Steven Kiehl | 6 Mar 04:00 2016

Packet loss in combined IPv4/IPv6 setup

Hey all,

I could use some help getting Shorewall6 working stable in concert with Shorewall.

I just installed Shorewall6 on my router machine about 2 weeks ago and had no trouble, but noticed a sudden slowdown today after having no visible issue for a couple of weeks.  After investigating, I discovered that there's some 30% packet loss and sustained ping times (to Google) in the 45-55ms range.  I hooked up a Windows machine to the cable modem and there was 0% packet loss and ping times in the 35-40ms range.

Also, I noticed that pings to the modem directly would respond for the first 5-10 requests, and then drop completely (Destination host unreachable).  I also noticed that the modem's web interface worked for the first 1-3 page loads and then I would get connection reset errors for every request onward until I rebooted my modem.  I'd then get 5-10 pings and 1-3 page loads and then total drop.  The Internet still (kinda) works, but not the modem web interface.

So, I turned off Shorewall6 and stripped IPv6 from my Internet-facing interface.  Now, running with IPv4-only, there is 0% packet loss and 35-40ms pings just like my laptop was showing, but my laptop could do it with both IPv4 and IPv6, and the web interface worked flawlessly from my laptop.

What could I be doing wrong that would cause conflict between IPv4 and IPv6? Mind you, all these ping tests were run from my router machine directly and just with IPv4 addresses.

My goal is this: Have my router get both an IPv4 and IPv6 address from my ISP, and allow clients to access the Internet in whichever form they'd like.  But I can't even seem to get it to play nicely on the router box.  I've got this same setup on a couple server endpoints, and they both have had no issues, but they don't do any masquerading or client routing of any sort.

With IPv4/v6, my /etc/network/interfaces was set up as follows:

auto eth2
iface eth2 inet dhcp
iface eth2 inet6 dhcp
up sysctl net.ipv6.conf.$IFACE.accept_ra=1
pre-down ip link set dev $IFACE up
post-up /sbin/ifconfig $IFACE mtu 1500

I only have a basic IPv6 setup on the router right now with masq only configured for IPv4 until I'm confident that the router is running stable. So, for the most part, Shorewall6 is set up default with very vanilla interfaces, policy, and rules files.  Everything is very reflective of my IPv4 configs, just adjusted for IPv6.

At present, shorewall and shorewall6 are version 4.4.26.1, standard Ubuntu repo packages.

Any immediate thoughts? Anything else I should provide for diagnostics?

Thank you,

Steve Kiehl

------------------------------------------------------------------------------
Ed W | 4 Mar 18:45 2016

Feature request: custom actions in mangle

Hi, Can I suggest a new feature:

- I seem to be ending up with quite a lot of lines in my mangle file...
- Could it be possible to support the action.xxx method of creating new 
tables through this file?

In particular I often want to do something like "if this bit in connmark 
is not set then do the following 3 things, but some of those things will 
be to set the bit".  This gets complex to write in the correct order, 
being able to use actions (ie as per in the rules file) would make this 
significantly neater and less error prone. Effectively I would like to 
declare a (normal) shorewall custom action (just like I would for normal 
rules) and use this in the mangle file

I see no reason to support a second action syntax for actions used by 
mangle, I would propose that the various included actions are simply 
processed by the rules or mangle code as appropriate (since there is a 
small change in supported options between the rules and mangle syntax).  
I guess this means carefully written actions could be used by either 
mangle or rules, but would break if you use features not supported by 
the appropriate subsystem (MARK, SAVE, LOG, etc)?

Note: I do realise there are several complications in implementing this....

Note I am testing with 4.6.13.4.  I apologise in advance if this is 
already in 5.0, it didn't appear to be (but I can see there is a fair 
amount of change that has happened in 5.0 wrt mangle?)

Thanks for your thoughts

Ed W
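The ordering problem behind this request, shown as raw iptables mangle rules in an added example that is not part of the thread or of Shorewall itself. The chain name, the connmark/mark bits and the LOG prefix are assumptions chosen for illustration, and the commands are echoed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Flat form: every rule repeats the "bit not set" test, so the rule that sets
# the connmark bit must come last; if it is placed earlier, the remaining rules
# silently stop matching for that connection. Bits 0x1 (connmark) and 0x2
# (packet mark) are constructed values for this example.
flat_rules() {
  echo "iptables -t mangle -A PREROUTING -m connmark ! --mark 0x1/0x1 -j LOG --log-prefix 'unseen:'"
  echo "iptables -t mangle -A PREROUTING -m connmark ! --mark 0x1/0x1 -j MARK --set-xmark 0x2/0x2"
  echo "iptables -t mangle -A PREROUTING -m connmark ! --mark 0x1/0x1 -j CONNMARK --set-xmark 0x1/0x1"
}

# Action form: test the bit once, jump to a user chain (the iptables equivalent
# of a Shorewall action), and let the chain run its steps unconditionally.
# Setting the bit can now sit anywhere in the chain without breaking the rest.
action_rules() {
  chain=$1   # hypothetical chain name supplied by the caller
  echo "iptables -t mangle -N $chain"
  echo "iptables -t mangle -A $chain -j CONNMARK --set-xmark 0x1/0x1"
  echo "iptables -t mangle -A $chain -j LOG --log-prefix 'unseen:'"
  echo "iptables -t mangle -A $chain -j MARK --set-xmark 0x2/0x2"
  echo "iptables -t mangle -A PREROUTING -m connmark ! --mark 0x1/0x1 -j $chain"
}

# Count how many emitted rules carry the repeated connmark test (read from stdin).
count_conditional() { grep -c -- '-m connmark ! --mark'; }

flat_rules
action_rules unseen_conn
```

Pipe either function to `sh` to apply the rules; the flat form yields three conditional rules, the action form only one.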

------------------------------------------------------------------------------
Eddie | 3 Mar 19:37 2016

Shorewall Throttling Download Speed

Hi,

While investigating a streaming issue in my network, I was surprised to see a run of Speedtest showing my download speed at around 85Mbps, which is less than half the speed I am supposed to get from my ISP, 200Mbps.  Running a few tests, it appears (on the surface) that Shorewall is throttling this down, because if I turn it off, then I get my advertised 200Mbps.

This is running on a Nethserver install connected directly to my cable modem.  Nethserver is based on CentOS 6.7 and runs Shorewall 4.6.4.3.  The Traffic Shaping option offered by Nethserver is disabled.

Here is the console log of my Speedtest runs, plus I have attached the output from "shorewall dump".

[root <at> NethServer ~]# ./speedtest_cli.py
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Time Warner Cable (76.91.205.244)...
Selecting best server based on latency...
Hosted by Time Warner Cable (Los Angeles, CA) [17.74 km]: 9.372 ms
Testing download speed........................................
Download: 83.91 Mbit/s
Testing upload speed..................................................
Upload: 23.16 Mbit/s
[root <at> NethServer ~]# shorewall stop > /dev/null
[root <at> NethServer ~]# ./speedtest_cli.py
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Time Warner Cable (76.91.205.244)...
Selecting best server based on latency...
Hosted by Time Warner Cable (Los Angeles, CA) [17.74 km]: 9.508 ms
Testing download speed........................................
Download: 229.21 Mbit/s
Testing upload speed..................................................
Upload: 22.14 Mbit/s
[root <at> NethServer ~]# ./speedtest_cli.py
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Time Warner Cable (76.91.205.244)...
Selecting best server based on latency...
Hosted by Time Warner Cable (Los Angeles, CA) [17.74 km]: 10.578 ms
Testing download speed........................................
Download: 230.89 Mbit/s
Testing upload speed..................................................
Upload: 23.26 Mbit/s
[root <at> NethServer ~]# shorewall start > /dev/null
[root <at> NethServer ~]# ./speedtest_cli.py
Retrieving speedtest.net configuration...
Retrieving speedtest.net server list...
Testing from Time Warner Cable (76.91.205.244)...
Selecting best server based on latency...
Hosted by Time Warner Cable (Los Angeles, CA) [17.74 km]: 9.778 ms
Testing download speed........................................
Download: 80.58 Mbit/s
Testing upload speed..................................................
Upload: 23.16 Mbit/s
[root <at> NethServer ~]#

Any ideas ??

Cheers.
Attachment (shorewall.txt.tgz): application/octet-stream, 17 KiB
------------------------------------------------------------------------------
Nigel Quinn | 29 Feb 13:11 2016

Recall: Shorewall SFILTER issue with CoovaChilli configuration

Nigel Quinn would like to recall the message, "[Shorewall-users] Shorewall SFILTER issue with CoovaChilli configuration".
------------------------------------------------------------------------------
Tom Eastep | 26 Feb 18:13 2016

Shorewall 5.0.5.1

Shorewall 5.0.5.1 is now available for download.

Problems Corrected:

1)  Two defects have been discovered in the implementation of new
    TRACK_RULES=File feature. Both manifest themselves as a compiler
    assertion failure and occur regardless of the setting of
    TRACK_RULES. Conditions which expose the defects are:

    a) Entries in the ecn file.
    b) The allowBcast action is invoked with a log level specified.

    Both are now corrected.

Thank you for using Shorewall.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
kAja Ziegler | 25 Feb 09:23 2016

Support for SYN proxy (SYNPROXY)

Hi Tom and all users,

  Any news about the SYN proxy (SYNPROXY) support in Shorewall?

Thank you and best regards,
--
Karel Ziegler

 e-mail:    ziegleka <at> gmail.com

------------------------------------------------------------------------------
Brian J. Murrell | 24 Feb 22:59 2016

"policing" bandwidth of inbound streaming video connections

As we all know, one cannot really shape/limit inbound traffic other
than to "police" it.  Or at least that was the state of things the last
time I was in this neighborhood.  Maybe things have changed since then.

Ultimately, what I want to do is basically what T-mobile is doing with
their "Binge On" service and that's to limit the amount of bandwidth
that Netflix streams are allowed to use and thus forcing the video
quality down to a limited amount of bandwidth.

I wonder if anyone has cooked this one up yet.

Assuming I had a list of IP addresses that Netflix streams could come
from, any hints or suggestions of configuration that I would want to
apply to them?

Cheers,
b.
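Inbound "policing" of a list of source prefixes with the tc ingress qdisc, as an added example that is not from the thread and is not a Shorewall configuration. The interface, rate, burst and the documentation-range prefixes are assumptions; the commands are echoed so they can be reviewed before being piped to sh.

```shell
#!/bin/sh
# Emit one ingress policer per source prefix. Each u32 filter gets its own
# token bucket, so RATE is a per-prefix ceiling, not a shared total across the
# whole list; the burst value bounds how far a flow may exceed RATE briefly.
police_cmds() {
  iface=$1; rate=$2; burst=$3; shift 3
  echo "tc qdisc del dev $iface ingress 2>/dev/null"   # makes re-runs idempotent
  echo "tc qdisc add dev $iface handle ffff: ingress"
  prio=1
  for src in "$@"; do
    echo "tc filter add dev $iface parent ffff: protocol ip prio $prio u32 match ip src $src police rate $rate burst $burst drop flowid :1"
    prio=$((prio + 1))
  done
}

# Constructed prefixes (RFC 5737 documentation ranges) standing in for the
# real list of streaming sources; eth0 is the assumed Internet-facing interface.
STREAM_PREFIXES="203.0.113.0/24 198.51.100.0/24"
police_cmds eth0 3mbit 100k $STREAM_PREFIXES
```

Policing drops packets that have already crossed the link, so it only reduces the stream's quality because the sender's TCP backs off in response to the loss.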
------------------------------------------------------------------------------

Please help with the configuration of Debian 8 and Xen and networking with only one network card and multiple external IP addresses.

Hi!
 
I have a rootserver with only one network card and 4 official (external) IPs. The server runs under Debian 8. I installed the Xen of the distribution. I added the 4 IPs to the network card (like it is described in the official Debian documentation). And if I do a checkup and a test, everything seems to work fine.
 
The idea now is to create a couple of virtual servers under Xen which use internal IP addresses (e.g. 10.0.0.1 - 10.0.0.5). All of the servers should be able to connect to the internet (would be cool if I could decide which server uses which external IP address to appear on the Internet), but only a couple of them should accept incoming requests. Depending on the external IP and the used port I need to forward the request to an internal IP address on one of my virtual servers.
 
I tried to find the solution myself, but I got stuck. After reading a lot of manuals I don't know what would be the right way. I am completely confused about all of the possible options. I found nowhere a documentation or a Howto for this situation.
 
I thought that maybe Shorewall could make my life easier, but I am still stuck with a working solution.
 
Can someone help me or give me a hint in the right direction please?
 
Thanks,
Christian.
------------------------------------------------------------------------------
johnny bowen | 23 Feb 23:30 2016

RPM in EPEL... Where did it go

I either need a sanity check or the EPEL repo no longer has any rpms for shorewall. 

Does anyone know what is going on?
------------------------------------------------------------------------------
Norman Henderson | 23 Feb 11:48 2016

shorewall-init not reacting to tunnel interface change

Hi, I'm running shorewall 4.5.21.6 on Ubuntu 14.04.1 on one system and on 14.04.3 on another system. Working on some failover scenarios I installed shorewall-init first using aptitude, then by hand (also 4.5.21.6). Either way appeared to work fine. I configured /etc/default/shorewall-init with PRODUCTS="shorewall" and IFUPDOWN=1.

I have some openvpn tunnels that are providers, i.e. have their own routing tables and corresponding ip rules (route_rules). The problem is that if I run (e.g.) service openvpn stop tun5, shorewall does not reconfigure accordingly. That is to say, ifconfig tun5 reports Device not found; however, ip rule still shows the rule corresponding to that tunnel and ip route still shows the corresponding table.

If I manually run shorewall restart, then the rule disappears and the routing table is cleared.  Also, /var/lib/shorewall/tun5.status toggles from 0 to 1 only after the manual shorewall restart. Behavior is analogous when I restart the tunnel - a manual "shorewall restart" is needed before anything appears to change.

What is interesting, is that if I do an ifdown eth0 or ifup eth0, shorewall-init DOES reconfigure appropriately (a different provider and different route_rules of course). But I can't use ifup or ifdown on an openvpn tunnel, they don't appear in /etc/network/interfaces.

What am I missing? Or is this simply unsupported, in which case I guess I can put an explicit shorewall restart into the openvpn configs...

Thanks in advance!
------------------------------------------------------------------------------
c.monty | 22 Feb 17:17 2016

Configuration - appropriate configuration with 2 default gateways

Hello!
 
I need your support to define an appropriate configuration for the network architecture I have documented in the attachment.
 
There are some things that make this network architecture "special":
1. 2 default gateways according to this howto https://www.thomas-krenn.com/en/wiki/Two_Default_Gateways_on_One_System
2. Routed configuration on Proxmox VE server according to this howto https://pve.proxmox.com/wiki/Network_Model#Routed_Configuration
3. Masquerading (NAT) on 2 NICs according to this howto https://pve.proxmox.com/wiki/Network_Model#Masquerading_.28NAT.29
 
The definition of 2 default gateways ensures that any traffic on LAN 192.168.178.0/24 will communicate via gateway 192.168.178.1, and any other traffic on LAN 10.0.0.0/24 and DMZ 10.1.0.0/24 will communicate via gateway 10.0.0.1 and 10.1.0.1 respectively.
 
This configuration is working based on the howto guides w/o firewall.
The challenge is to add firewall functionality, but I don't know if I need to revert back the modifications in /etc/network/interfaces or /etc/iproute2/rt_tables.
 
The main question is:
Who can support with the configuration of shorewall?
How should /etc/shorewall/interfaces be defined?
How many zones should be in /etc/shorewall/zones?
Do I need to define multiple providers in /etc/shorewall/providers to enable 2 default gateways?
 
 
THX
Attachment (network.pdf): application/pdf, 140 KiB
------------------------------------------------------------------------------