Christian Rößner | 6 Apr 22:59 2014

How to detect RTP traffic

Hi,

I am looking for a way to detect RTP traffic. Currently I asked some SIP providers to tell me their networks
and set up some rules in tcrules. But I would like a more generic version, where I am provider independent.

My router is a border router and connects PPPoE customers with the internet. What I want to achieve is to
detect SIP/RTP and do QoS/DSCP on these packets.

The default policy is to allow traffic between WAN and PPPoE and vice versa. All public IPs. No NATing.

This is how I currently do it:

/params:
DWNET=193.239.104.0/22
SIPGATE1=217.10.64.0/20
SIPGATE2=217.116.117.0/24
SIPGATE3=212.9.32.0/19
EASYBELL=212.172.97.112/28

/tcrules:
COMMENT Copy connmark to packet mark
RESTORE/0x00FF:T \
		-		-		all
COMMENT VoIP SIP
DSCP(CS3):T	-		-		udp	5060:5076 \
								-	-	0x1
DSCP(CS3):T	-		-		udp	-	5060:5076 \
									-	0x1
CONTINUE:T	-		-		udp	5060:5076 \
								-	-	0x1

Bruno Friedmann | 3 Apr 15:00 2014

Help with configuration bridge/kvm vnet host

Dear shorewall users, I'm at a point I need a bit of help on the following configuration

A main host directly connected to the internet with one physical interface (eth0) uses a bridge.
I've set up libvirtd/qemu-kvm on it with one vhost using br0/vnet0.

The vm has also a public ipv4 address (see k* config in zip)

I've been using shorewall for a long time now, in 3-interface or 1-interface mode, for years.
But even after digging in the documentation, ML archives or Google, it seems I'm missing something.

Can a hawk-eyed expert have a look and give me feedback about what I've built (but which does not work as expected)?

Summary of what should be working:
pub/net should only be allowed on specific protocols to fw (main host) or dmz (the vm)
fw and dmz have free access out to the internet.

I've certainly lost myself in the different approaches, and finally chose the wrong one.

At the end I will also have ipv6 (but should be able to adapt the v4 to v6)

Thanks for any pointers or advice you could offer.

[1] zipped file with configuration, ip information & shorewall dump 
obione is the main host, k is the kvm guest
https://dl.dropboxusercontent.com/u/13333867/obione-k.shorewall.zip
-- 
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch


İlker Aktuna | 2 Apr 21:39 2014

Re: multi ISP - port based routing

From: Lee Brown [mailto:leeb <at> ratnaling.org]
Sent: Wednesday, April 02, 2014 12:49 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] multi ISP - port based routing

On Tue, Apr 1, 2014 at 2:25 PM, İlker Aktuna <ilkera <at> kobiline.com> wrote:

Yes. In fact, that's my real problem.
When I try to connect to my SIP proxy (Asterisk) from internet, I come from ppp0 address.
However, Asterisk decides to reply with ppp1 address sometimes. And then I can not register, because my sip client does not accept the reply from ppp1 address.



-----Original Message-----
From: Tom Eastep [mailto:teastep <at> shorewall.net]
Sent: Tuesday, April 01, 2014 10:33 PM
To: shorewall-users <at> lists.sourceforge.net
Subject: Re: [Shorewall-users] multi ISP - port based routing

On 4/1/2014 12:18 PM, İlker Aktuna wrote:
> Exactly; the packet going out from wrong interface (ppp1) also has  wrong IP address (ppp1).
>

Even if the connection was from the net and entered on ppp0?

Try ensuring the following two modules are disabled.  For me if they are enabled, it breaks SIP.  I see I have this disabled on both the firewall machine and the asterisk machine (CentOS5, 2.6.18-348.18.1.el5 kernel)

# grep sip /etc/modprobe.d/blacklist.conf

install ip_nat_sip /bin/false

install ip_conntrack_sip /bin/false

Does that really help with my problem?

I don't see them in my "lsmod" output. So they are already disabled??

------------------------------------------------------------------------------
I.S.C. William | 1 Apr 18:42 2014

Shorewall 4.5.21 for amd64?

When will Shorewall 4.5.21 be available for the amd64 platform?

On my server I have shorewall 4.5.5.3, and there is no update.

Looking at this list, it is not available ...

Thanks!!
------------------------------------------------------------------------------
JC Putter | 1 Apr 12:14 2014

shorewall rpm's

Hi

What is the difference between the standard RPMs and the RPMs
provided here:
http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-6/noarch/

I am using CentOS 6.5. Which RPM set is recommended?

Thanks

------------------------------------------------------------------------------
Tom Eastep | 31 Mar 19:56 2014

Shorewall 4.5.21.9

Shorewall 4.5.21.9 is now available for download.

Problems corrected:

1)  The output of 'shorewall show capabilities' always showed the
    'Recent match --reap option' as 'Not Available'. 'shorewall show -f
    capabilities' correctly reported the capability.

2)  When a rules file section other than NEW began with a ?COMMENT
    directive, the comment would erroneously appear in the rule which
    jumps to the section chain as well as in the rules directly related
    to the following entries.

3)  Rule comments were omitted from the compiler's 'trace' output in
    some cases.

4)  When FASTACCEPT=Yes, ESTABLISHED,RELATED accept rules were
    incorrectly omitted from an interface's _in and _fwd chains when
    'rpfilter' was specified in the interface's entry in
    /etc/shorewall[6]/interfaces.

Thank you for using Shorewall,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Hervé Werner | 31 Mar 14:38 2014

Re: Using rpfilter prevents outgoing access

> Unfortunately, the messages were logged before the firewall was
> reloaded:
> 
> State:Started (jeudi 27 mars 2014, 18:23:57 (UTC+0100))
> from /etc/shorewall/
> 
> Mar 27 18:23:13 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151
> DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=765 PROTO=ICMP
> TYPE=0 CODE=0 ID=8127 SEQ=15 MARK=0
> Mar 27 18:23:14 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151
> DST=192.168.1.166 LEN=84 TOS=00 PREC=0x00 TTL=54 ID=766 PROTO=ICMP
> TYPE=0 CODE=0 ID=8127 SEQ=16 MARK=0
> 
> NAT Table
> 
> So the firewall was reloaded at 18:23:57 but the last message was
> logged
> at 18:23:14. As a consequence, the dump doesn't show the state of the
> firewall when the messages were being logged.

Hello Tom,

I actually restarted Shorewall to get a working internet connection back
and did the dump afterwards because I knew the issue was already
logged. I understand your process, but I can swear to you I'm not trying to
fool you ;)

Please find enclosed a proper dump as well as additional information on
my software system. 
This time I was trying to ping DNS server 8.8.8.8.

Please note an error about module 'sch_tbf' when recompiling the policy
(shorewall_restart.txt). Don't know if it is tied to rpfilter.

I would also like to thank you for the 2 patches you wrote; I can
confirm that Shorewall is now working as expected.

Regards,

Hervé
Attachment (shorewall.tar.xz): application/x-xz-compressed-tar, 80 KiB
------------------------------------------------------------------------------
Robert Recchia | 28 Mar 13:14 2014

weird log messages

So lately I have been playing with docker and lxc containers on my CentOS 6 server. Right around that time I started getting very weird Shorewall log messages like this:



 C110DT2.98.9LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=09 E= <6>Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=xxxxxx  DST=xxxxxxx LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=64768 PROTO=UDP SPT=37867 DPT=53 LEN=61


62e:CETI=OTeh R=9.6..2 S=4152512LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=08SQ1

antACP:N U=t0SC1218110DT2.5.3.4 E=4TS00 RC00 T=4I= FPOOIM YE8CD= D112SQ1

There are more, but what do these messages mean?



Robert Recchia
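Both the ICMP drops quoted in the rpfilter thread above and the fw2net ACCEPT line in this post are netfilter LOG entries carrying Shorewall's chain:disposition prefix. The Python below is an added example, not code from either poster or from Shorewall: it extracts the prefix and the key=value fields from such lines, sets aside lines with no recognisable prefix (like the two garbled ones above), and flags dropped inbound echo replies, the symptom reported in the rpfilter thread. The sample lines are constructed from the two posts, with documentation addresses in place of the masked ones.

```python
import re
from dataclasses import dataclass, field

# A Shorewall log entry is "<chain>:<disposition>:" (optionally preceded by
# "Shorewall:" and by whatever the logger added, e.g. a timestamp or "<6>")
# followed by the kernel's key=value dump, which always starts with "IN=".
PREFIX_RE = re.compile(
    r"(?:Shorewall:)?(?P<chain>[A-Za-z0-9_.-]+):(?P<disp>[A-Z_]+):?\s*(?P<kv>IN=.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")


@dataclass
class LogEntry:
    chain: str
    disposition: str
    fields: list = field(default_factory=list)  # ordered (key, value) pairs, duplicates kept

    def get(self, key, default=None):
        # First occurrence wins: an ICMP entry carries two ID= keys (IP ID, then
        # echo ID) and UDP/ICMP entries two LEN= keys (IP length, then payload).
        for k, v in self.fields:
            if k == key:
                return v
        return default


def parse_line(line):
    """Return a LogEntry, or None when no Shorewall prefix plus key=value dump is present."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    return LogEntry(m.group("chain"), m.group("disp"), KV_RE.findall(m.group("kv")))


def parse_log(lines):
    """Split lines into parsed entries and lines that match no known format."""
    entries, unparsed = [], []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)   # interleaved/garbled console output ends up here
        else:
            entries.append(entry)
    return entries, unparsed


def dropped_echo_replies(entries):
    """Heuristic: ICMP echo replies (TYPE=0) arriving from outside and dropped in a
    net-to-firewall chain are replies to the firewall's own pings, so a run of them
    points at a filter (e.g. rpfilter) rejecting return traffic rather than at an attack."""
    return [e for e in entries
            if e.disposition == "DROP" and e.get("PROTO") == "ICMP"
            and e.get("TYPE") == "0" and e.get("OUT", "") == ""
            and (e.chain.endswith("-fw") or e.chain.endswith("2fw"))]


# Constructed sample: line 1 follows the rpfilter thread, line 2 this post (with
# 192.0.2.10 / 198.51.100.53 standing in for the masked addresses), line 3 is one
# of the garbled lines quoted in this post.
SAMPLE = [
    "Mar 27 18:23:13 net-fw:DROP  IN=eth0 OUT= SRC=173.194.40.151 DST=192.168.1.166 LEN=84 "
    "TOS=00 PREC=0x00 TTL=54 ID=765 PROTO=ICMP TYPE=0 CODE=0 ID=8127 SEQ=15 MARK=0",
    "<6>Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10  DST=198.51.100.53 LEN=81 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=64768 PROTO=UDP SPT=37867 DPT=53 LEN=61",
    "62e:CETI=OTeh R=9.6..2 S=4152512LN8 O=x0PE=x0TL6 D0D RT=CPTP= OE0I=08SQ1",
]
```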
------------------------------------------------------------------------------
Christian Rößner | 28 Mar 09:10 2014

shore wall, pop an ip-up.d/*; TC filter question

Hi,

first of all, thanks for the existence of Shorewall! I really, really love that project (and have for many years).

I have set up an ISP router gateway with advanced routing and TC stuff using shorewall. There are 2 things
that I do not know how to solve directly in shorewall, so I have used a hand-made TC script and some rules in /etc/shorewall/started.

My question is whether there is a way to do it directly with shorewall.

If a client connects with PPPoE, accel-ppp (the PPPoE server) calls /etc/ppp/ip-up/somescript, which sets TC
rules for each new pppX interface. It reads its up and down values from /var/run/radattr.pppX, which is
written by the RADIUS server on connect.

This is my ip-up script:

--------------------------------------------------------------
#!/bin/bash
# Called by accel-ppp as: <script> <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
PPP_IFACE="$1"
PPP_TTY="$2"
PPP_SPEED="$3"
PPP_LOCAL="$4"
PPP_REMOTE="$5"
PPP_IPPARAM="$6"

# Lock this resource. mkdir is atomic, so two ip-up runs for the same interface
# cannot both pass the check, and a lock under /run/lock cannot be hijacked by a
# symlink planted in world-writable /tmp (this script runs as root).
LOCKDIR="/run/lock/ppp-tc-${PPP_IFACE}"
for wait_for_lock in $(seq 1 60); do
        if mkdir "${LOCKDIR}" 2> /dev/null; then
                break
        fi
        sleep 1
done
# Remove the (possibly stale) lock on every exit path
trap 'rmdir "${LOCKDIR}" 2> /dev/null' EXIT

IP=/bin/ip
TC=/sbin/tc
# Per-customer limits (kibit) written by the RADIUS server on connect
RADATTR="/var/run/radattr.${PPP_IFACE}"
BANDUP=$(grep RP-Upstream-Speed-Limit "${RADATTR}" | cut -d " " -f 2)
BANDDOWN=$(grep RP-Downstream-Speed-Limit "${RADATTR}" | cut -d " " -f 2)
# Without both values every rate below would be empty and tc would reject it
if [ -z "${BANDUP}" ] || [ -z "${BANDDOWN}" ]; then
        echo "${PPP_IFACE}: no speed limits in ${RADATTR}, not shaping" >&2
        exit 1
fi

# deltaweb-services
MAXDOWN=81920
MAXUP=${MAXDOWN}

echo -n "   Clearing tc root, ingress... "
${TC} qdisc del dev "${PPP_IFACE}" root    2> /dev/null > /dev/null
${TC} qdisc del dev "${PPP_IFACE}" ingress 2> /dev/null > /dev/null
echo "done."

echo -n "   Adding tc classes... "

# add HFSC root qdisc; unclassified traffic lands in class 1:121
${TC} qdisc add dev "${PPP_IFACE}" root handle 1: hfsc default 121

# add main rate limit class
${TC} class add dev "${PPP_IFACE}" parent 1:0 classid 1:1 hfsc \
  sc rate ${MAXDOWN}kibit \
  ul rate ${MAXDOWN}kibit

# interactive
${TC} class add dev "${PPP_IFACE}" parent 1:1 classid 1:11 hfsc \
  sc umax 1500b dmax 30ms rate $(( BANDDOWN / 20 ))kibit \
  ul rate $(( BANDDOWN / 20 ))kibit

# bulk parent class: customer rate, children share it below
${TC} class add dev "${PPP_IFACE}" parent 1:1 classid 1:12 hfsc \
  sc rate $(( BANDDOWN * 3 / 4 ))kibit \
  ul rate ${BANDDOWN}kibit

# ultraFast
${TC} class add dev "${PPP_IFACE}" parent 1:1 classid 1:13 hfsc \
  sc rate $(( MAXDOWN / 2 ))kibit \
  ul rate ${MAXDOWN}kibit

# default
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:121 hfsc \
  sc umax 1500b dmax 53ms rate $(( BANDDOWN / 2 ))kibit \
  ul rate ${BANDDOWN}kibit

# large downloads 50Mb - 1000Mb
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:122 hfsc \
  sc rate $(( BANDDOWN / 2 ))kibit \
  ul rate $(( BANDDOWN / 2 ))kibit

# large downloads 1000Mb+
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:123 hfsc \
  sc rate $(( BANDDOWN / 10 ))kibit \
  ul rate $(( BANDDOWN / 5 ))kibit

# P2P
${TC} class add dev "${PPP_IFACE}" parent 1:12 classid 1:124 hfsc \
  sc rate 64kibit \
  ul rate 64kibit

echo "done."

echo -n "   Adding tc qdiscs... "
${TC} qdisc add dev "${PPP_IFACE}" parent 1:11 sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:121 handle 121: sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:122 sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:123 sfq perturb 10
${TC} qdisc add dev "${PPP_IFACE}" parent 1:124 pfifo
${TC} qdisc add dev "${PPP_IFACE}" parent 1:13 sfq perturb 10
echo "done."

echo -n "   Adding tc filters... "
# TOS 0x10 (minimize delay) goes straight to the ultraFast class
${TC} filter add dev "${PPP_IFACE}" parent 1:0 protocol ip prio 10 u32 \
  match ip tos 0x10 0xff \
  flowid 1:13

# marked interactive traffic (fw mark set by shorewall tcrules)
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 20 handle 0x1 fw classid 1:11

# ultraFast
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 20 handle 0xc fw classid 1:13

# large downloads 50Mb - 1000Mb
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 40 handle 0x2 fw classid 1:122

# large downloads 1000Mb+
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 50 handle 0x3 fw classid 1:123

# P2P
${TC} filter add dev "${PPP_IFACE}" protocol all parent 1:0 prio 60 handle 0x4 fw classid 1:124
echo "done."

echo -n "   Adding tc ingress, filters... "
${TC} qdisc add dev "${PPP_IFACE}" handle ffff: ingress

# deltaweb server - 1. subnet
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip dst 193.239.107.16/28 \
  police rate ${MAXUP}kibit \
  burst 80kb drop \
  flowid :1

# deltaweb server - 2. subnet
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip dst 193.239.107.48/28 \
  police rate ${MAXUP}kibit \
  burst 80kb drop \
  flowid :1

# RNS server
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip dst 193.239.107.32/28 \
  police rate ${MAXUP}kibit \
  burst 80kb drop \
  flowid :1

# everything else upstream: police to the customer's RADIUS upstream limit
${TC} filter add dev "${PPP_IFACE}" parent ffff: protocol all prio 10 u32 \
  match ip src 0.0.0.0/0 \
  police rate ${BANDUP}kibit \
  burst 80kb drop \
  flowid :1
echo "done."
--------------------------------------------------------------

Shorewall is doing the MARKing in tcrules:
--------------------------------------------------------------
##
## PPPoE:
##

COMMENT Copy connmark to packet mark
RESTORE/0x00FF:F \
		-		-		all
COMMENT SIP
CONTINUE:F	-		-		all	-	-	-	0x1
COMMENT P2P
CONTINUE:F	-		-		all	-	-	-	0x4
COMMENT Services deltaweb/RNS
CONTINUE:F	-		-		all	-	-	-	0xC
COMMENT Sipgate
0x1:F		$DWNET		$SIPGATE1	udp
COMMENT Sipgate
0x1:F		$DWNET		$SIPGATE2	udp
COMMENT Sipgate
0x1:F		$DWNET		$SIPGATE3	udp
COMMENT Easybell
0x1:F		$DWNET		$EASYBELL	udp
COMMENT
0x1:F		-		-		udp	5060:5076
0x1:F		-		-		udp	-	5060:5076
0x1:F		-		-		udp	5004:5020
0x1:F		-		-		udp	-	5004:5020
SAVE/0x00FF:F	-		-		udp	-	-	-	0x1
CONTINUE:F	-		-		udp	-	-	-	0x1

0xC:F		$KVM1		$DWNET		all
0xC:F		$KVM2		$DWNET		all
0xC:F		$RNS		$DWNET		all
SAVE/0x00FF:F	-		-		all	-	-	-	0xC
CONTINUE:F	-		-		all	-	-	-	0xC

0x2:F		-		-		tcp	-	-	-	-	-	-	52428800:1048576000
0x2:F		-		-		udp	-	!$UDP_EXCEPTIONS \
									-	-	-	-	52428800:1048576000
0x3:F		-		-		tcp	-	-	-	-	-	-	1048576000:
0x3:F		-		-		udp	-	!$UDP_EXCEPTIONS \
									-	-	-	-	1048576000:

0x4:F		-		-		ipp2p:all \
							edk,dc,gnu,kazaa,bit,apple,winmx,soul,ares
SAVE/0x00FF:F	-		-		all	-	-	-	0x4
CONTINUE:F	-		-		all	-	-	-	0x4
--------------------------------------------------------------

On shorewall restart, started is called:
--------------------------------------------------------------
#!/bin/bash

###############################################################################
# DO NOT EDIT THIS FILE!! UNDER SALTSTACK CONTROL!!                           #
###############################################################################

TC=/sbin/tc

for ppp in $(ip -4 add list | grep "global ppp" | awk '{ print $7; }')
do
	echo "${ppp}:"
	/etc/ppp/ip-up.d/99-rns-limits ${ppp}
done

echo -n "Adding filters to bond1.108, ifb0..."
${TC} filter del dev bond1.108 protocol all parent 1:0 prio 5 handle 0x1 fw classid 1:110 >/dev/null 2>&1
${TC} filter del dev ifb0 protocol all parent 2:0 prio 5 handle 0x1 fw classid 2:110 >/dev/null 2>&1
${TC} filter del dev bond1.108 protocol all parent 1:0 prio 5 handle 0x4 fw classid 1:150 >/dev/null 2>&1
${TC} filter del dev ifb0 protocol all parent 2:0 prio 5 handle 0x4 fw classid 2:150 >/dev/null 2>&1

${TC} filter add dev bond1.108 protocol all parent 1:0 prio 5 handle 0x1 fw classid 1:110
${TC} filter add dev ifb0 protocol all parent 2:0 prio 5 handle 0x1 fw classid 2:110
${TC} filter add dev bond1.108 protocol all parent 1:0 prio 5 handle 0x4 fw classid 1:150
${TC} filter add dev ifb0 protocol all parent 2:0 prio 5 handle 0x4 fw classid 2:150
echo " done"

return 0
--------------------------------------------------------------

So now the first question is: can I somehow call shorewall from inside the ip-up script and set up all TC
directly in shorewall, as I have already done for the internet connection? Then I could replace my script and
let shorewall do the job.

The other question is already visible in my started script: it's the TC filter rules.

I have set up an ifb0 interface, which mirrors the outgoing line (tcclasses):
--------------------------------------------------------------
#NUMBER:	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
#INTERFACE							INTERFACES
1:bond1.108	-		10mbit		classify
2:ifb0		-		10mbit		-		bond1.108

3:bond1.200	50mbit		10mbit
4:bond1.201	25mbit		5mbit
--------------------------------------------------------------

So with shorewall I have set most of my rules in tcfilters. But I could not find a way to set filters based on
packet marks, so I added the lines above in started, which of course is not so great.

I could not find any good reason on the net why setting such rules on ifb0 would not make sense. Both rules use
egress, and on www.linuxfoundation.org I also found examples like the one in my started script. So
basically setting such filters should be possible, shouldn't it?

The 0x1 mark in the example above is traffic that is SIP and has its own class. 0x5 is all the ipp2p stuff, which we
do not really want and so we shape it down:

--------------------------------------------------------------
#INTERFACE:CLASS	MARK	RATE:			CEIL	PRIORITY	OPTIONS
#                               DMAX:UMAX

# bond1.108
1:110			-	2mbit			2mbit	1		tos=0x68/0xfc,tos=0xb8/0xfc
1:120			-	512kbit			2mbit	2		tcp-ack,tos-minimize-delay
1:130			-	5mbit			6mbit	3
1:140			-	2mbit			6mbit	4		default
1:150			-	128kbit			128kbit	5		pfifo

# ifb0
2:110			-	2mbit			2mbit	1		tos=0x68/0xfc,tos=0xb8/0xfc
2:120			-	512kbit			2mbit	2		tcp-ack,tos-minimize-delay
2:130			-	5mbit			6mbit	3
2:140			-	2mbit			6mbit	4		default
2:150			-	128kbit			128kbit	5		pfifo

3:110			0x20	10mbit			10mbit	1		default
4:110			0x20	5mbit			5mbit	1		default
--------------------------------------------------------------

I hope my questions are okay. I really do not want to waste anybody's time. It is just that I am not sure if I
have already found the optimal way of doing things. And it already has some complexity, at least for me :)

Ah, I just forgot: this is all on Debian Wheezy; shorewall version:

lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 7.4 (wheezy)
Release:	7.4
Codename:	wheezy

shorewall version: 4.5.5.3

I also put all shorewall stuff together and attached it to this mail.

Kind regards

-Christian Rößner

Attachment (shorewall.tar.bz2): application/x-bzip2, 54 KiB

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein

------------------------------------------------------------------------------
Rich Wales | 28 Mar 05:54 2014

Set up arbitrary routes in Shorewall?

Is there any way to specify arbitrary host or network routes to be added to a firewall's routing tables in Shorewall?

I have a list of individual destinations (external to my LAN) which I need to reach via a bastion host connected to my firewall via a VPN.  Up till now, I've been adding host routes for these destinations by running a shell script when my firewall starts up -- but I'd prefer to accomplish this in Shorewall if there is a way to do it.

I'm running Shorewall 4.5.16.1 on an Ubuntu 13.10 system.
--
Rich Wales
richw <at> richw.org
------------------------------------------------------------------------------
Rich Wales | 27 Mar 20:47 2014

Address ranges in proxyarp?

I'm running Shorewall 4.5.16.1 on an Ubuntu 13.10 system.

Is it possible to specify a CIDR range in the proxyarp file?  Or do I really need to list each individual IP address separately?
--
Rich Wales
richw <at> richw.org
------------------------------------------------------------------------------