For the same configuration in which the default policy is drop and only one connection is accepted in rules, continuous pinging to devices will stop squarely in 4.0.15 as soon as a very basic firewall is enabled, whereas in 4.4.26.1 pinging will still continue after the firewall is enabled.

All tests are done with a proper reboot of unit3, where the firewall is applied:

  unit1       <--->  eth4        unit3        eth1  <--->  unit2
  192.168.3.2        192.168.3.1              172.30.159.103      172.30.159.102
  lan zone                                    net zone

In this case, continuous pings from unit1 to unit2 will stop when the 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1 (easily made since unit3 is booting from a different compact flash), copying the files from 4.0.15 to it, and executing 'shorewall start' will not stop the pings from unit1 to unit2 even though the policy is DROP.

Other traffic is effectively stopped, but not so with icmp packets.

I've looked at the changelog and release notes for 4.4.26.1 but did not find anything about this.

The firewall is very basic, and shorewall.conf is the same:

zones
  fw   firewall
  net  ipv4
  lan  ipv4

interfaces
  net  eth1
  lan  eth4

policy
  all  all  DROP

rules
  (none)

Using the same shorewall.conf might not be appropriate, so I also tried with the shorewall.conf provided in the 4.4.26.1 version, while keeping the same zones, interfaces and policy files.

------------------------------------------------------------------------------
Virtualization & Cloud Management Using Capacity Planning
Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service.
http://www.accelacomm.com/jaw/sfnl/114/51521223/
On Feb 26, 2012, at 2:09 PM, jonetsu wrote:

> For the same configuration in which the default policy is drop and only
> one connection is accepted in rules, continuous pinging to devices
> will stop squarely in 4.0.15 as soon as a very basic firewall is
> enabled, whereas in 4.4.26.1 pinging will still continue after the
> firewall is enabled.
>
> All tests are done with a proper reboot of unit3, where the firewall
> is applied:
>
>   unit1       <--->  eth4        unit3        eth1  <--->  unit2
>   192.168.3.2        192.168.3.1              172.30.159.103      172.30.159.102
>   lan zone                                    net zone
>
> In this case, continuous pings from unit1 to unit2 will stop when the
> 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1 (easily
> made since unit3 is booting from a different compact flash),
> copying the files from 4.0.15 to it, and executing 'shorewall start'
> will not stop the pings from unit1 to unit2 even though the policy is
> DROP.
>
> Other traffic is effectively stopped, but not so with icmp packets.
>
> I've looked at the changelog and release notes for 4.4.26.1 but did not
> find anything about this.
>
> The firewall is very basic, and shorewall.conf is the same:
>
> zones
>   fw   firewall
>   net  ipv4
>   lan  ipv4
>
> interfaces
>   net  eth1
>   lan  eth4
>
> policy
>   all  all  DROP
>
> rules
>   (none)
>
> Using the same shorewall.conf might not be appropriate, so I also tried
> with the shorewall.conf provided in the 4.4.26.1 version, while
> keeping the same zones, interfaces and policy files.

Output of 'shorewall dump' as an attachment, please.

-Tom

Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Sun, 26 Feb 2012 14:33:16 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> On Feb 26, 2012, at 2:09 PM, jonetsu wrote:
>
> > For the same configuration in which the default policy is drop and
> > only one connection is accepted in rules, continuous pinging to
> > devices will stop squarely in 4.0.15 as soon as a very basic
> > firewall is enabled, whereas in 4.4.26.1 pinging will still
> > continue after the firewall is enabled.
> >
> > All tests are done with a proper reboot of unit3, where the
> > firewall is applied:
> >
> >   unit1       <--->  eth4        unit3        eth1  <--->  unit2
> >   192.168.3.2        192.168.3.1              172.30.159.103      172.30.159.102
> >   lan zone                                    net zone
> >
> > In this case, continuous pings from unit1 to unit2 will stop when
> > the 4.0.15 firewall is applied. Rebooting unit3 with 4.4.26.1
> > (easily made since unit3 is booting from a different compact flash),
> > copying the files from 4.0.15 to it, and executing 'shorewall
> > start' will not stop the pings from unit1 to unit2 even though the
> > policy is DROP.
> >
> > Other traffic is effectively stopped, but not so with icmp packets.
> >
> > I've looked at the changelog and release notes for 4.4.26.1 but did
> > not find anything about this.
> >
> > The firewall is very basic, and shorewall.conf is the same:
> >
> > zones
> >   fw   firewall
> >   net  ipv4
> >   lan  ipv4
> >
> > interfaces
> >   net  eth1
> >   lan  eth4
> >
> > policy
> >   all  all  DROP
> >
> > rules
> >   (none)
> >
> > Using the same shorewall.conf might not be appropriate, so I also
> > tried with the shorewall.conf provided in the 4.4.26.1 version,
> > while keeping the same zones, interfaces and policy files.
>
> Output of 'shorewall dump' as an attachment, please.

Hmmm.. Not sure if the other one got to you, so here it is. Sorry for any duplicate. Here is the dump.

It was done in the following way:
- unit3: reboot w/o any iptables commands applied
- start continuous pings from unit1
- unit3: shorewall start
- (continuous pings still going on)
- unit3: shorewall dump

192.168.3.2    = unit1 = pinging unit
172.30.159.103 = unit3 = shorewall unit
172.30.159.102 = unit2 = pinging target unit

eth1 <--> fe-4-2 unit3 fe-3-1 <--> fe-3-1 eth2

In a parallel iptables-only test it is possible to immediately stop the pings when iptables rules are applied by flushing the whole thing before applying any new rules.

Thanks !
On 2/28/12 5:23 PM, jonetsu wrote:

> Hmmm.. Not sure if the other one got to you, so here it is. Sorry for
> any duplicate. Here is the dump.
>
> It was done in the following way:
> - unit3: reboot w/o any iptables commands applied
> - start continuous pings from unit1
> - unit3: shorewall start
> - (continuous pings still going on)
> - unit3: shorewall dump
>
> 192.168.3.2    = unit1 = pinging unit
> 172.30.159.103 = unit3 = shorewall unit
> 172.30.159.102 = unit2 = pinging target unit
>
> eth1 <--> fe-4-2 unit3 fe-3-1 <--> fe-3-1 eth2
>
> In a parallel iptables-only test it is possible to immediately stop the
> pings when iptables rules are applied by flushing the whole thing
> before applying any new rules.
>
> Thanks !

So everything else, other than the Shorewall version, was the same in these two tests? Kernel, iptables, iproute2, ...?

-Tom
On 02/28/2012 07:42 PM, Tom Eastep wrote:

> On 2/28/12 5:23 PM, jonetsu wrote:
> > Hmmm.. Not sure if the other one got to you, so here it is. Sorry for
> > any duplicate. Here is the dump.
> >
> > It was done in the following way:
> > - unit3: reboot w/o any iptables commands applied
> > - start continuous pings from unit1
> > - unit3: shorewall start
> > - (continuous pings still going on)
> > - unit3: shorewall dump
> >
> > 192.168.3.2    = unit1 = pinging unit
> > 172.30.159.103 = unit3 = shorewall unit
> > 172.30.159.102 = unit2 = pinging target unit
> >
> > eth1 <--> fe-4-2 unit3 fe-3-1 <--> fe-3-1 eth2
> >
> > In a parallel iptables-only test it is possible to immediately stop the
> > pings when iptables rules are applied by flushing the whole thing
> > before applying any new rules.
> >
> > Thanks !
>
> So everything else, other than the Shorewall version, was the same in
> these two tests? Kernel, iptables, iproute2, ...?

I suspect that you were previously running on a different kernel version.

On the system that I am writing this on (Ubuntu 11.10, kernel 3.0.0), the /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout setting has value 30 (seconds). Experimentation has shown that the conntrack table entry for ping stays around for 30 seconds after I stop pinging.

In contrast, on Centos-5 with kernel 2.6.18-274, the ip_conntrack_icmp_timeout setting is the same but the conntrack table entry is destroyed when the ping reply is returned.

So to stop an existing ping with shorewall start/restart, you need to flush the conntrack table ('shorewall restart -p'). That requires that you install the conntrack utility program (usually, the package is called simply 'conntrack').

-Tom
On Wed, 29 Feb 2012 10:33:28 -0800, Tom Eastep <teastep@shorewall.net> wrote:

> So to stop an existing ping with shorewall start/restart, you need
> to flush the conntrack table ('shorewall restart -p'). That requires
> that you install the conntrack utility program (usually, the package
> is called simply 'conntrack').

It was indeed a difference of kernels. Setting the conntrack ICMP timeout value to 1, for instance, for all practical purposes stops the pings just about immediately, which is fine.

This approach would be less encompassing than having a shorewall -p, which I suspect resets much more than only the ICMP timeout. For instance, if an admin is logged in using ssh for setting up a firewall, using shorewall -p would flush his connection tracking table, which could be detrimental when making an error such as not opening a hole for the ssh connection once the firewall is up. Is it possible to only flush certain tables ?

A value of 1 as the ICMP timeout could perhaps have an effect on normal pings when the network is slow, do you think so ?

Those were the components:

System that does not stop the pings:
  shorewall: 4.5.0.1-4.5.1-Beta2
  kernel:    3.0.0
  iptables:  1.4.8-3
  iproute:   20100519-3

System that does stop the pings:
  shorewall: 4.0.15
  kernel:    2.6.26
  iptables:  1.3.6.0
  iproute:   20061002-3

Thanks so much for your help.
On 2/29/12 6:36 PM, "jonetsu" <jonetsu@teksavvy.com> wrote:

> A value of 1 as the ICMP timeout could perhaps have an effect on normal
> pings when the network is slow, do you think so ?

It could cause timeouts. So you have to decide which is the lesser of the two evils.

> Thanks so much for your help.

You are welcome,

-Tom
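The mechanism Tom describes earlier in the thread (an existing conntrack entry lets the ping keep flowing through a freshly started DROP policy until the ICMP timeout expires) and the later question about flushing less than the whole table are illustrated by the following script. It is an added example, not code from the thread or from Shorewall. It assumes conntrack-tools (the conntrack(8) command) is installed and that the real deletion runs as root; the conntrack listing it parses is a constructed sample in the /proc/net/nf_conntrack format, reusing the thread's addresses with made-up ICMP ids, ports and remaining timeouts. The fallback between the two sysctl paths, the DRY_RUN convention and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall.
# Lists the conntrack entries that keep an in-flight ping alive across a
# new DROP policy and deletes only those, leaving every other entry (for
# example an admin's SSH session) in place. The real deletion needs
# conntrack-tools and root; the parsing runs on a constructed sample.

# Constructed sample in /proc/net/nf_conntrack format. Addresses are the
# thread's; the ICMP id, ports and remaining timeouts are made up.
SAMPLE_CONNTRACK='ipv4     2 icmp     1 29 src=192.168.3.2 dst=172.30.159.102 type=8 code=0 id=4242 src=172.30.159.102 dst=192.168.3.2 type=0 code=0 id=4242 mark=0 use=2
ipv4     2 tcp      6 431997 ESTABLISHED src=192.168.3.2 dst=192.168.3.1 sport=51234 dport=22 src=192.168.3.1 dst=192.168.3.2 sport=22 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 udp      17 28 src=192.168.3.2 dst=192.168.3.1 sport=40000 dport=53 src=192.168.3.1 dst=192.168.3.2 sport=53 dport=40000 mark=0 use=2'

# Seconds an ICMP entry lives after its last packet. Newer kernels expose
# the knob under net/netfilter/, older ones under net/ipv4/netfilter/.
icmp_timeout() {
    for f in /proc/sys/net/netfilter/nf_conntrack_icmp_timeout \
             /proc/sys/net/ipv4/netfilter/ip_conntrack_icmp_timeout; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo unknown
    return 1
}

# Read a conntrack listing on stdin and print "src dst id seconds_left"
# for each ICMP entry. Field 3 is the protocol name, field 5 the
# remaining timeout; the first src=/dst=/id= tokens are the original
# direction (the echo request as the pinging host sent it).
icmp_entries() {
    awk '$3 == "icmp" {
        src = ""; dst = ""; id = ""
        for (i = 6; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            if (id == "" && $i ~ /^id=/) id = substr($i, 4)
        }
        print src, dst, id, $5
    }'
}

# Turn each ICMP entry into the conntrack(8) command that deletes just
# that flow. TCP and UDP entries are never touched.
delete_commands() {
    icmp_entries | while read -r src dst id left; do
        echo "conntrack -D -p icmp -s $src -d $dst"
    done
}

# Use the live table when it is readable, otherwise the sample.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them.
flush_icmp_entries() {
    if [ -r /proc/net/nf_conntrack ]; then
        input=$(cat /proc/net/nf_conntrack)
    else
        input=$SAMPLE_CONNTRACK
    fi
    echo "icmp conntrack timeout: $(icmp_timeout) s"
    printf '%s\n' "$input" | delete_commands | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd
        fi
    done
}

case "${1:-}" in
    run) flush_icmp_entries ;;
esac
```

Invoked as `sh flush_icmp.sh run` it prints one delete command per ICMP entry; `DRY_RUN=0 sh flush_icmp.sh run` executes them as root. On the sample, the TCP entry for port 22 and the UDP entry are left alone, which is the point of deleting per protocol rather than flushing the whole table. The blunt equivalent is a single `conntrack -D -p icmp`; lowering the timeout sysctl instead, as discussed in the thread, trades this for slow echo replies being treated as new connections and hitting the DROP policy.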