PGNd | 30 Sep 16:30 2014

is SW build's PERLLIBDIR config exported for all (s)bin instances?

When PERLLIBDIR=/path/to/sw-perl-mods/ is configured for a SW build, the install's perl5 mods are
installed, as expected, in "/path/to/sw-perl-mods/".

If PERLLIBDIR is NOT in the installed perl's @INC, it can be trivially added to @INC's head in global ENV with

	~/.bashrc
+		export PERL5LIB="/path/to/sw-perl-mods/"

or, limited to context of SW's (s)bins by prepending SW commands

	PERL5LIB="/path/to/sw-perl-mods/" shorewall ...

IIUC, neither may be necessary.

Looking at

	./share/shorewall/lib.cli-std 
		...
		if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
		$PERL $debugflags $pc $options $@
		else
		PERL5LIB=${PERLLIBDIR}
		export PERL5LIB
		$PERL $debugflags $pc $options $@
		fi
		...

that stanza appears to functionally prepend all user-land exec of SW (s)bins with
PERL5LIB=${PERLLIBDIR}, the perl-mod dir-path config'd at build time.


robyr6@gmail.com | 30 Sep 10:32 2014

problem with mangle table

Hi all,
I'm new to this list so "hi! and thanks for any support you can give me :)".

I'm experiencing a problem with packet mangling (I think). In my configuration there are 2 providers, balanced in this way:

prov1  1    1    -        eth0        x.x.x.x    track,balance    -
prov2   2    2    -        eth2        y.y.y.y    track,balance    -

All is working: the packets are put out of the interfaces in a round-robin-like fashion.

But now my customer wants an FTP service behind the firewall to be exposed only through prov1, so I decided to act in this way:

rules file:
DNAT    net    loc:x.x.x.211    tcp    20    -    ip_pub_on_provider_1
DNAT    net    loc:x.x.x.211    tcp    21    -    ip_pub_on_provider_1

mangle file:
MARK(1):P          x.x.x.211/32 0.0.0.0/0      all


But the connections are not always going out on eth0; sometimes they go out on eth2.

Can you help me with this problem? I suppose it is a mangle problem.

Regards,
roby
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
PGNd | 29 Sep 17:01 2014

how to build-time modify build46 script's host-specific rpm install target-locations?

Sourcing shorewall-git (commit 0ac97c4) on openSUSE 13.1.

Using SW's UNMODIFIED upstream ./release/*.specs in building rpms

Building rpms with

	cd ./release
	setversion 4.6.4.git_0ac97c4
	git commit -a -m "working"
	cd ../
	/usr/local/src/shorewall-build/tools/build/build46 -tr -cil6Ls 4.6.4.git_0ac97c4
		...
		Shorewall 4.6.4.git_0ac97c4 Build complete - Mon Sep 29 06:10:15 PDT 2014
	ls -al *rpm
		-rw-r--r-- 1 root root 535K Sep 29 06:10 shorewall-4.6.4-git_0ac97c4.noarch.rpm
		-rw-r--r-- 1 root root 292K Sep 29 06:10 shorewall6-4.6.4-git_0ac97c4.noarch.rpm
		-rw-r--r-- 1 root root  54K Sep 29 06:10 shorewall6-lite-4.6.4-git_0ac97c4.noarch.rpm
		-rw-r--r-- 1 root root  54K Sep 29 06:10 shorewall-core-4.6.4-git_0ac97c4.noarch.rpm
		-rw-r--r-- 1 root root  41K Sep 29 06:10 shorewall-init-4.6.4-git_0ac97c4.noarch.rpm
		-rw-r--r-- 1 root root  55K Sep 29 06:10 shorewall-lite-4.6.4-git_0ac97c4.noarch.rpm

Note that the rpms' install targets for the sbins are

	rpm -qlp *rpm | grep sbin
		/sbin/shorewall
		/sbin/shorewall6
		/sbin/shorewall6-lite
		/sbin/shorewall-lite

The build process' location vendor/host-specific rc for == 'suse' appears to be sourced from

	cat ./code/Shorewall-core/shorewallrc.suse
		#
		# SuSE Shorewall 4.5 rc file
		#
		BUILD=                                                #Default is to detect the build system
		HOST=suse
		...

It contains var defs that are incorrect for host == suse. In particular, looking at

	PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
	SBINDIR=/sbin                                         #Directory where system administration programs are installed

'Somewhere' in SW's upstream build46 process, one's corrected (PERLLIBDIR), the other's not (SBINDIR),
and propagated to the resulting, built rpms' install targets, e.g.

	rpm -qlp shorewall-4*rpm | egrep "sbin|perl" | sort -r | tail -n 2
		/usr/lib/perl5/vendor_perl/5.18.1/Shorewall/Accounting.pm
		/sbin/shorewall

openSUSE project's release-up-to-date, downstream packaging .spec

	https://build.opensuse.org/package/view_file/security:netfilter/shorewall/shorewall.spec?expand=1

corrects these values with a ./configure stanza under %install; I assume that's considered to be
'correct' config for host == suse.

Its built rpms' install targets include

	rpm -qlp ./shorewall-4.6.3.4-157.1.noarch.rpm | egrep "sbin|perl" | sort
		/usr/lib/perl5/vendor_perl/5.18.1/Shorewall
		/usr/lib/perl5/vendor_perl/5.18.1/Shorewall/Accounting.pm
		...
		/usr/sbin/rcshorewall
		/usr/sbin/shorewall

Attempting to correct them for builds using SW's upstream build process, using included .specs,
exporting corrected PERLLIBDIR, SBINDIR, etc. ENV vars prior to build46 exec has no effect on outcome;
still "/sbin/..."

OTOH, manually correcting, pre-build

	perl -pi -e \
	 's|^.*(PERLLIBDIR=).*|${1}\${PREFIX}/lib/perl5/vendor_perl/5.18.1|g; \
	  s|^.*(SBINDIR=).*|${1}/usr/sbin|' \
	./code/Shorewall-core/shorewallrc.suse
	git commit -a -m "fix rc"
	...
	./build46 ...

causes the build to fail

	...
	Building shorewall-core-4.6.4-git_0ac97c4.noarch.rpm...
	Building shorewall-4.6.4-git_0ac97c4.noarch.rpm...
	Step "do_rpmbuild -ba /usr/src/packages//SPECS/shorewall.spec" FAILED

checking the manual step

	rpmbuild -ba /usr/src/packages//SPECS/shorewall.spec
		...
		Shorewall Version 4.6.4.git_0ac97c4 Installed
		+ /usr/lib/rpm/brp-compress
		+ /usr/lib/rpm/brp-suse
		calling /usr/lib/rpm/brp-suse.d/brp-99-pesign
		Processing files: shorewall-4.6.4-git_0ac97c4.noarch
!!		error: File not found: /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/sbin/shorewall
		Executing(%doc): /bin/sh -e /var/tmp/rpm-tmp.qI45DA
		+ umask 022
		+ cd /usr/src/packages/BUILD
		+ cd shorewall-4.6.4
		+ DOCDIR=/usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ export DOCDIR
		+ /usr/bin/mkdir -p /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ cp -pr COPYING /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ cp -pr INSTALL /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ cp -pr changelog.txt /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ cp -pr releasenotes.txt /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ cp -pr Contrib/ipsecvpn Contrib/swping Contrib/swping.init Contrib/tunnel /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ cp -pr Samples /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/usr/share/doc/packages/shorewall
		+ exit 0

		RPM build errors:
		    bogus date in %changelog: Tue Oct 03 2007 Tom Eastep tom@shorewall.net
		    bogus date in %changelog: Thu Mar 24 2007 Tom Eastep tom@shorewall.net
		    File not found: /usr/src/packages/BUILDROOT/shorewall-4.6.4-git_0ac97c4.x86_64/sbin/shorewall

What's the appropriate method for passing corrected/reconfigured vendor/host-specific values to the
SW build46 script?

Goal here is to get to a clean/correct host-specific, build46 process from upstream sources.
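The rpmbuild failure quoted above is what a mismatch between the rc's SBINDIR and the spec's hard-coded %files paths looks like after the fact. The following is an added example, not part of this post and not Shorewall's build46 or its specs: a pre-build check that every sbin path listed in a spec's %files section sits under the SBINDIR configured in the shorewallrc. The function names are mine, and the rc and spec excerpts are constructed samples patterned on the paths quoted in the post.

```shell
#!/bin/sh
# Added example, not Shorewall's build46 or its specs: before running rpmbuild,
# confirm that the absolute sbin paths listed in a spec's %files section live
# under the SBINDIR set in the vendor shorewallrc. A mismatch is what produces
# "File not found: .../sbin/shorewall" at the "Processing files" stage.

# Print the value of NAME=... from a shorewallrc-style file ($1 = file,
# $2 = name), dropping any trailing "#comment" and whitespace. Values are
# printed unexpanded, so ${PREFIX} stays literal.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Print every whitespace-separated token containing "sbin/" that appears in a
# %files section of spec file $1. A %files section ends at the next spec section.
spec_sbin_paths() {
    awk '/^%files/ { infiles = 1; next }
         /^%(changelog|pre|post|build|install|clean|package|description)/ { infiles = 0 }
         infiles { for (i = 1; i <= NF; i++) if ($i ~ /sbin\//) print $i }' "$1"
}

# Return 0 when every sbin path in spec $2 is under SBINDIR from rc $1,
# 1 when at least one is not (each mismatch is printed), 2 when SBINDIR is unset.
check_sbindir() {
    rc_file=$1
    spec_file=$2
    sbindir=$(rc_value "$rc_file" SBINDIR)
    [ -n "$sbindir" ] || { echo "SBINDIR not set in $rc_file" >&2; return 2; }
    status=0
    for p in $(spec_sbin_paths "$spec_file"); do
        case "$p" in
            "$sbindir"/*) ;;
            *) echo "MISMATCH: $p is not under SBINDIR=$sbindir"; status=1 ;;
        esac
    done
    return $status
}

# Constructed samples (not the real shorewallrc.suse or shorewall.spec):
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/shorewallrc.suse" <<'EOF'
HOST=suse
PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.18.1     #Directory to install Shorewall Perl module directory
SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
EOF

# %files still hard-codes /sbin, the shape the rpmbuild error points at.
cat > "$SAMPLE_DIR/shorewall.spec" <<'EOF'
%install
make install
%files
%defattr(0644,root,root,0755)
%attr(0755,root,root) /sbin/shorewall
%attr(0755,root,root) /usr/share/shorewall/wait4ifup
%changelog
* Mon Jan 06 2014 Example Packager packager@example.invalid
EOF

# Same spec with %files brought in line with SBINDIR=/usr/sbin.
sed 's|^%attr(0755,root,root) /sbin/shorewall$|%attr(0755,root,root) /usr/sbin/shorewall|' \
    "$SAMPLE_DIR/shorewall.spec" > "$SAMPLE_DIR/shorewall-fixed.spec"

for s in shorewall.spec shorewall-fixed.spec; do
    if check_sbindir "$SAMPLE_DIR/shorewallrc.suse" "$SAMPLE_DIR/$s"; then
        echo "$s: %files agrees with SBINDIR"
    else
        echo "$s: fix %files (or SBINDIR) before rpmbuild"
    fi
done
```

Running this against the real ./code/Shorewall-core/shorewallrc.suse and ./release/shorewall.spec before build46 turns the late "File not found" into an early, specific message naming the offending %files line.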

------------------------------------------------------------------------------
Slashdot TV.  Videos for Nerds.  Stuff that Matters.
http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
PGNd | 27 Sep 20:39 2014

SW git/head build script (makeshorewall/build46) ignoring specified version, looks for / fails to find "4.6.4" tarball

Building SW from git/HEAD sources

when I exec a 

	touch shorewall-pkg.config
	SW_BUILD="/usr/local/src/shorewall-build/tools/build/build46"
	SW_BUILD_OPTS="-tr -cil6Ls"
	${SW_BUILD} ${SW_BUILD_OPTS} 4.6.X.X

fails at

	...
	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall-core-4.6.X.X.tgz...
	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall-4.6.X.X.tgz...
	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall6-4.6.X.X.tgz...
	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall-lite-4.6.X.X.tgz...
	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall-init-4.6.X.X.tgz...
	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall6-lite-4.6.X.X.tgz...
	Building shorewall-core-4.6.X-X.noarch.rpm...
	Step "do_rpmbuild -ba /usr/src/packages/SPECS/shorewall-core.spec" FAILED

checking

	cat $SW_BUILD
		...
		do_rpmbuild() {
		    RPM=yes rpmbuild --target noarch-linux $@ >> $LOGFILE 2>&1
		}
		...

testing

	rpmbuild --target noarch-linux -ba /usr/src/packages/SPECS/shorewall-core.spec

returns

	Building target platforms: noarch-linux
	Building for target noarch-linux
	error: File /usr/src/packages/SOURCES/shorewall-core-4.6.4.tgz: No such file or directory

Note above it reported

	Creating /usr/local/src/shorewall-build/BUILD/HEAD/shorewall-core-4.6.X.X.tgz...

but it's complaining about

	.../shorewall-core-4.6.4.tgz

being missing.

Shouldn't the build script search for the *specified* version's tarball?

PGNd | 26 Sep 22:26 2014

export list of dynamic blacklist items?

I'm working on my firewall atm, tearing it down, restarting it, etc.

I also happen to be getting 'pestered' at a couple of my IPs during the process.

`shorewall drop` is, of course, very handy.

On SW restart, though, I lose the blocks on the dropped IPs.

What's the mechanism for capturing the complete list of current SW blacklisted items?  I'd like to grab it,
placing it in a persistent IPSET at SW stop, then reload at SW start.

I _thought_ I'd read that the dynamic blacklist IS in an IPSET, but a quick check of `ipset -L` doesn't
display it ...

Vincent Ng | 26 Sep 06:56 2014

Shorewall Allow IPSec traffic

Dear All,

I have a question here: may I know how to configure Shorewall when I need to allow dynamic road warriors to connect to my office using IPSec?

--

Best Regards,

Vincent Ng


PGNd | 24 Sep 18:14 2014

troubleshooting SW v4.6.3.4 interface failures during boot sequence?

I'm (still) trying to troubleshoot SW + interface behavior on boot/startup.  The boot process reports
failures on interface checks, which resolve 'automagically' after boot's completed.

Looking at my system's boot log

	journalctl -xb | awk '/vpn/ || /shorewall/ || ((/ifup/ || /ifdown/ || /service/)  && (/eth0/ || /tun1/))'

		Sep 24 08:02:07 fw shorewall-init[935]: Initializing "Shorewall-based firewalls": Stopping Shorewall Lite....
		Sep 24 08:02:08 fw shorewall-init[935]: done.
		Sep 24 08:02:08 fw shorewall-init[935]: Stopping Shorewall6 Lite....
		Sep 24 08:02:08 fw shorewall-init[935]: done.

... shorewall-init has done its thing,

		Sep 24 08:02:09 fw systemd[1]: Starting ifup managed network interface eth0...
		-- Subject: Unit network@eth0.service has begun with start-up
		-- Unit network@eth0.service has begun starting up.
		Sep 24 08:02:10 fw ifup[1682]: eth0      device: Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller (rev 06)
		Sep 24 08:02:26 fw systemd[1]: Started ifup managed network interface eth0.
		-- Subject: Unit network@eth0.service has finished start-up
		-- Unit network@eth0.service has finished starting up.

... the external interface, eth0, is up,

		Sep 24 08:02:58 fw systemd[1]: Starting ifup managed network interface tun1...
		-- Subject: Unit network@tun1.service has begun with start-up
		-- Unit network@tun1.service has begun starting up.
		Sep 24 08:02:58 fw ifup[3146]: tun1
		Sep 24 08:02:58 fw ifup[3213]: tun1
		Sep 24 08:02:58 fw ifup[3146]: tun1      Set 'tun1' persistent and owned by uid 499 gid 499

... the vpn tunnel interface, tun1, is up,

		-- Subject: Unit openvpn.service has begun with start-up
		-- Unit openvpn.service has begun starting up.
		-- Subject: Unit openvpn.service has finished start-up
		-- Unit openvpn.service has finished starting up.

... the openvpn.service is up,

next, shorewall-lite starts

		Sep 24 08:03:13 fw systemd[1]: Starting shorewall-lite...
		-- Subject: Unit shorewall-lite.service has begun with start-up
		-- Unit shorewall-lite.service has begun starting up.
		Sep 24 08:03:13 fw shorewall-lite[3450]: Starting Shorewall Lite....

... but fails to ping the 1st provider's interface, eth0,

		Sep 24 08:03:14 fw shorewall-lite[3450]: BAD ping @ INTFC=eth0
		Sep 24 08:03:14 fw shorewall-lite[3450]: Initializing...
		Sep 24 08:03:15 fw shorewall-lite[3450]: Processing init user exit ...
		Sep 24 08:03:16 fw shorewall-lite[3450]: Processing tcclear user exit ...
		Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Route Filtering...
		Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Martian Logging...
		Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Accept Source Routing...
		Sep 24 08:03:16 fw shorewall-lite[3450]: Setting up Proxy ARP...
		Sep 24 08:03:16 fw shorewall-lite[3450]: Adding Providers...
		Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface eth0 is not usable -- Provider prov1 (1) not Started
		Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: Interface tun1 is not usable -- Provider prov2 (2) not Started
		Sep 24 08:03:17 fw shorewall-lite[3450]: WARNING: No Default route added (all 'balance' providers are down)
		Sep 24 08:03:17 fw shorewall-lite[3450]: NOTICE: Default route restored
		Sep 24 08:03:17 fw shorewall-lite[3450]: Preparing iptables-restore input...
		Sep 24 08:03:17 fw shorewall-lite[3450]: Running /usr/sbin/iptables-restore...
		Sep 24 08:03:17 fw shorewall-lite[3450]: IPv4 Forwarding Enabled
		Sep 24 08:03:17 fw shorewall-lite[3450]: Processing start user exit ...
		Sep 24 08:03:17 fw shorewall-lite[3450]: Processing started user exit ...
		Sep 24 08:03:17 fw shorewall-lite[3450]: done.
		-- Subject: Unit shorewall-lite.target has begun with start-up
		-- Unit shorewall-lite.target has begun starting up.

... shorewall-lite never announces that it "has finished starting up."

Shorewall6-lite begins startup,

		Sep 24 08:03:17 fw systemd[1]: Starting shorewall6-lite...
		-- Subject: Unit shorewall6-lite.service has begun with start-up
		-- Unit shorewall6-lite.service has begun starting up.
		Sep 24 08:03:17 fw shorewall6-lite[3819]: Starting Shorewall6 Lite....
		Sep 24 08:03:17 fw shorewall6-lite[3819]: Initializing...
		Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing init user exit ...
		Sep 24 08:03:17 fw shorewall6-lite[3819]: Processing tcclear user exit ...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up Proxy NDP...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: Preparing ip6tables-restore input...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: Running /usr/sbin/ip6tables-restore...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: IPv6 Forwarding Enabled
		Sep 24 08:03:18 fw shorewall6-lite[3819]: Setting up IPv6 Interface Forwarding...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing start user exit ...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: Processing started user exit ...
		Sep 24 08:03:18 fw shorewall6-lite[3819]: done.
		-- Subject: Unit shorewall6-lite.target has begun with start-up
		-- Unit shorewall6-lite.target has begun starting up.
		-- Subject: Unit shorewall6-lite.target has finished start-up
		-- Unit shorewall6-lite.target has finished starting up.

and finishes successfully.

But, immediately AFTER boot's complete, at shell, both ping to the 'net via eth0,

	ping 8.8.8.8 -c1
		PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
		64 bytes from 8.8.8.8: icmp_seq=1 ttl=48 time=61.6 ms
		
		--- 8.8.8.8 ping statistics ---
		1 packets transmitted, 1 received, 0% packet loss, time 0ms
		rtt min/avg/max/mdev = 61.663/61.663/61.663/0.000 ms

and ping to the other side of the vpn, via tun1,

	ping 192.168.0.10 -c1
		PING 192.168.0.10 (192.168.0.10) 56(84) bytes of data.
		64 bytes from 192.168.0.10: icmp_seq=1 ttl=64 time=45.8 ms
		
		--- 192.168.0.10 ping statistics ---
		1 packets transmitted, 1 received, 0% packet loss, time 0ms
		rtt min/avg/max/mdev = 45.833/45.833/45.833/0.000 ms

work correctly, and SW status shows,

	shorewall-lite status
		Shorewall Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:25 PDT 2014

		Shorewall Lite is running
		State:Started (Wed Sep 24 08:03:17 PDT 2014) from /usr/local/etc/shorewall/IPv4/ (/var/lib/shorewall-lite/firewall compiled by Shorewall version 4.6.3.4)

	shorewall6-lite status
		Shorewall6 Lite-4.6.3.4 Status at fw - Wed Sep 24 09:03:43 PDT 2014

		Shorewall6 Lite is running
		State:Started (Wed Sep 24 08:03:18 PDT 2014) from /usr/local/etc/shorewall/IPv6/ (/var/lib/shorewall6-lite/firewall compiled by Shorewall version 4.6.3.4)

that both SW4 & SW6 are up & running.

The progress/state DURING boot, and AFTER boot are not consistent.  I do not understand why the
interfaces are up, SW seems to fail, then ends up working anyway.

What do I check to find/fix the SW startup fail on interfaces DURING boot?

Hristo Benev | 24 Sep 16:17 2014

Shorewall stable contains 4.6.4-beta1

shorewall-4.6.4-beta1 does not contain any files.

I did try to sync manually but no updates.

Hope it is just a typo in a script somewhere.

Thanks

Hristo

James Andrewartha | 24 Sep 10:13 2014

Shorewall iptrace not working

Hi,

I'm running Shorewall 4.6.2.2 on Debian 7.6 (wheezy) with Linux
3.2.60-1+deb7u3, and shorewall iptrace doesn't work - no output appears
in the kernel log. It wasn't working back when I was running 4.5.5.3
(the version shipped with wheezy) which is one reason I upgraded. IIRC
it did work for a day or two after I last rebooted. The TRACE entry does
show up in the raw table.

I realise it's probably more of a kernel issue, but I thought I'd ask
here first and see if anyone had any suggestions for what I could
investigate. It's also coming up to school holidays so I can perform
some more in-depth debugging if necessary.

http://pastebin.com/Uc4Vc4H6 has shorewall version and ip (addr|route)
show per the support guide. The system is the core firewall, it used to
run quagga too but I moved that off to another system after upgrading to
4.6.2.2 as I was still having problems even after adding nohostroute in
shorewall-providers.

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

Dik .... | 23 Sep 17:12 2014

kernel: Can't find ip_set type hash:ip

Running Shorewall on Proxmox 3.3 (Debian 7). Proxmox native firewall disabled. This machine has been
running for >1yr with no reboot. This problem has only happened in the last week.

When I run /sbin/shorewall restart it hangs at :

 # /sbin/shorewall restart
Compiling...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...

I have to ctrl-c three times to get it to continue. Each time I get the following in /var/log/messages
before it completes.

kernel: Can't find ip_set type hash:ip

/var/log/messages finally reads :

kernel: Can't find ip_set type hash:ip
kernel: Can't find ip_set type hash:ip
kernel: Can't find ip_set type hash:ip
root: Shorewall restarted

The rules already in place aren't affected, but I can't add or remove anything.

------------------------------------------------------------
#/sbin/shorewall version
4.5.5.3

#ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:60:6e:6e:60:b2 brd ff:ff:ff:ff:ff:ff
    inet 4XX.XXX.XXX.XXX/32 brd 4XX.XXX.XXX.XXX scope global eth0:2
    inet 1XX.XXX.XXX.XXX/24 brd 1XX.XXX.XXX.255 scope global eth0
    inet 2XX.XXX.XXX.XXX/32 brd 2XX.XXX.XXX.XXX scope global eth0:0
    inet 3XX.XXX.XXX.XXX/32 brd 3XX.XXX.XXX.XXX scope global eth0:1
4: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/void
9: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/8 brd 10.255.255.255 scope global vmbr0

#ip route show
10.0.0.101 dev venet0  scope link
10.5.5.5 dev venet0  scope link
10.0.0.130 dev venet0  scope link
10.3.3.3 dev venet0  scope link
10.0.0.110 dev venet0  scope link
10.0.1.1 dev venet0  scope link
10.0.0.104 dev venet0  scope link
10.0.1.2 dev venet0  scope link
1XX.XXX.XXX.0/24 dev eth0  proto kernel  scope link  src 1XX.XXX.XXX.XXX
10.0.0.0/8 dev vmbr0  proto kernel  scope link  src 10.0.0.1
default via 1XX.XXX.XXX.254 dev eth0
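The kernel logs "Can't find ip_set type <type>" when the module implementing that set type cannot be found or loaded, so a first thing to check is whether the module file for that type exists in the module tree of the running kernel. The following is an added example, not part of this post and not Shorewall code: a type-name-to-module mapping and a lookup that can be pointed at any module tree. The function names are mine, the module naming follows the upstream ip_set_<method><types> convention (hash:ip is ip_set_hash_ip, hash:net,port is ip_set_hash_netport), and the kernel releases and module trees in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the post and not Shorewall code: check whether the
# kernel module implementing an ipset type exists for a given kernel release.
# Module names follow the upstream pattern ip_set_<method>_<types with commas
# removed>: hash:ip -> ip_set_hash_ip, hash:net,port -> ip_set_hash_netport,
# bitmap:ip -> ip_set_bitmap_ip. Kernel releases and module trees used below
# are constructed for the demo.

# Map an ipset type name ($1) to its kernel module name.
ipset_type_module() {
    printf 'ip_set_%s\n' "$(printf '%s' "$1" | tr -d ',' | tr ':' '_')"
}

# Return 0 and print the module path when <module>.ko (or a compressed .ko.*)
# for type $1 exists under $3/$2 ($2 = kernel release, $3 = modules root,
# default /lib/modules); 1 when the tree exists but lacks the module; 2 when
# there is no module tree for that kernel release at all.
ipset_module_available() {
    mod=$(ipset_type_module "$1")
    root=${3:-/lib/modules}
    [ -d "$root/$2" ] || { echo "no module tree for kernel $2 under $root" >&2; return 2; }
    found=$(find "$root/$2" -name "$mod.ko*" 2>/dev/null | head -n 1)
    [ -n "$found" ] && echo "$found"
}

# Constructed module trees for two hypothetical kernel releases: one ships the
# hash:ip module, the other only hash:net.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/2.6.32-demo/kernel/net/netfilter/ipset" \
         "$SAMPLE_ROOT/3.10.0-demo/kernel/net/netfilter/ipset"
: > "$SAMPLE_ROOT/2.6.32-demo/kernel/net/netfilter/ipset/ip_set_hash_ip.ko"
: > "$SAMPLE_ROOT/3.10.0-demo/kernel/net/netfilter/ipset/ip_set_hash_net.ko"

for rel in 2.6.32-demo 3.10.0-demo; do
    if ipset_module_available hash:ip "$rel" "$SAMPLE_ROOT"; then
        echo "$rel: hash:ip type module present"
    else
        echo "$rel: hash:ip type module missing, so 'Can't find ip_set type hash:ip' is what the kernel would log"
    fi
done

# Against the live system (reads /lib/modules/$(uname -r)):
ipset_module_available hash:ip "$(uname -r)" || echo "hash:ip module not found for running kernel $(uname -r)"
```

If the live check reports the module missing for `uname -r`, compare that release with the module directories actually present under /lib/modules; `ipset -L` and the rules that still work tell you only about sets loaded before the problem began, not whether new ones can be created now.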
jonetsu@teksavvy.com | 23 Sep 02:59 2014

Using TC in both IPv4 and IPv6

Hello,

  For advanced TC, only tcrules can be different regarding IPv4/IPv6
because tcrules can contain IP addresses.  So far, what I observed is
that an IPv6 rule must be processed by shorewall6.  Which would make
sense.  What I'm not sure about though, is that the 'IPv6 Support' says
that when using TC with both, that one side must be disabled by having
TC_ENABLED=No and TC_CLEAR=No in that side.

  So if there are both IPv4 and IPv6 tcrules used, does this mean that,
for instance, the IPv6 side is disabled and then shorewall AND
shorewall6 are run and the IPv6 tcrules will be processed even though it
is marked disabled in shorewall6.conf?  As you see, I'm not sure how
it goes.  Any help much appreciated.

Thanks.
