Emiliano Marino | 6 May 22:43 2014

INCLUDE directive on Rules file

Hi! I'm becoming a fan of shorewall. I'm using it for some things and I love the easy way it has to configure everything.
At work we use Cisco ASA firewalls, and the more I learn of the capabilities of the Linux firewall (and routing, bridging, VPN, VLAN, etc.), the less I want to use Cisco :D

Ok, here is the issue:

I'm starting a firewall setup where I'm defining some rules in separate files that are included using the INCLUDE directive.

It works fine, but when you make a mistake in one of the included files, the compiler hides the problem from you, saying:

Compiling /etc/shorewall/rules...
      ERROR: INCLUDE file rules.d/out not found /etc/shorewall/rules (line 19)

It is false that the compiler can't find the file. If you copy the contents of the included file into "rules" and remove the INCLUDE directive for that file, the compiler reveals the true error.

When you fix your mistake, it compiles OK (using the INCLUDE directive).

I think this could be a low-level bug, or I'm doing something wrong. If it's a bug, how can I report it?

Thanks


Mike Andrewjeski | 5 May 23:31 2014

ERROR: Startup is disabled

Hi List,

Thanks in advance for reading this; any help is gratefully appreciated.

Odd problem: after upgrading to Debian wheezy (Shorewall-4.5.5.3) from Debian squeeze (Shorewall-4.4.11.6-3+squeeze1),

when doing a start, restart or refresh I see the error: ERROR: Startup is disabled.

shorewall check shows this: ERROR: The 'zones' file does not exist or has zero size

The content of the zones file hasn't changed and has this content in both /etc/shorewall & /var/lib/shorewall:
fw firewall
loc ipv4 eth3:0.0.0.0/0
net ipv4 eth2:0.0.0.0/0

Here are the installed packages:
dpkg -l | grep shorewall
ii  shorewall         4.5.5.3-3             all   Shoreline Firewall, netfilter configurator
ii  shorewall-common  4.4.11.6-3+squeeze1   all   Shoreline Firewall, netfilter configurator - transition package
ii  shorewall-core    4.5.5.3-3             all   Shorewall core components
ii  shorewall-shell   4.4.11.6-3+squeeze1   all   Shoreline Firewall, netfilter configurator - transition package

Emiliano Marino | 5 May 18:11 2014

Ipset with timeouts

Hi! This is my first email to this mailing list.

I am playing with ipsets and shorewall, and I'm failing to create (using shorewall) an ipset with a default timeout.
When shorewall compiles, it throws a warning saying that the ipset does not exist (which is right), and when it starts, at some stage of the init procedure it creates the ipset.
I can't (or don't know how to) change the shorewall command that creates the ipset. I even tried to use the "Init" script, but the ipset is already created when the script is executed.

So, does anybody have a suggestion?
I know that if I make a script that creates the ipset before shorewall starts it does the job, but I prefer to do it inside shorewall or in shorewall terms.

Sorry for my English :)
Thanks in advance
Filippo Carletti | 5 May 18:24 2014

MultiISP failover suggestions

Hi,
I'm using shorewall (4.5.18) and lsm (0.163) with a two-ISP setup.
I followed the documentation and the LinuxFest presentation (all provider balance), but chose to ping a remote IP instead of the local gateway.
lsm is started as a service, not by shorewall.
The setup is working, but I'm not sure what to do when lsm detects a link down event.
I tried shorewall disable ispX, but it deletes the routing rules, so the link cannot come back.
I could adjust the mangle file and restart shorewall: would it be a good idea? Any other suggested option?

I chose not to ping the connection gateway because both gateways are local and never go down, while one connection in particular (WiMAX) goes down once in a while, and I can detect its status by pinging a remote IP.

Thanks in advance.

-- 
Ciao,
Filippo

Michael Kress | 1 May 15:56 2014

routing issue

Hi, I'm still having trouble with my setup (multi-ISP/OpenVPN) and it seems to be a routing problem: the subnets from the DMZ and LAN can't connect to the outside ... worse: some sites are reachable, some not, although I have flushed the routing tables. I see no drops or rejects.

setup:
------
* esxi server
* 2 hwnics
* 3 vswitches (WAN, DMZ, LAN)
* hwnic1 connected to WAN vswitch
* hwnic2 connected to LAN vswitch
* DMZ vswitch has no physical nics attached
* shorewall vm: eth0 in DMZ switch, eth1 in WAN switch, eth2 in LAN switch
eth0: 192.168.0.1/24
eth1: 192.168.2.251/24
eth2: 192.168.5.251/24

The shorewall machine opens an OpenVPN tunnel tun1 to the VPN server x.x.x.18 and has x.x.x.245/32 as an IP address and x.x.x.254/32 as the remote endpoint located at the VPN provider.

Moreover, what is working: port forwarding by the following rules:

#ACTION  SOURCE DEST                    PROTO   DEST    SOURCE   ORIGINAL
#        #                                      PORT    PORT(S)  DEST
DNAT     vpn    dmz:192.168.0.11        icmp    -       -        x.x.x.245
DNAT     vpn    dmz:192.168.0.11:80     tcp     80      -        x.x.x.245

so far, so good.

The trouble comes with routing and I can't figure out the correct settings, it seems.

Some key settings:
==================

/etc/sysconfig/network-scripts/ifcfg-eth0:
DEFROUTE=no

shorewall.conf:
---------------
USE_DEFAULT_RT=Yes
TRACK_PROVIDERS=Yes

interfaces:
-----------
#ZONE        INTERFACE        OPTIONS
vpn         tun1                blacklist,optional
dmz         eth0                blacklist
wan         eth1                blacklist
lan         eth2                blacklist

zones:
------
fw    firewall
lan     ipv4
wan     ipv4
vpn     ipv4
dmz     ipv4

providers:
----------
#NAME    NUMBER    MARK    DUPLICATE    INTERFACE    GATEWAY        OPTIONS        COPY
ipev       1       1        -           tun1        x.x.x.254      track
tonline    2       2        -           eth1        192.168.2.1    track

rtrules:
--------
#SOURCE            DEST            PROVIDER    PRIORITY    MARK
-                  x.x.x.x.18/32   tonline        1000
-                 x.x.x.x.245/28   ipev           1001
192.168.0.0/24        -            tonline        20001        2
192.168.5.0/24        -            tonline        20001        2

I suspect my problem has to do with this file (rtrules).
What I intended to achieve:
1st line: I want the connections to the VPN server (VPN provider "ipev") to go over tonline, to build up the tunnel
2nd line: packets to x.x.x.245 handled by ipev (VPN provider)
3rd line: packets from 192.168.0.0/24 (DMZ) to anywhere shall go over tonline
4th line: packets from 192.168.5.0/24 (LAN) to anywhere shall go over tonline

1st and 2nd are working.
3rd and 4th are not working. I've also tried other priorities.

In other words: I'd like ALL outbound traffic from LAN and DMZ to go over tonline.
How can I solve this routing issue?

TIA
Michael

PS: Seems that this is the only remaining issue.  \o/

Marcello Giordano | 29 Apr 23:50 2014

Multi-Isp and VPN

Hi,

Thanks for this great piece of software!
I'm trying to setup my network as follows:

The $FW machine is running shorewall and has two NICs: one (wlan1) connected to the internet through a router, the second (eth0) masquerading a subnet.
I recently bought a VPN access (I use OpenVPN on interface tun0) and followed the multi-ISP howto to set up two providers, 1 on wlan1 (fallback) and 2 on tun0 (balanced).

What I am trying to achieve is to have the $FW and the subnet connected to eth0 use the main internet connection through wlan1, and no VPN.

Only one specific user on the $FW (called rtorrent) would instead have all his traffic routed through the VPN (I'm marking his packets with "2" in tcrules).

This is proving to be extremely tricky. I can route all the traffic from the firewall through wlan1 by default, and I can redirect traffic through the VPN by binding an application to the IP address of tun0. The specific user, though, has no connection whatsoever when I activate the tcrule marking his packets...

I am using USE_DEFAULT_RT=no and OpenVPN is pulling routing rules from the server, copying them into the main table.

I attach a dump of my current configuration.

Thank you!

-- 
Marcello Giordano

Attachment (dump.gz): application/x-gzip, 9 KiB
Hristo Benev | 29 Apr 23:07 2014

Conntrack table high

Hi,

It might be a bit off-topic...

My conntrack table is filling up from time to time.

Any suggestions on how to find the cause?

Thanks

Hristo
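
One way to answer this question on the firewall itself, added here as an example and not part of the thread or of Shorewall: the script below ranks conntrack entries by their original-direction source address, counts UNREPLIED flows (the entries that scans, spoofed floods and dead destinations leave behind until their timeout expires) and reports how full the table is. It assumes the standard /proc/net/nf_conntrack line format and the nf_conntrack_count / nf_conntrack_max sysctls; the sample table embedded in it is constructed, not captured from any host.

```shell
#!/bin/sh
# Added example: locate what is filling the conntrack table.
# The functions accept text in the /proc/net/nf_conntrack format (the same
# src=/dst= tokens that `conntrack -L` prints). SAMPLE is a constructed table.

SAMPLE='ipv4     2 udp      17 29 src=192.168.5.77 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=203.0.113.2 sport=53 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.5.77 dst=198.51.100.53 sport=40002 dport=53 src=198.51.100.53 dst=203.0.113.2 sport=53 dport=40002 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.5.77 dst=198.51.100.53 sport=40003 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.2 sport=53 dport=40003 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.5.23 dst=198.51.100.10 sport=51234 dport=443 src=198.51.100.10 dst=203.0.113.2 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.5.23 dst=198.51.100.10 sport=51235 dport=443 src=198.51.100.10 dst=203.0.113.2 sport=443 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=192.168.0.11 dst=198.51.100.77 sport=34567 dport=25 [UNREPLIED] src=198.51.100.77 dst=203.0.113.2 sport=25 dport=34567 mark=0 zone=0 use=2
ipv4     2 tcp      6 7 TIME_WAIT src=198.51.100.7 dst=203.0.113.2 sport=2222 dport=22 src=203.0.113.2 dst=198.51.100.7 sport=22 dport=2222 [ASSURED] mark=0 zone=0 use=2'

# Top N original-direction source addresses by number of entries.
# Prints "<count> <ip>" lines, highest count first. $1 = table text, $2 = N.
top_sources() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn | head -n "${2:-10}"
}

# Entries the far side never answered. A large share of these usually means
# scanning, a spoofed-source flood, or clients hammering a dead destination.
unreplied_count() {
    printf '%s\n' "$1" | grep -c '\[UNREPLIED\]'
}

# Entries per L4 protocol (third column of the nf_conntrack format).
proto_breakdown() {
    printf '%s\n' "$1" | awk '{ n[$3]++ } END { for (p in n) printf "%d %s\n", n[p], p }' | sort -rn
}

# Integer percentage of the table in use, from nf_conntrack_count and nf_conntrack_max.
ct_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# On a real host: read the live counters and the live table. Both reads are
# skipped silently where the files are unreadable (non-root, or a container).
report_live() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ] && [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        echo "conntrack usage: $count/$max ($(ct_usage_pct "$count" "$max")%)"
    fi
    if [ -r /proc/net/nf_conntrack ]; then
        table=$(cat /proc/net/nf_conntrack)
        echo "top sources:"; top_sources "$table" 10
        echo "unreplied entries: $(unreplied_count "$table")"
    fi
}

echo "== constructed sample =="
echo "usage if the sample host had 16384 of 65536 slots in use: $(ct_usage_pct 16384 65536)%"
echo "top sources:"; top_sources "$SAMPLE" 3
echo "unreplied entries: $(unreplied_count "$SAMPLE")"
echo "per protocol:"; proto_breakdown "$SAMPLE"
report_live
```

Run it as root on the firewall and the last section reports the live table; a single address at the top with many UNREPLIED entries points at the host to look at next, while a high usage percentage with a flat distribution suggests the timeouts (for example the UDP and TIME_WAIT ones) or nf_conntrack_max are simply too small for the traffic.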

Michael Kress | 29 Apr 10:29 2014

$FW vs fw

Hi, just curious about a little thing ... sometimes I saw $FW in rules files, sometimes fw. When using $FW, does it have to be declared in params as FW=fw?
What is the preferred way? fw or $FW?
TIA
Michael
Michael Kress | 26 Apr 02:57 2014

openvpn / DNAT

Hi, I have an OpenVPN interface tun1 which provides me with a fixed IP from the outside. I'm planning to forward certain ports and protocols to certain VMs in the local LAN.

setup:
======
test machine outside my LAN: x.x.x.18

router in my LAN: 192.168.2.1

Shorewall machine in my LAN:
tun1 x.x.x.245
eth0 192.168.0.1
eth1 192.168.2.151 with gw 192.168.2.1

VM in my LAN:
eth0 192.168.0.11 with gw 192.168.0.1

rules file on the shorewall machine:
  DNAT      net   loc:192.168.0.11        icmp    -       - x.x.x.245

What I intend to make work: a ping from outside to x.x.x.245 gets forwarded to loc:192.168.0.11, then 192.168.0.11 sends the ICMP reply back to the outside machine.

What IS working:
================
Ping from outside to x.x.x.245: ICMP gets forwarded to 192.168.0.11 and 192.168.0.11 DOES reply,
... as shown by tcpdump:
     x.x.x.18 > 192.168.0.11: ICMP echo request, id 53086, seq 657, 
length 64
02:14:58.029859 00:xx:xx:xx:b1:f9 > 00:xx:xx:xx:8d:f4, ethertype IPv4 
(0x0800), length 98: (tos 0x0, ttl 64, id 46258, offset 0, flags [none], 
proto ICMP (1), length 84)
     192.168.0.11 > x.x.x.18: ICMP echo reply, id 53086, seq 657, length 64
02:14:59.029082 00:xx:xx:xx:8d:f4 > 00:xx:xx:xx:b1:f9, ethertype IPv4 
(0x0800), length 98: (tos 0x0, ttl 55, id 0, offset 0, flags [DF], proto 
ICMP (1), length 84)

i.e. the ICMP echo reply arrives back on the interface eth0.

What is NOT working:
====================
The ICMP echo reply won't get forwarded to x.x.x.18 over tun1.

What do I have to do in order to make that work?

I'm having the same problem with a port forward:
nc -l 6999 ....... on one side
echo "hello" | nc x.x.x.245 6999 ........ on the other side
with a rules file entry
         DNAT      net   loc:192.168.0.11:6999  tcp     6999 - 
x.x.x.245

Same question here. I see the reply on the interface eth0, but I see no forward of the reply to tun1.

Thanks in advance
Regards
Michael

Stéphane Pinchaux | 25 Apr 11:17 2014

Yet an another newbie with routing problem

Dear users, I'm trying to route a public IP to a virtual machine in a virtual network:
☁ Server host ☁ = eth0 => Server = guestbr0 => Virtual machine.
With:
Server's eth0: static server's IP
Server's guestbr0: static 192.168.200.1 (virtual bridge, not connected to eth0)
VM's eth0: static VM's IP

The VM's IP is routed on the server's IP. I have set up routes on both servers; I can ping the VM from the host and vice versa. But... A ping from the VM to an external IP doesn't work: tcpdump lets me see the echo requests on all ports, but the echo reply can be seen only on the server's eth0. A ping from an external connection to the VM's IP doesn't work anymore, but I can see the echo requests on the server's eth0.

Some related details:
OS: debian wheezy

shorewall.conf
IP_FORWARDING=On

zones
net ipv4
gest ipv4

interfaces
net eth0 routefilter,logmartians,routeback,sourceroute=1
guest guestbr0 bridge,dhcp,routeback,logmartians,routefilter

policy
guest all ACCEPT
$FW all ACCEPT
net guest ACCEPT

Does anybody know what's wrong? Many thanks!
-- 
Stéphane
Angela Williams | 23 Apr 20:52 2014

Routing issue with two providers

Hi All!
Only I can find these weird problems!

I have pretty much duplicated another customer's setup with 3 ISPs. The only difference is the new customer only has 2 ISPs.
I have compared all the config files in /etc/shorewall and other than the 3-ISP to 2-ISP changes it all looks good.

The problem is only really with the fibre ISP link. The ADSL line is fine. It looks like a routing issue. From home on the internet I can only ssh in via the ADSL IP address and not via the fibre IP. The same applies from my Icinga site: I can make an NRPE connection via ADSL but not via fibre. From the server itself my named server does not seem to work either. If I force a default route out via the ADSL, named works fine! Shut down shorewall and the problems go away! Not the right way to work!

I have attached the required dump as a gzip tente-dump.gz

Ang

-- 
Angela Williams
angierfw at gmail dot com
Linux/Networking Hacker
Blog http://angierfw.wordpress.com

Smile! Yeshua Loves You!

Attachment (tente-dump.gz): application/x-gzip, 9 KiB