Hello,
	I'm a Shorewall novice. I have a problem and I'm not quite sure how to troubleshoot it.

	I'm using a Mandrake 9.0 (Security Level "4") system, which came with Shorewall. (I live in Lynnwood, not far from Shoreline, btw.)

	Long lived but idle connections are dying. Examples are SSH terminals where I don't type anything, and IMAP connections (over SSL) that are just hanging open waiting for a new message notification, and LDAP connections from localhost to localhost (used for AUTH by NIS and other services).

	I've gone grepping in my logs but I don't see anything that seems relevant when I type "shorewall show log". And I don't see anything with the right I.P. addresses in my /var/log/syslog. To be honest, I'm not even sure this is a Shorewall problem (but I figure it's the most likely candidate).

	I've seen this in the mail list archives:

--------------------------------------
[Shorewall-users] IPSec Client-to-Gateway Connections Behind Shorewall "Dying"
dgilleece@optimumnetworks.com
Mon, 18 Feb 2002 19:36:43 -0600 (CST)

Well, that just makes perfect sense, when you put it that way :)

Thanks again,

Dan

Quoting Tom Eastep <teastep@shorewall.net>:

> You need UDP port 500 and protocols 51 and 51 open to this user's
> system. After a period of inactivity, either end of a VPN tunnel can
> suddenly become active; if iptables connection tracking has timed out
> the connection and the remote end is the first to speak, you will see
> problems like you describe.
>
> -Tom
> --
> Tom Eastep \ Shorewall -- iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
[...]
--------------------------------------

	But I'm not using VPN. These are SSH, IMAP over SSL, and LDAP (with no SSL on the LDAP, and connecting only from localhost to localhost). I've read that UDP on Port 500 is used for some kind of key exchange by IPSec, so I don't think the above necessarily applies to me. I don't know what "protocols 51 and 51" are.

	Any advice would be greatly appreciated. I've gone through the Shorewall docs but haven't found anything about "timeout" or "keepalive".

Thank You,
Derek Simkowiak
dereks@realloc.net
--On Saturday, January 25, 2003 11:38 AM -0800 Derek Simkowiak <dereks@realloc.net> wrote:

> I've gone grepping in my logs but I don't see anything that
> seems relevant when I type "shorewall show log". And I don't see
> anything with the right I.P. addresses in my /var/log/syslog. To be
> honest, I'm not even sure this is a Shorewall problem (but I figure it's
> the most likely candidate).

Pretty unlikely, I'm afraid. Netfilter provides NO way to vary the timeout on connection tracking and NO Shorewall code runs once you have completed "shorewall start" (unless you run /sbin/shorewall to monitor your firewall). So there are no "knobs" in Shorewall to adjust timeouts and there is no Shorewall code running that can dump active connections.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Hello!

I had a similar problem once. Since I use putty to log in to the firewall system from windows clients, I simply used its connection setting "Sending of null packets to keep session active". It wasn't shorewall though that terminated my connections, but the dsl-router I connected through.

Felix

----- Original Message -----
From: "Derek Simkowiak" <dereks@realloc.net>
To: <shorewall-users@shorewall.net>
Sent: Saturday, January 25, 2003 8:38 PM
Subject: [Shorewall-users] Idle connections timing out
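The mechanism Tom describes (connection tracking expiring a flow that has gone silent) and the client-side workaround Felix uses (PuTTY's null packets) are the two halves of the same problem. The following is an added example, not part of this thread and not Shorewall's or PuTTY's code: it applies TCP keepalives to a client socket in Python so that probes are sent well before the firewall would expire the entry, and every probe that gets an ACK refreshes the conntrack state. It assumes a Linux host, where the per-socket knobs TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT exist (elsewhere only SO_KEEPALIVE is set and the kernel's defaults apply). The 600-second firewall timeout is a constructed value standing in for whatever the router in the path actually uses.

```python
"""Added example: keep an idle TCP session alive across a stateful firewall.

Assumes Linux socket options; the 600 s timeout in demo() is constructed.
"""
import socket

# Linux exposes the keepalive timers per socket; other platforms may not.
HAS_LINUX_KEEPALIVE = hasattr(socket, "TCP_KEEPIDLE")


def keepalive_params(conntrack_timeout_s, probes=3, safety=0.5):
    """Pick (idle, interval, count) so the first probe goes out at `safety`
    of the firewall's idle timeout and all `probes` retries still fit before
    the flow would be expired.  Each answered probe refreshes the conntrack
    entry, so an otherwise silent session (SSH, IMAP IDLE) survives."""
    idle = max(1, int(conntrack_timeout_s * safety))
    remaining = conntrack_timeout_s - idle
    interval = max(1, int(remaining / (probes + 1)))
    return idle, interval, probes


def enable_keepalive(sock, idle, interval, count):
    """Turn on TCP keepalives on a stream socket.  This must happen before
    the session goes idle; setting it before connect() is the usual place."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if HAS_LINUX_KEEPALIVE:
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)


def read_keepalive(sock):
    """Read back the effective settings (None where the platform lacks the knob)."""
    enabled = bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE))
    if not HAS_LINUX_KEEPALIVE:
        return {"enabled": enabled, "idle": None, "interval": None, "count": None}
    return {
        "enabled": enabled,
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "count": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def demo(firewall_timeout_s=600):
    """Configure a client socket the way an SSH or IMAP client would before
    connecting through a firewall with the given (constructed) idle timeout.
    The options are applied before connect(), so no peer is needed here."""
    idle, interval, count = keepalive_params(firewall_timeout_s)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        enable_keepalive(sock, idle, interval, count)
        return read_keepalive(sock)
    finally:
        sock.close()


if __name__ == "__main__":
    print(demo())
```

With a 600-second timeout the first probe is sent after 300 s of silence and three retries follow 75 s apart, so the last one is still inside the window. OpenSSH offers the same thing at the application layer (ServerAliveInterval in ssh_config) and at the TCP layer (TCPKeepAlive); the application-layer variant also survives middleboxes that ignore pure keepalive segments. On current kernels the firewall side is adjustable as well, through the sysctl net.netfilter.nf_conntrack_tcp_timeout_established; that knob did not exist in the kernels this 2003 thread was written against, which is why Tom's answer has no firewall-side fix to offer.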