Jeremy Baker | 4 Nov 05:32 2015

6in4 tunnel, simple traffic shaping

I have a question about simple traffic shaping, and a 6in4 tunnel.  I
have a native ip4 internet connection using interface ppp0, and a 6in4
tunnel to hurricane electric using interface he-ipv6.  I have been using
simple traffic shaping on my ipv4 connection for some time to prioritize
traffic from three separate internal lans, but would like to extend that
to the ipv6 traffic as well.  How do I do that when the ipv6 traffic is
encapsulated within the ipv4 before it goes out ppp0?
-- 
Jeremy Baker <jab <at> mbcs.ca>
GnuPGP fingerprint =
EE66 AC49 E008 E09A 7A2A  0195 50EF 580B EDBB 95B6

------------------------------------------------------------------------------
Javier Terceiro López | 3 Nov 17:59 2015

Optional Interface is not usable

Hello, 

I have a new installation with pacemaker and shorewall. My system has many nodes, in multi-master mode, and
two different providers too (not balanced providers). With pacemaker I decide where the interface is up
and shorewall is the firewall. It's working fine. Only a warning when shorewall starts: 
--- 
Adding Providers... 
WARNING: Optional Interface bond0.0038 is not usable -- bond0_0038 not Started 
WARNING: Optional Interface bond0.0238 is not usable -- bond0_0238 not Started 
Preparing iptables-restore input... 
--- 

When I want to balance any resource (interface with IP), I have a problem. The routes and rules to work with
the interface are not loaded on the server (Interface bond0.0038 is not usable -- bond0_0038 not Started) and
the firewall doesn't work! I need to reload the shorewall rules to make it work. 

Is it possible for shorewall to load rules and routes for not usable interfaces? jajaja 

Thanks in advance. 

Javier.

------------------------------------------------------------------------------
Ryan Joiner | 2 Nov 18:54 2015

Disable SIP Helpers in CentOS 5.9

Hello - I run CentOS 6 on many firewalls and am able to turn off the SIP helpers by running
rmmod nf_nat_sip
rmmod nf_conntrack_sip

I have a firewall running CentOS 5.9 and Shorewall 4.6.13.2-1.
In CentOS5, I'm unable to run /sbin/rmmod nf_nat_sip because it says ERROR: Module does not exist.

Is there a different way to turn them off in CentOS 5?  Am I looking at trying to disable the SIP helpers the
wrong way, or do they simply not exist in CentOS 5.9?  We are having audio issues, and every time it is fixed
by disabling those when CentOS 6 is our firewall.  I'm trying not to have to take this site down for rebuilding
with 6, so I just thought I'd ask.

Thanks!
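An added example (editor's own, not code from the post or from the Shorewall project) of the check behind this question: given a listing in /proc/modules format, it reports which SIP helper modules are loaded and the order in which they have to be unloaded. It assumes that the 2.6.18-series kernel in CentOS 5 names the IPv4 helpers ip_conntrack_sip and ip_nat_sip, alongside the nf_conntrack_sip and nf_nat_sip names the post uses for CentOS 6; the module listing below is constructed.

```shell
#!/bin/sh
# Added example, not from the list post: find the SIP conntrack/NAT helper
# modules that are loaded and print the rmmod commands in dependency order.
# Assumption: on the 2.6.18-series kernel in CentOS 5 the helpers are named
# ip_conntrack_sip and ip_nat_sip, while CentOS 6 uses nf_conntrack_sip and
# nf_nat_sip; the pattern below accepts either naming scheme.

# List SIP helper modules present in a /proc/modules-style listing ($1).
sip_helpers_in() {
    awk '$1 ~ /^(nf|ip)_(conntrack|nat)_sip$/ { print $1 }' "$1"
}

# Same list, ordered for unloading: the NAT helper holds a reference on the
# conntrack helper, so it has to go first or rmmod reports the module in use.
sip_helpers_unload_order() {
    sip_helpers_in "$1" | awk '
        /_nat_sip$/       { nat = $1 }
        /_conntrack_sip$/ { ct  = $1 }
        END { if (nat != "") print nat; if (ct != "") print ct }'
}

# Print the commands an administrator would run (as root) to unload them.
sip_helper_unload_commands() {
    for m in $(sip_helpers_unload_order "$1"); do
        echo "rmmod $m"
    done
}

# Constructed sample in /proc/modules format, mimicking a CentOS 5 firewall.
SAMPLE_MODULES=$(mktemp)
cat > "$SAMPLE_MODULES" <<'EOF'
ip_nat_sip 12345 0 - Live 0xffffffff88000000
ip_conntrack_sip 23456 1 ip_nat_sip, Live 0xffffffff88010000
iptable_filter 7105 1 - Live 0xffffffff88020000
ip_conntrack 53601 4 ip_nat_sip,ip_conntrack_sip, Live 0xffffffff88030000
EOF

sip_helper_unload_commands "$SAMPLE_MODULES"
# On a live system point it at the real listing instead of the sample:
#   sip_helper_unload_commands /proc/modules
```

Running it against /proc/modules on the firewall shows which naming scheme the kernel actually uses before any rmmod is attempted. Unloading only lasts until the next restart loads the helpers again; Shorewall's shorewall.conf DONT_LOAD option lists modules it should skip, and a modprobe blacklist entry covers loading from elsewhere.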

------------------------------------------------------------------------------
Jeremy Baker | 30 Oct 19:52 2015

ipset containing mac addresses

Can I reference an ipset that contains mac addresses only from a
shorewall rule?
-- 
Jeremy Baker <jab <at> mbcs.ca>
GnuPGP fingerprint =
EE66 AC49 E008 E09A 7A2A  0195 50EF 580B EDBB 95B6

------------------------------------------------------------------------------
Ed W | 30 Oct 17:26 2015

REJECTing conntrack connection in INVALID state?

Hi,

I have a requirement to REJECT packets for some connections in an 
INVALID conntrack state.  I can't quite figure out how to do this...

What I can do:
- echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
- now I can see these packets in "SECTION INVALID" in shorewall

However, I am nervous of changing the default _loose setting as I have a 
complete multi-gateway setup WITH vpns and I suspect there are some 
hidden effects I haven't thought of.

How can I REJECT packets without an established conntrack entry, 
*without* changing the default nf_conntrack_tcp_loose?  Consulting the 
diagram here:
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
I suspect I need to match in pre-routing or earlier?

Could someone help me with a sample to achieve:
REJECT loc   ppp0  tcp --ctstate invalid

Note, I'm aware that it's not possible/sensible to try and REJECT 
anything other than TCP connections.  The bigger picture is that I need 
to kill some network connections when my internet gateway goes up/down 
(or the clients get into a stuck state) and I can't find a way of doing 
this other than removing the conntrack entries and sticking a REJECT 
rule in to catch the case.

(If anyone has other ideas on how one can send RST packets to force the 
------------------------------------------------------------------------------

PGNd | 28 Oct 17:39 2015

Opensuse pkgs for SW5?

I'm planning to migrate my SW instances from my-current v4.6.13 to latest-released v5x.

Distro is Opensuse.  13.2, currently.

I prefer packages, but have not (yet) found SW5 packages.

Before resorting to DIY -- anyone know of available SW5 packaging for Opensuse5?  Or plans for them?

Thanks.

------------------------------------------------------------------------------
Tom Eastep | 28 Oct 04:59 2015

Shorewall 5.0.1.1

Shorewall 5.0.1.1 is now available for download.

Problems Corrected:

1)  More version identification has been removed from configuration
     files (Tuomo Soini).

2)  Previously, if statistical load balancing was used in the providers
     file, the default route in the main table was not deleted during
     firewall start/restart/reload. This prevented providers whose
     default routes were not in the main table from being able to
     recover from the disabled state.

3)  The new "remote_" commands were actually implemented as "remote-"
     commands (with a hyphen rather than an underscore). Also, the
     "remote-reload" command was broken. Additionally, the commands did
     not appear in the help text.

     Because there are already 'safe-*' commands (with a hyphen),
     the documentation has been changed to match the implementation.
     Additionally, the commands have been added to the help text, and
     the 'remote-reload' command has been fixed.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------

matt darfeuille | 27 Oct 01:00 2015

usage message with remote_start command

Hi,

While attempting to run the following command, remote_start, on cygwin 
I get this usage message:

$ shorewall remote_start

Usage: shorewall [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t 
] <command>
where <command> is one of:
   add <interface>[:<host-list>] ... <zone>
   allow <address> ...
   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ 
<directory> ]
   clear
   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] 
[ <directory name> ] [ <path name> ]
   close <source> <dest> [ <protocol> [ <port> ] ]
   delete <interface>[:<host-list>] ... <zone>
   disable <interface>
   drop <address> ...
   dump [ -x ] [ -l ] [ -m ]
   enable <interface>
   export [ <directory1> ] [<user> <at> ]<system>[:<directory2>]
   forget [ <file name> ]
   help
   ipcalc { <address>/<vlsm> | <address> <netmask> }
   ipdecimal { <address> | <integer> }
   iprange <address>-<address>
   iptrace <iptables match expression>
------------------------------------------------------------------------------

Tom Eastep | 22 Oct 19:53 2015

Shorewall 4.6.13.2

Shorewall 4.6.13.2 is now available for download.

Problem Corrected:

1)  Previously, if statistical load balancing was used in the providers
     file, the default route in the main table was not deleted during
     firewall start/restart. That route is now correctly deleted.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Marcelo Bello | 21 Oct 15:09 2015

Providers: ppp0/1/2 interface detected from IP address

Hi, 

On my box sometimes the adsl connection is falling on ppp1/ppp2 and not always on ppp0.

I could investigate hacks to ensure it always goes to ppp0, but I just read on the pppd mailing list that they consider it best practice to never assume which ppp+ interface the connection will be brought up on. The solution they give is to use the "linkname adsl" option to pppd and then find the interface name in /var/run/ppp-adsl.pid or, if the IP is static, just find the interface from the IP address.

I was wondering if there is any way to tell shorewall to figure out the right ppp+ interface for my provider. In the interfaces file I have
net    ppp+     optional,wait=10,...

On providers I wanted to write: (this is multi-isp)
adsl     1    256    -       ppp+:<ip_address>    -     track,balance=10    -


However, shorewall does not seem to accept it, so now I have ppp0 there. My next move would be to figure out the interface name with a custom script, add an $ADSL_IFACE variable in the params file and then replace ppp0 with $ADSL_IFACE.

Is there anything I am missing here? How have other people dealt with this?

Marcelo
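An added example (editor's own, not code from the post or from the Shorewall project) of the custom-script approach the post considers: two lookups that resolve the ADSL ppp+ interface, first from the pppd linkname pid file the post mentions and then from the static IP address, so the params file can set ADSL_IFACE from the result. It assumes pppd was started with "linkname adsl", that /var/run/ppp-adsl.pid holds the pid on line 1 and the interface name on line 2, and that the address fallback reads saved "ip -o -4 addr show" output; the pid file and address listing below are constructed.

```shell
#!/bin/sh
# Added example, not from the list post: discover the ppp+ interface that
# carries the ADSL link so the Shorewall params file can export it, e.g.
#   ADSL_IFACE=$(adsl_iface /var/run/ppp-adsl.pid "$ADSL_IP" "$IPADDR_FILE")
# Assumptions: pppd runs with "linkname adsl", so /var/run/ppp-adsl.pid holds
# the pid on line 1 and the interface name on line 2, and the static-address
# fallback parses "ip -o -4 addr show" output saved to a file.

# Interface name recorded on line 2 of a pppd linkname pid file; empty if absent.
iface_from_linkpid() {
    if [ -r "$1" ]; then
        sed -n '2p' "$1"
    fi
}

# Interface holding IPv4 address $1, taken from "ip -o -4 addr show" output in $2.
# Handles both "inet A.B.C.D/nn" and the "inet A.B.C.D peer X/32" form ppp uses.
iface_for_ip() {
    awk -v ip="$1" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == ip) { print $2; exit } }' "$2"
}

# Resolution order: pid file, then address lookup, then the conventional ppp0.
adsl_iface() {
    iface=$(iface_from_linkpid "$1")
    if [ -z "$iface" ] && [ -n "$2" ]; then
        iface=$(iface_for_ip "$2" "$3")
    fi
    echo "${iface:-ppp0}"
}

# Constructed sample data standing in for the live pid file and ip(8) output.
SAMPLE_PIDFILE=$(mktemp)
printf '4242\nppp2\n' > "$SAMPLE_PIDFILE"
SAMPLE_IPADDR=$(mktemp)
cat > "$SAMPLE_IPADDR" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
5: ppp1    inet 203.0.113.7 peer 203.0.113.1/32 scope global ppp1\       valid_lft forever preferred_lft forever
EOF

echo "ADSL_IFACE=$(adsl_iface "$SAMPLE_PIDFILE" 203.0.113.7 "$SAMPLE_IPADDR")"
```

The pid file is preferred because it is written by pppd itself, whereas an address lookup only works while the link is up and only for a static address; the ppp0 default keeps the params file usable when neither source is available at compile time.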
------------------------------------------------------------------------------
Tom Robinson | 21 Oct 00:53 2015

VPN and L2TP connection issues

shorewall-4.6.13-0base
openswan-2.6.32-9.el5
CentOS release 5.11
xl2tpd-1.2.8-1

Hi,

I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one host to a Symmetric link
(9.5Mb/9.5Mb) on another host. The old, working link is configured under shorewall-4.5.0.3-1.el5 and
used DNAT to transmit L2TP port packets to the internal interface:

rules:
DNAT            roadw           $FW:192.168.0.13 udp    1701    1701

This has been working for some years now and I'm not sure any more why I configured it that way.

Anyway I've started afresh on the new setup following the
http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article but I can't establish a link through L2TP.
The VPN comes up OK but the L2TP packets are being rejected:

Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122

A packet trace on the firewall's external interface shows the following:

Capturing on eth1
  0.000000 165.228.94.4 -> 115.70.189.243 ISAKMP Identity Protection (Main Mode)
  0.001157 115.70.189.243 -> 165.228.94.4 ISAKMP Identity Protection (Main Mode)
  0.103565 165.228.94.4 -> 115.70.189.243 ISAKMP Identity Protection (Main Mode)
  0.112520 115.70.189.243 -> 165.228.94.4 ISAKMP Identity Protection (Main Mode)
  0.181415 165.228.94.4 -> 115.70.189.243 IP Fragmented IP protocol (proto=UDP 0x11, off=0)
  0.181417 165.228.94.4 -> 115.70.189.243 ISAKMP Identity Protection (Main Mode)
  0.190797 115.70.189.243 -> 165.228.94.4 ISAKMP Identity Protection (Main Mode)
  0.249522 165.228.94.4 -> 115.70.189.243 ISAKMP Quick Mode
  0.252591 115.70.189.243 -> 165.228.94.4 ISAKMP Quick Mode
  0.283461 165.228.94.4 -> 115.70.189.243 ISAKMP Quick Mode
  0.283462 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
  0.283679 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
  1.284393 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
  1.284578 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
  3.283471 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
  3.283669 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
  7.347466 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
  7.347743 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
 15.287539 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
 15.287705 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
 19.578550 165.228.94.4 -> 115.70.189.243 UDPENCAP
 25.289245 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
 25.289446 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
 35.295989 165.228.94.4 -> 115.70.189.243 ISAKMP Informational
 35.297476 115.70.189.243 -> 165.228.94.4 ISAKMP Informational
 35.301936 165.228.94.4 -> 115.70.189.243 ISAKMP Informational
 35.427432 115.70.189.243 -> 165.228.94.4 ISAKMP Informational

Can someone please point me in the right direction?

Kind regards,
Tom

interfaces:
-               eth1                    tcpflags,nosmurfs,routefilter,logmartians
loc             eth0                    dhcp,routeback,tcpflags,nosmurfs,logmartians
v1015           eth4.1015               routeback,tcpflags,nosmurfs,logmartians
v1031           eth4.1031               tcpflags,nosmurfs,logmartians
motex           eth2                    tcpflags,nosmurfs,logmartians
dmz             eth3                    tcpflags,nosmurfs,logmartians
l2tp            ppp+    -

zones:
fw      firewall
net     ipv4
loc     ipv4
v1015   ipv4
v1031   ipv4
dmz     ipv4
motex   ipv4
roadw   ipsec           mode=tunnel     mss=1400
l2tp    ipv4

tunnels:
ipsecnat                net     0.0.0.0/0                       roadw
l2tp                    roadw   0.0.0.0/0

hosts:
net     eth1:0.0.0.0/0
roadw   eth1:0.0.0.0/0

policy:
loc     net     ACCEPT
loc     v1015   ACCEPT
v1015   loc     ACCEPT
loc     l2tp    ACCEPT          # Allows local machines to connect to road warriors
l2tp    loc     ACCEPT          # Allows road warriors to connect to local machines
l2tp    net     ACCEPT          # Allows road warriors to connect to the internet
v1031   net     ACCEPT
net     v1031   ACCEPT
motex   net     ACCEPT          info
net     motex   ACCEPT
net     all     DROP            info
all     all     REJECT          info

rules:
?SECTION ESTABLISHED
?COMMENT Road Warriors
# prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT)    net                    $FW
REJECT          $FW                     net                     udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          roadw                   $FW                     udp     1701

-- 

Tom Robinson
IT Manager/System Administrator

MoTeC Pty Ltd

121 Merrindale Drive
Croydon South
3136 Victoria
Australia

T: +61 3 9761 5050
F: +61 3 9761 5051   
E: tom.robinson <at> motec.com.au

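An added example (editor's own, not code from the post or from the Shorewall project) of how to read a burst of log entries like the ones above: it condenses Shorewall kernel log lines into one count per chain, action, protocol, source, destination and destination port, so a repeated reject stands out from the rest of the syslog. It assumes the standard "Shorewall:<chain>:<action>:" log prefix followed by the kernel's SRC=/DST=/PROTO=/DPT= fields, with each entry on a single line; the sample log is constructed from the four rejects in the post plus two unrelated lines.

```shell
#!/bin/sh
# Added example, not from the list post: condense Shorewall kernel log lines
# into one count per (chain, action, proto, src, dst, dport) so that a burst
# of rejects is visible at a glance. Assumes the standard Shorewall log prefix
# "Shorewall:<chain>:<action>:" followed by the kernel's SRC=/DST=/PROTO=/DPT=
# fields, each entry on a single line.

summarize_shorewall_log() {
    # $1 = syslog file; output: "<count> <chain> <action> <proto> <src> <dst> <dpt>",
    # most frequent first. Fields missing from an entry (e.g. DPT for ICMP) print as "-".
    awk '
        /Shorewall:/ {
            chain = action = src = dst = proto = dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Shorewall:/) { split($i, p, ":"); chain = p[2]; action = p[3] }
                else if ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DST=/)   dst   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            n[chain " " action " " proto " " src " " dst " " dpt]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample: the four rejects from the post, one unrelated daemon
# line, and one DROP from a different chain to show the grouping.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:55 fw2 xl2tpd[1234]: unrelated daemon message, not a firewall log entry
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:58 fw2 kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=198.51.100.9 DST=115.70.189.243 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
EOF

summarize_shorewall_log "$SAMPLE_LOG"
```

The chain name in the prefix (INPUT here) tells you which Shorewall chain the policy or rule lives in, which is the first thing to check when a packet you expected a rule to accept shows up as REJECT; on a live system run the function over /var/log/messages or wherever the kernel facility is written.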
------------------------------------------------------------------------------