PGNd | 20 May 21:39 2015

switching from bridge static -> DMZ'd dynamic IP in multiISP setup -- how to still 'detect' the ISP's GW addr?

With my current ISP I have a static allocation over DSL, setup as

	'net
	 |
	ISP's GW
	 |
	ADSL bridge
	 |
	 | (static IP)
	Router/Firewall: shorewall

I use a MultiISP config, that includes

	/params
		#NAME       #  MARK   DUP  INTC     GW      OPTS           COPY
		 ispStatic  1  0x100  main  EXT_IF  detect  track,balance  INT_IF
		...

With this config, IIUC, the GW == 'detect' populates $SW_ETH0_GATEWAY with the IP addr of "ISP GW".

I'm switching ISP to ATT Uverse, where I'll have a Dynamic IP allocation

	'net
	 |
	ISP's GW
	 |
	 | (dynamic IP)
	Uverse router
	 | (NAT'd DMZ IP == 192.168.4.XXX, "Static" )
	 |

Marius Stan | 20 May 19:11 2015

Dynamic blacklisting a specific port

Hello,

Lately I've been running into a situation that might call for a feature
request:
I'm running fail2ban to ban bot requests to our web and smtp/imap services.
The action for fail2ban is set to shorewall; this way we have all
firewall rules injected from the same interface. All fail2ban does is to
issue shorewall drop/allow [IP] commands.

But: sometimes real clients get banned. Whether they forgot their email
password, or forgot Caps Lock on, doesn't matter.
The thing is, it would be nice if, when banned on smtp for example, they
could still access our site to issue a support request.
So here's the feature request:
Is there a way to add a rule to the dynamic blacklist to drop packets to
only one or, maybe, a few specific ports, and therefore allow the
rest of the traffic?
I've had a look into the sources and it looks like the drop/allow
functions get called in multiple ways, accounting for IP ranges and
maybe more parameters that I'm not aware of.
So to me it's not that trivial to accommodate the desired change. Even
so, all modifications would disappear upon upgrading, which makes things
more difficult to manage.

Thanks,
Marius


OddieX | 20 May 19:10 2015

Hello, I have a problem with Shorewall, RT tables and multiple IP aliases per interface

Hello everybody! I need help with this...


I have 2 ISPs and a DMZ, and I get an error when I do shorewall restart: "ERROR: ip route -4 replace..."

It will be better understood with the config...

/etc/network/interfaces (I have 4 IPs on eth0, all with the same gateway, and one IP on eth1)

auto eth0
iface eth0 inet static
address 201.41.93.210
netmask 255.255.255.248

post-up ip route add 201.41.93.210/32 dev eth0 src 201.41.93.210 table TELEF01
post-up ip route add default via 201.41.93.209 table TELEF01
post-up ip rule add from 201.41.93.210 table TELEF01
post-down ip rule del from 201.41.93.210 table TELEF01

auto eth0:1
iface eth0:1 inet static
address 201.41.93.211
netmask 255.255.255.248
post-up ip route add 201.41.93.211/32 dev eth0:1 src 201.41.93.211 table TELEF02
post-up ip route add default via 201.41.93.209 table TELEF02
post-up ip rule add from 201.41.93.211 table TELEF02
post-down ip rule del from 201.41.93.211 table TELEF02


auto eth0:2
iface eth0:2 inet static
address 201.41.93.212
netmask 255.255.255.248
post-up ip route add 201.41.93.212/32 dev eth0:2 src 201.41.93.212 table TELEF03
post-up ip route add default via 201.41.93.209 table TELEF03
post-up ip rule add from 201.41.93.212 table TELEF03
post-down ip rule del from 201.41.93.212 table TELEF03


auto eth0:3
iface eth0:3 inet static
address 201.41.93.213
netmask 255.255.255.248
post-up ip route add 201.41.93.213/32 dev eth0:3 src 201.41.93.213 table TELEF04
post-up ip route add default via 201.41.93.209 table TELEF04
post-up ip rule add from 201.41.93.213 table TELEF04
post-down ip rule del from 201.41.93.213 table TELEF04

auto eth1
iface eth1 inet static
address 200.41.183.21
netmask 255.255.255.252
post-up ip route add 200.41.183.21 dev eth1 src 200.41.183.21 table IPLAN01
post-up ip route add default via 200.41.183.22 table IPLAN01
post-up ip rule add from 200.41.183.21 table IPLAN01
post-down ip rule del from 200.41.183.21 table IPLAN01


allow-hotplug eth2
iface eth2 inet static
        address 172.16.0.183
        netmask 255.255.255.0
        network 172.16.0.0
        broadcast 172.16.0.255

-------------------------------------
/etc/iproute2/rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
1       TELEF01
2       TELEF02
3       TELEF03
4       TELEF04
5       IPLAN01


-------------------------------------
In shorewall.conf I have: USE_DEFAULT_RT=No
-------------------------------------
/etc/shorewall/providers (Only need balance with TELEF01 and IPLAN01)

#NAME     NUMBER  MARK  DUPLICATE  INTERFACE            GATEWAY        OPTIONS          COPY
TELEF01   1       1     main       eth0:201.41.93.210   201.41.93.209  track,balance=1  eth3
TELEF02   2       2     main       eth0:201.41.93.211   201.41.93.209  track,balance=0  eth3
TELEF03   3       3     main       eth0:201.41.93.212   201.41.93.209  track,balance=0  eth3
TELEF04   4       4     main       eth0:201.41.93.213   201.41.93.209  track,balance=0  eth3
IPLAN01   5       5     main       eth1                 200.41.183.22  track,balance=2  eth3

------------------------------------
/etc/shorewall/interfaces

net     eth0                    tcpflags,nosmurfs,routefilter=1,sourceroute=1
net     eth1                    tcpflags,nosmurfs,routefilter=1,sourceroute=1
dmz     eth2                    tcpflags,nosmurfs,routefilter=1,logmartians,sourceroute=1

---------------------------------------


When I do shorewall start the first time it is all right, but when I later do shorewall restart I get the error:

"ERROR: Command "ip -4 route replace 201.41.93.211 gateway 201.41.93.209"

And... when I need to route some IP via one of the alias IPs, it only routes via 201.41.93.210, even though I put "ip rule add from 172.16.0.35 table TELEF03"; via IPLAN01 it does work. I think it's because something is wrong with the IP alias settings...


Thank you!!!


MarC

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
PGNd | 20 May 18:14 2015

Best practices for dynamic IP tracking/integration with shorewall on linux with widely available tools?

I'm running a border router/firewall, switched from a static IP -> a dynamically changing IP.

I'm interested in best-practice (among many options) for tracking that IP change and pushing it to 'all'
the places that need it -- particularly shorewall.

Sure, it's 'doable' many ways -- I'd like to hear what 'you' use and why.

My OS is

	opensuse/64 v13.2

with these pkgs installed

	shorewall 4.6.9
	ddclient version 3.8.2
	wicked 0.6.18
	systemd 210
	kernel 4.0.4
	iproute2 4.0
	iptables v1.4.21
	bind 9.10.2
	nsupdate 9.10.2

The IP is dynamically assigned from my ISP.

I want to track & detect IP changes, and update the IP address to current/correct value in all the places it's used.

With the collection of pkgs above there are a variety of ways of tracking that IP change: shorewall's "lsm",
wicked's if-up/-down scripts, ddclient, DIY scripts, etc.

My current inclination is to use ddclient's "use=web, web=checkip.dyndns.com" remote IP check,
scheduled for a check every 5-10m.

ddclient then updates services with that new IP, including an nsupdate of a hostname's short-ttl 'A'
record on my bind9 server, which is authoritative for the zone.

This seems to work well enough.

With shorewall in the mix, however, and the need to update it as well, 

(1) Is there any good reason to NOT use ddclient to drive the updates, and use shorewall's "lsm" script instead?

I'm well aware of 'lsm'

	Link Status Monitor (LSM)
	  http://shorewall.net/MultiISP.html#lsm

	LSM - Link Status Monitor
	  http://lsm.foobar.fi/ 

and the claims/admonitions that 

	--	it performs more sophisticated monitoring than the simple SWPING script that preceded it
	--	Like many Open Source products, LSM is poorly documented.   

OTOH ddclient is well documented, and widely available in distros' packaging ...

(2) if ddclient is used, the current IP is passable from within the ddclient.conf as an argument to a
"postscript=" script that can be called to execute on each/any IP change.  What's the correct way to get
that IP value "into" shorewall and usable as a parameter value?  Does shorewall need to be restarted, or can
that data be dynamically pushed into it?

(3) Since shorewall is launched/controlled by systemd, as is the system's wicked network stack, in what
order should

	(a) ddclient detection/push of IP change
	(b) shorewall detection of IP change, or restart 
	(c) wicked if-down, if-up or ip addr change

be done, & should those actions be driven by the tools 'natively', or through systemd's control?

Vieri Di Paola | 20 May 08:22 2015

shorewall tarpit auto-blacklist

Hi,

Can the shorewall rules TARPIT action be used to automatically blacklist all IP addresses that try to connect to the tarpit ports?

Can a custom shell command be triggered/executed whenever there's an "action match" (eg. attacker connects to a port where there's a shorewall TARPIT rule and shorewall launches a custom shell command and passes attacker IP address as argument)? My guess is that it can't because shorewall isn't a service and it's launched only once to set up iptables. Correct?

So, what options do I have to automatically blacklist IP addresses that fall into the tarpit?

Thanks,

Vieri


AleCaste | 17 May 18:55 2015

Shorewall with Suricata in IPS mode

Hello all,

We are using shorewall version 4.5.21.6 and we cannot make the firewall work 
with Suricata IPS (using nfqueue on queue number 0).
If we set the policy (in policy file):

net            $FW    ACCEPT

... then we can see that suricata receives traffic (http requests we are 
sending) and those requests are logged alright.
But if we change the policy to:

net            $FW    NFQUEUE(0)

... then suricata receives no traffic.
We also tried to change the policy to:

net            $FW    DROP

... and then add the rule (in rules file):

NFQUEUE(0)      net    $FW           tcp        http,https

... but this configuration does not work either.
What are we doing wrong?
If there is a "net $FW NFQUEUE(0)" policy or a rule "NFQUEUE(0) net $FW tcp 
http,https"... why is it that http traffic is not being passed to suricata 
on queue 0 as we would expect?

Thanks a lot
Ale 

aleph de | 17 May 15:53 2015

IPv6 rule for DNS service over a Hurricane Electric /tunnelbroker IPv6 tunnel? How do I stop this DROP?

I'm setting up a home router/firewall.

It's running Shorewall-lite & Shorewall6-lite.

I have an IPv6 tunnel provided by Hurricane Electric's tunnelbroker.

I have a VPS with a DNS secondary that needs to communicate with a DNS primary that's on my home DNS primary, over IPv6.

At the moment, my shorewall logs on the home router are showing this DROP

	May 17 06:24:57 yoda kernel: [235522.153692] shorewall:net2fw:DROP IN=sit1 OUT= TUNNEL=H.H.H.H->L.L.L.L SRC=2600:...:1234 DST=2001:...:0100 LEN=72 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=44927 DPT=53 WINDOW=28800 RES=0x00 SYN URGP=0 MARK=0x100

Where

	H.H.H.H is the IPv6 tunnel's IPv4 endpoint @ Hurricane Electric
	L.L.L.L is the IPv6 tunnel's IPv4 endpoint @ my office, i.e. my static IPv4
	2600:...:1234 is the IPv6 address of the DNS secondary server @ the VPS
	2001:...:0100 is the IPv6 address of the DNS primary server @ the office

I don't understand the interfaces involved in that DROP 

	... IN=sit1 OUT=  TUNNEL=H.H.H.H->L.L.L.L SRC=2600:...:1234 DST=2001:...:0100 ...

What specific IPv6 Shorewall rule do I need to create to allow this traffic?
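The DROP line quoted above, the FORWARD:REJECT line in the Shorewall + IPSEC post further down, and Vieri's question about automatically blacklisting addresses that hit a TARPIT rule all come down to the same task: reading Shorewall's kernel log prefix and the netfilter key=value fields that follow it. The Python script below is an added example, not code from any of the posters or from the Shorewall project. It parses lines in Shorewall's default "Shorewall:<chain>:<disposition>:" prefix format (the lowercase "shorewall:net2fw:DROP " variant quoted above is also accepted), spells out what IN= and OUT= say about the packet's path, and counts repeated hits per source so that a batch job could hand addresses to a blacklist with a threshold rather than on a single stray connection. The sample lines are constructed (modelled on the posts, using the posters' own placeholder addresses plus documentation ranges), the TARPIT lines assume that a logged TARPIT rule is recorded with "TARPIT" as its disposition, and the threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample lines modelled on the netfilter log entries quoted in the
# posts; addresses are the posters' placeholders or RFC 5737 documentation ranges.
# The TARPIT lines assume Shorewall's default LOGFORMAT "Shorewall:<chain>:<disposition>:".
SAMPLE_LOG = """\
May 17 06:24:57 yoda kernel: [235522.153692] shorewall:net2fw:DROP IN=sit1 OUT= TUNNEL=H.H.H.H->L.L.L.L SRC=2600:...:1234 DST=2001:...:0100 LEN=72 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=44927 DPT=53 WINDOW=28800 RES=0x00 SYN URGP=0 MARK=0x100
May 11 03:08:40 iqonline-gw kernel: [63836226.948493] Shorewall:FORWARD:REJECT:IN=eth0.10 OUT=eth1 SRC=10.128.3.3 DST=192.168.4.99 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=20461 SEQ=1834 MARK=0x5
May 20 07:00:01 gw kernel: [1.000001] Shorewall:net2fw:TARPIT:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 20 07:00:02 gw kernel: [1.000002] Shorewall:net2fw:TARPIT:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 20 07:00:03 gw kernel: [1.000003] Shorewall:net2fw:TARPIT:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 20 07:00:04 gw kernel: [1.000004] Shorewall:net2fw:TARPIT:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May 20 07:00:05 gw sshd[1234]: Accepted publickey for admin from 192.0.2.5
"""

# syslog timestamp, host, "kernel:", the [uptime] stamp, then the Shorewall prefix.
# The prefix ends in ":" or in a space depending on the LOGFORMAT in use, so both are accepted.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"\[[^\]]*\]\s+[Ss]horewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):?\s*(?P<fields>.*)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line into a flat dict; None if it is not a Shorewall log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "chain", "disposition")}
    flags: List[str] = []
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            rec.setdefault(key, value)  # first occurrence wins: ICMP lines carry two ID= fields
        else:
            flags.append(token)         # bare tokens such as DF or SYN
    rec["FLAGS"] = " ".join(flags)
    return rec


def summarize(rec: Dict[str, str]) -> str:
    """One-line reading of a record.  An empty OUT= means the packet was addressed to
    the firewall itself (INPUT path), which is what a net2fw chain handles; a non-empty
    OUT= is a forwarded packet leaving on that interface."""
    proto = rec.get("PROTO", "?")
    ports = f" dport {rec['DPT']}" if "DPT" in rec else ""
    where = "to the firewall itself" if rec.get("OUT", "") == "" else f"forwarded out {rec['OUT']}"
    return (f"{rec['chain']} {rec['disposition']} on {rec.get('IN', '?')}: "
            f"{proto} {rec.get('SRC', '?')} -> {rec.get('DST', '?')}{ports}, {where}")


def repeat_offenders(lines: Iterable[str], disposition: str = "TARPIT", threshold: int = 3) -> List[str]:
    """Source addresses logged with the given disposition at least `threshold` times.
    This is the batch step a cron job or a fail2ban-style filter would run before
    feeding addresses to the dynamic blacklist; the threshold (an arbitrary choice here)
    keeps one stray connection from blacklisting a legitimate host."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["disposition"] == disposition and "SRC" in rec:
            hits[rec["SRC"]] += 1
    return sorted(src for src, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        parsed = parse_line(raw)
        if parsed:
            print(summarize(parsed))
    print("blacklist candidates:", repeat_offenders(SAMPLE_LOG.splitlines()))
```

For the DROP quoted above the summary reads "net2fw DROP on sit1: TCP 2600:...:1234 -> 2001:...:0100 dport 53, to the firewall itself": the chain name says the packet was evaluated on the net to $FW path, the empty OUT= confirms it was addressed to the router rather than forwarded, and sit1 is the tunnel interface it arrived on. The regex expects the classic "kernel:" syslog layout; lines pulled from journald or a different LOGFORMAT need the prefix pattern adjusted.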

Justin Pryzby | 15 May 21:26 2015

limiting conntrack ctevents

I'm using conntrackd; and wondered if shorewall-conntrack syntax allows
limiting conntrack to only "assured,destroyed" events as described here:
http://conntrack-tools.netfilter.org/manual.html#sync-iptables-filtering

The intent is to reduce CPU use.

I see that's possible using CT:helper:..(...), but it doesn't seem to be possible
without "helper".  Am I wrong?

Thanks,
Justin

Eric Koome | 15 May 00:28 2015

SIP messaging - Masquerading troubles

Hi all,

I have two servers with public and private IP address running a sip proxy on eth0 and asterisk box on eth1.
Each box is running Shorewall 4.5.21. Making calls within a server is fine but I would like the sip proxy to
also use asterisk box on the other machine for load balancing.

However for some reason calls and qualify OPTIONS packets are not being passed over asterisk box to the
other sip proxy based on tcpdump and ngrep. I suspect my masquerade rules are to blame but after countless
tweaking, this is failing me.

Scenario (addresses have been scrambled)
       OPTIONS (qualify=yes)
BOX 1  Asterisk ----------------> Sip Proxy 
10.131.45.56 :5060        178.89.67.12:5060
              OPTIONS
BOX 2 Sip proxy ---------------->  Asterisk
178.89.67.12:5060                    10.131.45.56 :5060

These packets are not being answered with 200 OK.

This is what I have in my configs:
rules
ACCEPT net        $FW                udp            5060  <------- Accept sip requests to sip proxy

Policy
loc     net     ACCEPT
$FW     net     ACCEPT
loc     $FW     ACCEPT
$FW     loc     ACCEPT
net     all     DROP        info
all     all     REJECT      info

masq
BOX 1
INTERFACE:DEST     SOURCE      ADDRESS     PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
#                                           GROUP       DEST
eth0:178.89.67.12   10.131.45.56     -    udp     5060 <------- asterisk to proxy through eth0

BOX 2
INTERFACE:DEST     SOURCE      ADDRESS     PROTO   PORT(S) IPSEC   MARK    USER/   SWITCH  ORIGINAL
#                                           GROUP       DEST
eth1:10.131.45.56  178.89.67.12   -       udp     5060 <-------- proxy to asterisk through eth1

What am I missing?

Eric                            

Mike Walker | 12 May 01:42 2015

Shorewall + IPSEC + Racoon

Machine in question is Debian 5 running 2.6.26-2-amd64.
Shorewall version is 4.0.15
IPSec Tools version is 1:0.7.1-1.3+lenny2
Racoon version is 1:0.7.1-1.3+lenny2

This system is making an IPSec connection with a Watchguard firewall.  If I set a Shorewall policy of "all all ACCEPT" I can pass traffic in both directions through the tunnel.  However, with my current configuration I am able to get traffic to pass from the Watchguard side, but any traffic I try to pass through it ends up Host Unreachable with this line in the Shorewall log...

May 11 03:08:40 iqonline-gw kernel: [63836226.948493] Shorewall:FORWARD:REJECT:IN=eth0.10 OUT=eth1 SRC=10.128.3.3 DST=192.168.4.99 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=20461 SEQ=1834 MARK=0x5

I'm running OpenVPN on the vpn zone, and IPSEC on the sec zone.

My subnet here: 10.128.0.0/9
Watchguard subnet: 192.168.0.0/21
v10 is basically my internal VLAN and ext is all my external VLANs.

HOSTS:
sec             eth1:10.128.0.0/9
vpn             eth1:10.128.0.0/9

INTERFACES:
net     eth1            detect          routefilter,norfc1918,blacklist
v10     eth0.10         detect          routeback
ext     eth0.76         detect          routeback
ext     eth0.230        detect
ext     eth0.231        detect
ext     eth0.232        detect
vpn     tun+

MASQ:
eth1    eth0.10

POLICY:
fw              all             ACCEPT
v10             all             ACCEPT
ext             all             ACCEPT
sec             all             ACCEPT
vpn             all             ACCEPT
net             all             DROP            6
all             all             REJECT          6

RULES:
ACCEPT  net:192.168.0.0/21      all

TUNNELS:
openvpnserver:1194              net     0.0.0.0/0
ipsec                           net     0.0.0.0/0

ZONES:
fw      firewall
sec     ipsec     # I've tried ipv4 here and ipsec in HOSTS
v10     ipv4
net     ipv4
ext     ipv4
vpn     ipv4


Any help would be greatly appreciated, as I've been beating on this for days and Googled myself to insanity.  I've stripped my config down to the bare minimum to eliminate errors but I just can't get her to budge.  Thank you!!!


-Mike Walker

Tom Eastep | 6 May 23:29 2015

Shorewall 4.6.9

The Shorewall Team is pleased to announce the availability of Shorewall
4.6.9.

Problems Corrected:

1)  This release contains defect repair from Shorewall 4.6.8.1 and
    earlier releases.

2)  The means for preventing loading of helper modules has been
    clarified in the documentation.

3)  The SetEvent and ResetEvent actions previously set/reset the event
    even if the packet did not match the other specified columns. This
    has been corrected.

4)  Previously, the 'show capabilities' command was ignoring the
    HELPERS setting. This resulted in unwanted modules being autoloaded
    and, when the -f option was given, an incorrect capabilities file
    was generated.

5)  Previously, when 'wait' was specified for an interface, the
    generated script erroneously checked for required interfaces on all
    commands rather than just start, restart and restore.

New Features:

1)  There is now a TCPMSS Target (TCPMSS_TARGET) capability. Your
    iptables and kernel must support this capability in order to use
    the CLAMPMSS option in shorewall.conf and the 'mss=' option in the
    zones, interfaces and hosts files. This capability was added when
    it was learned that Debian on ARM doesn't provide the feature.

    When using a capabilities file from an earlier release, the
    compiler assumes that this capability is available, since most
    distributions have traditionally provided the capability.

2)  The CLI manpages now state explicitly that 'list' and 'ls' are
    synonyms for 'show' and refer the reader to the description of
    'show'.

3)  The complete syntax of each CLI command is now repeated in the
    detailed description of the command in the man pages.

4)  Tuomo Soini has contributed a QUIC macro.

5)  The JabberSecure macro is now deprecated. Configure Jabber to use
    TLS and use the Jabber macro instead. (Tuomo Soini).

6)  The enable and disable commands now execute more quickly on slow
    hardware.

7)  The CLI programs now support a 'reenable' command. This command is
    logically equivalent to a 'disable' command followed by an 'enable'
    command, with the exception that no error is generated if the
    specified interface or provider is disabled at the time the
    command is given.

Thank you for using Shorewall
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
