Hi,
I've been successfully using shorewall in our K12 school since the 2.x
days, initially on Mandrake and now on Debian. Because of that my config
has got quite complicated. The firewall has a working MultiISP setup
with four interfaces (I've renamed them with udev to ease their
identification): lan-if, dmz-if, snt-if and dnt-if (one of the providers
(the one on dnt-if) is a DSL provider, and thus there is a ppp0 too)
and five zones: loc, dmz, okt, kag and net (okt and kag are for special
organizations at our site, connected to dmz-if).
Until now I've used blacklisting to control the students' Internet
access (there was a simple application through which the teacher could
add/remove the IPs in the classroom to the blacklist file, and then
reload shorewall). Then there was a proposal to allow teachers to block
students' access to some parts of the Internet (Facebook). I've decided
to modernize the firewall setup by removing blacklisting and adding
dynamic zones instead.
The firewall host is a Debian Wheezy up to date install, with the
xtables-addons installed.
Capabilities:
Shorewall has detected the following iptables/netfilter capabilities:
NAT (NAT_ENABLED): Available
Packet Mangling (MANGLE_ENABLED): Available
Multi-port Match (MULTIPORT): Available
Extended Multi-port Match (XMULIPORT): Available
Connection Tracking Match (CONNTRACK_MATCH): Available
Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH): Available
Packet Type Match (USEPKTTYPE): Available
Policy Match (POLICY_MATCH): Available
Physdev Match (PHYSDEV_MATCH): Available
Physdev-is-bridged Support (PHYSDEV_BRIDGE): Available
Packet length Match (LENGTH_MATCH): Available
IP range Match(IPRANGE_MATCH): Available
Recent Match (RECENT_MATCH): Available
Owner Match (OWNER_MATCH): Available
Owner Name Match (OWNER_NAME_MATCH): Available
Ipset Match (IPSET_MATCH): Available
CONNMARK Target (CONNMARK): Available
Extended CONNMARK Target (XCONNMARK): Available
Connmark Match (CONNMARK_MATCH): Available
Extended Connmark Match (XCONNMARK_MATCH): Available
Raw Table (RAW_TABLE): Available
Rawpost Table (RAWPOST_TABLE): Available
IPP2P Match (IPP2P_MATCH): Available
CLASSIFY Target (CLASSIFY_TARGET): Available
Extended REJECT (ENHANCED_REJECT): Available
Repeat match (KLUDGEFREE): Available
MARK Target (MARK): Available
Extended MARK Target (XMARK): Available
Extended MARK Target 2 (EXMARK): Available
Mangle FORWARD Chain (MANGLE_FORWARD): Available
Comments (COMMENTS): Available
Address Type Match (ADDRTYPE): Available
TCPMSS Match (TCPMSS_MATCH): Available
Hashlimit Match (HASHLIMIT_MATCH): Available
NFQUEUE Target (NFQUEUE_TARGET): Available
Realm Match (REALM_MATCH): Available
Helper Match (HELPER_MATCH): Available
Connlimit Match (CONNLIMIT_MATCH): Available
Time Match (TIME_MATCH): Available
Goto Support (GOTO_TARGET): Available
LOGMARK Target (LOGMARK_TARGET): Available
IPMARK Target (IPMARK_TARGET): Available
LOG Target (LOG_TARGET): Available
ULOG Target (ULOG_TARGET): Available
NFLOG Target (NFLOG_TARGET): Available
Persistent SNAT (PERSISTENT_SNAT): Available
TPROXY Target (TPROXY_TARGET): Available
FLOW Classifier (FLOW_FILTER): Available
fwmark route mask (FWMARK_RT_MASK): Available
Mark in any table (MARK_ANYWHERE): Available
Header Match (HEADER_MATCH): Not available
ACCOUNT Target (ACCOUNT_TARGET): Available
AUDIT Target (AUDIT_TARGET): Available
ipset V5 (IPSET_V5): Available
Condition Match (CONDITION_MATCH): Available
Statistic Match (STATISTIC_MATCH): Available
IMQ Target (IMQ_TARGET): Not available
DSCP Match (DSCP_MATCH): Available
DSCP Target (DSCP_TARGET): Available
Geo IP match: Not available
iptables -S (IPTABLES_S): Available
Basic Filter (BASIC_FILTER): Available
CT Target (CT_TARGET): Available
The zones file has:
fw firewall
net ipv4
loc ipv4
dmz ipv4
okt ipv4
kag ipv4
nonet:loc ipv4
nocom:loc ipv4
(nocom and nonet are the two new dynamic zones I try to introduce)
The corresponding lines from hosts are:
nonet lan-if:dynamic
nocom lan-if:dynamic
And on interfaces the interesting line has:
loc lan-if detect
routeback,bridge,tcpflags,dhcp,nosmurfs,blacklist
I know it differs from the documentation by specifying non-default
options, but I would like to keep at least blacklist for now until the
dynamic zones get fully tested. The ipsets are generated as:
Name: nocom_lanif_3
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16504
References: 24
Members:
Name: nonet_lanif_3
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16504
References: 12
Members:
I've observed two strange/misunderstood behaviors/errors:
1. shorewall show dynamic nonet
returns nothing, and trying to add an IP address to any of the dynamic
pools fails:
shorewall add lan-if:10.255.255.136 nonet
ERROR: Zone nonet, interface lan-if is does not have a dynamic host list
2. In the rules file I couldn't specify the name of the dynamic zone,
only the name of the generated ipset (this could be related to the
previous or by design)
Thanks for any idea!
Cheers
Geza Gemes
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://ad.doubleclick.net/clk;258768047;13503038;j?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
On 09/29/2012 11:47 PM, Gémes Géza wrote:
> The zones file has:
> fw firewall
> net ipv4
> loc ipv4
> dmz ipv4
> okt ipv4
> kag ipv4
> nonet:loc ipv4
> nocom:loc ipv4
> (nocom and nonet are the two new dynamic zones I try to introduce)
> The corresponding lines from hosts are:
> nonet lan-if:dynamic
> nocom lan-if:dynamic
> And on interfaces the interesting line has:
> loc lan-if detect
> routeback,bridge,tcpflags,dhcp,nosmurfs,blacklist
> I know it differs from the documentation by specifying non-default
> options, but I would like to keep at least blacklist for now until the
> dynamic zones get fully tested. The ipsets are generated as:
> Name: nocom_lanif_3

Why the '_3' at the end of the name? The name of the ipset that Shorewall
will generate in this case is simply 'nocom_lanif':

> Type: hash:ip
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16504
> References: 24
> Members:
> Name: nonet_lanif_3
> Type: hash:ip
> Header: family inet hashsize 1024 maxelem 65536
> Size in memory: 16504
> References: 12
> Members:
> I've observed two strange/misunderstood behaviors/errors:
> 1. shorewall show dynamic nonet
> returns nothing

Do you really mean 'nothing', or do you mean that it returns:

lan-if:

followed by a blank line? Here's an example:

root@gateway:/etc/shorewall# shorewall show dynamic direct
eth2:

root@gateway:

> and trying to add an IP address to any of the dynamic
> pools fails:
> shorewall add lan-if:10.255.255.136 nonet
> ERROR: Zone nonet, interface lan-if is does not have a dynamic host
> list

That message is returned when the ipset nonet_lanif does not exist. When
it does exist, this results:

root@gateway:/etc/shorewall# shorewall add eth2:172.20.1.99 direct
Host eth2:172.20.1.99 added to zone direct
root@gateway:/etc/shorewall#

> 2. In the rules files I couldn't specify the name of the dynamic zone,
> only the name of the generated ipset (this could be related to the
> previous or by design)

That means that the zone isn't being recognized for some reason.
Something is very wrong with your setup, but given that we're seeing only
a tiny part of it, it's difficult to understand what the problem is.

What does 'shorewall show zones' return?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/30/2012 08:00 AM, Tom Eastep wrote:
> On 09/29/2012 11:47 PM, Gémes Géza wrote:
>> I've observed two strange/misunderstood behaviors/errors:
>
>> 1. shorewall show dynamic nonet
>> returns nothing
>
> Do you really mean 'nothing', or do you mean that it returns:
>
> lan-if:
>
> followed by a blank line?
>
> Here's an example:
>
> root@gateway:/etc/shorewall# shorewall show dynamic direct
> eth2:
>
> root@gateway:

I did some more testing on a Fedora 17 system and discovered that newer
versions of ipset produce no output in this case. I've attached a patch
for /usr/share/shorewall/lib.cli.

patch /usr/share/shorewall/lib.cli < DYNAMIC.patch

-Tom
On 9/30/12 8:51 AM, "Tom Eastep" <teastep@shorewall.net> wrote:
> I did some more testing on a Fedora 17 system and discovered that newer
> versions of ipset produce no output in this case. I've attached a patch
> for /usr/share/shorewall/lib.cli.
>
> patch /usr/share/shorewall/lib.cli < DYNAMIC.patch

Here's the second part of this fix. Apply similarly.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
Hi Tom,
> On 9/30/12 8:51 AM, "Tom Eastep" <teastep@shorewall.net> wrote:
>> I did some more testing on a Fedora 17 system and discovered that newer
>> versions of ipset produce no output in this case. I've attached a patch
>> for /usr/share/shorewall/lib.cli.
>>
>> patch /usr/share/shorewall/lib.cli < DYNAMIC.patch
> Here's the second part of this fix. Apply similarly.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Sorry for the late answer, I was away.
Answering previous questions:

Before patches were applied:
shorewall show dynamic nonet
returns literally nothing, not even an interface name.

Have absolutely no idea why the _3 prefix on ipset names.

With both patches applied:
shorewall show dynamic nonet
returns
lanif_3:
however I still cannot add any IP with shorewall add to the ipset:
shorewall add lan-if:10.255.255.136 nonet
ERROR: Zone nonet, interface lan-if is does not have a dynamic host list
but
shorewall add lanif_3:10.255.255.136 nonet
succeeds.

Shall I change interface names to not contain dashes?

Cheers
Geza
On 9/30/12 12:15 PM, "Gémes Géza" <geza@kzsdabas.hu> wrote:
> Sorry missed your question about shorewall show zones
> It returns:
> Shorewall 4.5.5.3 Zones at gw0 - 2012. szept. 30., vasárnap, 21.13.24 CEST
>
> fw (firewall)
> net (ipv4)
>    dnt-if:0.0.0.0/0
>    ppp0:0.0.0.0/0
>    snt-if:0.0.0.0/0
> dmz (ipv4)
>    dmz-if:192.168.0.0/24
> okt (ipv4)
>    dmz-if:192.168.255.0/24
> kag (ipv4)
>    dmz-if:192.168.13.0/24
> nonet (ipv4)
>    lan-if:+nonet_lanif_3
> nocom (ipv4)
>    lan-if:+nocom_lanif_3
> loc (ipv4)
>    lan-if:0.0.0.0/0

That certainly looks like the name of the interface is lan-if.3 rather
than lan-if. Does 'Shorewall add lan-if_3:<address> nonet' work?

-Tom
On 9/30/12 12:59 PM, "Gémes Géza" <geza@kzsdabas.hu> wrote:
> On 2012-09-30 21:45, Tom Eastep wrote:
>> On 9/30/12 12:15 PM, "Gémes Géza" <geza@kzsdabas.hu> wrote:
>>> Sorry missed your question about shorewall show zones
>>> It returns:
>>> Shorewall 4.5.5.3 Zones at gw0 - 2012. szept. 30., vasárnap, 21.13.24 CEST
>>>
>>> nonet (ipv4)
>>>    lan-if:+nonet_lanif_3
>>> nocom (ipv4)
>>>    lan-if:+nocom_lanif_3
>>> loc (ipv4)
>>>    lan-if:0.0.0.0/0
>>
>> That certainly looks like the name of the interface is lan-if.3 rather than
>> lan-if. Does 'Shorewall add lan-if_3:<address> nonet' work?
>
> I've checked after applying the patches you've sent and yes it works, what is
> strange that the interface is called lan-if (in interfaces file too) and not
> lanif_3

Please send me a tarball of your configuration; also please include a
capabilities file. You can send it to me personally.

Thanks,
-Tom
On 9/30/12 1:09 PM, Tom Eastep wrote:
> On 9/30/12 12:59 PM, "Gémes Géza" <geza@kzsdabas.hu> wrote:
>> I've checked after applying the patches you've sent and yes it
>> works, what is strange that the interface is called lan-if (in
>> interfaces file too) and not lanif_3
>
> Please send me a tarball of your configuration; also please include a
> capabilities file. You can send it to me personally.

Okay -- the reason that the _3 is appended is because 'lan-if' is the
third interface name with a dash ("-") in its name. The compiler forms
the name of the ipset as follows:

1) Replaces '.' with '_' in the interface name.
2) Compresses out any non 'word' characters ('word' characters in Perl
   are letters, digits or '_'). If any characters were removed, a
   unique suffix of the form '_<digit>' is added to the resulting name.
3) The result is then joined to the zone name with an underscore ("_").

That algorithm ensures that all ipset names are unique, but means that
interface names with characters such as '-' work oddly with dynamic zones.

-Tom
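The three-step naming rule Tom describes above, reimplemented in Python as an added illustration (this is not Shorewall's own Perl compiler code). It shows how 'lan-if' ends up as 'lanif_3', why both dynamic zones on that interface get the same '_3' suffix, and why a plain 'eth0.2'-style VLAN name needs no suffix at all (the dot is replaced in step 1, so step 2 removes nothing). The interface order, the extra 'eth0.2' name, and the use of a running counter for the '_<digit>' suffix are assumptions made for the example; the thread only says lan-if was the third dashed interface name.

```python
import re


def mangle_interface_names(interfaces):
    """Apply steps 1 and 2 of the described algorithm to each interface
    name, in the order given, and return {interface: mangled_name}.

    Step 1: '.' becomes '_' (so a VLAN name like eth0.2 loses nothing later).
    Step 2: every remaining non-'word' character is removed; if that changed
            the name, a unique '_<n>' suffix is appended.  Here n counts the
            interfaces seen so far whose names lost characters; the thread
            only says the suffix is '_<digit>', so the counter is an assumption.
    """
    mangled = {}
    lost_chars_so_far = 0
    for iface in interfaces:
        step1 = iface.replace(".", "_")
        # \W is a non-'word' character in the Perl sense: not a letter,
        # digit or underscore.
        step2 = re.sub(r"\W", "", step1)
        if step2 != step1:
            lost_chars_so_far += 1
            step2 = f"{step2}_{lost_chars_so_far}"
        mangled[iface] = step2
    return mangled


def ipset_name(zone, interface, mangled):
    """Step 3: join the zone name and the mangled interface name with '_'."""
    return f"{zone}_{mangled[interface]}"


def dynamic_host_spec(interface, address, mangled):
    """The host spec that 'shorewall add' accepted in Geza's report:
    the mangled name ('lanif_3:<addr>'), not the interfaces-file name
    ('lan-if:<addr>')."""
    return f"{mangled[interface]}:{address}"


# Constructed interface order for the example: lan-if is placed third so
# that it picks up the '_3' seen in the thread; eth0.2 is a hypothetical
# VLAN interface added to show the dot-only case.
INTERFACES = ["dmz-if", "snt-if", "lan-if", "dnt-if", "ppp0", "eth0.2"]

if __name__ == "__main__":
    names = mangle_interface_names(INTERFACES)
    for iface in INTERFACES:
        print(f"{iface:8} -> {names[iface]}")
    for zone in ("nonet", "nocom"):
        print(f"{zone}: ipset {ipset_name(zone, 'lan-if', names)}")
    print("shorewall add",
          dynamic_host_spec("lan-if", "10.255.255.136", names), "nonet")
```

Running it prints dmz-if -> dmzif_1, snt-if -> sntif_2, lan-if -> lanif_3, dnt-if -> dntif_4, ppp0 -> ppp0 and eth0.2 -> eth0_2, followed by the two ipset names nonet_lanif_3 and nocom_lanif_3 from the thread. The practical consequence for an administrator is that any script which feeds interface names into 'shorewall add' or 'shorewall delete' has to use the mangled name, or avoid non-word characters in interface names altogether.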
Hi Tom,
> On 9/30/12 1:09 PM, Tom Eastep wrote:
>> Please send me a tarball of your configuration; also please include a
>> capabilities file. You can send it to me personally.
>
> Okay -- the reason that the _3 is appended is because 'lan-if' is the
> third interface name with a dash ("-") in its name. The compiler forms
> the name of the ipset as follows:
>
> 1) Replaces '.' with '_' in the interface name.
> 2) Compresses out any non 'word' characters ('word' characters in Perl
>    are letters, digits or '_'). If any characters were removed, a
>    unique suffix of the form '_<digit>' is added to the resulting name.
> 3) The result is then joined to the zone name with an underscore ("_").
>
> That algorithm ensures that all ipset names are unique, but means that
> interface names with characters such as '-' work oddly with dynamic zones.
>
> -Tom

Thanks for sorting this out, one question remains:
Are the patches still needed for correct operation, if yes will they be
included in a next release?

Thank you!
Geza
On 9/30/12 3:36 PM, Gémes Géza wrote:
> Hi Tom,
>> That algorithm ensures that all ipset names are unique, but means that
>> interface names with characters such as '-' work oddly with dynamic zones.
>>
>> -Tom
> Thanks for sorting this out, one question remains:
> Are the patches still needed for correct operation, if yes will they be
> included in a next release?

Yes and Yes. But it's unclear whether they will be available in Wheezy or not.

-Tom