PGNd | 3 Oct 03:25 2014

Re: ./install.sh for PRODUCT != shorewall fails to create shorewallrc-specified init.d DIR unless PRODUCT == shorewall is installed first

>>  I have to now recollect why I chose NOT to do that. There WAS a 'very valid' reason a couple of eves ago ... 

> I am interested in your reason -- I would prefer to hack up that path rather than risk breaking live installs.

That, if I'm playing back my notes correctly, is exactly the reason I chose this route.

I'm bundling up tarball'd installs for remote deploy (atm, using DIY scripts; eventually, Puppet etc).

With $PREFIX 'hard-coded' on my dev/compile box, it's quite difficult to clobber an existing install by
accidentally omitting DESTDIR= (either by my own doing, or that of a remote admin).

In an env with fewer hands and just local keyboards, DESTDIR= is a fine option.

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
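The safety argument in the reply above (a staged install must not be able to land on the live tree just because DESTDIR= was forgotten) can be enforced in the wrapper that drives the tarball build. The script below is an added example, not Shorewall's install.sh or any script from the thread: it refuses to proceed unless DESTDIR is an absolute, empty staging directory, runs the installer with DESTDIR exported, and packs the result for remote deploy. The installer it drives is a stand-in (fake_installer) that is assumed, for the demo only, to prefix every target path with $DESTDIR; the PREFIX value is the one from the poster's shorewallrc.suse.

```shell
#!/bin/sh
# Added example: guard a DESTDIR-staged install so that an omitted or bogus
# DESTDIR= cannot overlay the live system. Not Shorewall's install.sh.

# Return 0 when $1 is an acceptable staging root: absolute, not "/", and
# either absent or still empty. Everything else is refused with a reason.
check_destdir() {
  dest=$1
  case "$dest" in
    '')  echo "DESTDIR is empty: the installer would write to the live system" >&2; return 1 ;;
    /)   echo "DESTDIR is /: refusing" >&2; return 1 ;;
    /*)  ;;
    *)   echo "DESTDIR must be an absolute path: $dest" >&2; return 1 ;;
  esac
  if [ -d "$dest" ] && [ -n "$(ls -A "$dest")" ]; then
    echo "DESTDIR $dest already contains files: refusing to overlay" >&2
    return 1
  fi
  return 0
}

# stage_install DESTDIR installer [args...]
# Runs the installer with DESTDIR exported (in a subshell, so nothing leaks),
# packs the staged tree into DESTDIR.tar for the remote host, and prints the
# relative paths that were staged so they can be reviewed before deploy.
stage_install() {
  dest=$1
  shift
  check_destdir "$dest" || return 1
  mkdir -p "$dest"
  ( export DESTDIR="$dest"; "$@" ) || return 1
  tar -C "$dest" -cf "$dest.tar" .
  ( cd "$dest" && find . -type f | sed 's|^\./||' | sort )
}

# Stand-in for the real installer (assumption for this demo): it is assumed
# to honour DESTDIR by prefixing every target path with it, and it creates
# the same kind of files a product install would (an sbin wrapper and an
# init.d script) under the PREFIX from shorewallrc.suse.
fake_installer() {
  prefix=${PREFIX:-/usr/local/shorewall-custom}
  mkdir -p "$DESTDIR$prefix/usr/sbin" "$DESTDIR$prefix/etc/init.d"
  printf '#!/bin/sh\necho demo\n' > "$DESTDIR$prefix/usr/sbin/demo-product"
  printf '# init script placeholder\n' > "$DESTDIR$prefix/etc/init.d/demo-product"
}

# Demo: one good staging run, then the two mistakes the guard exists for.
work=$(mktemp -d)
PREFIX=/usr/local/shorewall-custom
export PREFIX
echo "staged into $work/stage:"
stage_install "$work/stage" fake_installer
stage_install "" fake_installer || echo "blocked: empty DESTDIR"
stage_install "$work/stage" fake_installer || echo "blocked: non-empty DESTDIR"
```

On the remote side the tarball is unpacked with `tar -C / -xf`, so the guard has to sit on the build box: that is the only place where an empty DESTDIR would silently turn a staging run into a live install.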
Alan McKay | 3 Oct 02:38 2014

VOIP stops working after Ubuntu 13.10 --> 14.04 upgrade

Hi guys and gals,

I completely blew away my firewall but saved my shorewall directory.
Went from Ubuntu 13.10 to 14.04 and whatever the corresponding versions
of Shorewall are on each.

My interfaces changed names so I had a few things to fiddle with regarding
that but I am certain I have that right now.

NAT works for everything else from my home network out.

I run tcpdump on the external interface and I can see my Cisco router trying
to get out.  But I get no dial tone.  Here is a capture going to toronto.voip.ms

You see it still has my internal IP and no mention of my external one.

Anyone have any idea here?

20:30:59.407819 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF],
proto UDP (17), length 592)
    172.30.99.5.sip > 184-75-215-106.amanah.com.sip: SIP, length: 564
REGISTER sip:184.75.215.106 SIP/2.0
Via: SIP/2.0/UDP 172.30.99.5:5060;branch=z9hG4bK-854a97cc
From: "Alan McKay" <sip:XXXX@184.75.215.106>;tag=6e9831344cbda01co0
To: "Alan McKay" <sip:XXXXX@184.75.215.106>
Call-ID: f48848f0-1c380a75@172.30.99.5
CSeq: 23635 REGISTER
Max-Forwards: 70
Contact: "Alan McKay" <sip:153478@172.30.99.5:5060>;expires=180
User-Agent: Cisco/SPA112-1.3.3(015)
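The observation in the post above is the whole diagnosis: a packet captured on the external interface still carries the RFC 1918 source 172.30.99.5, so no masquerading/SNAT was applied to it. The script below is an added example (not from the thread, and not a Shorewall tool) that automates exactly that check over a tcpdump -v capture: it lists every private source address seen on the WAN side, and separately flags SIP Via:/Contact: headers that embed a private address, which survive even once IP-level SNAT works unless a SIP NAT helper or the phone's own NAT handling rewrites them. The sample capture is constructed from the REGISTER in the post plus one correctly NATed packet using 203.0.113.7 (TEST-NET-3) as a stand-in public address.

```shell
#!/bin/sh
# Added example: find traffic that left the external interface without SNAT,
# and SIP headers that still advertise a private address.

# Return 0 when $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=${1#172.}
      second=${second%%.*}
      case "$second" in
        ''|*[!0-9]*) return 1 ;;
      esac
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# Print each distinct private source address found in the tcpdump -v capture
# named by $1. The address line looks like
#   "    172.30.99.5.sip > 184-75-215-106.amanah.com.sip: SIP, length: 564"
# so the first field is host.port (the port may be a name or a number).
unnatted_sources() {
  awk '$2 == ">" && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.[A-Za-z0-9-]+$/ {
         sub(/\.[^.]+$/, "", $1); print $1 }' "$1" |
  while IFS= read -r src; do
    is_private_ipv4 "$src" && printf '%s\n' "$src"
  done | sort -u
}

# Print SIP Via:/Contact: header lines from $1 whose first IPv4 literal is
# private: these are the headers the far-end registrar will try to reply to.
sip_private_in_headers() {
  grep -E '^(Via|Contact):' "$1" |
  while IFS= read -r line; do
    addr=$(printf '%s\n' "$line" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    [ -n "$addr" ] && is_private_ipv4 "$addr" && printf '%s\n' "$line"
  done
  return 0
}

# Constructed sample capture: the REGISTER from the post (private source,
# not SNATed) followed by a packet that was masqueraded correctly.
write_sample_capture() {
  cat > "$1" <<'EOF'
20:30:59.407819 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 592)
    172.30.99.5.sip > 184-75-215-106.amanah.com.sip: SIP, length: 564
REGISTER sip:184.75.215.106 SIP/2.0
Via: SIP/2.0/UDP 172.30.99.5:5060;branch=z9hG4bK-854a97cc
Contact: "Alan McKay" <sip:153478@172.30.99.5:5060>;expires=180
20:31:02.100000 IP (tos 0x0, ttl 63, id 1, offset 0, flags [DF], proto UDP (17), length 64)
    203.0.113.7.40000 > 184-75-215-106.amanah.com.sip: SIP, length: 36
EOF
}

capture=$(mktemp)
write_sample_capture "$capture"
echo "private sources seen on the external interface (no SNAT applied):"
unnatted_sources "$capture"
echo "SIP headers still advertising a private address:"
sip_private_in_headers "$capture"
rm -f "$capture"
```

Run it against `tcpdump -v -i <external-if> udp port 5060` output: any address it prints in the first list means the packet bypassed the masquerade rule entirely, which is a firewall-side problem; addresses only in the second list point at the SIP payload rather than the IP header.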

jonetsu@teksavvy.com | 3 Oct 02:30 2014

IPv6 NAT support ?

Hello,

  Although by its nature IPv6 renders nat obsolete, it seems that in
practice many small setups prefer to use NAT instead of an extended
(seemingly too complicated) IPv6 proper configuration.  I was told that
a recent ip6tables now supports NAT.  If this is true, will there be
also IPv6 NAT support in Shorewall ?

As always, thanks.

PGNd | 2 Oct 22:42 2014

./install.sh for PRODUCT != shorewall fails to create shorewallrc-specified init.d DIR unless PRODUCT == shorewall is installed first

I'm doing manual installs of tarball builds

 @ exec of

	cd shorewall-4.6.4-Beta2-19-g205dd6e
	./install.sh shorewallrc.suse

where

	cat shorewallrc.suse
		...
		HOST=suse
		PREFIX=/usr/local/shorewall-custom
		SHAREDIR=${PREFIX}/share
		LIBEXECDIR=${PREFIX}/lib
		PERLLIBDIR=${PREFIX}/lib/perl5
		CONFDIR=${PREFIX}/etc
		SBINDIR=${PREFIX}/usr/sbin
		MANDIR=${PREFIX}/man/
		INITDIR=${PREFIX}/etc/init.d
		INITSOURCE=init.suse.sh
		INITFILE=${PRODUCT}
		AUXINITSOURCE=
		AUXINITFILE=
		SYSTEMD=${PREFIX}/etc/systemd
		SERVICEFILE=${PRODUCT}.service
		SYSCONFFILE=sysconfig
		SYSCONFDIR=${PREFIX}/etc/sysconfig
		SPARSE=
		ANNOTATED=

PGNd | 2 Oct 22:20 2014

tarball's ./install.sh script symlinks/enables incorrect systemd .service

I'm doing manual installs of tarball builds

 @ exec of

	cd shorewall-4.6.4-Beta2-19-g205dd6e
	./install.sh shorewallrc.suse

where

	cat shorewallrc.suse
		...
		HOST=suse
		PREFIX=/usr/local/shorewall-custom
		SHAREDIR=${PREFIX}/share
		LIBEXECDIR=${PREFIX}/lib
		PERLLIBDIR=${PREFIX}/lib/perl5
		CONFDIR=${PREFIX}/etc
		SBINDIR=${PREFIX}/usr/sbin
		MANDIR=${PREFIX}/man/
		INITDIR=${PREFIX}/etc/init.d
		INITSOURCE=init.suse.sh
		INITFILE=${PRODUCT}
		AUXINITSOURCE=
		AUXINITFILE=
		SYSTEMD=${PREFIX}/etc/systemd
		SERVICEFILE=${PRODUCT}.service
		SYSCONFFILE=sysconfig
		SYSCONFDIR=${PREFIX}/etc/sysconfig
		SPARSE=
		ANNOTATED=

James Andrewartha | 2 Oct 07:29 2014

USE_DEFAULT_RT changed to Yes

Hi,

I see that in 4.6.0 [1], USE_DEFAULT_RT was changed to Yes by default. I
couldn't find any documentation of this change in the release notes. I
can see why this change was made, however I want to use quagga for
routing, which inserts routes into the main routing table. Although it
looks like zebra (part of quagga) can be configured to use a different
table [2]. I also have a VPN with a subnet routed behind it.

The main thing for me is that policy routing needs to keep working, so
#5 at [3] indicates that just setting USE_DEFAULT_RT=No is the quick
fix. However you've indicated that you want to deprecate it, so what
other options are there? Should I just set zebra to drop its routes into
the balance table? Will they get removed when restarting shorewall?

[1]
http://sourceforge.net/p/shorewall/code/ci/cea237620a136b5f75415f62449d885eaf9e6c3d/
[2] http://www.nongnu.org/quagga/docs/docs-info.html#Static-Route-Commands
[3] http://shorewall.net/MultiISP.html#USE_DEFAULT_RT

Thanks,

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877


jonetsu@teksavvy.com | 2 Oct 02:01 2014

Using Shorewall IPv6

Hello,

  Thanks for your preceding two replies - much appreciated !

I have three questions regarding running an IPv6 configuration which
could surely benefit from your experience, since they are not directly
related to Shorewall, but happen when using the IPv6 portion.

1) When shorewall6 is run, the following is logged.  Since broadcast
is not supported in IPv6, logging this is a bit puzzling:

Oct 1 13:04:39 deb kernel: [ 9570.619744] xt_addrtype: ipv6 does not
support BROADCAST matching

2) Once shorewall6 has established a firewall (a very simple one to
start with) there is no netfilter subdirectory in /proc/sys/net/ipv6.
There is in ipv4/, with a few conntrack options.

The following IPv6 modules are loaded:

  nf_conntrack_ipv6      13124  11 
  nf_defrag_ipv6         12720  2 xt_TPROXY,nf_conntrack_ipv6

3) When I use 'ip6tables -L' to verify, ip6tables lists a few things,
then seems to wait for something before displaying more.  Why is that
so ?

Thanks.


jonetsu@teksavvy.com | 1 Oct 00:27 2014

Missing DropSmurfs action file

Hello.  Using Shorewall6 4.5.5.3 (Debian) and having the firewall
config files in /tmp/shorewall6/ I get: 'ERROR: Missing Action
File (/tmp/shorewall6/action.DropSmurfs)'.  But I did not ask for
any smurf actions to be taken.

This is a very simple test firewall.  Interfaces has no options
declared.

And I removed the action from SMURF_DISPOSITION= in
shorewall6.conf

Also, on this Debian system, the action.DropSmurfs file is only
in the shorewall /usr/share directory, not shorewall6.  Although
I did not ask for any smurf action anyways.

In the Shorewall6 4.5.21.10 upstream source package the DropSmurfs
action is set as 'noinline'.  Does that mean that the workings are now
internal to Shorewall ? Also, 4.5.21.10 does not have any
action.DropSmurfs file.

Thanks.

PGNd | 30 Sep 19:51 2014

Re: kernel: Can't find ip_set type hash:ip

Please keep it onlist.  FYI, HTML posts to ML make it difficult to read.

Your output, compared to mine, is short, and lacking detail

Here,

shorewall version
 4.6.3.4

ipset -V
 ipset v6.23, protocol version: 6

ipset --help | grep -P "hash:ip"
    hash:ip,port,net    7       skbinfo support
    hash:ip,port,net    6       forceadd support
    hash:ip,port,net    5       comment support
    hash:ip,port,net    4       counters support
    hash:ip,port,net    3       nomatch flag support
    hash:ip,port,net    2       Add/del range support
    hash:ip,port,net    1       SCTP and UDPLITE support
    hash:ip,port,ip     5       skbinfo support
    hash:ip,port,ip     4       forceadd support
    hash:ip,port,ip     3       comment support
    hash:ip,port,ip     2       counters support
    hash:ip,port,ip     1       SCTP and UDPLITE support
    hash:ip,mark        2       sbkinfo support
    hash:ip,mark        1       forceadd support
    hash:ip,mark        0       initial revision
    hash:ip,port        5       skbinfo support
    hash:ip,port        4       forceadd support

Bas van Schaik | 30 Sep 18:06 2014

Dynamically connecting interfaces to zones (goal: different policies/rules depending on whether I'm home, in the office, travelling...)

Hi,

This question might have been answered already, but after an afternoon 
of Googling I haven't quite found the right search keywords yet.

What I'm trying to do: depending on where my laptop (with Shorewall and 
OpenVPN) is connected, I'd like to apply different policies in Shorewall.

Whenever I'm travelling:
  1) route all traffic over VPN (that's easy enough - not a Shorewall 
challenge)
  2) enforce (1) using Shorewall by rejecting all traffic from $FW to my 
'net' zone (except to VPN server), to avoid leaking of information when 
the VPN client is down. Traffic to the 'vpn' zone should be allowed.

Whenever I'm at home (to my trusted SSID, or using my trusted router), 
I'd like to:
  1) only route VPN-specific traffic through VPN (again: easy enough)
  2) allow all traffic from $FW to anywhere

So far, I've been trying to set this up using dynamic zones:
  - zone 'untrustednet' that only allows traffic to my VPN server and is 
the default zone for eth0 and wlan0 (I'm using both wifi and ethernet)
  - zone 'trustednet' that is freely accessible from $FW, and by default 
not served by any interfaces.

Then, whenever my laptop connects to my trusted home network, I'd like 
to connect interfaces eth0 and/or wlan0 to the 'trustednet' zone, and 
disconnect them from the 'untrustednet' zone. Automatically, all policy 
that applies to either net is enabled/disabled.

PGNd | 30 Sep 16:30 2014

is SW build's PERLLIBDIR config exported for all (s)bin instances?

When PERLLIBDIR=/path/to/sw-perl-mods/ is configured for a SW build, the install's perl5 mods are
installed, as expected, in "/path/to/sw-perl-mods/".

If PERLLIBDIR is NOT in the installed perl's @INC, it can be trivially added to @INC's head in global ENV with

	~/.bashrc
+		export PERL5LIB="/path/to/sw-perl-mods/"

or, limited to context of SW's (s)bins by prepending SW commands

	PERL5LIB="/path/to/sw-perl-mods/" shorewall ...

IIUC, neither may be necessary.

Looking @

	./share/shorewall/lib.cli-std 
		...
		if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
		$PERL $debugflags $pc $options $@
		else
		PERL5LIB=${PERLLIBDIR}
		export PERL5LIB
		$PERL $debugflags $pc $options $@
		fi
		...

that stanza appears to functionally prepend all user-land exec of SW (s)bins with
PERL5LIB=${PERLLIBDIR}, the perl-mod dir-path config'd at build time.



Gmane