Øyvind 'bolt' Hvidsten | 17 Feb 13:07 2015

ICMP connection tracking in Raspbian

I found an unexpected issue today when configuring a Raspberry Pi as a 
WAN emulator (AP with packet loss, high, variable ping, etc). In the 
kernel of Raspbian (a Debian variant), version 3.18.5 at the time of 
writing, ICMP ping requests are tracked.

Thus, with a default policy of DROP for wlan2net, the following rule did 
not do what I expected:
-----------------------------------
SECTION NEW
Ping(ACCEPT) wlan net - - - - 1/sec:10
-----------------------------------

This would allow a flood of pings from wlan to net, as long as it was 
from and to the same machines.

However, putting the accept rule in the ALL section, followed by a DROP 
rule to counteract the default ALLOW rule for ESTABLISHED did what I 
wanted: one ping every second, with a pool of 10.
-----------------------------------
SECTION ALL
Ping(ACCEPT) wlan net - - - - 1/sec:10
Ping(DROP) wlan net
-----------------------------------

Connection tracking in progress:
-----------------------------------
$ shorewall show connections | grep icmp
icmp 1 29 src=10.101.0.53 dst=173.194.112.130 type=8 code=0 id=256 
src=173.194.112.130 dst=10.0.10.34 type=0 code=0 id=256 mark=0 use=2
-----------------------------------
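The behaviour described above follows from rule ordering: Shorewall's generated chains accept ESTABLISHED/RELATED traffic before the rules in SECTION NEW are consulted, while rules in SECTION ALL are placed ahead of that shortcut. The following model, an added illustration and not Shorewall or kernel code, reproduces the two outcomes with a token-bucket stand-in for the netfilter limit match (`1/sec:10` = one per second, burst 10), a minimal conntrack table keyed on (src, dst, ICMP id), and a constructed 50-packet ping flood. The flow-key extraction at the end reads the conntrack line quoted in the post.

```python
"""Model of how ICMP connection tracking interacts with a rate-limited
Shorewall Ping rule. Constructed illustration, not Shorewall code: the
classes below stand in for the netfilter 'limit' match and the conntrack
table, and the packet stream is synthetic."""
from dataclasses import dataclass
import re


@dataclass
class Echo:
    """One ICMP echo request. Conntrack keys ICMP echo on (src, dst, id)."""
    t: float
    src: str
    dst: str
    icmp_id: int

    @property
    def key(self):
        return (self.src, self.dst, self.icmp_id)


class TokenBucket:
    """Stand-in for the netfilter 'limit' match written as '1/sec:10':
    one token per second, bucket (burst) of 10."""
    def __init__(self, rate_per_sec, burst):
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Conntrack:
    """Minimal conntrack table: an entry is confirmed only for packets the
    ruleset accepts, as netfilter confirms entries in POSTROUTING."""
    def __init__(self):
        self.table = set()

    def state(self, pkt):
        return "ESTABLISHED" if pkt.key in self.table else "NEW"

    def confirm(self, pkt):
        self.table.add(pkt.key)


def run_ruleset(packets, section):
    """Evaluate the wlan->net path for each packet and return the accept count.
    section="NEW": the built-in ESTABLISHED accept runs first, so the limited
    Ping(ACCEPT) in SECTION NEW only sees the first echo of a flow.
    section="ALL": the limited Ping(ACCEPT) and the following Ping(DROP) run
    before the ESTABLISHED shortcut, so every echo is counted."""
    limiter = TokenBucket(1, 10)
    ct = Conntrack()
    accepted = 0
    for pkt in packets:
        if section == "NEW" and ct.state(pkt) == "ESTABLISHED":
            verdict = "ACCEPT"
        elif limiter.allow(pkt.t):
            verdict = "ACCEPT"          # Ping(ACCEPT) wlan net - - - - 1/sec:10
        else:
            verdict = "DROP"            # Ping(DROP) wlan net / default DROP policy
        if verdict == "ACCEPT":
            ct.confirm(pkt)
            accepted += 1
    return accepted


def ping_flood(n, interval=0.01):
    """Constructed flood: n echo requests, same host pair and ICMP id."""
    return [Echo(i * interval, "10.101.0.53", "173.194.112.130", 256) for i in range(n)]


# The conntrack line quoted in the post, with the NATed reply tuple.
CT_LINE = ("icmp 1 29 src=10.101.0.53 dst=173.194.112.130 type=8 code=0 id=256 "
           "src=173.194.112.130 dst=10.0.10.34 type=0 code=0 id=256 mark=0 use=2")


def conntrack_flow_key(line):
    """Extract the (src, dst, id) tuple of the original direction from a
    'shorewall show connections' line."""
    m = re.search(r"src=(\S+) dst=(\S+) type=8 code=0 id=(\d+)", line)
    return (m.group(1), m.group(2), int(m.group(3)))


if __name__ == "__main__":
    print("flow key from conntrack line:", conntrack_flow_key(CT_LINE))
    print("SECTION NEW: accepted", run_ruleset(ping_flood(50), "NEW"), "of 50")
    print("SECTION ALL: accepted", run_ruleset(ping_flood(50), "ALL"), "of 50")
```

With the rule in SECTION NEW only the first echo of the flow meets the limiter; once its conntrack entry is confirmed, the remaining 49 pass as ESTABLISHED. With the SECTION ALL pair the limiter sees all 50 and passes the burst of 10, which is the "one per second, pool of 10" the post wanted.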

Sassy Natan | 17 Feb 00:14 2015

Shorewall with Overlapping IPs

Hi Everyone,

I'm facing a problem which I hope someone might help me with here.

I'm trying to build a site-to-site VPN with my current shorewall + openswan configuration with an overlapping IP range on both ends.

Here is my Topology.

Site A:
eth0 - 172.16.0.0/24 - Internal LAN
eth1 - 10.0.0.0/24 - LAB LAN
eth2 - X.Y.Z.M - Public IP address


Site B
eth0 - 192.168.0.0/24 - Internal LAN
eth1 - 10.0.0.0/24 - LAB LAN
eth2 - N.O.L.P - Public IP address


I want to setup a VPN from the Internal LAN of Site B (192.168.0.0/24) to the LAB LAN of Site A (10.0.0.0/24)

The problem is that Site B already has in its local routing table a setup to route traffic for the network ID 10.0.0.0/24 via the eth1 interface. So traffic can't be routed to the remote site A without (1) disabling this network or (2) doing some NAT magic.

Since option 1 is not really an option, I made sure to configure my IPsec tunnel to use a virtual NETID of 172.31.0.0/24 as the subnet of site A which I want to share with site B.

Basically this means that when a machine from site B (with an IP of 192.168.0.X) wants to talk with a machine from site A (with an IP address of 172.16.0.X), it sends the packets to 172.31.0.X.

Once the FW on site A gets the packet for 172.31.0.X, I use DNAT to route the packet to 10.0.0.X.

This however doesn't seem to work, which is why I'm asking for the community's help.

The first question I have in mind is whether I have to create a fake virtual interface (like a TAP device) which will be configured with the IP address 172.31.0.1 in order for this to work?

(OpenSwan with netkey does not create a virtual interface, unlike when you use the klips or mast module.)

When creating a TAP device or an alias device (like eth0:1) I can easily ping from one site to the other, but then I will have to configure and change settings in the interfaces, zones, policy and rules files, which is something I want to avoid (I have multiple ISPs in my configuration with multiple site-to-site VPNs, including a road-warrior VPN client, so my setup is a little bit more complicated).

I have looked into the netmap, masq and nat files under shorewall, but as far as I can tell nothing works.

Doing more debugging, it seems like the IPsec device is not really applying my settings: when I do a traceroute from a machine in site A with an IP address of 172.16.0.X to a machine in site B with an IP of 192.168.0.X, I would expect to see the next hop after my firewall (site A) to be the next firewall's IP (site B), ending at the destination machine. However, the route goes to the public internet, which explains that IPsec doesn't consider this packet as one which came out of the NETID 172.31.0.X even if I do SNAT.

Is it somehow connected to a pre-routing issue?

I know there are some docs on how to set up IPsec with shorewall, but in most cases I do it without shorewall involved (except for configuring the rules to allow traffic from both networks and disabling NAT between them).

Any Ideas?

Thank You
Sassy
------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
shorewall | 16 Feb 00:27 2015

Multi-ISP without routing cache

Hallo,

I'm updating some shorewall firewalls from CentOS6 to CentOS7. They have
multiple internet providers.
With CentOS6 kernel, routes were cached, and the same target was always
reached via the same internet provider and the same IP. In linux-3.6,
routing cache was removed, and I'm facing problems in CentOS7 accessing
services which track where a client is coming from. 
The routing cache solution was sub-optimal, since all the sources were going
to use the same provider to access the same host, but it did work. I worked
around the problem by statically defining which provider to use to access
the problematic services, changing the provider when needed (see LSM 0.178
and 0.179). But again this solution is not optimal.
So, is it possible in Shorewall to make sure that the same triplet (source
ip, dest ip, dest port) will always go with the same provider?

If not, I found a thread here
http://www.spinics.net/lists/netfilter/msg55150.html .
There, the outgoing packets are added to appropriate ipsets in the
POSTROUTING mangle chain. The set is chosen based on the outgoing interface
(i.e. the provider) chosen by the routing algorithm.
The ipsets are of type hash:ip,port,ip.
Then, the ipsets are used to mark subsequent packets to always go to the
same provider.

Is it possible to do something like this in Shorewall? If not, would it be
fine to add an ACTION in the mangle file, similarly to ADD/DEL in the rules file?
(Or maybe, would it be possible to specify which chain to add the rule to for
ADD/DEL in rules?)

Thank you
Luigi

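The scheme from the linked netfilter thread, modelled in Python as an added illustration (not Shorewall or kernel code): each provider gets one `hash:ip,port,ip` set, the POSTROUTING mangle step records the (source ip, dest port, dest ip) triplet of every outgoing packet into the set of the interface it left through, and a PREROUTING/OUTPUT mangle step marks later packets of a triplet already present in a set so policy routing sends them through the same provider. Plain Python sets stand in for the ipsets, a round-robin stands in for the kernel's cache-less route choice, and the provider names and marks are constructed.

```python
"""Model of sticky per-triplet provider selection with ipsets. Added
illustration, not Shorewall or kernel code: Python sets stand in for the
hash:ip,port,ip ipsets and a round-robin for the multipath route choice."""
import itertools

PROVIDERS = {"isp1": 0x1, "isp2": 0x2}   # provider -> fwmark (constructed values)


class StickyMultiIsp:
    def __init__(self, providers):
        self.marks = dict(providers)
        self.sets = {p: set() for p in providers}   # one ipset per provider
        self._next = itertools.cycle(providers)      # stand-in for cache-less route selection

    def lookup_mark(self, src, dport, dst):
        """Mangle PREROUTING/OUTPUT step, the equivalent of
        '-m set --match-set <isp> src,dst,dst -j MARK --set-mark <mark>':
        return the provider's mark if any set already holds the triplet."""
        for p, members in self.sets.items():
            if (src, dport, dst) in members:
                return self.marks[p]
        return None

    def choose_provider(self, mark):
        """Policy routing: a marked packet uses that provider's table; an
        unmarked one is balanced by the multipath route, which without the
        routing cache is not guaranteed to repeat its earlier choice."""
        if mark is not None:
            return next(p for p, m in self.marks.items() if m == mark)
        return next(self._next)

    def send(self, src, dport, dst, sticky=True):
        """Route one packet and return the provider it leaves through."""
        mark = self.lookup_mark(src, dport, dst) if sticky else None
        provider = self.choose_provider(mark)
        # Mangle POSTROUTING step, the equivalent of
        # '-o <isp iface> -j SET --add-set <isp> src,dst,dst'
        self.sets[provider].add((src, dport, dst))
        return provider


def providers_seen(router, src, dport, dst, n, sticky=True):
    """Providers used by n successive packets of one triplet."""
    return [router.send(src, dport, dst, sticky) for _ in range(n)]


if __name__ == "__main__":
    r = StickyMultiIsp(PROVIDERS)
    print("sticky   :", providers_seen(r, "10.1.1.5", 443, "203.0.113.10", 6))
    print("new triplet still balanced:", r.send("10.1.1.6", 443, "203.0.113.10"))
    r2 = StickyMultiIsp(PROVIDERS)
    print("no mark  :", providers_seen(r2, "10.1.1.5", 443, "203.0.113.10", 6, sticky=False))
```

Because the set entries are keyed on the triplet rather than on the destination alone, different clients of the same service can still spread over both providers; only packets of an already-seen triplet are pinned. Real ipset entries also carry a timeout, which this model omits.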
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
Raimonds Cicans | 13 Feb 21:03 2015

IPSEC & masq

Hello.

I have following Shorewall (4.5.21.10) configuration (simplified)

--- Zone file ---
zlan ipv4
zdmz ipv4
zinet ipv4
zvpn ipv4

--- Interfaces file ---
zlan lan
zdmz dmz
zinet inet

--- Hosts file ---
zvpn inet:remote_internal_lan,remote_external_ip ipsec

--- Masq file ---
inet dmz
inet lan

--- Policy file ---
$FW all ACCEPT
zlan zinet ACCEPT
zlan zdmz ACCEPT
zlan zvpn ACCEPT

zinet all DROP info
all all REJECT info

--- Tunnels file ---
ipsec zinet remote_external_ip

---------------------

Everything is working fine, but I need to add access from the zdmz zone to zvpn.
In the FreeSwan configuration only zlan has access to zvpn, so it looks like I
need some kind of masquerading.
Is this theoretically possible?

I tried following:
1. step
add to beginning of Policy file:
zdmz zvpn ACCEPT

2. step
add to beginning of Masq file
inet:remote_internal_lan dmz ip_of_lan_interface

But when I try to ping zvpn hosts from zdmz I get:
Shorewall:zdmz2zinet:REJECT:IN=dmz OUT=inet ... SRC=some_zdmz_ip 
DST=some_zvpn_ip

Honestly speaking, in the second step I tried almost all possible
combinations of IP/net addresses, and when I ping I always get the same error.

What I am doing wrong?

Thank you for any help in advance.

Raimonds Cicans

Marko Weber | 8000 | 13 Feb 16:55 2015

typo on page?

http://shorewall.net/upgrade_issues.htm#idp8704902640

Beginning with Shorewall 4.6.0, ection headers are now preceded by '?'

means

Beginning with Shorewall 4.6.0, Section headers are now preceded by '?'

or ?

greetings , Marko

Matthias F. Brandstetter | 13 Feb 02:21 2015

Unable to setup DNAT via VPN

Hello, I am running Shorewall 4.5.5.3 on a Debian machine.

I have a firewall (10.8.0.1) connected to an internal server (10.8.0.2) via OpenVPN. On the firewall the VPN interface is called tun0. So in my shorewall configuration I have this:

$ cat interfaces
#ZONE   INTERFACE   OPTIONS
-       lo          ignore
vpn     tun+        optional
net     eth+        dhcp,physical=+,routeback,optional

$ cat zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
vpn     ipv4
net     ip

$ cat policy
#SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
#                         LEVEL   BURST    MASK
$FW       net    ACCEPT
$FW       vpn    ACCEPT
vpn       all    ACCEPT
net       all    DROP     info

Now I want to forward all traffic from the public net coming to TCP port 2222 on the firewall to the internal server port 22. So I have added the following two lines:

$ cat rules
ACCEPT      net   $FW               tcp   2222
DNAT:info   net   vpn:10.8.0.2:22   tcp   2222

In my shorewall.conf file I have this line:

IP_FORWARDING=On

However, this does not seem to work.
In the log file I can see these lines:

Feb 13 01:59:44 helios kernel: [2390648.826670] Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=<client-IP> DST=<firewall-IP> LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0

What am I missing here?

Cheers!


--
Matthias F. Brandstetter
haimat <at> gmail.com
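Both the REJECT line in the "IPSEC & masq" post and the DNAT line in this post are Shorewall kernel log lines: a `Shorewall:<chain>:<disposition>:` prefix followed by netfilter's `key=value` fields. The parser below is an added example (not Shorewall code) that turns such lines into structured records and, when the chain name is a zone-to-zone policy chain such as `zdmz2zinet`, splits it into the source and destination zone, which is what tells you which policy fired. The sample lines are constructed from the two posts with RFC 5737 documentation addresses in place of the posters' real ones, and the ICMP fields on the first line are assumed.

```python
"""Parser for Shorewall kernel log lines. Added illustration, not Shorewall
code. The sample lines are constructed from posts on this page, with
documentation addresses in place of real ones."""
import re

PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")          # key=value; flags like DF/SYN have no '='
ZONE_PAIR_RE = re.compile(r"^(\w+?)2(\w+)$")   # policy chains: zdmz2zinet, net2fw, ...

SAMPLE_LINES = [
    # constructed from the REJECT line in the 'IPSEC & masq' post (ping from dmz);
    # the PROTO/TYPE/CODE fields are assumed, the original line elides them
    "Shorewall:zdmz2zinet:REJECT:IN=dmz OUT=inet SRC=192.0.2.20 DST=203.0.113.7 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1",
    # constructed from the DNAT line in the 'Unable to setup DNAT via VPN' post
    "Feb 13 01:59:44 helios kernel: [2390648.826670] Shorewall:net_dnat:DNAT:IN=eth0 OUT= "
    "MAC=52:54:ed:88:f9:f5:5c:5e:ab:03:66:c0:08:00 SRC=198.51.100.10 DST=203.0.113.1 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=55 ID=21389 DF PROTO=TCP SPT=38026 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0",
    # unrelated kernel line that must be ignored
    "Feb 13 02:00:01 helios kernel: [2390665.000000] usb 1-1: new high-speed USB device",
]


def parse_shorewall_log(line):
    """Return None for lines without a Shorewall prefix, otherwise a dict with
    the chain, the disposition, the (source, dest) zone pair when the chain is
    a zone-to-zone policy chain, and every key=value field after the prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    zp = ZONE_PAIR_RE.match(m.group("chain"))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "zones": (zp.group(1), zp.group(2)) if zp else None,
        "fields": fields,
    }


def describe(parsed):
    """One-line summary: disposition, chain, zone pair, flow and interfaces."""
    f = parsed["fields"]
    flow = f"{f.get('SRC', '?')}->{f.get('DST', '?')}"
    if "DPT" in f:
        flow += f":{f['DPT']}/{f.get('PROTO', '?').lower()}"
    where = f"in={f.get('IN') or '-'} out={f.get('OUT') or '-'}"
    zones = f" policy {parsed['zones'][0]}->{parsed['zones'][1]}" if parsed["zones"] else ""
    return f"{parsed['disposition']} in chain {parsed['chain']}{zones}: {flow} ({where})"


def summarize(lines):
    """Summaries for every Shorewall line in the input, other lines skipped."""
    return [describe(p) for p in map(parse_shorewall_log, lines) if p]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LINES):
        print(s)
```

Note what each record carries: the DNAT line has an empty `OUT=` because it is logged in the nat table before routing, so it proves only that the translation rule matched, not that the forwarded packet reached the VPN peer; the REJECT line's chain name shows the packet was evaluated under the `zdmz` to `zinet` policy rather than a `zdmz` to `zvpn` one.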
h15234 | 8 Feb 01:59 2015

shorewall start/stop works ok, but during pkg version upgrade drops network and needs network+shorewall restarts?

Hi

I recently inherited a few Linux boxes with Shorewall on them.

They need some clean up so I'm taking it one step at a time.

First I'm dealing with startup and shutdown.

I notice that when shorewall's installed and running on a local system (Opensuse 13.2), if I do a package
upgrade to a newer version of shorewall (using the distro's "zypper dup" command), that the upgrade
occurs OK, but the network drops and I need to restart shorewall (always) and the network (sometimes).

Then everything's back to normal.

I don't have any problems with normal shorewall startup / shutdown, either on boot or from the command line. 
Only when I do this package upgrade.

Not really an issue if the machine's local (THIS one is). But I can see this could be a nasty problem if I'm remote.

I notice that there's some custom systemd startup scripts in here.  I also see there's been some discussion
in the recent past on the list about systemd startup issues and so on.  

I don't know enough about what's going on DURING the pkg upgrade yet, but thought I'd ask here to figure out
where to poke 1st.

Is there a setting or procedure to prevent something like this in Shorewall?  I can't quite figure out what
would be unique to the pkg upgrade procedure that's not also done in a start/stop.

Cheers,

Hanlon

Tom Eastep | 7 Feb 00:49 2015

Shorewall 4.6.6.2

Shorewall 4.6.6.2 is now available for download.

Problems Corrected:

1)  The compiler failed to parse the construct +<ipset>[n] where n is an
    integer (e.g., +bad[2]).

2)  Orion Paplawski has provided a patch that adds 'ko.xz' to the
    default MODULE_SUFFIX setting. This change deals with recent Fedora
    releases where the module names now end with ".ko.xz".

    In addition to Orion's patch, the sample configurations have been
    modified to specify MODULE_SUFFIX="ko ko.xz".

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Joseph DeGraw | 5 Feb 18:46 2015

Forwarding 81 to internal lan webserver

Hello,

I installed Shorewall for the first time last night and I am very 
impressed. I installed it to try and fix an issue that I really do not 
understand.

I have a typical 2 interface setup. I have comcast as my ISP. I did a 
redirect on port 2100 to my local computer to play a game and it works 
fine. So, I know redirect works ok.

Now, I have a client that I have designed a webpage for and it is hosted 
on one of my other local computers. Its ip is 10.0.1.33 I can access it 
fine locally. But what I wanted to do is redirect port 5000 on the FW to 
10.0.1.33:80 . This would let my client view their new website and 
critique it. However, what happens when they try 
(www.renuecomputers.com:5000) is that they end up at my company website 
(www.renuecomputers.com), so I tried having them test it by my external 
ip:5000 and I get the same outcome. They never make it to the internal 
computer (10.0.1.33) and end up at my website on the FW.

If I shutdown my company website (apache2) and have them try again then 
the browser errors out on the connection.

This is my rule for the redirect to my internal webserver:

DNAT net loc:10.0.1.33:80 tcp 5000

I did re-read the the docs on the two-interface setup and anything else 
I could find but really do not have a clue. Anyone ever experience 
something like this?

What am I missing? or How should I troubleshoot this ?

Thank you,

JD

Gilbert Robert | 4 Feb 21:37 2015

ipsec and shorewall

Hi,

I would like to establish an IPSEC connection from one site to one site.
Site A is a Cisco ASA and site B is a Linux Debian Wheezy

On site A we don't have any access, but on site B we can do what we want.
I installed Shorewall 4.5.5.3 and openswan 1:2.6.37-3+deb7u1

I spent a lot of time trying to connect those 2 sites like this

site B                                                                           site A
[ 10.1.0.0 ] -----[ 10.1.0.1 / eth0 143.123.123.121/28 ] ..... [ 190.120.87.165 ]---[193.198.43.0]
                               eth0 143.123.123.122

This would be relatively simple if Site A did not want nat in the VPN. In fact they want to see only one source
address from the network B for example
the 143.123.123.122. They don't want to see rfc1918 addresses in subnet B.

I read and reread the pages of shorewall but I'm a little bit confused now.
I can establish IPsec phase I but not the second. IPsec therefore works, but it appears that phase II is stuck.

My part of config:

interfaces
vpn	ppp0	-
net	eth0

hosts
vpn	eth0:193.198.43.0/24   ipsec

masq
eth0	10.1.0.0/24	143.123.123.122  -       -       -       mode=tunnel,tunnel-dst=193.198.43.0/24

tunnels
ipsec	net	  190.120.87.165/32       vpn

Many thanks in advance for your help and lights ....

Gilbert R.

Andrew DeMaria | 1 Feb 00:36 2015

Cannot connect to remote PPTP vpn

Shorewall group,

I am having a hard time connecting to a remote PPTP from a LAN computer
and was hoping I could get some hints on what could be going wrong.

Here is what I know:

The remote VPN server is an Asus router. At time of writing it was
71.208.224.179.  It is set up for PPTP with 128 bit MPPE encryption.

I can connect on my android phone if I am on verizon's network, but I
cannot connect if I am on the LAN network.  Likewise I cannot connect on
my laptop on the LAN network.

I have run a tcpdump on the router while trying to connect to the VPN
from the LAN.  At a high level it seems that traffic is making it
through for the initial connection setup and there are also some further
PPP packets but it seems that the conversation just goes silent.

I have tried setting up shorewall in two different manners with the same
results:
-  Using AUTOHELPERS=Yes
-  Specifying HELPERS=amanda,ftp,irc,netbios-ns,pptp,sane,sip,snmp,tftp
and using the following rule in conntrack:

?if __PPTP_HELPER
CT:helper:pptp:PO -   -   tcp 1723
?endif

Any ideas?

Thanks much.
Andrew


             +-------------+                      
             | Asus Router |                      
             |  VPN PPTP   |  71.208.224.179      
             +-------------++                     
                            |                     
                            |            XXXXXXX  
       XXXXXXXXXXXXXXXX     |      XXXXXXX     X  
     XX               XXX   |     X            XX 
     X    Time Warner  X+---+---+XX  Verzion    X 
    XX      Cable     XX         X             XX 
    X                 X          XX            X  
    XX            XXXXX            XXXX       XX  
      XXX      XXX+---+              XXXX++XXXX   
         XXXXXXX      |                   |       
                      |                   |       
                      |                   |       
                      |                   |       
        76.187.111.93 |                   |       
                   +--+-------+           | Works!
                   |Shorewall |           |       
                   |  Router  |           |       
                   +---+------+           |       
       172.16.17.1/24  |                  |       
                       |                  |       
                  XXXXX+XX       +--------++      
 172.16.17.99    XX      X       | Android |      
+---------+     XX  LAN  X       +---------+      
| Laptop  +-----+X      XX       |                
+---------+      XXX    +--------+                
     Doesn't Work  XXXXXX   Doesn't Work          
Attachment (shorewall.dump.gz): application/gzip, 13 KiB