Tadd M. Balfour | 13 May 23:46 2014

new to shorewall > need help with incorrect eth_wan link negotiation

I'm new to Shorewall, but not to Linux.

I've been brought on to a project where the Shorewall seems to be hindering the overall bandwidth out to the cloud.

The business has a 50M x 5M fiber circuit with TW Cable.

When they run a speed test from inside the LAN, they are getting horrible download speeds.  Less than 3MB!

The TW Level III Tech indicated that he felt that it was the Firewall that was causing the issues.

My job is to figure out if that is the case.

After poking around, I ran the following command:  /sbin/mii-tool -v eth_wan

and got these results:

eth_wan: negotiated 100baseTx-FD flow-control, link ok
  product info: vendor 00:50:43, model 11 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

That looks to me like it is negotiating only a 100 Megabit connection.

Is that correct?

What else can I do to see what is going on?

Here is some more info:

Linux firewall 3.2.1-gentoo-r2 #2 SMP Fri Sep 21 16:28:20 CDT 2012 x86_64 Intel(R) Atom(TM) CPU D525 @ 1.80GHz Genuine Intel GNU/Linux

I'm afraid to make any changes as I don't want to bring this entire business down, but I need to positively identify, if not resolve, the issue.

Can anyone kindly please advise?

Thanks!

Tadd in Austin, TX

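Reading that mii-tool output by hand: autonegotiation settles on the best mode that both sides advertise, and the quoted "link partner" line carries no 1000baseT mode at all. The parser below is an added example, not code from the post or from Shorewall; it embeds the quoted output verbatim and checks mechanically that 100baseTx-FD is indeed the best common mode and that the ceiling is on the partner side rather than on this host's NIC.

```python
import re

# Constructed sample: the `mii-tool -v eth_wan` output quoted in the post.
MII_OUTPUT = """\
eth_wan: negotiated 100baseTx-FD flow-control, link ok
  product info: vendor 00:50:43, model 11 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  1000baseT-FD 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
"""

# PHY modes as mii-tool prints them, ranked as (speed in Mbit/s, full duplex?).
MODE_RANK = {
    "1000baseT-FD": (1000, 1), "1000baseT-HD": (1000, 0),
    "100baseTx-FD": (100, 1),  "100baseTx-HD": (100, 0),
    "10baseT-FD":   (10, 1),   "10baseT-HD":   (10, 0),
}

def parse_mii(text):
    """Extract interface name, negotiated mode and the advertised mode sets."""
    lines = text.strip().splitlines()
    head = re.match(r"(\S+): negotiated (\S+)", lines[0])
    if not head:
        raise ValueError("unrecognised mii-tool header: %r" % lines[0])
    info = {"iface": head.group(1), "negotiated": head.group(2)}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        if key.strip() in ("capabilities", "advertising", "link partner"):
            # keep only speed/duplex tokens; "flow-control" is not a link mode
            info[key.strip()] = {t for t in value.split() if t in MODE_RANK}
    return info

def best_mode(modes):
    """Highest-ranked mode in a set, or None when the set is empty (link down)."""
    return max(modes, key=lambda m: MODE_RANK[m]) if modes else None

def diagnose(text):
    """Compare what was negotiated with what the two advertisements allow."""
    info = parse_mii(text)
    local = info.get("advertising", set())
    partner = info.get("link partner", set())
    expected = best_mode(local & partner)      # autoneg picks the best common mode
    lbest, pbest = best_mode(local), best_mode(partner)
    return {
        "iface": info["iface"],
        "negotiated": info["negotiated"],
        "expected": expected,
        # True when autoneg did exactly what both advertisements permit
        "consistent": info["negotiated"] == expected,
        # True when this host offers a faster mode than the partner advertises:
        # the limit then sits on the partner side (its port or the cabling), not this NIC
        "partner_limited": bool(lbest and pbest and MODE_RANK[lbest][0] > MODE_RANK[pbest][0]),
    }

if __name__ == "__main__":
    for key, val in diagnose(MII_OUTPUT).items():
        print("%-16s %s" % (key, val))
```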
------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
emilianovazquez | 13 May 18:22 2014

TC fails when ppp is down

Hi guys!

In this scenario we have 2 dsl connections (ppp1 and ppp2) with tc filters enabled.

The files have everything and run ok! And ppp1 and ppp2 are fixed in file
/etc/ppp/peers/dsl-provider-eth1[2] with unit=1 and unit=2. This config always makes eth1 get the same
ppp number (ppp1) and eth2 likewise (ppp2).

The problem is when the machine gets rebooted and one dsl is down.

The error is about a misconfigured interface in /etc/shorewall/tcinterfaces and it never goes up.

Is there an "optional" like in /etc/shorewall/interfaces ???

I almost forgot! I'm running Ubuntu 12.04 64-bit on a headless server.

Best regards!

Emiliano

Sent from my Personal BlackBerry (http://www.personal.com.ar/)

Lars Erik Dangvard Jensen | 13 May 16:39 2014

brouter and two DMZ

Hi list

We need to put a switch in front of our current firewall to connect our current firewall and a new firewall at the same time, each firewall goes to its own racks.

Instead of powering up a separate hardware switch I was thinking of a brouter since we're not going to use 24 or 48 ports in a switch.

We have a set of public IP addresses which on the figure http://shorewall.net/bridge-Shorewall-perl.html#bridge-router are positioned much like 192.0.2.x range with our current firewall configured with all public IP addresses DNAT'ing to a DMZ in the yellow area.

The idea is to have our ISP uplink and current firewall with public IPs configured connect to a bridge on our new firewall, both firewalls with public IP addresses in the same range.

So I would like to have eth1 on the new firewall DNAT to a DMZ in the green area alongside our current firewall DNAT to a DMZ in the yellow area with IP addresses in the same public IP range.

My question is how eth1 is connected to br0: is it connected like a normal hardware switch, and if not, how can I connect eth1 to br0?

/lars
Michael Kress | 10 May 01:56 2014

routing issue #2

Hi again, sorry, but I'm still having issues with my setup as described 
in my previous posts (multi-isp setup with openvpn and dsl router).
The problem is that if I try to connect from LAN (192.168.5.181) to the 
VPN ip (x.x.x.245) via a DNAT rule, the request gets forwarded, but the 
reply doesn't obviously find the way back.

In detail, the request is on port 993 and is being forwarded from the 
openvpn ip x.x.x.245 on device tun1 to the internal ip 192.168.5.4.
The rule forwarding the request is the following one:
DNAT     lan    lan:192.168.5.4:993     tcp     993     - x.x.x.245

The tcpdump on the target system for port 993:
IP (tos 0x0, ttl  63, id 25228, offset 0, flags [DF], proto: TCP (6), 
length: 64) 192.168.5.181.51933 > 192.168.5.4.993: S, cksum 0x8288 
(correct), 3501222380:3501222380(0) win 65535 <mss 1460,nop,wscale 
4,nop,nop,timestamp 564067697 0,sackOK,eol>
IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), 
length: 60) 192.168.5.4.993 > 192.168.5.181.51933: S, cksum 0x1921 
(correct), 3752783027:3752783027(0) ack 3501222381 win 5792 <mss 
1460,sackOK,timestamp 45978776 564067697,nop,wscale 7>
IP (tos 0x0, ttl  64, id 56928, offset 0, flags [DF], proto: TCP (6), 
length: 40) 192.168.5.181.51933 > 192.168.5.4.993: R, cksum 0x1a7a 
(correct), 3501222381:3501222381(0) win 0

The request finds its way to 192.168.5.4, because I've used the option 
routeback on the interface eth2.

All the hosts in 192.168.5.0/24 have 192.168.5.251 as a gateway, which 
is eth2 under shorewall.

The providers file:
tonline    1    1    -        eth1        192.168.2.1    track
ipev    2    2    -        tun1        x.x.x.245    track

The rtrules file:
#SOURCE            DEST            PROVIDER    PRIORITY    MARK
  -            x.x.x.18/32    tonline        1000
  -            x.x.x.245/28    ipev        1001
192.168.0.0/24        -            tonline        20001        1
192.168.5.0/24        -            tonline        20001        1
192.168.0.0/24        -            tonline        20002
192.168.5.0/24        -            tonline        20002

zones:
fw    firewall
lan     ipv4
wan     ipv4
vpn     ipv4
dmz     ipv4

So long story short: the communication from lan to lan:192.168.5.4:993 
is working forward, but does not make its way back.

Coming from outside on the tun1 (x.x.x.245) is fine - the request gets 
forwarded and the reply finds its way back to the originator of the 
communication.

Have you got any clue about how I can establish the way back?
Thank you!
Regards
Michael

PS: I could use 192.168.5.4 instead of x.x.x.245 but that's a bit difficult 
on a smartphone where I cannot really use LAN addresses.

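What the three tcpdump records show can be checked mechanically. The analyzer below is an added example, not code from the post, from Shorewall or from any reply: it parses the records as quoted (re-joined onto single lines), follows them as a TCP handshake, and notes that the server's SYN-ACK is addressed to a host on its own 192.168.5.0/24, so that reply is delivered directly on the LAN and never passes the gateway at 192.168.5.251, the only place where the DNAT could be reversed. The subnet and the gateway role come from the post; the reading of the capture is mine.

```python
import ipaddress
import re

# Constructed sample: the three tcpdump records quoted in the post,
# each re-joined onto one line (the mail client had wrapped them).
CAPTURE = """\
IP (tos 0x0, ttl  63, id 25228, offset 0, flags [DF], proto: TCP (6), length: 64) 192.168.5.181.51933 > 192.168.5.4.993: S, cksum 0x8288 (correct), 3501222380:3501222380(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 564067697 0,sackOK,eol>
IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.5.4.993 > 192.168.5.181.51933: S, cksum 0x1921 (correct), 3752783027:3752783027(0) ack 3501222381 win 5792 <mss 1460,sackOK,timestamp 45978776 564067697,nop,wscale 7>
IP (tos 0x0, ttl  64, id 56928, offset 0, flags [DF], proto: TCP (6), length: 40) 192.168.5.181.51933 > 192.168.5.4.993: R, cksum 0x1a7a (correct), 3501222381:3501222381(0) win 0
"""

# Old-style tcpdump line: "... length: N) SRC.SPORT > DST.DPORT: FLAGS, rest"
REC = re.compile(r"\)\s+(\S+)\.(\d+) > (\S+)\.(\d+): ([A-Z.]+),(.*)")

def parse_records(text):
    recs = []
    for line in text.strip().splitlines():
        m = REC.search(line)
        if m:
            src, sport, dst, dport, flags, rest = m.groups()
            recs.append({"src": src, "sport": int(sport), "dst": dst,
                         "dport": int(dport), "flags": flags,
                         "ack": " ack " in rest})   # this tcpdump prints ACK as "ack N"
    return recs

def classify_handshake(recs):
    """Walk the records as one TCP handshake and report how it ended."""
    if not recs or "S" not in recs[0]["flags"] or recs[0]["ack"]:
        return "no client SYN at start of capture"
    client, server = recs[0]["src"], recs[0]["dst"]
    if len(recs) < 2 or recs[1]["src"] != server or "S" not in recs[1]["flags"] or not recs[1]["ack"]:
        return "no SYN-ACK from server"
    if len(recs) < 3:
        return "SYN-ACK sent, no further packet seen"
    third = recs[2]
    if third["src"] == client and "R" in third["flags"]:
        # RST straight after the SYN-ACK: the client has no connection that
        # matches the addresses it sees in that SYN-ACK.
        return "client reset the connection on receiving the SYN-ACK"
    if third["src"] == client and third["flags"] == ".":
        return "handshake completed"
    return "unexpected third packet"

def reply_stays_on_subnet(recs, lan):
    """True when the server's SYN-ACK is addressed to a host on its own subnet.
    Such a reply is delivered directly over the LAN and never reaches the
    gateway, so a DNAT applied on the way in cannot be undone on the way out."""
    net = ipaddress.ip_network(lan)
    reply = recs[1]
    return ipaddress.ip_address(reply["src"]) in net and ipaddress.ip_address(reply["dst"]) in net

def analyze(text, lan):
    recs = parse_records(text)
    return {"outcome": classify_handshake(recs),
            "reply_stays_on_subnet": len(recs) > 1 and reply_stays_on_subnet(recs, lan)}

if __name__ == "__main__":
    print(analyze(CAPTURE, "192.168.5.0/24"))   # the LAN named in the post
```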
------------------------------------------------------------------------------
Is your legacy SCM system holding you back? Join Perforce May 7 to find out:
• 3 signs your SCM is hindering your productivity
• Requirements for releasing software faster
• Expert tips and advice for migrating your SCM now
http://p.sf.net/sfu/perforce
Bill Shirley | 7 May 18:28 2014

My Shorewall configuration crashes kernel 3.13.9

[0:root@jabba shorewall]$ rpm -q shorewall
shorewall-4.5.15-1.fc19.noarch

I'm running Fedora 19 on this server and everyone plays nice with kernel-3.12.11-201.fc19.x86_64. However, all versions of 3.13.9 crash during reboot.

If I disable Shorewall I can boot the new kernel.  But then the kernel dumps when I do a 'shorewall start'.

Anyone have any ideas on how to begin to diagnose this?  I have the partial console output of 'shorewall trace start' from the 3.13 kernel and the full output of that command from the 3.12 kernel.  I would prefer not to post these publicly since they have my public IP addresses in them.

Any help is appreciated.

Bill

Vieri Di Paola | 7 May 15:01 2014

cannot ping through shorewall firewall (second example)

Hi again,

I'd like to add another dump to my report.
I'm unable to ping from host in "LAN" zone with IP address 10.215.144.7 to host in "CAIB" zone with IP address 10.215.5.95.

What could be wrong?

Thanks,

Vieri


Attachment (dump.gz): application/gzip, 124 KiB
Vieri Di Paola | 7 May 13:59 2014

cannot ping through shorewall firewall

Hi,

I'm having trouble all of a sudden trying to ping through a shorewall firewall. This system was working fine up until now and wasn't updated. I even tried it on a newly installed shorewall.

In the dump I'm attaching I'm trying to ping from 10.215.144.48 to 10.215.134.111 but it's failing.
The echo reply seems to arrive on the shorewall box but isn't sent to the client at 10.215.144.48.

Any ideas?

Vieri

Attachment (dump.gz): application/gzip, 89 KiB
Emiliano Marino | 6 May 22:43 2014

INCLUDE directive on Rules file

Hi! I'm becoming a fan of shorewall. I'm using it for some things and I love the easy way it has to configure everything.
At work we use CISCO ASA firewalls, and the more I learn of the capabilities of the Linux firewall (and routing, bridging, vpn, vlan etc.) the less I want to use Cisco :D

Ok, here is the issue:

I'm starting a firewall setup in where I'm defining some rules in separated files that are included using the INCLUDE directive.

It works fine, but when you make a mistake in one of the included files, the compiler hides the problem from you, saying:

Compiling /etc/shorewall/rules...
      ERROR: INCLUDE file rules.d/out not found /etc/shorewall/rules (line 19)

It is false that the compiler can't find the file. If you copy the contents of the included file inside "rules" and remove the INCLUDE directive for that file, the compiler reveals the true error.

When you fix your mistake it compiles ok (using the INCLUDE directive).

I think this could be a low level bug. Or I'm doing something wrong. If it's a bug, how can I report it?

Thanks


Mike Andrewjeski | 5 May 23:31 2014

ERROR: Startup is disabled

Hi List,

Thanks in advance for reading this, any help is gratefully appreciated.

Odd problem: after upgrading to Debian wheezy (Shorewall-4.5.5.3) from Debian squeeze (Shorewall-4.4.11.6-3+squeeze1),
when doing a start, restart or refresh I see the error:  ERROR: Startup is disabled.

shorewall check shows this:  ERROR: The 'zones' file does not exist or has zero size

The content of the zones file hasn't changed and has this content in both /etc/shorewall & /var/lib/shorewall:
fw firewall
loc ipv4 eth3:0.0.0.0/0
net ipv4 eth2:0.0.0.0/0

Here are the installed packages:
dpkg -l | grep shorewall
ii  shorewall 4.5.5.3-3                     all          Shoreline Firewall, netfilter configurator
ii  shorewall-common 4.4.11.6-3+squeeze1           all          Shoreline Firewall, netfilter configurator - transition package
ii  shorewall-core 4.5.5.3-3                     all          Shorewall core components
ii  shorewall-shell 4.4.11.6-3+squeeze1           all          Shoreline Firewall, netfilter configurator - transition package


Emiliano Marino | 5 May 18:11 2014

Ipset with timeouts

Hi! This is my first email to this mailing list.

I am playing with ipsets and shorewall and I'm failing to create (using shorewall) an ipset with a default timeout.
When shorewall compiles it throws me a warning saying that the ipset does not exist (which is right), and when it starts, at some stage of the init procedure, it creates the ipset.
I can't (or don't know how to) change the shorewall command to create the ipset. I even tried to use the "Init" script, but the ipset is already created when the script is executed.

So, does anybody have a suggestion?
I know that if I make a script that creates the ipset before shorewall starts it does the job, but I prefer to do it inside or with shorewall terms.

Sorry for my English :)
Thanks in advance
Filippo Carletti | 5 May 18:24 2014

MultiISP failover suggestions

Hi,
I'm using shorewall (4.5.18) and lsm (0.163) with a two ISP setup.
I followed the documentation and the linuxfest presentation (all provider
balance), but chose to ping a remote ip instead of the local gateway.
lsm is started as a service, not by shorewall.
The setup is working, but I'm not sure what to do when lsm detects
a link down event.
I tried shorewall disable ispX, but it deletes the routing rules, so
the link cannot come back.
I could adjust the mangle file and restart shorewall: would it be a
good idea? Any other suggested option?

I chose not to ping the connection gateway because both gateways are
local and never go down, while one connection in particular (wimax) goes
down once in a while and I can detect its status by pinging a remote ip.

Thanks in advance.

-- 
Ciao,
Filippo
