Jan Lühr | 9 Jul 11:49 2014

Limiting Bandwidth per IP?

Hello folks,

I'm new to shorewall, using shorewall4 and shorewall6 on Debian
Wheezy (4.5.5.3).
Being confused about http://shorewall.net/simple_traffic_shaping.html,
I'd like to ask:

Shorewall4 and 6 are used on a central router on our network, while
doing masquerading for IPv4. How can I limit the total bandwidth per
client IP address to 5 MBit/s?

Keep smiling
yanosz

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
Db Clinton | 8 Jul 19:08 2014

Interfaces arguments won't compile

Hi,
Shorewall on a new installation isn't compiling and reports this error:

ERROR: Invalid BROADCAST address /etc/shorewall/interfaces (line 2)

I've read that until version 4.2.x there was a bug that could lead to this error, but I'm using 4.4.26.1-1. And in any case, I haven't got a BROADCAST column. The problem goes away when I remove all arguments (tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0) from the interface entry. Any one argument will make the compile fail. As I'd like to use arguments, does anyone have any idea what I should be doing differently?
Thanks,
David
Ruud Baart | 8 Jul 14:30 2014

Blocking DNS cache queries

Good day,

I have a problem in protecting one of our DNS servers (Debian, bind9).
One of our DNS servers is attacked with cache queries. Our servers are
protected the best way I can, but this type of request is coming from
everywhere and I cannot find an effective way of stopping these queries.

The queries look like these (tcpdump):
14:17:52.521563 IP 36.234.214.186.7824 > <my DNS server>.53: 47574+ A? kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.522458 IP 72.37.49.70.49040 > <my DNS server>.53: 17713+ A? mdsfcn.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com. (70)
14:17:52.523229 IP <my DNS server>.53 > 36.234.214.186.7824: 47574 Refused- 0/0/0 (70)
14:17:52.523313 IP <my DNS server>.53 > 72.37.49.70.49040: 17713 Refused- 0/0/0 (70)

Bind security log:
08-Jul-2014 14:18:37.276 client 192.225.235.160#46655 (mxgbcfqdqdsh.www.fh1688.cn): query (cache) 'mxgbcfqdqdsh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.236.196#43452 (ibermzmjingh.www.fh1688.cn): query (cache) 'ibermzmjingh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 192.225.232.157#27740 (mzgrqlylyrsv.www.fh1688.cn): query (cache) 'mzgrqlylyrsv.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.128 client 23.208.175.177#41119 (wjkrofctef.www.fh1688.cn): query (cache) 'wjkrofctef.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.181 client 24.87.218.48#10407 (ibqlqzkheb.www.fh1688.cn): query (cache) 'ibqlqzkheb.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.577 client 108.117.95.12#13816 (efml.www.fh1688.cn): query (cache) 'efml.www.fh1688.cn/A/IN' denied

I have configured bind with rate limits, no recursion etc. And I have 
installed fail2ban. All these countermeasures are not sufficient. With 
extreme strict fail2ban rules I banned +/- 25.000 IP addresses in a few 
hours but the DNS cache queries still continue.

fail2ban log:
2014-07-08 14:23:12,337 fail2ban.actions: WARNING [named-refused] Ban 23.49.193.58
2014-07-08 14:23:12,662 fail2ban.actions: WARNING [named-refused] Ban 66.190.8.57
2014-07-08 14:23:12,993 fail2ban.actions: WARNING [named-refused] Ban 24.6.177.245
2014-07-08 14:23:13,316 fail2ban.actions: WARNING [named-refused] Ban 24.252.152.111
2014-07-08 14:23:13,656 fail2ban.actions: WARNING [named-refused] Ban 25.145.60.69
2014-07-08 14:23:13,987 fail2ban.actions: WARNING [named-refused] Ban 24.249.113.165
2014-07-08 14:23:14,334 fail2ban.actions: WARNING [named-refused] Ban 24.213.230.250
2014-07-08 14:23:14,699 fail2ban.actions: WARNING [named-refused] Ban 23.217.118.188
2014-07-08 14:23:15,029 fail2ban.actions: WARNING [named-refused] Ban 23.228.90.135
2014-07-08 14:23:15,353 fail2ban.actions: WARNING [named-refused] Ban 24.181.151.152
2014-07-08 14:23:15,684 fail2ban.actions: WARNING [named-refused] Ban 24.42.26.21

I can't find a pattern in the banned IP addresses: they don't belong to 
one or a few IP address blocks.

So my question: is there a way to drop DNS cache query requests with
shorewall without interfering with the intended DNS service?

-- 

Met vriendelijke groeten/Regards,
Tiswe/R.J. Baart Automatisering B.V.

Ruud Baart

Tel: +31 6 51318104
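Added example, not part of the post above: a small Python aggregator that reads bind "query (cache) ... denied" lines in the format quoted in the message and groups them by the queried suffix rather than by client address. On a random-subdomain flood like the one shown, the per-IP view has no pattern (as the poster found), while the per-suffix view shows one zone with a different prefix on every query from many sources. The log lines, the function names and the thresholds are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the bind security log quoted in the
# post (client addresses are documentation ranges, names mimic the pattern).
SAMPLE_LOG = """\
08-Jul-2014 14:18:37.276 client 192.0.2.10#46655 (mxgbcfqdqdsh.www.fh1688.cn): query (cache) 'mxgbcfqdqdsh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 198.51.100.7#43452 (ibermzmjingh.www.fh1688.cn): query (cache) 'ibermzmjingh.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:37.632 client 203.0.113.55#27740 (mzgrqlylyrsv.www.fh1688.cn): query (cache) 'mzgrqlylyrsv.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.128 client 192.0.2.77#41119 (wjkrofctef.www.fh1688.cn): query (cache) 'wjkrofctef.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:38.577 client 198.51.100.9#13816 (efml.www.fh1688.cn): query (cache) 'efml.www.fh1688.cn/A/IN' denied
08-Jul-2014 14:18:39.001 client 203.0.113.8#5353 (kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com): query (cache) 'kjaveb.sfbsodnssbsdbsdbsndbsidbdfwff.fsf.crayumm.com/A/IN' denied
"""

# Matches the line bind writes to its security log when it refuses a
# recursive (cache) query from a client (format as quoted in the post).
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+ \([^)]+\): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<qtype>\w+)/IN' denied"
)

def parse_denied(log_text):
    """Return (client_ip, queried_name, qtype) for every denied cache query."""
    out = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name").lower(), m.group("qtype")))
    return out

def suffix_of(name):
    """Drop the leftmost label when there are at least three labels, so
    'mxgbcfqdqdsh.www.fh1688.cn' groups under 'www.fh1688.cn'."""
    labels = name.strip(".").split(".")
    return ".".join(labels[1:]) if len(labels) >= 3 else ".".join(labels)

def summarize(log_text):
    """Group denied queries by suffix: total count, distinct full names
    (the random prefixes) and distinct client addresses."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set(), "clients": set()})
    for ip, name, _ in parse_denied(log_text):
        s = stats[suffix_of(name)]
        s["queries"] += 1
        s["prefixes"].add(name)
        s["clients"].add(ip)
    return dict(stats)

def flag_floods(stats, min_queries=5, min_clients=3):
    """Suffixes where every query carried a different prefix and the
    queries came from many sources: the random-subdomain pattern."""
    flagged = []
    for suffix, s in stats.items():
        if (s["queries"] >= min_queries
                and len(s["prefixes"]) == s["queries"]
                and len(s["clients"]) >= min_clients):
            flagged.append(suffix)
    return sorted(flagged)
```

Run `flag_floods(summarize(open("/var/log/named/security.log").read()))` against the real log (path assumed) to get the list of abused suffixes; that list is the thing to match on, since the source addresses are not where the pattern is.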

OBones | 7 Jul 10:07 2014

Use an interface when it is present

Hello,

I have a quite simple and classical setup with eth0 being local network 
and eth3 being the net interface which masquerades local.
The setup is using shorewall 4.4, works just fine and I'm very happy 
with it, many thanks for your dedicated hard work.

From time to time, I have issues with the network connection on eth3
and then decide to plug in a data-enabled cell phone in modem mode, which
gives me the usb0 interface. Note that eth3 does not go down: the link
is still up but hardly responsive.
I have thus declared usb0 in the interfaces file with the optional flag 
like this:

net    usb0    optional
net    eth3    -
loc    eth0    -

I also have this in the masq file:

usb0    10.10.10.0/24
eth3    10.10.10.0/24

What I would like is that when usb0 is present, all packets are routed 
through its gateway and nothing goes through eth3 until I unplug usb0.
In my current setup, two default routes are created, one through eth3
with metric 0, the other through usb0 with metric 10, which means that all
packets are routed through eth3.
Manually editing the default route that goes through eth3 via the
route command, setting a metric above 10, makes it work. However, this
does not "stick" when a reboot or shorewall restart occurs.
I have searched the documentation for the "metric" keyword and found it 
inside the providers file. To me, this looked like the solution and so I 
went forward and declared two providers like this:

cell    1    1    -    usb0    detect    -
adsl    2    2    -    eth3    detect    fallback,track

However, when I plug in the usb0 interface, the route for eth3 does not get
changed and still keeps its metric value of 0.

I must have missed something obvious and would very much appreciate your 
help here.

Regards,
Olivier

TN Patriot | 6 Jul 15:00 2014

Confused, as usual...


Hi folks,

  I've honestly tried reading the FAQs and the other references on the
  Shorewall website, but I either just don't know what I'm looking at or for, or
  somehow missed it.

  My small problem - I've installed apcupsd on my Slackware 14.1 and need to
  somehow make port 3551 open/seeable for apcupsd to work correctly.

  Any help with this is greatly appreciated, and my apologies if it's something
  so simple an idiot should have been able to do it (I'm obviously slower than
  Forrest Gump :(  )

   JB

Lee Brown | 6 Jul 11:45 2014

Shorewall 4.6.1.2 / CentOS6.5 / ipset / SELinux

Dear All,

I could find no reference to SELinux in the documentation for this;
hopefully it helps others.
When I added ipset into the mix and played around from the command
line, everything worked as expected.  However during boot, shorewall
complains:

00:36:00 ERROR: ipset names in Shorewall configuration files require
Ipset Match in your kernel and iptables /etc/shorewall/rules (line 39)

And immediately after boot a shorewall start is totally successful.
This is a SELinux enforcement issue in my case:

type=AVC msg=audit(1404632169.296:45): avc:  denied  { create } for
pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.296:45): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=c a3=7fff5f7f9590 items=0 ppid=2760
pid=2761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset"
exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.299:46): avc:  denied  { create } for
pid=2763 comm="ipset" scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.299:46): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=c a3=7ffffe3fc1c0 items=0 ppid=2762
pid=2763 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset"
exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.301:47): avc:  denied  { create } for
pid=2765 comm="ipset" scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.301:47): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=c a3=7fff63d428e0 items=0 ppid=2764
pid=2765 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset"
exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.402:61): avc:  denied  { create } for
pid=2810 comm="ipset" scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.402:61): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=c a3=7fff51509c50 items=0 ppid=2809
pid=2810 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset"
exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404632169.405:62): avc:  denied  { create } for
pid=2812 comm="ipset" scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1404632169.405:62): arch=c000003e syscall=41
success=no exit=-13 a0=10 a1=3 a2=c a3=7fffc9256d20 items=0 ppid=2811
pid=2812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ipset"
exe="/usr/sbin/ipset" subj=system_u:system_r:shorewall_t:s0 key=(null)
type=AVC msg=audit(1404635091.599:45): avc:  denied  { create } for
pid=2761 comm="ipset" scontext=system_u:system_r:shorewall_t:s0
tcontext=system_u:system_r:shorewall_t:s0 tclass=netlink_socke

which may be resolved with:

semanage fcontext -a -t iptables_exec_t /path/to/ipset
restorecon -v /path/to/ipset

(you'll need policycoreutils-python installed)

documented at:

https://lists.fedoraproject.org/pipermail/selinux/2010-June/012680.html

Regards - lee

Lee Brown | 6 Jul 12:08 2014

Manually specify gateway MAC

Hi,

One of the providers I use has their gateway on the other side of a
radio bridge several miles away.  Occasionally the MAC detection that
Shorewall does fails and prevents Shorewall from starting.

Is there a way to specify the MAC address manually for these gateways
in the providers file?  I couldn't see any way to specify it.

Thanks -- lee

Tom Eastep | 4 Jul 22:53 2014

Shorewall 4.6.1.4

Shorewall 4.6.1.4 is now available for download.

Problems Corrected:

1)  The DSCP match in the mangle and tcrules files didn't work with
    service class names such as EF, BE, CS1, ... (Thibaut Chèze)

2)  The SAVE and RESTORE actions were disallowed in the OUTPUT chain in
    tcrules and mangle; this was a regression from 4.6.21.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Tom Eastep | 1 Jul 04:12 2014

Shorewall 4.5.21.3

Shorewall 4.5.21.3 is now available for download.

Problems Corrected:

1)  Use of the 'IfEvent' action resulted in a compilation failure:

      ERROR: -j is only allowed when the ACTION is INLINE with no
        parameter /usr/share/shorewall/action.IfEvent (line 139)
         from /etc/shorewall/action.SSHKnock (line 8)
         from /etc/shorewall/rules (line 31)

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Gerhard Wiesinger | 24 Jun 19:48 2014

Shorewall and routebacks with default gateway not on firewall

Hello,

I've the following configuration:
Internet <=> Host with fixed IP <=> OpenVPN Tunnel <=> Firewall Host 
with dynamic IP <=> DMZ

Firewall Host with dynamic IP isn't the gateway.

I've configured:
1.) "Host with fixed IP" a DNAT forward into the OpenVPN Tunnel (OK):
SMTP(DNAT)      net             vpndmz:192.168.x.y
SMTP(DNAT)      $FW             vpndmz:192.168.x.y
2.) "Firewall Host with dynamic IP" forward into the DMZ again:
SMTP(DNAT)      vpndmz          dmz:192.168.x.y

Everything works fine except the shorewall rules on "Firewall Host with 
dynamic IP".

Packets go from "Firewall Host with dynamic IP" to DMZ, responses from 
DMZ go back to "Firewall Host with dynamic IP" but then they are not 
routed into the OpenVPN Tunnel back again but to the default gateway 
(which is of course not working).

I read already http://shorewall.net/MultiISP.html, 
http://shorewall.net/PacketMarking.html and 
http://shorewall.net/manpages/shorewall-route_rules.html and some other 
sites but I still didn't get a working version.

What's the recommended way?
Via mangle?
Via multiple providers?

What I've tried so far (config partly listed):
ERROR: A provider interface must have at least one associated zone 
/etc/shorewall/providers

/etc/shorewall/mangle
MARK(2)         vpndmz          dmz

/etc/shorewall/providers
p_main  1       1       -               eth0    detect          track,balance
p_vpn   2       2       -               tun36   detect          track,optional,loose

/etc/shorewall/zones
dmz     ipv4
vpndmz  ipv4
p_main  ipv4
p_vpn   ipv4

/etc/shorewall/interfaces
dmz     DMZ_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
vpn     TUN_IF tcpflags,nosmurfs,routefilter,logmartians,physical=tun0
vpndmz  tun36 tcpflags,nosmurfs,routeback,logmartians,physical=tun36

If something is unclear, just ask.

BTW: Please have a look at the Port Knocking patch :-)

Thank you.

Ciao,
Gerhard

Guilsson . | 23 Jun 18:56 2014

External connection appear coming from internal Shorewall IP - different ports

I have a weird need covered by FAQ 1F (http://shorewall.net/FAQ.htm#faq1f) using "ugly hack" mentioned there.

RULES: DNAT net loc:10.10.10.33:8888 tcp 8888
MASQ: eth1:10.10.10.33  eth0  10.10.10.11  tcp  8888
(eth0: Internet, eth1: local lan)

When the public port (8888) is the same as internal port (8888), WORKS fine.

I need to use different ports: 8888 external, 88 internal

I tried several combinations:
DNAT net loc:10.10.10.33:88 tcp 8888
eth1:10.10.10.33 eth0 10.10.10.11:8888 tcp 88
eth1:10.10.10.33 eth0 10.10.10.11:88 tcp 8888

none worked.

Any hints?
Thanks
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems