Donovan Baarda
2003-Mar-29 05:23 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
G'day,

Just forwarding this rather detailed Debian bug report I submitted.

--
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------

-------------- next part --------------
An embedded message was scrubbed...
From: Donovan Baarda <abo@minkirri.apana.org.au>
Subject: shorewall: firewall cannot be tracerouted.
Date: Sun, 30 Mar 2003 00:17:52 +1100
Size: 8813
Url: http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030330/6f25e903/attachment.eml
Tom Eastep
2003-Mar-29 06:21 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On 30 Mar 2003, Donovan Baarda wrote:

> G'day,
>
> Just forwarding this rather detailed Debian bug report I submitted.
>

Quick workaround is to put the following in /etc/shorewall/start:

run_iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Donovan Baarda
2003-Mar-29 20:36 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On Sun, 2003-03-30 at 01:21, Tom Eastep wrote:
> On 30 Mar 2003, Donovan Baarda wrote:
>
> > G'day,
> >
> > Just forwarding this rather detailed Debian bug report I submitted.
> >
>
> Quick workaround is to put the following in /etc/shorewall/start:
>
> run_iptables -I OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT

Thanks for the workaround. I'd forgotten you could do this kind of thing. It works nicely and integrates cleanly with the existing shorewall rules.

In my searches, I was kind of amazed that there didn't seem to be many people who had noticed this, and those who had didn't seem to firmly identify the problem, let alone offer a solution. There was nothing in the shorewall FAQ about it.

Is this an iptables or kernel bug, is it a shorewall bug, or is it just a feature? Is anyone working on a fix?

--
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------
Tom Eastep
2003-Mar-31 16:25 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On 30 Mar 2003, Donovan Baarda wrote:

> Is this an iptables or kernel bug, is it a shorewall bug, or is it just
> a feature? Is anyone working on a fix?
>

I frankly don't care what the root cause is -- I'll include a fix in 1.4.2.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Donovan Baarda
2003-Mar-31 19:01 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On Tue, 2003-04-01 at 10:25, Tom Eastep wrote:
> On 30 Mar 2003, Donovan Baarda wrote:
>
> > Is this an iptables or kernel bug, is it a shorewall bug, or is it just
> > a feature? Is anyone working on a fix?
> >
>
> I frankly don't care what the root cause is -- I'll include a fix in
> 1.4.2.

Thanks :-)

--
----------------------------------------------------------------
Donovan Baarda                http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
Tuomo Soini
2003-Apr-01 00:01 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
Tom Eastep wrote:
> On 30 Mar 2003, Donovan Baarda wrote:
>
>> Is this an iptables or kernel bug, is it a shorewall bug, or is it just
>> a feature? Is anyone working on a fix?
>>
>
> I frankly don't care what the root cause is -- I'll include a fix in
> 1.4.2.
>
> -Tom

It needs a lot more fixing.

There is plenty of icmp stuff a firewall system should accept by default.

Currently shorewall won't accept any by default. I think a good thing would be to accept the icmp stuff which always needs to be accepted and add it in icmp.def or common.def, so that rules could still be used to define exceptions.

Currently shorewall 1.4.1a is unable to do PMTU because all icmp is turned off by default. By not accepting any icmp, shorewall has dropped to the category "borken firewalls" :-(.

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
Donovan Baarda
2003-Apr-01 00:26 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On Tue, 2003-04-01 at 18:01, Tuomo Soini wrote:
> Tom Eastep wrote:
> > On 30 Mar 2003, Donovan Baarda wrote:
> >
> >> Is this an iptables or kernel bug, is it a shorewall bug, or is it just
> >> a feature? Is anyone working on a fix?
> >>
> >
> > I frankly don't care what the root cause is -- I'll include a fix in
> > 1.4.2.
> >
> > -Tom
>
> It needs a lot more fixing.
>
> There are plenty of icmp-stuff firewall system should accept by default.
>
> Currently shorewall won't accept any by default. I think good thing was
> to accept icmp-stuff which needs to be always accepted and add them in
> icmp.def or common.def so that rules could still be used to define
> exceptions.

Is it really that bad? The particular problem I was reporting only affected the firewall sending icmp time-exceeded packets.

> Currently shorewall 1.4.1a is unable to do PMTU because of all icmp is
> turned off by default. With not accepting any icmp shorewall has dropped
> to category "borken firewalls" :-(.

Is this really the case? If so, this is serious enough for me to roll back to 1.3.

--
----------------------------------------------------------------
Donovan Baarda                http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------
Tom Eastep
2003-Apr-01 06:30 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On Tue, 1 Apr 2003, Tuomo Soini wrote:

> Tom Eastep wrote:
> > On 30 Mar 2003, Donovan Baarda wrote:
> >
> >> Is this an iptables or kernel bug, is it a shorewall bug, or is it just
> >> a feature? Is anyone working on a fix?
> >>
> >
> > I frankly don't care what the root cause is -- I'll include a fix in
> > 1.4.2.
> >
> > -Tom
>
> It needs a lot more fixing.
>
> There are plenty of icmp-stuff firewall system should accept by default.
>
> Currently shorewall won't accept any by default. I think good thing was
> to accept icmp-stuff which needs to be always accepted and add them in
> icmp.def or common.def so that rules could still be used to define
> exceptions.
>
> Currently shorewall 1.4.1a is unable to do PMTU because of all icmp is
> turned off by default. With not accepting any icmp shorewall has dropped
> to category "borken firewalls" :-(.
>

This is 100% FUD -- you should at least learn how Netfilter handles RELATED ICMP packets before you go spreading such crap.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Apr-01 06:55 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
On 1 Apr 2003, Donovan Baarda wrote:

> Is it really that bad? The particular problem I was reporting only
> affected the firewall sending icmp time-exceeded packets.
>
> > Currently shorewall 1.4.1a is unable to do PMTU because of all icmp is
> > turned off by default. With not accepting any icmp shorewall has dropped
> > to category "borken firewalls" :-(.
>
> Is this really the case? If so, this is serious enough for me to roll
> back to 1.3.
>

It is not the case -- If you want to pick up a version of the code that has the 1.4.2 fix in it, get:

ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.1/firewall

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
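Two separate ICMP behaviours are at issue in this thread: the workaround Tom posted (the firewall being allowed to send its own time-exceeded replies, so it shows up as a hop in traceroute) and the RELATED handling he points Tuomo at (Netfilter's connection tracking marks ICMP errors that refer to a tracked flow, including the "fragmentation needed" messages PMTU discovery relies on, as RELATED, so a single RELATED accept covers them). The script below is an added example, not code from the thread or from Shorewall: it audits a saved ruleset for both properties. The ruleset it runs on is a constructed approximation of `iptables-save` output (iptables-save prints ICMP types numerically, and 11 is time-exceeded, which is what Tom's `--icmp-type time-exceeded` rule becomes once loaded); the chain names are the standard filter chains.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): audit a saved
# iptables ruleset for the ICMP behaviours discussed above.
# SAMPLE_RULES is a constructed approximation of `iptables-save` output.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# allows_time_exceeded_out RULESET
# True if the OUTPUT chain has an ACCEPT for ICMP time-exceeded (type 11),
# so the firewall's own TTL-expired replies leave it and traceroute shows
# the firewall as a hop.
allows_time_exceeded_out() {
    printf '%s\n' "$1" \
        | grep -E '^-A OUTPUT .*-p icmp .*-j ACCEPT' \
        | grep -Eq -- '--icmp-type (11|time-exceeded)( |$)'
}

# accepts_related CHAIN RULESET
# True if CHAIN accepts RELATED packets. Conntrack classifies ICMP errors
# that refer to a tracked flow (e.g. "fragmentation needed" for PMTU) as
# RELATED, so this one rule lets them through without opening ICMP wholesale.
accepts_related() {
    printf '%s\n' "$2" \
        | grep -E "^-A $1 " \
        | grep -Eq -- '--state [A-Z,]*RELATED[A-Z,]* -j ACCEPT'
}

# audit_ruleset RULESET: print one line per check, return 1 if any failed.
audit_ruleset() {
    failed=0
    if allows_time_exceeded_out "$1"; then
        echo "ok:      OUTPUT accepts ICMP time-exceeded"
    else
        echo "MISSING: OUTPUT accept for ICMP time-exceeded (firewall will not appear in traceroute)"
        failed=1
    fi
    for chain in INPUT FORWARD OUTPUT; do
        if accepts_related "$chain" "$1"; then
            echo "ok:      $chain accepts RELATED"
        else
            echo "MISSING: $chain does not accept RELATED (ICMP errors for tracked flows, e.g. PMTU, are dropped)"
            failed=1
        fi
    done
    return $failed
}

# Run against the constructed sample. On a live firewall you would feed it
# the real ruleset instead:  audit_ruleset "$(iptables-save)"
audit_ruleset "$SAMPLE_RULES"
```

The check is deliberately narrow: it looks only for the two accepts the thread is about and says nothing about the rest of the policy, so a clean result means "traceroute and PMTU should work through this box", not "this ruleset is sound".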
Tuomo Soini
2003-Apr-01 07:15 UTC
[Shorewall-users] [Fwd: shorewall: firewall cannot be tracerouted.]
Tom Eastep wrote:
> This is 100% FUD -- you should at least learn how Netfilter handles
> RELATED ICMP packets before you go spreading such crap.

You are right. Just that a problem connecting to one www-server behind ipsec appeared after the upgrade to 1.4.1a (that server was installed at the same time). It seems that those are really problems with squid. Without the proxy I can access the www-site behind the ipsec tunnel, but with squid I can't. And the problem only happens when the www-server is win2k IIS, not when it's NT4 IIS, which is another server in the same lan. Have to investigate it more. Symptoms are exactly like with a PMTU problem, but the problem seems to be different: squid.

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/