Norman Henderson | 23 Feb 11:48 2016

shorewall-init not reacting to tunnel interface change

Hi, I'm running shorewall 4.5.21.6 on Ubuntu 14.04.1 on one system and on 14.04.3 on another system. Working on some failover scenarios, I installed shorewall-init first using aptitude, then by hand (also 4.5.21.6). Either way appeared to work fine. I configured /etc/default/shorewall-init with PRODUCTS="shorewall" and IFUPDOWN=1.

I have some openvpn tunnels that are providers, i.e. they have their own routing tables and corresponding ip rules (route_rules). The problem is that if I run, e.g., "service openvpn stop tun5", shorewall does not reconfigure accordingly. That is to say, "ifconfig tun5" reports "Device not found"; however, "ip rule" still shows the rule corresponding to that tunnel and "ip route" still shows the corresponding table.

If I manually run "shorewall restart", then the rule disappears and the routing table is cleared. Also, /var/lib/shorewall/tun5.status toggles from 0 to 1 only after the manual shorewall restart. Behavior is analogous when I restart the tunnel: a manual "shorewall restart" is needed before anything appears to change.

What is interesting is that if I do an "ifdown eth0" or "ifup eth0", shorewall-init DOES reconfigure appropriately (a different provider and different route_rules of course). But I can't use ifup or ifdown on an openvpn tunnel; they don't appear in /etc/network/interfaces.

What am I missing? Or is this simply unsupported, in which case I guess I can put an explicit shorewall restart into the openvpn configs...

Thanks in advance!
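An OpenVPN hook script, added here as an example and a lighter alternative to the explicit "shorewall restart" mentioned in the last paragraph; it is not part of shorewall-init, OpenVPN or the original post. It assumes the tunnel is declared optional in /etc/shorewall/interfaces (and its provider in /etc/shorewall/providers), that "shorewall enable <interface>" and "shorewall disable <interface>" are available (they are in 4.5.x), and that OpenVPN sets the script_type and dev environment variables for --up/--down scripts. SHOREWALL_BIN is a hypothetical override used only for testing. Because the interface name ends up as an argument to a privileged command, the script refuses anything that does not look like a tun/tap device instead of passing it on.

```shell
#!/bin/sh
# Constructed example (not part of shorewall-init or OpenVPN): an OpenVPN
# --up/--down hook that asks Shorewall to enable or disable the tunnel
# interface so its provider routing table and rules follow the tunnel state.
#
# Assumptions: the tunnel is declared "optional" in /etc/shorewall/interfaces
# (and in /etc/shorewall/providers), OpenVPN passes the device name as $1 and
# in $dev, and sets $script_type to "up" or "down". SHOREWALL_BIN is a
# hypothetical override so the hook can be exercised with a stub.

SHOREWALL_BIN="${SHOREWALL_BIN:-/sbin/shorewall}"

# Only accept a plain tunNN/tapNN device name: the value reaches a
# privileged command, so anything else is refused rather than passed on.
valid_ifname() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]|tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Map OpenVPN's script_type to the matching Shorewall command.
shorewall_verb() {
    case "$1" in
        up)   echo enable ;;
        down) echo disable ;;
        *)    return 1 ;;
    esac
}

# run_hook IFNAME EVENT: validate, then run "shorewall enable|disable IFNAME".
# Unknown events are ignored (exit 0); a bad interface name is an error (2).
run_hook() {
    hook_if="$1"
    hook_event="$2"
    if ! valid_ifname "$hook_if"; then
        echo "refusing unexpected interface name: $hook_if" >&2
        return 2
    fi
    hook_verb=$(shorewall_verb "$hook_event") || {
        echo "ignoring OpenVPN event: $hook_event" >&2
        return 0
    }
    "$SHOREWALL_BIN" "$hook_verb" "$hook_if"
}

# When OpenVPN invokes this file, script_type is set; act on the environment.
# (Sourcing the file for tests leaves script_type unset, so nothing runs.)
if [ -n "${script_type:-}" ]; then
    run_hook "${dev:-$1}" "$script_type"
fi
```

Wire it into the tunnel's OpenVPN config with "script-security 2", "up /etc/openvpn/shorewall-hook.sh" and "down /etc/openvpn/shorewall-hook.sh" (the path is a placeholder); OpenVPN then runs the same file for both events and the script picks enable or disable from script_type.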
c.monty | 22 Feb 17:17 2016

Configuration - appropriate configuration with 2 default gateways

Hello!

I need your support to define an appropriate configuration for the network architecture I have documented in the attachment.

There are some things that make this network architecture "special":
1. 2 default gateways according to this howto https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System
2. Routed configuration on Proxmox VE server according to this howto https://pve.proxmox.com/wiki/Network_Model#Routed_Configuration
3. Masquerading (NAT) on 2 NICs according to this howto https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29

The definition of 2 default gateways ensures that any traffic on LAN 192.168.178.0/24 will communicate via gateway 192.168.178.1, and any other traffic on LAN 10.0.0.0/24 and DMZ 10.1.0.0/24 will communicate via gateway 10.0.0.1 and 10.1.0.1 respectively.

This configuration is working based on the howto guides without a firewall.
The challenge is to add firewall functionality, but I don't know if I need to revert the modifications in /etc/network/interfaces or /etc/iproute2/rt_tables.

The main questions are:
Who can support me with the configuration of shorewall?
How should /etc/shorewall/interfaces be defined?
How many zones should be in /etc/shorewall/zones?
Do I need to define multiple providers in /etc/shorewall/providers to enable 2 default gateways?

THX
Attachment (network.pdf): application/pdf, 140 KiB
Benny Pedersen | 21 Feb 13:41 2016

shorewall blocking mail bot

iptables -I INPUT -p tcp --dport 25 -m string --algo bm --string 'ylmf-pc' -j DROP

How do I add that silly bot to the shorewall rules?

Subscribe | 20 Feb 03:50 2016

Openvpn on port 53 instead of 1194

Following is my environment. Attached is the output from "shorewall dump".

OS: Ubuntu 15.10 64bit Desktop on Laptop
Shorewall version: 4.6.4.3

llist@LeosGameLaptop:~$ sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 80:fa:5b:13:29:be brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 80:19:34:b8:c8:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.208/24 brd 192.168.1.255 scope global dynamic wlan0
       valid_lft 2782sec preferred_lft 2782sec
    inet6 fe80::8219:34ff:feb8:c8e2/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 52:54:00:68:a4:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 500
    link/ether 52:54:00:68:a4:11 brd ff:ff:ff:ff:ff:ff
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.20.17.184/22 brd 172.20.19.255 scope global tun0
       valid_lft forever preferred_lft forever


llist@LeosGameLaptop:~$ sudo ip route show
default via 172.20.16.1 dev tun0  proto static  metric 50
default via 192.168.1.1 dev wlan0  proto static  metric 600
169.254.0.0/16 dev virbr0  scope link  metric 1000
172.20.16.0/22 dev tun0  proto kernel  scope link  src 172.20.17.184  metric 50
173.245.209.129 via 192.168.1.1 dev wlan0  proto static  metric 600
192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.208  metric 600
192.168.122.0/24 dev virbr0  proto kernel  scope link  src 192.168.122.1

I've been running shorewall for a few years now, but have run into the
following problem recently.

My shorewall files were created from the single interface example and are:

---------zones ----------------
###############################################################################
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
ovpn    ipv4
--------------------------------

----------- interfaces ----------------
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE       OPTIONS
net     eth0            dhcp,optional,tcpflags,logmartians,nosmurfs,sourceroute=0
net     wlan0           dhcp,optional,tcpflags,logmartians,nosmurfs,sourceroute=0
ovpn    tun0            dhcp,optional
---------------------------------------------

----------- policy -----------------------------------------------

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
fw              net             ACCEPT
ovpn            net             ACCEPT
net             all             DROP            info
ovpn            all             DROP            info
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
------------------------------------------------------------------

------------ rules ---------------------------
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME            HEADERS         SWITCH          HELPER
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Drop packets in the INVALID state

Invalid(DROP)  net              fw              tcp

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

Ping(DROP)      net             fw

# Permit all ICMP traffic FROM the firewall TO the net zone

ACCEPT          fw              net             icmp
#
# Permit openvpn

ACCEPT:info     ovpn            fw              udp     -       1194
ACCEPT:info     fw              ovpn            udp     1194
--------------------------------------------------------------------------------------

I've set up a new laptop and found that when using the Openvpn client,
shorewall rejects packets for destination port 53. 

================================================================================
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270388] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=198.18.0.2 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270396] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.194.49 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=42653 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270405] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.195.193 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=47650 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
================================================================================

Openvpn is listening on 1194, so I'm not sure where port 53 gets
involved. I suspected the Ubuntu dnsmasq, but after disabling it the
problem remains. I have posted this question on the Ubuntu networking
forum, but found no takers.

netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1194          0.0.0.0:*               LISTEN      15776/openvpn
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1759/dnsmasq
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1452/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      6607/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2247/master
tcp6       0      0 ::1:631                 :::*                    LISTEN      6607/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2247/master
udp        0      0 0.0.0.0:59475           0.0.0.0:*                           1093/avahi-daemon:
udp        0      0 0.0.0.0:44297           0.0.0.0:*                           15776/openvpn
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1093/avahi-daemon:
udp        0      0 0.0.0.0:24280           0.0.0.0:*                           7767/dhclient
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1759/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1452/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1452/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           7767/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1224/cups-browsed
udp6       0      0 :::2277                 :::*                                7767/dhclient
udp6       0      0 :::5353                 :::*                                1093/avahi-daemon:
udp6       0      0 :::58274                :::*                                1093/avahi-daemon:

Thanks

Attachment (dump.txt.gz): application/gzip, 7737 bytes
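Added example (not from the post or the Shorewall project): a small summariser for Shorewall log lines. Shorewall's default log prefix is Shorewall:<chain>:<disposition>:, and the chain name is the zone pair that was being evaluated, so grouping by chain, disposition, protocol and destination port shows which zone pair and policy produced a burst of log entries and for what traffic. The three REJECT lines from the post are embedded (joined back onto single lines, as the mailer wrapped them) together with one constructed net-fw DROP line using a 192.0.2.0/24 documentation address; SAMPLE_LOG, shorewall_summary and summarize_sample are names chosen here.

```shell
#!/bin/sh
# Constructed example (not from the post or the Shorewall project): summarise
# Shorewall kernel log lines by zone pair, disposition, protocol and
# destination port. Reads stdin, e.g. "grep Shorewall /var/log/kern.log |
# shorewall_summary". SAMPLE_LOG holds the three lines from the post, joined
# back onto single lines, plus one constructed net-fw DROP line.

SAMPLE_LOG='Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270388] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=198.18.0.2 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270396] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.194.49 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=42653 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270405] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.195.193 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=47650 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:40:01 LeosGameLaptop kernel: [11568.000001] Shorewall:net-fw:DROP:IN=wlan0 OUT= MAC=80:19:34:b8:c8:e2:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=192.168.1.208 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=446 WINDOW=29200 RES=0x00 SYN URGP=0'

# shorewall_summary: read log lines on stdin and print one line per
# "CHAIN DISPOSITION PROTO DPORT in=DEV out=DEV" combination, prefixed by
# its count, most frequent first. Lines without a Shorewall: tag are ignored.
shorewall_summary() {
    awk '
    {
        # Locate the "Shorewall:<chain>:<disposition>:" tag; skip other lines.
        for (i = 1; i <= NF; i++) if ($i ~ /^Shorewall:/) break
        if (i > NF) next
        split($i, tag, ":")
        chain = tag[2]; disp = tag[3]
        proto = "-"; dport = "-"; in_dev = "-"; out_dev = "-"
        # The tag token itself carries "IN=<dev>" after the third colon.
        if (tag[4] ~ /^IN=./) in_dev = substr(tag[4], 4)
        for (j = i + 1; j <= NF; j++) {
            n = index($j, "=")
            if (n == 0) continue              # flags such as DF or SYN
            key = substr($j, 1, n - 1); val = substr($j, n + 1)
            if (val == "") continue           # empty OUT= on inbound packets
            if (key == "PROTO") proto = val
            else if (key == "DPT") dport = val
            else if (key == "IN") in_dev = val
            else if (key == "OUT") out_dev = val
        }
        count[chain " " disp " " proto " " dport " in=" in_dev " out=" out_dev]++
    }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# summarize_sample: run the summary over the embedded sample lines.
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | shorewall_summary
}
```

On the lines from the post the summary collapses to a single row: three rejects in the fw-ovpn chain, UDP to port 53, leaving via tun0. Read against the zones and policy files above, that is traffic from the firewall itself into the ovpn zone: the only ovpn-related ACCEPT rule is for UDP 1194, and none of the listed policies names fw as source with ovpn as destination, so the final all/all REJECT policy is what logs it.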
Tom Eastep | 19 Feb 22:51 2016

Shorewall 5.0.5

The Shorewall team is pleased to announce the availability of Shorewall
5.0.5.

Problems Corrected:

1)  Previously, an interface could be erroneously assigned to two
    different providers and the compiler did not flag that as an error.

    The compiler now correctly catches this violation.

2)  The alignment of the output of the 'shorewall[6] show macros'
    command has been corrected.

New Features:

1)  The .ip[6]tables-restore-input file may now include comments which
    indicate the origin of the rules, similar to the ip[6]tables
    comments that are generated when TRACK_RULES=Yes in
    shorewall[6].conf. This additional information is added when
    TRACK_RULES=File.

    Note: This change also enhances TRACK_RULES=Yes by adding tracking
    comments to additional generated ip[6]tables rules.

2)  The output of 'shorewall[6] show actions' is now sorted.

3)  The macro file headers have been updated to use the new
    column names. Also, some macros now invoke other macros rather than
    duplicating their rules. This is intended to ease future
    maintenance (Tuomo Soini).

4)  Additional documentation articles have been updated to use the new
    column names (Tuomo Soini).

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Rafal | 19 Feb 20:34 2016

Iptables chain to Shorewall - how to?

Hi!

Please help me add this iptables rule to Shorewall.

This rule works perfectly fine in iptables, blocking port 25 for connections from the internal LAN to servers, i.e. blocking unwanted viruses/trojans etc. behind NAT (infections) from sending spam.

I add this manually in a terminal:

iptables -I loc2net -p tcp --dport 25 -j DROP

This rule shows up in the loc2net chain and it is working perfectly well.

I have made some attempts in Shorewall, but none of them add the rule to the "loc2net" chain, and they work partially or not at all.

Please give me some advice.

Greetings.

Rafal

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Ob Noxious | 19 Feb 05:29 2016

SMB from "net" zone

Hi,

For a special use case, I need to give access to a CIFS service (445/tcp) from the WAN. I'm struggling quite hard to sort this out. After finding that Samba wasn't the culprit and tshark showed no traffic on the interface related to TCP port 445, I got back to basics :-)

I tried the simplest form of tests from another (unrelated) host on the internet :

"nc -z destination-host 446" and the logs showed the expected "DROP" hits. Fine! Trying "nc -z destination-host 445" showed nothing in the logs.

"shorewall show | less" and searching for "445" showed it was present in the "Drop" chain. So I copied /usr/share/shorewall/action.Drop to /etc/shorewall/action.Drop and commented out the "SMB(@3)" line there.

"shorewall reload" and try again "shorewall show | less". Now the SMB rules are in the "Reject" chain! Ok then... same drill with "action.Reject" and commented out the "SMB(@3)" line.

Again, "shorewall reload" and "shorewall show | less" does not show any "445" port info. This should be good but it's not! "nc -z destination-host 445" still does not produce any DROP log while with port 446 it does.

What am I missing here?

I'm using Shorewall 5.0.2.1

--
ObNox
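Added example serving this post, Rafal's "Iptables chain to Shorewall" post and Benny Pedersen's "shorewall blocking mail bot" post above; it is not code from any of the posters or from the Shorewall project. Shorewall regenerates its zone-pair chains on every reload or restart, so a rule inserted into loc2net by hand does not survive; the place for "block 25/tcp from loc to net" or "accept 445/tcp from net to the firewall" is /etc/shorewall/rules, whose entries are evaluated before the zone-pair policy and therefore before the Drop/Reject policy actions run, which is why editing action.Drop or action.Reject is not the way to admit a port. The function below translates the simple rule shapes from those posts into rules-file lines and refuses what it cannot express, such as the -m string match, for which the rules file has no column. It assumes the chain name is a Shorewall zone pair in the loc2net (older) or loc-net (newer) form and that zone names contain neither "2" nor "-"; ipt2shorewall is a name chosen here.

```shell
#!/bin/sh
# Constructed example (not from the posts or the Shorewall project): translate
# a simple iptables filter rule written against a Shorewall zone-pair chain
# into the equivalent line for /etc/shorewall/rules. Entries there are applied
# before the zone-pair policy, so the result does not depend on -I versus -A.
#
# Assumptions: chain names follow Shorewall's "loc2net" (older) or "loc-net"
# (newer) zone-pair form, zone names contain no "2" or "-", and only the
# options handled below appear. Anything else is refused rather than guessed.

# ipt2shorewall [iptables] -I|-A CHAIN [-s ADDR] [-d ADDR] [-p PROTO] [-m MOD]
#               [--dport N] [--sport N] -j ACCEPT|DROP|REJECT
# Prints one rules-file line: ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT
ipt2shorewall() {
    chain=""; proto="-"; dport="-"; sport="-"; target=""; saddr=""; daddr=""
    while [ $# -gt 0 ]; do
        case "$1" in
            iptables|ip6tables) ;;              # a leading command name is fine
            -I|-A|-s|-d|-p|-m|--dport|--sport|-j)
                [ $# -ge 2 ] || { echo "missing value for $1" >&2; return 1; }
                case "$1" in
                    -I|-A)   chain="$2" ;;
                    -s)      saddr="$2" ;;
                    -d)      daddr="$2" ;;
                    -p)      proto="$2" ;;
                    -m)      ;;                 # tcp/udp match modules add no column
                    --dport) dport="$2" ;;
                    --sport) sport="$2" ;;
                    -j)      target="$2" ;;
                esac
                shift ;;
            *)
                echo "unsupported option: $1 (no rules-file column; use an extension script)" >&2
                return 1 ;;
        esac
        shift
    done

    # The chain name encodes SOURCE and DEST zones: loc2net or loc-net.
    case "$chain" in
        *2*) src="${chain%%2*}"; dst="${chain#*2}" ;;
        *-*) src="${chain%%-*}"; dst="${chain#*-}" ;;
        *)   echo "not a zone-pair chain: $chain (INPUT/FORWARD are reached via zones)" >&2; return 1 ;;
    esac
    case "$target" in
        ACCEPT|DROP|REJECT) ;;
        *) echo "unsupported target: $target" >&2; return 1 ;;
    esac
    # Address qualifiers attach to the zone as zone:address.
    if [ -n "$saddr" ]; then src="$src:$saddr"; fi
    if [ -n "$daddr" ]; then dst="$dst:$daddr"; fi
    echo "$target $src $dst $proto $dport $sport"
}
```

Rafal's rule becomes "DROP loc net tcp 25 -" and the 445/tcp case from this post becomes "ACCEPT net fw tcp 445 -" (append ":info" to the action, e.g. "DROP:info", to log the hits as the policy file above does); the "-m string" rule from the mail-bot post is refused, because it has no rules-file representation.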
Steve Wray | 16 Feb 23:23 2016

Translating from existing policy routing to Shorewall

Hi,
I have an existing, working example of policy routing and I'd like to see if it's possible to implement this in Shorewall.

ip rule ls shows:

0:      from all lookup local
0:      from xxx.xxx.xxx.121 lookup eth2
0:      from all to xxx.xxx.xxx.121 lookup eth2
0:      from xxx.xxx.xxx.122 lookup eth2
0:      from all to xxx.xxx.xxx.122 lookup eth2
1:      from all fwmark 0x200/0x200 lookup TProxy
999:    from all lookup main
32765:  from all lookup balance
32767:  from all lookup default

I've been reading the Shorewall documentation on providers, rtrules etc and can't see how this fits together.

Thanks
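Added example (not from the post or the Shorewall project): a converter that turns the from/to-keyed lines of the "ip rule ls" output above into /etc/shorewall/rtrules entries in SOURCE DEST PROVIDER PRIORITY form, and emits a comment for each line rtrules cannot carry. Assumptions: the table named after "lookup" is also the provider name declared in /etc/shorewall/providers (eth2 here); the fwmark rule is the job of the providers MARK column or a mangle/tcrules entry rather than rtrules; the "from all lookup <table>" lines (local, main, default, balance) are kernel or Shorewall-managed tables that need no rtrules entry; and hand-written rtrules are given priorities in the 1000-1999 band, which I take, per shorewall-rtrules(5), to be the band applied before Shorewall's own generated rules (RTRULES_BAND overrides it if your version documents another band). The masked xxx.xxx.xxx.121/122 addresses are replaced by constructed 203.0.113.0/24 documentation addresses; SAMPLE_RULES, iprule2rtrules and convert_sample are names chosen here.

```shell
#!/bin/sh
# Constructed example (not from the post or the Shorewall project): turn the
# source/destination-keyed lines of "ip rule ls" into /etc/shorewall/rtrules
# entries (SOURCE DEST PROVIDER PRIORITY) and flag the lines rtrules cannot
# express. Assumptions: the "lookup" table name is the provider name; fwmark
# selectors belong to provider marks/mangle rules; catch-all "from all lookup
# <table>" lines are kernel or Shorewall-managed tables; hand-written rtrules
# priorities live in the 1000-1999 band (RTRULES_BAND overrides that).

# Sample input modelled on the post, with documentation addresses
# (203.0.113.0/24) standing in for the masked xxx.xxx.xxx.121/122.
SAMPLE_RULES='0:      from all lookup local
0:      from 203.0.113.121 lookup eth2
0:      from all to 203.0.113.121 lookup eth2
0:      from 203.0.113.122 lookup eth2
0:      from all to 203.0.113.122 lookup eth2
1:      from all fwmark 0x200/0x200 lookup TProxy
999:    from all lookup main
32765:  from all lookup balance
32767:  from all lookup default'

# iprule2rtrules: read "ip rule ls" output on stdin, write rtrules lines
# ("SOURCE DEST PROVIDER PRIORITY") and "#"-prefixed notes for the rest.
iprule2rtrules() {
    awk -v band="${RTRULES_BAND:-1000}" '
    NF < 2 { next }
    {
        prio = $1; sub(/:$/, "", prio)
        src = "-"; dst = "-"; mark = ""; table = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "from")        { src = $(i + 1); i++ }
            else if ($i == "to")     { dst = $(i + 1); i++ }
            else if ($i == "fwmark") { mark = $(i + 1); i++ }
            else if ($i == "lookup") { table = $(i + 1); i++ }
        }
        if (src == "all") src = "-"
        if (table == "") next
        if (mark != "") {
            printf "# prio %s: fwmark %s -> %s has no rtrules selector; use the providers MARK column or a mangle rule\n", prio, mark, table
            next
        }
        if (src == "-" && dst == "-") {
            printf "# prio %s: catch-all lookup %s skipped (kernel or Shorewall-managed table)\n", prio, table
            next
        }
        # Move low kernel priorities into the hand-written band, keeping order.
        if (prio + 0 < band + 0) prio = band + prio
        print src, dst, table, prio
    }'
}

# convert_sample: run the converter over the embedded sample.
convert_sample() {
    printf '%s\n' "$SAMPLE_RULES" | iprule2rtrules
}
```

For the sample this yields four rtrules lines (203.0.113.121 - eth2 1000, - 203.0.113.121 eth2 1000, and the same pair for .122) plus comments for the fwmark and catch-all rules; the eth2 provider itself, with its interface and gateway, still has to be declared in /etc/shorewall/providers, which is what creates the routing table the rtrules lines point at.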

Zenny | 9 Feb 16:31 2016

ad blocking to all connections out from a LOC zone

Hi,

Usually I add restricted URLs from lists like adaway to the /etc/hosts
file of a client computer.

But is there a way to implement this for a whole zone (usually LOC)
from shorewall itself?

Thanks!

/z

Benny Pedersen | 8 Feb 07:08 2016

shorewall6 snat

ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport 43 -j SNAT --to-source your_ipv6_address

How is the above done in shorewall?

(slaac workaround)

Brian J. Murrell | 2 Feb 19:33 2016

time-of-day routing

I have two providers, one is fast (with a bigger usage cap), one is
slow (with a smaller usage cap) so I generally default route through
the fast one as the dedicated primary route with the slow sitting back
as secondary (i.e. for just when the first one goes down, not round-
robin).

But the slow provider zero-rates (does not count usage) from 2am-8am.

What would be ideal would be to be able to configure Shorewall with
time-of-day route rules.  I may (or may not) necessarily want to completely
move the dedicated default route to the slower connection but I might
like to configure a handful of routes (i.e. route-rules) as preferring
the slower connection, during 2-8am.

Given that I don't think the iproute package has any concept of time,
cron is probably the tool here.

Thoughts?

b.