Paolo Prandini | 13 Sep 19:57 2014

How to limit bandwidth hog

I have a question that maybe has a general interest.
Sometimes it happens that a customer has a really fast connection and
can saturate the bandwidth to our email server, maybe just 5 seconds,
but effectively every bit is allocated to this connection, and it is
quite annoying for the other users.
Is it possible to make connections share the available bandwidth in
a fair way?
I mean, the total available bandwidth is 10 Mb/s and if we have only
1 connection it can use all the 10 Mb/s (maybe 90% of them? just to
allow new connections to show up); but if we have 2 connections they
are limited to 5 Mb/s each, and so on.
I studied the various howtos for shorewall bandwidth control, but
I couldn't figure out a solution.
Thanks in advance to everybody for any suggestion!
Paolo

Kenneth Jacker | 13 Sep 19:24 2014

Dynamic DNS Within Shorewall Files

Good day!

I just wanted to check with the list that, in fact, there is no way to
have an IP address change during Shorewall's "run time".

My "params" file currently contains something like this:

     DESKTOP=`dig +short desktop.mynetgear.com`

(I know that Tom discourages using domain names in the Shorewall files.
But for the above to work, I must use NETGEAR's name.  I can't use a
numeric address, because I don't know what it might be!)

Here's what I found in the ML archives:

     *  On Thu, 2003-10-09 at 08:11, niels at wxn.nl wrote:

       > But when the IP adress of this dynamic hostname updates to a
       > new address it doesn't work anymore the only way to let it work
       > with an updated hostname seems to be a "shorewall restart"
       > 
       > Is there any solution to let shorewall update this without
       > having to restart the firewall?
       > 

       No. See http://shorewall.net/configuration_file_basics.htm#dnsnames

       -Tom

I followed the above link.  At first I thought that maybe Shorewall

Tom Eastep | 13 Sep 17:33 2014

Shorewall 4.6.3.3

Shorewall 4.6.3.3 is now available for download.

Problems corrected:

1)  Including a PREROUTING SECTION in the accounting file
    unconditionally resulted in a fatal error:

    ERROR: The PREROUTING SECTION is not allowed when
           ACCOUNTING_TABLE=filter

2)  Previously, the compiler could generate many superfluous rules to
    enforce the 'tcpflags', 'nosmurfs' and 'maclist' interface options.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________


Tom Robinson | 10 Sep 09:45 2014

ERROR: The PREROUTING SECTION is not allowed when ACCOUNTING_TABLE=filter /etc/shorewall/accounting (line 13)

# shorewall version
4.5.20
CentOS 5.10

Hi,

I hope that I'm just being completely blinkered by something and an idiot. Maybe someone can
enlighten me. Please hit me with a clue stick!

I don't understand why, when I've set ACCOUNTING_TABLE=mangle in /etc/shorewall/shorewall.conf:

# grep '^ACCOUNTING_TABLE' /etc/shorewall/shorewall.conf
ACCOUNTING_TABLE=mangle

I get this error when checking shorewall:

# shorewall check
Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Checking /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP

Grant Pasley | 8 Sep 04:45 2014

DNAT on pppoe not working.

good day all

I have shorewall-4.6.3.2 running on CentOS 2.6.32-431.23.3.el6.x86_64. I 
have 2 ethernet interfaces, eth0 and eth1. eth0 is LAN 192.168.65.0/24 
and eth1 is only used for a pppoe ADSL account with dynamic IP address 
from the ISP.
I am trying to forward incoming remote desktop connections to a Windows 
server; the connections are hitting the firewall but not getting as far 
as the Windows server. I have the following info:

vim /etc/shorewall/rules

DNAT            net             loc:192.168.65.2        tcp     3389

shorewall show nat:

Chain net_dnat (1 references)
  pkts bytes target     prot opt in     out     source      destination
     0     0 DNAT       tcp  --  *      *       0.0.0.0/0   0.0.0.0/0           tcp dpt:3389 to:192.168.65.2

tail -f /var/log/messages:

Sep  7 22:41:33 sentinel kernel: Shorewall:xis-fw:ACCEPT:IN=ppp0 OUT= MAC= SRC=120.146.190.53 DST=197.87.29.171 LEN=52 TOS=0x18 PREC=0x00 TTL=99 ID=6044 DF PROTO=TCP SPT=56452 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0

so as per above, connection hits firewall, is accepted, knows to forward 
to windows server, but no traffic being passed on to windows server if 

Paolo Nesti Poggi | 5 Sep 20:20 2014

Re: Changed ISP and DNAT stopped working for external IP addresses

On 05-09-2014 16:37, Wayne S wrote:
> At 9/5/2014 06:29 AM, you wrote:
>> Hi
>> We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet) that has been working flawlessly for years.
>> Now we have changed broadband provider and with it we've got new IP addresses.
>> I've reconfigured shorewall with the new addresses and since then we no longer have functioning DNAT for boxes that are forwarded from IP different from the main IP address.
>>
>> As far as I could see, for doing the provider change we only needed to edit the params (params for main IP and extra IPs) and masq file (main IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf
>>
>> Having done those changes everything works OK, even DNAT from the main IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes forwarded to from other IPs in the address range are not working at all (ssh: connect to host 89.233.14.37 port 22: Connection timed out)
>
> What is in your masq file? and what type of ISP connection do you have? I have fios that uses pppoe and the pppoe link goes through a 10.0.0.0 ip address. Therefore I cannot include 10.0.0.0 in the masq file without causing problems similar to yours.

The masq file is:
#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK
eth0                    10.0.0.0/8,\
                        169.254.0.0/16,\
                        172.16.0.0/12,\
                        192.168.0.0/16  89.233.14.34

That is, we're using our main IP address for everything.

About the connection: it's a fiber connection and at our end there are a media converter and a switch; we connect our NIC to the switch. I don't know the underlying technology.

Could I try having something else in the masq file? I tried removing it but nothing works any longer if I do that.
/paolo

> Wayne S



Paolo Nesti Poggi | 5 Sep 12:29 2014

Changed ISP and DNAT stopped working for external IP addresses

Hi
We use a shorewall 4.4.11.6, with a 3 NIC setup (net - dmz - localnet) 
that has been working flawlessly for years.
Now we have changed broadband provider and with it we've got new IP 
addresses.
I've reconfigured shorewall with the new addresses and since then we no 
longer have functioning DNAT for boxes that are forwarded from IP 
different from the main IP address.

As far as I could see, for doing the provider change we only needed to 
edit the params (params for main IP and extra IPs) and masq file (main 
IP), apart from of course /etc/network/interfaces and /etc/dhcp/dhcpd.conf

Having done those changes everything works OK, even DNAT from the main 
IP to boxes on DMZ or localnet, whilst the DNAT rules for boxes 
forwarded to from other IPs in the address range are not working at all 
(ssh: connect to host 89.233.14.37 port 22: Connection timed out)

I hope you can help me find a way to further troubleshoot this.

I've re-read the section regarding the 3-interface setup: 
http://shorewall.net/three-interface.htm
and the
DNAT troubleshooting http://shorewall.net/FAQ.htm#faq1a and #faq1b

The routes I'm troubleshooting all show 0 packets in the output of 
'shorewall show nat', however the ISP assures me that they are not 
dropping anything (this is a 200Mb/sec symmetric connection).

The output of 'shorewall show nat' for one of the hosts in question is:
      0     0 DNAT       tcp  --  *      *       0.0.0.0/0 89.233.14.37 multiport dports 22,80,443,3690,8000,5001,3306 to:192.168.37.37
      0     0 DNAT       udp  --  *      *       0.0.0.0/0 89.233.14.37 multiport dports 5001,22,3306 to:192.168.37.37

where doing 'ssh 89.233.14.37' from a  host outside of this network 
should connect me to my box on 192.168.37.37 in the local network.
If I set up a Windows PC with static address 89.233.14.37 and connect it 
to the switch of my provider I can ping it from outside, but if I try 
and connect to my box on 192.168.37.37 I only get "Connection timed out".

Do you have any idea of what might be going wrong and/or how I can move 
forward in troubleshooting this issue?

I have attached a dump file.

Many thanks, Paolo

Attachment (shorewall_dump.gz): application/x-gzip, 63 KiB
Tom Eastep | 4 Sep 02:21 2014

Shorewall 4.6.3.2

Shorewall 4.6.3.2 is now available for download.

Problems Corrected:

1)  The shorewall[6]-actions manpages previously contained incorrect
    examples of the usage of table names with builtin actions.

    Incorrect:

	FOOBAR,filter,mangle

    Correct:

	FOOBAR   builtin,filter,mangle

2)  Previously, if /etc/iproute2/rt_tables was not writeable, then
    KEEP_RT_TABLES=No behaved like KEEP_RT_TABLES=Yes. Now, a warning
    message is issued if that file is not writeable and KEEP_RT_TABLES
    is set to No.

      WARNING: /etc/iproute2/rt_tables is missing or is not writeable

3)  In earlier 4.6.3 versions, the help text from shorewall-lite and
    shorewall6-lite included two versions of the 'run' command.

      run <command> [ <parameter> ... ]
      ..
      run <function> [ <parameter> ... ]

    The second one has now been deleted.

New Features:

1)  Eric Teeter has contributed a Citrix Goto Meeting macro.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

PGNd | 3 Sep 06:00 2014

implementing lsm, per 'MultiISP' example, "device=" spec not propagating from lib.private to lsm config include

I'm setting up intfc monitoring using lsm in a 2-intfc MultiISP config.

Following

	http://shorewall.net/MultiISP.html#lsm

I've created 

	cat /lib.private
		...
		start_lsm() {
			killall lsm 2> /dev/null
		cat <<EOF > /usr/local/etc/lsm/shorewall.conf
		connection {
			name=Prov1
			checkip=XX.XX.XX.XX
			device=$EXTIF
			ttl=2
		}
		connection {
			name=Prov1
			checkip=YY.YY.YY.YY
			device=$VPNIF
			ttl=2
		}
		EOF
			rm -f /usr/local/etc/shorewall/*.status
			/usr/local/sbin/lsm \
			 -c /usr/local/etc/lsm/lsm.conf \
			 -p /var/run/lsm/lsm.pid >> /var/log/lsm.log
		}
		...

	/started
		if [ "$COMMAND" = start -o -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
			start_lsm
		fi

	/restored
		if [ -z "$(ps ax | grep 'lsm ' | grep -v 'grep ' )" ]; then
			start_lsm
		fi

After compile/push, 

	/usr/local/etc/lsm/shorewall.conf

is created & populated on the remote.

But, the

	"device="

is empty,

	cat /usr/local/etc/lsm/shorewall.conf
		connection {
			name=Prov1
			checkip=XX.XX.XX.XX
			device=
			ttl=2
		}
		connection {
			name=Prov1
			checkip=YY.YY.YY.YY
			device=
			ttl=2
		}

$EXTIF & $VPNIF are used throughout the fw, elsewhere.  It's not clear why 'device=' is not getting
populated ...  bad config?  

Poring over the multiISP wiki page some more ...
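An added check for the failure mode described above (example code, not the poster's lib.private): the heredoc in start_lsm() expands $EXTIF and $VPNIF at the moment the function runs, so a variable that is unset in that context silently becomes `device=`. The helper names, the interface names and the documentation-range check IPs below are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's lib.private: build lsm connection blocks
# the way the heredoc in start_lsm() does, but refuse to write a config whose
# device= field expanded to nothing. Function names are hypothetical.

# render_connection NAME CHECKIP DEVICE
# Prints one "connection { ... }" block; returns 1 and prints nothing when
# DEVICE is empty (the symptom in the post: the interface variable was not
# set in the context where the script ran).
render_connection() {
    if [ -z "$3" ]; then
        echo "render_connection: empty device for connection '$1'" >&2
        return 1
    fi
    printf 'connection {\n\tname=%s\n\tcheckip=%s\n\tdevice=%s\n\tttl=2\n}\n' \
        "$1" "$2" "$3"
}

# write_lsm_conf FILE NAME1 IP1 DEV1 [NAME2 IP2 DEV2 ...]
# Renders every block into a temp file and only then replaces FILE, so lsm
# never picks up a half-written config or one with an empty device=.
write_lsm_conf() {
    out=$1
    shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    while [ $# -ge 3 ]; do
        if ! render_connection "$1" "$2" "$3" >> "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
        shift 3
    done
    mv "$tmp" "$out"
}

# count_empty_devices FILE
# Prints how many 'device=' lines in FILE carry no value: the check to run on
# the pushed /usr/local/etc/lsm/shorewall.conf before trusting lsm's results.
count_empty_devices() {
    grep -c '^[[:space:]]*device=[[:space:]]*$' "$1" || true
}
```

Running count_empty_devices against the generated file on the remote turns the silent `device=` into a visible failure instead of an lsm that monitors nothing.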

Steve Wray | 3 Sep 03:34 2014

firewalld support?

Hi,
I've been hearing about firewalld and how this will become the default in future releases of Red Hat and therefore CentOS. It's possible it might show up in other places like Ubuntu, maybe even Debian.

https://fedoraproject.org/wiki/FirewallD

Shorewall has been great, we use Puppet and an excellent Shorewall module which makes managing a distributed firewall configuration very easy.

I didn't find anything regarding Shorewall support. Is there any plan to support this?

Thanks!


PGNd | 2 Sep 21:23 2014

please clarify `shorewall run` usage with shorewall{,6}-lite

I've compiled and deployed to a remote instance

	shorewall-lite version
		4.6.3.1

my firewall config includes a number of @lib.private declared functions

they're seen @ the remote instance in the pushed fw script; for example,

	cat /var/lib/shorewall-lite/firewall
		...
		load_ipsets4() {
		        SH="/bin/sh"
		        IPSET="/usr/sbin/ipset"
		...

v4.6.3's new `shorewall run ...` support
(https://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg17241.html) is quite
useful.  In a centrally-managed scheme, the runnable scripts need to be in the context of the remote
instance, i.e., using 'shorewall{,6}-lite' to exec.

fyi, checking on the remote, there are duplicate/different usage docs @ `help`

	shorewall-lite help
		Usage: shorewall-lite [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>
		where <command> is one of:
		...
		   run <command> [ <parameter> ... ]
		...
		   run <function> [ function ... ]
		...

and if I try to exec it

	shorewall-lite run load_ipsets4

I get an odd return

	Usage: /var/lib/shorewall-lite/firewall [ options ] <command>

	<command> is one of:
	   start
	   stop
	   clear
	   disable <interface>
	   down <interface>
	   enable <interface>
	   reset
	   refresh
	   restart
	   status
	   up <interface>
	   version

	Options are:

	   -v and -q        Standard Shorewall verbosity controls
	   -n               Don't update routing configuration
	   -p               Purge Conntrack Table
	   -t               Timestamp progress Messages
	   -V <verbosity>   Set verbosity explicitly
	   -R <file>        Override RESTOREFILE setting

and the function, itself, is not executed

can correct usage be clarified further?  or is it likely a bug?
