Hi all, I'm having a bit of an issue on my firewall and I hope one of you guys can point me in the right direction. I'm not sure if it's an issue with shorewall or my firewall.

I'm running version 2.4.2 of shorewall on a bering-uclibc machine.

I have a script run each night that just emails me my shorewall accounting output.

firewall# cat /usr/bin/sendstats
acctlog=/usr/bin/accounting.stats
curdate=`date`
# dump the accounting chain counters to a file
shorewall show accounting > $acctlog
if [ -f $acctlog ]; then
    # mail the file as an attachment
    echo | mail -s "Hosting Shorewall stats $curdate" -a $acctlog aaa@xxx.ccc
fi
# zero the counters for the next day and tidy up
shorewall reset
rm $acctlog

This has run fine for some time, but all of a sudden it no longer resets the accounting each time it runs (so I'm now getting an accumulated stats email each night, which isn't what I want).

If I manually run

shorewall show accounting
shorewall reset
shorewall show accounting

the line at the top of the shorewall show accounting output shows that the stats are being reset, but when run via the script it doesn't reset the accounting info.

Could any of you point me in a direction to try and find out why it's not resetting when called via the script?

Cheers
Ad

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
Did you try to debug the script? Put some echo $... commands in and try to run it manually.

I can see no shell statement #!/bin/"someshell" at the beginning of the script. Maybe your default system shell has changed?

I'm not good in bash shell, but I think that curdate=$(date) is better than curdate=`date`. Or maybe your shell exits before the shorewall reset command.

Dexter

On Thu, 2006-02-02 at 09:57 +1100, AdStar wrote:
> Could any of you point me in a direction to try and find out why it's not
> resetting when called via the script.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
AdStar,

It seems that Shorewall worked fine in this environment for some days, weeks, months, then suddenly stopped working? Did you upgrade Shorewall to cause it to stop working? If not, what did you upgrade? What did you change?

If you didn't change Shorewall then this has to be environmental -- the environment in which your cron job runs has changed in some way. You need to understand how it changed. This environmental angle is my guess -- after all, you say that 'shorewall reset' works fine from a shell prompt.

In any event, I would replace "shorewall reset" with

    /bin/sh -x /sbin/shorewall reset 2> /tmp/crontrace

in your cron job and when that job does something wrong, look at the /tmp/crontrace file. And if the cron job never does anything weird after that change then you have your answer (and you get to puzzle out what the right question was).

/sbin/shorewall is a very simple shell program -- and understanding a trace of a simple shell program is something that anyone who runs Shorewall should be able to do. That's my stand, anyway...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
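The trace Tom asks for shows what ran; what it cannot do is make the nightly job fail visibly when `shorewall reset` does not take effect. The script below is an added example written for this page, not the thread's sendstats and not Shorewall code. It restates the job so that a cron run diagnoses itself: the interpreter is declared and PATH is set (Dexter's points), every step's exit status is written to a trace file, and the counters are only reset after the report has actually been delivered. The names run_step, log_env and send_stats, the SHOREWALL, MAILER, ACCT_LOG, TRACE_LOG and REPORT_TO variables, and the aaa@xxx.ccc address are assumptions made here; `mail -a FILE` is used the way the thread's script uses it.

```shell
#!/bin/sh
# Added example (not the thread's sendstats, not Shorewall code): a
# cron-safe version of the nightly accounting job.  Everything the thread's
# diagnosis turns on is made explicit:
#   - the interpreter is declared, so cron cannot pick a different shell;
#   - PATH is set, not inherited from cron's minimal environment;
#   - each step's exit status goes to a trace file, so a failed
#     'shorewall reset' is visible instead of silently skipped;
#   - the counters are only reset after the report was delivered.
# SHOREWALL, MAILER, ACCT_LOG, TRACE_LOG and REPORT_TO are hypothetical
# knobs so the job can be exercised against stub commands off the firewall.

PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

SHOREWALL=${SHOREWALL:-/sbin/shorewall}
MAILER=${MAILER:-mail}                        # 'mail -a FILE' as in the thread
ACCT_LOG=${ACCT_LOG:-/tmp/accounting.stats}
TRACE_LOG=${TRACE_LOG:-/tmp/crontrace}
REPORT_TO=${REPORT_TO:-aaa@xxx.ccc}           # placeholder address from the thread

# log_env: record what this run sees, so a cron run can be compared with an
# interactive one (the usual cause of "works at the prompt, not from cron").
log_env() {
    {
        echo "=== $(date) pid=$$"
        echo "PATH=$PATH"
        echo "user=$(id -un 2>/dev/null) umask=$(umask) shell=${SHELL:-unset}"
        df -kP /tmp 2>/dev/null | tail -n 1   # free space on /tmp (the RAM disk on Bering)
    } >>"$TRACE_LOG"
}

# run_step NAME CMD ARGS...: run one step, log its exit status under NAME,
# and return that status.  stdout passes through; stderr goes to the trace.
run_step() {
    step_name=$1
    shift
    "$@" 2>>"$TRACE_LOG"
    step_rc=$?
    echo "step=$step_name rc=$step_rc" >>"$TRACE_LOG"
    return $step_rc
}

# send_stats: produce the report, mail it, then reset the counters.
# Returns 0 only when all three steps succeeded.
send_stats() {
    log_env
    if ! run_step show "$SHOREWALL" show accounting >"$ACCT_LOG"; then
        rm -f "$ACCT_LOG"
        return 1
    fi
    if [ -s "$ACCT_LOG" ]; then
        if ! run_step mail "$MAILER" -s "Hosting Shorewall stats $(date)" \
                -a "$ACCT_LOG" "$REPORT_TO" </dev/null; then
            # Undelivered report: leave the counters and the file alone so
            # nothing is lost; the next run will still carry the data.
            return 1
        fi
    fi
    run_step reset "$SHOREWALL" reset
    reset_rc=$?
    rm -f "$ACCT_LOG"
    return $reset_rc
}

# Run the job only when invoked as the installed script (e.g. from cron as
# /usr/bin/sendstats), so the functions can also be sourced for testing.
case ${0##*/} in
    sendstats) send_stats; exit $? ;;
esac
```

Installed as /usr/bin/sendstats and called from cron, the job exits non-zero whenever a step fails, which cron reports in its own mail, and /tmp/crontrace then holds the PATH, umask and free-space lines from the failing run next to the exit status of each step. Skipping the reset when the mail step fails is a deliberate choice: an accumulated report is recoverable, counters zeroed before delivery are not.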
Hi Tom,

Thanks Tom for getting back to me, I had no idea where to start to try and track down the problem.

I've run the command as you stated (with the output below). It does "look" fine to me, but the issue I have is still there.

firewall# shorewall show accounting
Shorewall-2.4.2 Chain accounting at firewall - Mon Feb 6 09:18:32 EDST 2006

Counters reset Mon Feb 6 09:16:32 EDST 2006

Chain accounting (3 references)
<snip>

If I run the script from a prompt, the "Counters reset Mon Feb 6 09:16:32 EDST 2006" line resets itself to when I run the script, and clears the counters. When the script is called from crontab (even though I get the debug output), the actual counters in shorewall aren't resetting.

I don't show any errors in my cron.log and it has me totally stumped: when I run the script manually it works, via cron it doesn't.

This is the crontrace when run from cron. It's the same output when run manually.

firewall# cat crontrace
+ debugging
+ [ 1 -gt 0 ]
+ [ reset = debug -o reset = trace ]
+ nolock
+ [ 1 -gt 0 ]
+ [ reset = nolock ]
+ SHOREWALL_DIR
+ QUIET
+ IPT_OPTIONS=-nv
+ FAST
+ VERBOSE
+ done=0
+ [ 0 -eq 0 ]
+ [ 1 -eq 0 ]
+ option=reset
+ done=1
+ [ 1 -eq 0 ]
+ [ 1 -eq 0 ]
+ [ -n ]
+ [ -n ]
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+ MUTEX_TIMEOUT
+ SHARED_DIR=/usr/share/shorewall
+ FIREWALL=/usr/share/shorewall/firewall
+ FUNCTIONS=/usr/share/shorewall/functions
+ VERSION_FILE=/usr/share/shorewall/version
+ HELP=/usr/share/shorewall/help
+ [ -f /usr/share/shorewall/functions ]
+ . /usr/share/shorewall/functions
+ LEFTSHIFT=<<
+ ensure_config_path
+ local F=/usr/share/shorewall/configpath
+ [ -z ]
+ [ -f /usr/share/shorewall/configpath ]
+ . /usr/share/shorewall/configpath
+ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+ find_file shorewall.conf
+ local saveifs= directory
+ [ -n -a -f /shorewall.conf ]
+ saveifs
+ IFS=:
+ [ -f /etc/shorewall/shorewall.conf ]
+ echo /etc/shorewall/shorewall.conf
+ IFS
+ return
+ config=/etc/shorewall/shorewall.conf
+ [ -f /etc/shorewall/shorewall.conf ]
+ [ -r /etc/shorewall/shorewall.conf ]
+ . /etc/shorewall/shorewall.conf
+ STARTUP_ENABLED=Yes
+ LOGFILE=/var/log/shorewall.log
+ LOGFORMAT=Shorewall:%s:%s:
+ LOGTAGONLY=No
+ LOGRATE
+ LOGBURST
+ LOGALLNEW
+ BLACKLIST_LOGLEVEL
+ LOGNEWNOTSYN=ULOG
+ MACLIST_LOG_LEVEL=ULOG
+ TCP_FLAGS_LOG_LEVEL=ULOG
+ RFC1918_LOG_LEVEL=ULOG
+ SMURF_LOG_LEVEL=ULOG
+ BOGON_LOG_LEVEL=ULOG
+ LOG_MARTIANS=No
+ IPTABLES
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+ SHOREWALL_SHELL=/bin/sh
+ SUBSYSLOCK=/var/run/shorewall
+ STATEDIR=/var/state/shorewall
+ MODULESDIR
+ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+ RESTOREFILE
+ FW=fw
+ IP_FORWARDING=On
+ ADD_IP_ALIASES=Yes
+ ADD_SNAT_ALIASES=No
+ RETAIN_ALIASES=No
+ TC_ENABLED=No
+ CLEAR_TC=Yes
+ MARK_IN_FORWARD_CHAIN=No
+ CLAMPMSS=No
+ ROUTE_FILTER=No
+ DETECT_DNAT_IPADDRS=No
+ MUTEX_TIMEOUT=60
+ NEWNOTSYN=Yes
+ ADMINISABSENTMINDED=Yes
+ BLACKLISTNEWONLY=Yes
+ DELAYBLACKLISTLOAD=No
+ MODULE_SUFFIX
+ DISABLE_IPV6=No
+ BRIDGING=No
+ DYNAMIC_ZONES=No
+ PKTTYPE=Yes
+ DROPINVALID=No
+ RFC1918_STRICT=No
+ MACLIST_TTL
+ SAVE_IPSETS=No
+ BLACKLIST_DISPOSITION=DROP
+ MACLIST_DISPOSITION=REJECT
+ TCP_FLAGS_DISPOSITION=DROP
+ ensure_config_path
+ local F=/usr/share/shorewall/configpath
+ [ -z /etc/shorewall:/usr/share/shorewall ]
+ export CONFIG_PATH
+ get_config
+ [ -z /var/log/shorewall.log ]
+ [ ! -f /var/log/shorewall.log ]
+ tail -n5 /var/log/shorewall.log
+ realtail=Yes
+ [ -n fw ]
+ [ -n LOGFORMAT ]
+ LOGFORMAT=Shorewall:
+ [ -n Shorewall: ]
+ [ -n ]
+ which iptables
+ IPTABLES=/sbin/iptables
+ [ -z /sbin/iptables ]
+ [ -n /bin/sh ]
+ [ ! -e /bin/sh ]
+ [ -n ]
+ RESTOREFILE=restore
+ validate_restorefile RESTOREFILE
+ export RESTOREFILE
+ [ -z /var/state/shorewall ]
+ [ ! -f /usr/share/shorewall/firewall ]
+ [ -f /usr/share/shorewall/version ]
+ cat /usr/share/shorewall/version
+ version=2.4.2
+ banner=Shorewall-2.4.2 Status at -
+ echo -e
+ RING_BELL=echo -e \a
+ echo -n Testing
+ ECHO_N=-n
+ [ 1 -ne 1 ]
+ exec /bin/sh /usr/share/shorewall/firewall reset

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Saturday, 4 February 2006 16:20
To: Shorewall Users
Subject: [Shorewall-users] RE: problem with shorewall reset (I think).

In any event, I would replace "shorewall reset" with "/bin/sh -x /sbin/shorewall reset 2> /tmp/crontrace" in your cron job and when that job does something wrong, look at the /tmp/crontrace file.
> + exec /bin/sh /usr/share/shorewall/firewall reset

Ok -- this time, let's put this command in your crontab:

    /sbin/shorewall trace reset 2> /tmp/crontrace

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
This is the output when running /sbin/shorewall trace reset 2> /tmp/crontrace

firewall# cat crontrace
+ shift
+ nolock
+ [ 1 -gt 1 ]
+ trap my_mutex_off; exit 2 1 2 3 4 5 6 9
+ COMMAND=reset
+ [ 1 -ne 1 ]
+ do_initialize
+ export LC_ALL=C
+ umask 177
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ terminator=startup_error
+ version
+ IPTABLES
+ FW
+ SUBSYSLOCK
+ STATEDIR
+ ALLOWRELATED=Yes
+ LOGRATE
+ LOGBURST
+ LOGPARMS
+ LOGLIMIT
+ ADD_IP_ALIASES
+ ADD_SNAT_ALIASES
+ TC_ENABLED
+ BLACKLIST_DISPOSITION
+ BLACKLIST_LOGLEVEL
+ CLAMPMSS
+ ROUTE_FILTER
+ LOG_MARTIANS
+ DETECT_DNAT_IPADDRS
+ MUTEX_TIMEOUT
+ NEWNOTSYN
+ LOGNEWNOTSYN
+ FORWARDPING
+ MACLIST_DISPOSITION
+ MACLIST_LOG_LEVEL
+ TCP_FLAGS_DISPOSITION
+ TCP_FLAGS_LOG_LEVEL
+ RFC1918_LOG_LEVEL
+ BOGON_LOG_LEVEL
+ MARK_IN_FORWARD_CHAIN
+ SHARED_DIR=/usr/share/shorewall
+ FUNCTIONS
+ VERSION_FILE
+ LOGFORMAT
+ LOGRULENUMBERS
+ ADMINISABSENTMINDED
+ BLACKLISTNEWONLY
+ MODULE_SUFFIX
+ ACTIONS
+ USEDACTIONS
+ SMURF_LOG_LEVEL
+ DISABLE_IPV6
+ BRIDGING
+ DYNAMIC_ZONES
+ PKTTYPE
+ RETAIN_ALIASES
+ DELAYBLACKLISTLOAD
+ LOGTAGONLY
+ LOGALLNEW
+ DROPINVALID
+ RFC1918_STRICT
+ MACLIST_TTL
+ SAVE_IPSETS
+ RESTOREFILE
+ RESTOREBASE
+ TMP_DIR
+ ALL_INTERFACES
+ ROUTEMARK_INTERFACES
+ ROUTEMARK=256
+ PROVIDERS
+ stopping
+ have_mutex
+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add
+ FUNCTIONS=/usr/share/shorewall/functions
+ [ -f /usr/share/shorewall/functions ]
+ [ -n ]
+ echo Loading /usr/share/shorewall/functions...
+ . /usr/share/shorewall/functions
+ LEFTSHIFT=<<
+ mktempdir
+ [ -z ]
+ find_mktemp
+ which mktemp
+ local mktemp
+ [ -n ]
+ MKTEMP=None
+ mkdir /tmp/shorewall-17342
+ chmod 700 /tmp/shorewall-17342
+ echo /tmp/shorewall-17342
+ TMP_DIR=/tmp/shorewall-17342
+ [ -n /tmp/shorewall-17342 ]
+ chmod 700 /tmp/shorewall-17342
+ trap rm -rf /tmp/shorewall-17342; my_mutex_off; exit 2 1 2 3 4 5 6 9
+ ensure_config_path
+ local F=/usr/share/shorewall/configpath
+ [ -z /etc/shorewall:/usr/share/shorewall ]
+ VERSION_FILE=/usr/share/shorewall/version
+ [ -f /usr/share/shorewall/version ]
+ cat /usr/share/shorewall/version
+ version=2.4.2
+ run_user_exit params
+ find_file params
+ local saveifs= directory
+ [ -n -a -f /params ]
+ saveifs
+ IFS=:
+ [ -f /etc/shorewall/params ]
+ echo /etc/shorewall/params
+ IFS
+ return
+ local user_exit=/etc/shorewall/params
+ [ -f /etc/shorewall/params ]
+ progress_message Processing /etc/shorewall/params ...
+ [ -n ]
+ echo Processing /etc/shorewall/params ...

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Monday, 6 February 2006 09:32
To: shorewall-users@lists.sourceforge.net
Cc: AdStar
Subject: Re: [Shorewall-users] RE: problem with shorewall reset (I think).

> + exec /bin/sh /usr/share/shorewall/firewall reset

Ok -- this time, let's put this command in your crontab:

    /sbin/shorewall trace reset 2> /tmp/crontrace
On Sunday 05 February 2006 15:05, AdStar wrote:
> This is the output when running /sbin/shorewall trace reset 2>
> + echo Processing /etc/shorewall/params ...

So what's in your /etc/shorewall/params file?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Ahh ok I see where we are going (I'm used to seeing an error on the last line, I didn't realise that is the "last" thing to look/at/run).

My params file is empty (apart from the default text):

#
# Shorewall 2.4 /etc/shorewall/params
#
# Assign any variables that you need here.
#
# It is suggested that variable names begin with an upper case letter
# to distinguish them from variables used internally within the
# Shorewall programs
#
# Example:
#
# NET_IF=eth0
# NET_BCAST=130.252.100.255
# NET_OPTIONS=routefilter,norfc1918
#
# Example (/etc/shorewall/interfaces record):
#
# net $NET_IF $NET_BCAST $NET_OPTIONS
#
# The result will be the same as if the record had been written
#
# net eth0 130.252.100.255 routefilter,norfc1918
#
##############################################################################
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Monday, 6 February 2006 10:17
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] RE: problem with shorewall reset (I think).

So what's in your /etc/shorewall/params file?
On Sunday 05 February 2006 15:29, AdStar wrote:
> Ahh ok I see where we are going (I'm used to seeing an error on the last
> line, I didn't realise that is the "last" thing to look/at/run).
>
> My params file is empty (apart from the default text)
>

Are you running Leaf/Bering? -- it looks like your RAM disk may have become full at that point.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
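Tom's hint points at the step the trace stops on: mktempdir creating /tmp/shorewall-17342 and chmod'ing it to 700 before anything else can be done. The function below is an added example for this page, not Shorewall code, that checks a temporary directory the way that step needs it (create a 0700 subdirectory, write a file into it, and read the free space from `df -kP`), so a cron job can refuse to run with a clear message when a RAM disk has filled up instead of stopping part way with nothing in the log. tmp_check and tmp_free_kb are hypothetical names; the 512K default threshold and the cron line in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): a pre-flight
# check for the temporary filesystem that shorewall needs when it creates
# its work directory (the trace shows mkdir + chmod 700 under /tmp).  On a
# LEAF/Bering box /tmp lives on a RAM disk, so once it is full every later
# step fails without an obvious error.  Run this from cron before the job
# and let it fail loudly instead.

# tmp_check DIR [MIN_KB]   (MIN_KB defaults to 512, an assumption)
#   0  DIR exists, accepts a fresh 0700 subdirectory and a small file,
#      and reports at least MIN_KB free per 'df -kP'
#   1  DIR is missing or not a directory
#   2  cannot create or write inside DIR (typical of a full RAM disk)
#   3  writable, but fewer than MIN_KB free
# Diagnostics go to stderr so the caller's stdout stays clean.
tmp_check() {
    dir=$1
    min_kb=${2:-512}

    [ -d "$dir" ] || { echo "tmp_check: $dir is not a directory" >&2; return 1; }

    probe="$dir/tmpcheck-$$"
    if ! mkdir "$probe" 2>/dev/null || ! chmod 700 "$probe" 2>/dev/null; then
        echo "tmp_check: cannot create a work directory in $dir" >&2
        rm -rf "$probe"
        return 2
    fi
    # mkdir can still succeed on a nearly full filesystem; a data write may not
    if ! printf 'probe\n' >"$probe/w" 2>/dev/null; then
        echo "tmp_check: cannot write a file in $dir" >&2
        rm -rf "$probe"
        return 2
    fi
    rm -rf "$probe"

    free_kb=$(tmp_free_kb "$dir")
    if [ "${free_kb:-0}" -lt "$min_kb" ]; then
        echo "tmp_check: only ${free_kb:-0}K free in $dir (need ${min_kb}K)" >&2
        return 3
    fi
    return 0
}

# tmp_free_kb DIR: print the free kilobytes on DIR's filesystem.
# 'df -kP' gives the POSIX one-line-per-filesystem layout, so the
# "Available" column is always field 4 of the second line.
tmp_free_kb() {
    df -kP "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# Hypothetical crontab entry using it; the reset only runs when the
# RAM disk passes, and a failure is reported through the job's exit status:
#   0 1 * * * tmp_check /tmp 1024 && /sbin/shorewall trace reset 2> /tmp/crontrace
```

The probe deliberately mirrors what the trace shows shorewall doing (mkdir, then chmod 700) rather than only consulting `df`, because a filesystem can report a little free space and still refuse the write. Keeping the exit codes distinct lets cron mail, or a wrapper, say whether the directory was missing, unwritable, or merely low on space.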