Dear List, I am not sure how to encircle my problem. As follows: My policy is

    intranet > dmz allow

in an environment like

    intranet - gateway/shorewall - dmz

but I still get some packets rejected by all2all, the last policy. I can't reproduce it manually - but my monitoring daemon looking for webservers in my DMZ gets rejects from Shorewall that are logged. The corresponding request comes from a high port to 80, and doing it again with, let's say

    # netcat webserver 80

works and I get a response from my webserver, forwarded by Shorewall. Looking deeper into my logfiles I noticed that also an allowed rule gets rejected. It's an issue where primarily all connections work but sporadically some packets get rejected.

How can I track this down? Is there a connection count that gets exceeded?

Thanks in advance.

Regards
C. Moire

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Moire wrote:
>
> It's an issue where primarily all connections work
> but sporadically some packets get rejected.
>
> How can I track this down? Is there a connection
> count that gets exceeded?
>

Look carefully at the log messages -- are the packets entering your firewall via the wrong interface?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Moire wrote:
> Dear List, I am not sure how to encircle my problem.
>
> As follows: My policy is
>
> intranet > dmz allow
>
> in an environment like
>
> intranet - gateway/shorewall - dmz
>
> but I still get some packets rejected by all2all, the last policy.

Change your policies as suggested in the section "Logging tips" at http://linuxman.wikispaces.com/PPPPPPS

Then try again and see which one gets rejected.

Paul
On 06.07.2006 at 15:38, Tom Eastep wrote:
> Moire wrote:
>
>> It's an issue where primarily all connections work
>> but sporadically some packets get rejected.
>>
>> How can I track this down? Is there a connection
>> count that gets exceeded?
>
> Look carefully at the log messages -- are the packets entering your
> firewall via
> the wrong interface?

Hello, after investing a weekend, now some details. Well, my setup is as follows: Outgoing traffic goes over a bridge either to my DMZ or into the internet. These sporadically rejected packets are those that try to leave my bridge over the wrong interface of the bridge (br0:eth1 instead of br0:eth2). The involved daemon tries to access every 8 minutes - but over a day at least 5 packets get rejected. This happens more in the time window where no one is at the office.

    REJECT:IN=eth0 OUT=br0 PHYSOUT=eth1 SRC="$RFC1918IP" DST="$PUBLICIP" LEN=60 \
    TOS=0x08 PREC=0x00 TTL=63 ID=18613 DF PROTO=TCP SPT=1400 DPT=80

Normal access into the DMZ works. My arp table shows my webserver on interface br0 and brctl shows

    bridge name   STP enabled   interfaces
    br0           no            eth1
                                eth2

    brctl showmacs br0 (macs are Xed)

    port no   mac addr           is local?   ageing timer
    1         00:xxxxxxxxxxxx    yes         0.00
    2         00:xxxxxxxxxxxx    no          45.22      <<<< Webserver
    2         00:xxxxxxxxxxxx    yes         0.00
    1         00:xxxxxxxxxxxx    no          0.19

It looks like an ageing timeout, where the MACs get deleted?! A normal arp reply should work because the webserver is up and running. Is my problem exactly here?

And there is another warning that I got today for the first time. Not sure if it has something to do with this issue.

    1 Time(s): Dead loop on virtual device br0, fix it urgently!

It scares me a bit - how to interpret this warning?

Some info about my setup: Don't masq for dmz but for all others.

shorewall/masq

    #INTERFACE                    SUBNET        ADDRESS
    br0:!$PUBLICWEBSERVERINDMZ    $MYRFC1918    $PUBLICMYGATEWAYSIP

shorewall/hosts

    #ZONE   HOST(S)     OPTIONS
    net     br0:eth1
    dmz     br0:eth2    routeback

shorewall/interfaces

    #ZONE   INTERFACE   BROADCAST       OPTIONS                                                      GATEWAY
    intra   eth0        RFC1918Range    tcpflags,nobogons,norfc1918,blacklist,nosmurfs,routefilter
    -       br0         PUBLICRANGE     tcpflags,nobogons,norfc1918,blacklist,nosmurfs,routefilter

I use a modified rfc1918 file where my private net isn't listed. I think my problem gets more and more into the ethernet layer. I appreciate any help.

Thanks in advance
C. Moire
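To confirm the pattern Tom hinted at, it helps to parse the Shorewall REJECT lines and check the bridge port the packet actually left on (PHYSOUT) against the port the DMZ host is supposed to sit behind. The following checker is an added example written for this thread, not code from the poster or the Shorewall project; it assumes a single webserver behind br0:eth2 and uses constructed log lines with documentation addresses in place of the redacted ones.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the REJECT line quoted in the thread.
# Addresses are documentation ranges (RFC 5737), not the poster's real hosts.
SAMPLE_LOG = """\
Jul  8 02:11:03 gw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=br0 PHYSOUT=eth1 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=18613 DF PROTO=TCP SPT=1400 DPT=80
Jul  8 02:19:03 gw kernel: Shorewall:intra2dmz:ACCEPT:IN=eth0 OUT=br0 PHYSOUT=eth2 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=18614 DF PROTO=TCP SPT=1401 DPT=80
Jul  8 02:27:03 gw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=br0 PHYSOUT=eth1 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=18615 DF PROTO=TCP SPT=1402 DPT=80
Jul  8 02:35:03 gw kernel: Shorewall:net2all:REJECT:IN=br0 PHYSIN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22
"""

# Assumption: which bridge port each DMZ host should be reached through
# (one webserver behind br0:eth2, as in the poster's hosts file).
EXPECTED_PHYSOUT = {"203.0.113.10": "eth2"}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (chain, disposition, fields) for a Shorewall log line, else None."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)$", line)
    if not m:
        return None
    chain, disposition, rest = m.groups()
    # Bare flags such as "DF" carry no '=' and are simply skipped.
    return chain, disposition, dict(FIELD_RE.findall(rest))


def find_misrouted(log_text, expected=EXPECTED_PHYSOUT):
    """Rejected packets whose PHYSOUT differs from the port the DST host lives on."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        chain, disposition, f = parsed
        want = expected.get(f.get("DST"))
        if disposition == "REJECT" and want and f.get("PHYSOUT") != want:
            hits.append({"chain": chain, "dst": f["DST"], "physout": f.get("PHYSOUT"),
                         "spt": f.get("SPT"), "dpt": f.get("DPT")})
    return hits


def summarize(hits):
    """Count misrouted rejects per (chain, physout) so the pattern shows at a glance."""
    return Counter((h["chain"], h["physout"]) for h in hits)
```

Feeding the real kernel log through find_misrouted() separates the bridge-port flooding cases from ordinary policy rejects such as the net2all line, which is left alone because its destination is not a known DMZ host.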
Moire wrote:
>
> I think my problem gets more and more into the ethernet layer.
>

Yes -- I have recently learned that Shorewall bridge support as you are using it will be discontinued in the not too distant future because the underlying Netfilter support is going away (current plans call for the support to be removed from Netfilter around January 2007). The --physdev-out match will no longer be available in the OUTPUT and FORWARD chains and that match is what Shorewall is using to direct packets to the correct filtering chain (well, it's correct most of the time).

So I suspect that you are just going to have to live with the problem; as the Netfilter team make their plans clearer, I will let people know what, if anything, I will be able to do to continue Shorewall bridge/firewall support.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key