed.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk

Daniel Pocock | 5 Aug 20:14 2014

ARP stops, error: No buffer space available


Hi all,

I have a virtual firewall with 4 ports, eth[0-3]

It stopped responding to ARP requests on one of the ports, eth3.  Hosts
would try to ping the machine; running tcpdump on the machine, I would
see the ARP "who-has" requests coming in but no answers going back.

I tried pinging out to a host on that port and got no reply.  tcpdump
showed no packet going out.

Traceroute gives an error "No buffer space available":

# traceroute -n 192.168.1.79
traceroute to 192.168.1.79 (192.168.1.79), 30 hops max, 60 byte packets
send probe: No buffer space available

and arping gives a similar error:

# arping -s ab:cd:ef:12:34:56 -i eth3 192.168.1.79
ARPING 192.168.1.79
arping: libnet_write(): libnet_write_link(): only -1 bytes written (No buffer space available)

I tried putting the interface down and up again:

ifdown eth3
ifup eth3


Dale Greenway | 4 Aug 15:21 2014

Re: Pinging from IP aliases?

Hello Johnny

> Check tcpdump while the command "ping -c1 -I 172.16.1.10 google-public-dns-a.google.com"
> is being run. You'll see that google-public-dns-a.google.com is receiving
> an ICMP request from 172.16.1.10. The problem is 172.16.1.10 belongs to a private network so google
> doesn't know how to route back to you.

Yeah, that's what I see.  From the OP:

>> When I bind the ping to the internal IP address
>> 
>> ping -c1 -I 172.16.1.10 google-public-dns-a.google.com
>> 
>> it times out.  And you only see ICMP traffic in one direction
>> 
>> tcpdump -i eth0 | grep google-public-dns-a.google.com
>>    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>    21:10:41.011189 IP 172.16.1.10 > google-public-dns-a.google.com: ICMP echo request, id 9556, seq 1, length 64

only the request.

Doing this makes sense now that you describe it.  I thought the firewall 'knew' about its own interfaces &
IPs and didn't need that.  I changed

> #  /etc/shorewall/masq

> eth0                     172.16.1.10

Niall O Broin | 4 Aug 10:17 2014

Problems on starting Ubuntu

I had problems yesterday when two servers went down in a data centre due to power problems. The servers are
both KVM hosts which run shorewall to direct traffic to the VMs.

In each case, traffic did not get to the VMs after the restart. One server runs shorewall version 4.4.26.1 on
Ubuntu 12.04.4 and the other runs shorewall version 4.5.21.6 on Ubuntu 14.04 LTS.

I was able to do a couple of reboots on the server running shorewall 4.4.26.1 this morning, and what I've seen
is that when shorewall starts in run level S (which is Ubuntu standard), running iptables -L after a
restart seems to show the desired configuration - however, you cannot connect to the VMs from the outside world.

When I moved the shorewall start script to run level 2, behaviour is as expected and desired.

Capturing the output of iptables -L in both cases, I found the following extra rules when shorewall started
in run level S:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps 

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.1.0/24       state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable


Dale Greenway | 4 Aug 06:44 2014

Pinging from IP aliases?

Hello.

I'm installing Shorewall on my hosted server.

I'm doing stuff step by step so I can understand what does what.  I have some trouble with Pings coming from
private IP aliases.

The server has 2 IPs on its one interface

eth0
  X.15.9.149
  172.16.1.10

The shorewall config that matters is

  /etc/shorewall/interfaces
    net   eth0   tcpflags,nosmurfs,logmartians=1,routefilter=1,sourceroute=0

  /etc/shorewall/zones
    fw    firewall
    net   ipv4

  /etc/shorewall/rules
    ...
    Ping(ACCEPT)   $FW   net
    ...

When I do a 

ping google-public-dns-a.google.com

merc1984 | 3 Aug 19:03 2014

Suspected Trojan


Lately I've been noticing that something is hammering away trying to get
out ports 25 and 110.  Since I don't use those and they are closed, I am
suspicious.  https://pastee.org/k73u8  The destination IP isn't running
POP or SMTP either.

Unfortunately, Shorewall doesn't have a mechanism to associate a PID to
an attempt, maybe because the info just isn't there.  I do find that it
is possible to turn on UID reporting, so I added (uid) to each INFO in
the policy file and restarted Shorewall, but I'm still not getting the
UID.
#SOURCE DEST    POLICY          LOG             LIMIT:          CONNLIMIT:
#                               LEVEL           BURST           MASK
net     $FW     DROP            info(uid)
net     local   DROP            info(uid)
$FW     net     DROP            info(uid)
$FW     local   DROP            info(uid)
local   net     DROP            info(uid)
local   $FW     DROP            info(uid)
#
# THE FOLLOWING POLICY MUST BE LAST
#       
net     all     DROP            info(uid)
all     all     DROP            info(uid)
#LAST LINE -- DO NOT REMOVE

I need to put these 25 and 110 accesses with a PID to try and identify
this trojan.  I'm trying # netstat -apn|grep -w DPT=25 but that hasn't
caught anything yet, and it's not a real solution long-term.

Mike Coan | 1 Aug 16:02 2014

Names of network interface cards

List members

Currently using Shorewall 4.5.11 on opensuse 12.3

Building a new firewall using opensuse 13.1.  After installing opensuse 
13.1 I notice that the two NICs are named

enp0s9  and enp0s18  as opposed to
eth0 and eth1

I can manually rename them to eth0 and eth1 and proceed.  In fact, I may 
have done that with 12.3 but I don't remember.

Two questions.

1) In my Shorewall config files can I replace eth0 with enp0s9 and eth1 
with enp0s18 and have things work

2) Is there any benefit to using the new naming scheme?

I guess there is a third question.  My firewall is pretty simple. 
Should I define the interfaces in the params file (e.g. $INT_IF and 
$EXT_IF) to make it easier to handle changes like this in the future?

Mike
-- 
Michael A. Coan
Woodlawn Foundation, Inc.
56 Harrison Street, Suite 401
New Rochelle, NY 10801-6560

Tom Eastep | 31 Jul 15:57 2014

Re: Multi VLAN Forward Problem

On 7/31/2014 3:21 AM, Georg Bixa wrote:
> On 2014-07-31 at 06:18, Tom Eastep wrote:

>>
>> I would like to understand why this happened. Would you be willing to
>> send me your /etc/shorewall contents so that I could try to reproduce
>> the problem? If so, please:
>>
>> a) shorewall show -f capabilities > /etc/shorewall/capabilities
>> b) tar up the contents of /etc/shorewall
>> c) rm /etc/shorewall/capabilities
>> d) Send the tarball to me privately.
>>
>> While I'm no longer producing patches for Shorewall 4.4, I would like to
>> be sure that the problem isn't present in the latest 4.5 and 4.6
>> releases.
>>
>> Thanks!
>> -Tom
> 
> Of course. I attached the tarball as asked. If you need any further
> information, just email me, I would be happy to assist.
> 

Thanks Georg.

It appears that the problem does not exist in the current versions. I
commented out your net->ene policy, and I see the following in the
generated script:


Paul | 31 Jul 06:32 2014

Auto Response

Georg Bixa | 30 Jul 14:16 2014

Multi VLAN Forward Problem

Hello! I have been using shorewall for some years now, but I ran into trouble 
with the following multi VLAN setup:

The network had two VLANs (vlan21 and vlan22) which are masqueraded by 
the firewall to a public subnet. vlan22 was running fine, but packets on 
vlan21 did not get an answer.
I set up another VLAN (vlan23) to test some parameters, but that shut 
vlan22 down. Now vlan23 is working but vlan21 and vlan22 are not.

I did some tcpdump and found out that the packets are correctly 
masqueraded and sent out but the response is not forwarded with the 
following errors:

Jul 30 12:26:33 viegw kernel: [99036.969653] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan21 MAC= SRC=85.25.182.38 DST=192.168.21.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=31228 PROTO=ICMP TYPE=0 CODE=0 ID=2970 SEQ=55

Jul 30 12:26:34 viegw kernel: [99037.160452] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan22 MAC= SRC=85.25.182.36 DST=192.168.22.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=36303 PROTO=ICMP TYPE=0 CODE=0 ID=2964 SEQ=59

I have checked routing and config files but did not come up with a 
solution for days.
Any help would be much appreciated!
(I have attached a shorewall dump.)

Best regards,

Georg
Attachment (shorewall_dump.txt.gz): application/gzip, 11 KiB
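An added example, not code from any of the posts: a small Python parser for the "Shorewall:<chain>:<disposition>:" kernel log format quoted in Georg's message, used to count blocked outbound TCP attempts by destination port and UID, which is the association merc1984 is trying to get with info(uid). The log lines, hosts, addresses and UID value are constructed for the example; netfilter's LOG output includes UID=/GID= only for packets the firewall host generated itself, so the count covers $FW-originated traffic only.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the "Shorewall:<chain>:<disposition>:" kernel
# log format quoted in Georg's message.  Hosts, addresses and the UID are made up.
SAMPLE_LOG = """\
Jul 30 12:26:33 viegw kernel: [99036.969653] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=vlan21 MAC= SRC=203.0.113.38 DST=192.168.21.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=31228 PROTO=ICMP TYPE=0 CODE=0 ID=2970 SEQ=55
Aug  3 18:40:01 gw kernel: [1234.567890] Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Aug  3 18:40:09 gw kernel: [1242.111111] Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=51235 DPT=110 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Aug  3 18:41:00 gw kernel: [1293.000000] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # key=value; flags like DF or SYN carry no '=' and are skipped


def parse_line(line):
    """Return the fields of one Shorewall kernel log line as a dict, or None
    if the line carries no Shorewall log prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec.setdefault(key, val)  # keep the IP header ID=, not a later ICMP ID=
    return rec


def outbound_drops_by_port(lines):
    """Count blocked TCP connection attempts that originated on the firewall itself,
    keyed by (destination port, UID).  IN= empty with OUT= set marks locally generated
    traffic ($FW -> net); only such packets carry UID=/GID= in the netfilter LOG output,
    so a DROP/REJECT with UID= names the local user or daemon account behind the socket."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["disposition"] not in ("DROP", "REJECT"):
            continue
        if rec.get("IN", "") != "" or not rec.get("OUT"):
            continue
        if rec.get("PROTO") != "TCP":
            continue
        counts[(rec.get("DPT", "?"), rec.get("UID", "?"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for (dpt, uid), n in sorted(outbound_drops_by_port(SAMPLE_LOG.splitlines()).items()):
        print("DPT=%s UID=%s blocked %d time(s)" % (dpt, uid, n))
```

Feed it the live kernel log instead of SAMPLE_LOG to see which local UID keeps producing the port 25/110 attempts; mapping that UID to a process is then a matter of looking at that user's processes on the host.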
surfer | 27 Jul 19:35 2014

Executing a shorewall lib.private script from the cmd line?

Reading

	http://shorewall.net/shorewall_extension_scripts.htm

I'm installing a number of convenience scripts in

	/lib.private

It's clear how they're referenced/invoked in the various shorewall stages.

Is it possible to invoke a single script from the shorewall cmd line?

e.g., if

	/lib.private
		...
		setup_sysctls() {
			echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
		}
		...

is there a shell cmd to effectively

	shorewall 'EXEC a PRIVATE SCRIPT' setup_sysctls

?
