Using 192.168.x.x on external NIC for testing.

Hi there.

I'm testing shorewall before production use on my home network. I've used shorewall before in a production environment, but it's a long time ago.

Any help is appreciated. :-)

My setup:
- FW and client are running from VirtualBox.
- I'm using example files from /usr/share/doc/shorewall/examples/two-interfaces on debian 7.2.0.

Firewall
net: eth0: 192.168.1.175 (from local DHCP)
loc: eth1: 10.29.3.1

Client on the inside (loc)
IP: 10.29.3.2

What works
- FW can ping 8.8.8.8 and test client(10.29.3.2)
- Client can ping FW:eth0(192.168.1.175)
- Client can ping FW:eth1(10.29.3.1)
- SSH connection from outside to FW

What doesn't work
- Ping from client to 8.8.8.8
- w3m to google.com

Keep in mind that I'm using an RFC 1918 private IP address for "net"/eth0. Any ideas as to what I'm missing or doing wrong?

Thanks in advance.

Med venlig hilsen/Kind regards

Michael B. Arp Sørensen
------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
KP Kirchdoerfer | 8 Dec 13:29 2013
NFLOG setting in shorewall.conf

Hi Tom;

running shorewall 4.5.20 I get an error

/sbin/shorewall: /etc/shorewall/shorewall.conf: line 44: syntax error: 
unexpected "("

when I add 
MACLIST_LOG_LEVEL=NFLOG(1,0,1)

to /etc/shorewall/shorewall.conf (as documented in Shorewall Logging)

Though it works in /etc/shorewall/policy

Has this been fixed in later versions?
Do you need more information about my setup?

thx kp

------------------------------------------------------------------------------
Sponsored by Intel(R) XDK 
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
Roland RoLaNd | 5 Dec 13:06 2013
Warning empty zone - virtual interface

Dear all,

I'm running shorewall with 3 interfaces:

eth0: DMZ
eth1: ISP
eth3: LAN

I need to add a wifi zone that will work on a virtual interface eth0:1


I've done the following:

/etc/shorewall/host 
dmz        eth0:192.168.30.0/24
wifi         eth0:192.168.40.0/24

/etc/shorewall/interfaces
###############################################################################
FORMAT 2
###############################################################################
#ZONE INTERFACE OPTIONS
net     eth1            tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
loc     eth3            tcpflags,dhcp,nosmurfs,routefilter,logmartians
-     eth0 -


/etc/shorewall/masq
##############################################################################
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth1 192.168.10.0/24,\
192.168.30.0/24,\
192.168.40.0/24


/etc/shorewall/zones
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
dmz ipv4
wifi ipv4

But when I do "shorewall restart" I receive warnings that both the wifi and dmz zones are EMPTY, as such:

Determining Hosts in Zones...
   WARNING: *** dmz is an EMPTY ZONE ***
   WARNING: *** wifi is an EMPTY ZONE ***


Any explanation of why that is happening?



Orlandinei Vujanski | 4 Dec 18:13 2013
QoS

Tom, good afternoon!
I am configuring QoS, but I get this error when generating the tcdevices and tcclasses files, as below:


Dec 4 15:03:58 Compiling /etc/shorewall/tcclasses ...
Dec 4 15:03:58 ERROR: Unknown INTERFACE (eth0) /etc/shorewall/tcclasses (line 2)


Dec 4 15:10:04 Compiling /etc/shorewall/tcdevices ...
Dec 4 15:10:04 Tcdevice "eth0 10mbit 10mbit" Compiled.
Dec 4 15:10:04 Compiling /etc/shorewall/tcclasses ...
Dec 4 15:10:04 Tcclass "eth0 1 50 * full/100 full 1" Compiled.
Dec 4 15:10:04 ERROR: No default device class defined for eth0


How can I fix this?

thank you
Orlandinei Vujanski | 4 Dec 16:59 2013
QoS - Shorewall

good afternoon!
Can I arrange via shorewall that any request from the 192.168.0.0/24 network to the 10.3.0.0/24 network occupies a maximum of 2mbps of the link?

thank you
jen142 | 3 Dec 23:44 2013

Extension Script or systemd for Shorewall dependencies?

Hi,

I installed Shorewall, and launch it with systemd.

If I want to launch some other app, say OpenVPN, only after
Shorewall is up, should I use systemd's ExecStartPost=, or the
/etc/shoreline/configfiles/{start,started} Extension Scripts?

It seems both would work.

Is there any advantage of one way over the other?

Jen

olivier.monaco | 3 Dec 23:03 2013
Multiple ISP + traffic shaping = poor download speed

Hello,

Thanks for the great Shorewall which has replaced my hard to maintain home-made scripts.

First, what works.

Our local network is 10.48.X.X with multiple VLANs, each on a dedicated interface. We use Shorewall 4.4.11 from Debian Squeeze.

We have 2 ISPs:
- isp1: an optical fiber provider with 10 Mbps.
- isp2: a DSL provider with 15Mbits/1Mbits.

We use isp2 as the default outgoing provider. The isp1 provider is used for "critical" services (SSH...)
and for incoming connections (VPN...).

Our interfaces file:
========================
isp1    eth0          detect          logmartians,nosmurfs,routefilter=0,tcpflags
isp2    eth1          detect          logmartians,nosmurfs,routefilter,tcpflags
========================

Here is our providers file:
========================
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
isp1  1       0x100   -               eth1            37.X.X.X    track,loose     -
isp2  2       0x200   -               eth2          217.X.X.X      track,balance   -
========================

Here is an extract of our tcrules file:
========================
######################################################################################################################
#MARK   SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS   CONNBYTES         HELPER
#                                               PORT(S) PORT(S)

# ISP1 DNS => ISP1
256     0.0.0.0/0       37.X.X.X
256     $FW             37.X.X.X

# ISP2 DNS => ISP2
512     0.0.0.0/0       127.X.X.X
512     $FW             127.X.X.X

# Google DNS => ISP1
256     0.0.0.0/0       8.8.8.8,8.8.4.4
256     $FW             8.8.8.8,8.8.4.4

# VPN IPsec (out) => ISP1
256     0.0.0.0/0       0.0.0.0/0       udp     500,4500
256     $FW             0.0.0.0/0       udp     500,4500

# Force one host to ISP1
256     10.48.1.10             0.0.0.0/0

# Force all SSH to ISP1
256     0.0.0.0/0             0.0.0.0/0       tcp     22
256     $FW             0.0.0.0/0       tcp     22
========================

Yesterday we added VoIP. To do so, we force traffic from our Asterisk server to go through ISP1 with a dedicated
public IP and force the traffic from this dedicated public IP to go to the Asterisk server (with IP filtering
for security). This works too.

Now, my problem is to set up QoS (using TC_ENABLED=Internal). I have tried many configurations but always have the
same problem: once the isp1 interface is listed in tcdevices, we have poor download speed, with or
without other TC configuration.

Here is our tcdevices file:
========================
#NUMBER:	IN-BANDWIDTH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
#INTERFACE							INTERFACES
1:isp1		10240kbit	10240kbit
========================

We use an external server to test download speed with IP 5.X.X.X so we added in tcrules:
========================
256	0.0.0.0/0	5.X.X.X
$FW	0.0.0.0/0	5.X.X.X
========================

The results are:
- without isp1 in tcdevices => more than 1MB/s (bytes measured with the wget command)
- with isp1 in tcdevices => less than 300 kB/s

If I change the bandwidth of isp1 to something more than 70000kbit, all goes right... Other lower values have the
same problem but with different download speeds (seems proportional to the interface speed).

Here is the result of the following command: tc -s -d class show dev isp1
========================
class htb 1:1 root rate 10240Kbit ceil 10240Kbit burst 1598b/8 mpu 0b overhead 0b cburst 1598b/8 mpu 0b overhead 0b level 7
      Sent 1111091 bytes 11680 pkt (dropped 0, overlimits 0 requeues 0)
      rate 83656bit 124pps backlog 0b 0p requeues 0
      lended: 0 borrowed: 0 giants: 0
      tokens: 17781 ctokens: 17781
========================

Rates seem to be OK.

Does anyone have the same problem?

Regards,

Olivier Monaco

Fábio Rabelo | 3 Dec 20:20 2013
more than 1 VPN bridged tunnel

Hi to all

I am not sure if this is the place to ask this; if it is not, just
tell me, or point me to the right place ...

I am trying to make 2 connections to the same shorewall box using
openvpn in bridge mode.

The first one has been working for months now ...

But I cannot establish a second connection to the same server from
another shorewall box ...

Everything in shorewall and openvpn is exactly the same in both boxes ...

So, the question: do I have to create another tunnel on the server just
to serve this new one?

If no, what is wrong ?

If yes ... how can I do this???

Fábio Rabelo

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don't have a clear picture of how application performance 
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
_______________________________________________
Shorewall-users mailing list
Shorewall-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jérôme Blion | 3 Dec 00:16 2013
UPNP client and server at the same time

Hello,

I have a small question for you.
My setup:
  - One server under Debian Wheezy where Shorewall resides
  - One bridge to allow my LAN (ethernet, wifi, and TV)
  - Several clients

I want to install a UPnP client on the shorewall box.
So I read: http://www.shorewall.net/UPnP.html

/etc/upnpd.conf:
create_forward_rules = yes
forward_rules_append = no
forward_chain_name = forwardUPnP
prerouting_chain_name = UPnP

I defined the following interfaces:
     net     ppp0            dhcp,blacklist,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,upnp,upnpclient
     loc     br0             dhcp,tcpflags,bridge

/etc/default/linux-igd:
     # External interface name.  If undefined then upnpd will not be started.
     EXTIFACE=ppp0

     # Internal interface name.  If undefined then upnpd will not be started.
     INIFACE=br0

     ALLOW_MULTICAST=yes

/etc/shorewall/rules contains:
     forwardUPnP     net             loc

/etc/shorewall/policy contains:
     loc             net             ACCEPT
     loc             $FW             ACCEPT

The result is:
     # route
     Table de routage IP du noyau
     Destination     Passerelle      Genmask         Indic Metric Ref    Use Iface
     default         *               0.0.0.0         U     0 0        0 ppp0
     192.168.1.0     *               255.255.255.0   U     0 0        0 br0
     net1lo-bidon.bs *               255.255.255.255 UH    0 0        0 ppp0
     224.0.0.0       *               240.0.0.0       U     0 0        0 br0

Incoming connections are dropped:
     My computer opened the TCP port 61190. I can see dropped packets in syslog.
     Server's connections are dropped too (several ports used as I opened the client lots of times).

You can see a shorewall dump at this location: 
http://srv-bron.hebergement-pro.org/shorewall_dump.log

What should I try to find the root cause? Do you see any error I could have made?

Best regards.
Jerome Blion.

Fred Maillou | 2 Dec 20:29 2013
Masq and source definition

Hello,

  Would it be possible to specify a subnet in masq/source, as in for example 192.168.1.0/24, instead of a series of individual IPs?

Thanks.
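A small checker for the masq file format that appears in this thread (Roland's file, with subnets in the SOURCE column and backslash continuation, which also answers the shape of Fred's question), and the kind of coverage check worth running for Michael's client that can reach the firewall but not the Internet. This is an added example, not code from the thread or from the Shorewall project; the sample masq text is constructed from addresses in the posts, and its eth0 line for the 10.29.3.0/24 client network is an assumption, not any poster's real configuration.

```python
"""Checker for the Shorewall masq file format seen in this thread.
Added example; the sample text is constructed and the eth0 line for the
10.29.3.0/24 client network is an assumption, not a poster's real config."""
import ipaddress

SAMPLE_MASQ = """\
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth1 192.168.10.0/24,\\
192.168.30.0/24,\\
192.168.40.0/24
eth0 10.29.3.0/24
"""


def parse_masq(text):
    """Return [(interface, [sources])] from masq-file text. Sources are
    ip_network objects, or plain strings when the SOURCE column names an
    interface rather than a network. Handles '#' comments, blank lines
    and backslash line continuation, as in Roland's file."""
    entries = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):          # continued on the next line
            logical += line[:-1]
            continue
        logical += line
        fields = logical.split()
        logical = ""
        if len(fields) < 2:              # malformed entry: skip it
            continue
        sources = []
        for token in fields[1].split(","):
            try:
                sources.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                sources.append(token)    # e.g. "eth1" as the SOURCE
        entries.append((fields[0], sources))
    return entries


def masq_interfaces_for(text, host):
    """Names of interfaces whose masq SOURCE networks include host."""
    addr = ipaddress.ip_address(host)
    return [iface for iface, srcs in parse_masq(text)
            if any(not isinstance(n, str) and addr in n for n in srcs)]


def is_masqueraded(text, ext_iface, host):
    """True when an entry on ext_iface covers host. If an inside client can
    reach the firewall but not the Internet, this is one thing to verify."""
    return ext_iface in masq_interfaces_for(text, host)
```

A host that is not covered by any entry on the external interface leaves the firewall with its private source address, which is consistent with (though not the only possible cause of) the symptom in the first post.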