Our inbound traffic comes via a Linux box with a DVB card and an ethernet card. I have set up Shorewall 1.3.6 (albeit very loosely) solely at this stage for the purpose of traffic shaping. I have no rules set and a default policy of "all all"; the interfaces are defined, and so is the traffic shaping. Shorewall starts up OK but I then get no traffic coming in through the satellite interface. The problem may be because the satellite interface is a one-way connection and has never initiated a connection. I dunno! Does anybody have any ideas?

Regards
Pete
On Fri, 9 Aug 2002, Peter Wickham wrote:

> Our inbound traffic comes via a Linux box with a DVB card and an ethernet card.
> I have set up Shorewall 1.3.6 (albeit very loosely) solely at this stage for the purpose of traffic shaping. I have no rules set and a default policy of "all all";
> the interfaces are defined, and so is the traffic shaping. Shorewall starts up OK but I then get no traffic coming in through the satellite interface.
> The problem may be because the satellite interface is a one-way connection and has never initiated a connection. I dunno! Does anybody have any ideas?

If you'll send me the output of "shorewall status" (as an attachment), I'll try to hazard a guess...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Your suggestion of configuring as per failover does indeed now allow traffic to flow through the firewall.

As far as a backdoor route goes, not really. However, traffic flowing in through the satellite card does originate from another computer (Linux router). The other computer is the default gateway and is on the same subnet as the satellite receiver. I understand that it works like this because of some "magic" routing at the satellite uplink facility.

Don't flame me for the next bit, I know it's not a Shorewall issue. There was an email a couple of weeks ago about a user complaining that his Linux box would cease to pass any traffic after some time of operating correctly. This was resolved by a reboot of the box. The situation did not arise if iptables had NOT been started, or at least not used (by Shorewall). I have the same problem. It's not a Shorewall issue but could be something to do with iptables. The info I have about this is your docs, which state an issue with RH 7.2 (yes, I read your wonderful docs). To your knowledge, have you seen any others with this problem, or seen any resolution?

Regards
Pete

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Peter Wickham" <peter.wickham@starday.com.au>
Sent: Saturday, August 10, 2002 12:23 AM
Subject: Re: [Shorewall-users] Satellite Connection..

> On Fri, 9 Aug 2002, Tom Eastep wrote:
>
> Are there cases where traffic bypasses your firewall? In other words,
> traffic in one direction flows through the firewall but traffic in the
> other direction doesn't?
>
> The reason that I ask is that you are getting a log of UNREPLIED
> connections which usually means that there is a routing problem or there
> is a backdoor route around the firewall so the firewall is only seeing
> part of the traffic.
>
> If this is indeed the case, then you DON'T want a stateful firewall like
> Shorewall; stateful firewalls work badly when they are only seeing half
> of each conversation.
>
> If you think that the firewall IS seeing all of the traffic in both
> directions then you might try following the advice given in the first
> Upgrade Issue on the errata page (for a pair of firewalls with failover)
> and let me know if that makes any difference.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
On Mon, 12 Aug 2002, Peter Wickham wrote:

> Your suggestion of configuring as per failover does indeed now allow traffic
> to flow through the firewall.
> As far as a backdoor route goes, not really. However, traffic flowing in
> through the satellite card does originate from another computer (Linux
> router). The other computer is the default gateway and is on the same subnet as the
> satellite receiver. I understand that it works like this because of some
> "magic" routing at the satellite uplink facility.

Can you draw me a diagram? The bottom line is that if routing is asymmetric, then 1.3.6 and later will have problems passing traffic. Previous versions of Shorewall could have security holes in this case so the new approach is probably better.

> Don't flame me for the next bit, I know it's not a Shorewall issue.
> There was an email a couple of weeks ago about a user complaining that his
> Linux box would cease to pass any traffic after some time of operating
> correctly.

Was that on the Leaf list?

> This was resolved by a reboot of the box. The situation did not
> arise if iptables had NOT been started, or at least not used (by Shorewall).
> I have the same problem. It's not a Shorewall issue but could be something to
> do with iptables. The info I have about this is your docs, which state an
> issue with RH 7.2 (yes, I read your wonderful docs).

.....

> To your knowledge, have you seen any others with this problem, or seen
> any resolution?

I have heard reports like this (all with people who get their external IP via DHCP) but nothing that I can do anything with. If you are having this problem, I would love to see:

a) "shorewall show log" output when the problem occurs.
b) "shorewall status" output when the problem occurs.
c) tcpdump results (on the firewall's external interface) when the problem occurs.

I'm not sure what RH 7.2 thing you're referring to.

Since Shorewall doesn't have any running components (Shorewall code ceases to run when the "shorewall start" command completes), I think that this is a problem in some other part of the system -- I'm certainly interested in solving it though since many folks seem to be seeing it.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Apologies for not getting back sooner.

Tom, I originally wanted Shorewall for its scripting capabilities in regards to CBQ. As stated below, the interface locks up with even the simplest of rules. I have however managed to successfully implement CBQ by means of another script. This has been running for 10 days now without lockups and it is of course iptables based. I therefore assume that the additional modules that Shorewall calls in regards to actual firewalling, and not traffic shaping, are the ones that cause some machines' interfaces to stop passing traffic. Here is a list of modules loaded using the cbq-init script, and perhaps you might be able to compare with the list called by Shorewall.

    Module                  Size  Used by
    cls_u32                 5280   1
    sch_prio                2720   0 (unused)
    sch_sfq                 4064   0 (unused)
    sch_tbf                 2784   2
    sch_cbq                12592   1
    iptable_filter          2048   0 (autoclean) (unused)
    ip_tables              11488   1 [iptable_filter]
    sm200d_lnx             20560   1
    af_packet              12560   0 (autoclean)
    eepro100               17120   1 (autoclean)
    rtc                     5600   0 (autoclean)

I cannot unfortunately run Shorewall at this stage because this is a live system and our users "don't understand" the concept of downtime. I will, if you like, run up a duplicate system and let you have ssh access to it should you wish to investigate the interface lockup issues. I personally would prefer to use Shorewall but unfortunately do not have the skills to debug these sorts of problems.

Tom, I did make "shorewall show log" and "shorewall status" log files the last time the interface refused to play. If you want I can email them to you only, as they contain real IP addresses etc...
Regards
Pete Wickham

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Peter Wickham" <peter.wickham@starday.com.au>
Cc: <shorewall-users@shorewall.net>
Sent: Monday, August 12, 2002 11:47 AM
Subject: Re: [Shorewall-users] Satellite Connection..

> On Mon, 12 Aug 2002, Peter Wickham wrote:
>
> > Your suggestion of configuring as per failover does indeed now allow traffic
> > to flow through the firewall.
> > As far as a backdoor route goes, not really. However, traffic flowing in
> > through the satellite card does originate from another computer (Linux
> > router). The other computer is the default gateway and is on the same subnet as the
> > satellite receiver. I understand that it works like this because of some
> > "magic" routing at the satellite uplink facility.
>
> Can you draw me a diagram? The bottom line is that if routing is
> asymmetric, then 1.3.6 and later will have problems passing traffic.
> Previous versions of Shorewall could have security holes in this case so
> the new approach is probably better.
>
> > Don't flame me for the next bit, I know it's not a Shorewall issue.
> > There was an email a couple of weeks ago about a user complaining that his
> > Linux box would cease to pass any traffic after some time of operating
> > correctly.
>
> Was that on the Leaf list?
>
> > This was resolved by a reboot of the box. The situation did not
> > arise if iptables had NOT been started, or at least not used (by Shorewall).
> > I have the same problem. It's not a Shorewall issue but could be something to
> > do with iptables. The info I have about this is your docs, which state an
> > issue with RH 7.2 (yes, I read your wonderful docs).
>
> .....
>
> > To your knowledge, have you seen any others with this problem, or seen
> > any resolution?
>
> I have heard reports like this (all with people who get their external IP
> via DHCP) but nothing that I can do anything with. If you are having this
> problem, I would love to see:
>
> a) "shorewall show log" output when the problem occurs.
> b) "shorewall status" output when the problem occurs.
> c) tcpdump results (on the firewall's external interface) when the problem
> occurs.
>
> I'm not sure what RH 7.2 thing you're referring to.
>
> Since Shorewall doesn't have any running components (Shorewall code ceases
> to run when the "shorewall start" command completes), I think that this is
> a problem in some other part of the system -- I'm certainly interested in
> solving it though since many folks seem to be seeing it.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
Peter,

On Thursday 22 August 2002 08:49 pm, Peter Wickham wrote:

> I originally wanted Shorewall for its scripting capabilities in regards to
> CBQ. As stated below, the interface locks up with even the simplest of
> rules. I have however managed to successfully implement CBQ by means of
> another script. This has been running for 10 days now without lockups and
> it is of course iptables based.

Shorewall seems to be a bad fit for you since, as I pointed out in a previous post, your routing appears to be asymmetric. Asymmetric routing plays very poorly with stateful firewalls. Furthermore, I don't believe that Shorewall's CBQ support gains you much WRT the learning curve for CBQ (as you've probably found out by now) and if all you want is CBQ, your current solution seems like the best one.

> I therefore assume that the additional modules that Shorewall calls in
> regards to actual firewalling, and not traffic shaping, are the ones that
> cause some machines' interfaces to stop passing traffic.

In YOUR PARTICULAR CASE, since connection tracking is neither needed nor appropriate, I suspect that its presence has something to do with the problem YOU were seeing (I suspect that the connection table was filling up but that's complete speculation on my part). To suggest that all cases of firewalls suddenly refusing to pass traffic are caused by the presence of a kernel module is quite a stretch however -- in one case that I'm investigating, when the firewall stops passing traffic it is because ALL firewall rules have been deleted!!!

> Here is a list of
> modules loaded using the cbq-init script, and perhaps you might be able to
> compare with the list called by Shorewall.

Your setup isn't loading the connection tracking module (which is good).

> I will, if you like, run up a duplicate system and let you have ssh access to
> it should you wish to investigate the interface lockup issues. I personally
> would prefer to use Shorewall but unfortunately do not have the skills to
> debug these sorts of problems.

I have a general policy of NOT logging into people's systems.

> Tom, I did make "shorewall show log" and "shorewall status" log files the
> last time the interface refused to play. If you want I can email them to you
> only, as they contain real IP addresses etc...

If you'll send them along, I can try to confirm my diagnosis...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:

> Shorewall seems to be a bad fit for you since, as I pointed out in a previous
> post, your routing appears to be asymmetric. Asymmetric routing plays very
> poorly with stateful firewalls. Furthermore, I don't believe that Shorewall's
> CBQ support gains you much WRT the learning curve for CBQ (as you've
> probably found out by now) and if all you want is CBQ, your current solution
> seems like the best one.

The NEWNOTSYN feature makes Shorewall not usable on an asymmetric route. I have a customer which needs asymmetric routing as a temporary solution when network changes are done. I had to disable NEWNOTSYN to get everything running.

I think newnotsyn should always be logged by default. I had a hard time finding out what was wrong. Happily I had read the release notes. Without that I would not have guessed that the default not to log newnotsyn was the reason not to find out what was wrong...

I think there should be ALLOWNEWNOTSYN in shorewall.conf just like ALLOWRELATED, with an explanation that ALLOWNEWNOTSYN is needed if:

a) You need asymmetric routing
b) You are running an HA firewall setup

Currently Shorewall 1.3.6 runs great with asymmetric routing with the instructions for the HA setup.

--
Tuomo Soini <tis@foobar.fi>
http://tis.foobar.fi/
On Friday 23 August 2002 11:30 am, Tuomo Soini wrote:

> Tom Eastep wrote:
> > Shorewall seems to be a bad fit for you since, as I pointed out in a
> > previous post, your routing appears to be asymmetric. Asymmetric routing
> > plays very poorly with stateful firewalls. Furthermore, I don't believe
> > that Shorewall's CBQ support gains you much WRT the learning curve for
> > CBQ (as you've probably found out by now) and if all you want is CBQ,
> > your current solution seems like the best one.
>
> The NEWNOTSYN feature makes Shorewall not usable on an asymmetric route. I
> have a customer which needs asymmetric routing as a temporary solution when
> network changes are done.

I had already instructed Peter to use the HA setup -- he had to do that to get the firewall to pass anything.

> I had to disable NEWNOTSYN to get everything running.

Yep.

> I think newnotsyn should always be logged by default. I had a hard time
> finding out what was wrong. Happily I had read the release notes. Without
> that I would not have guessed that the default not to log newnotsyn was the
> reason not to find out what was wrong...

You may be right...

> I think there should be ALLOWNEWNOTSYN in shorewall.conf just like
> ALLOWRELATED, with an explanation that ALLOWNEWNOTSYN is needed if:
>
> a) You need asymmetric routing
> b) You are running an HA firewall setup

I considered doing that but couldn't quite convince myself that it was necessary. Since you and Peter have run into the problem, there may be others as well.

> Currently Shorewall 1.3.6 runs great with asymmetric routing with the
> instructions for the HA setup.

I suspect that it depends on the nature of the routing. I'll look at Peter's "shorewall status" and see if that shows me anything.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> On Friday 23 August 2002 04:45 pm, Peter Wickham wrote:
> > Tom,
> > Thanks for taking the time to look into this. Just to confirm the setup.
> >
> > Dialup users dial into a tigris access server and are given a satellite
> > routed IP address.
> > The tigris has a couple of IP addresses, one of which is satellite. The
> > tigris has a default gateway to another box running squid (transparent proxy).
> > The proxy server then has a default gateway set back to the tigris (not
> > satellite IPs). This is because the tigris uses a permanent ISDN connection
> > outbound as a back haul.
> > Because all originating traffic has a satellite routed IP address, the
> > return path is then inbound through the sm200d interface and back out to
> > the tigris (or the proxy) through eth0 (203.109.x.x) and ultimately
> > the dialup users. Clear as mud!!
>
> Er -- yes, about that clear. For example, I would have expected at least some
> mention of where Shorewall fits into this spaghetti (minor detail I realize
> but it's amazing how many times people describe their network and fail to
> mention which box is running Shorewall). I'm assuming that it is running on
> the tigris box?

Nope.

> > Just draw a line from the tigris to the proxy etc., following the flow of
> > traffic in the order described, to get a simple schematic. The satellite
> > routed IPs (two ranges) are all 203.109.x.x; the ones used for the
> > backchannel are 203.18.252.xxx. The 192.168.0.xxx assigned to the satellite
> > card is neither here nor there because it is only an inbound connection and
> > can never

Never!! Spend all this time trying to fix something when it's your daughter's 13th birthday today. "Sorry" Daughter and Tom...

> Never ..... ????? (glad to see that I'm not the only one that stops typing in
> mid sentence :-)

A.D.D. :)

> > Hope this helps, but as you said it's just a feature of stateful firewalls
> > that's the downfall.
>
> I've looked at the output that you sent and while there are signs of problems
> (a large percentage of the entries in the connection tracking table are
> UNREPLIED), I see no reason from the point of view of Netfilter why this box
> shouldn't be passing traffic. Possibly it will be clearer when the picture of the
> network topology is less fuzzy to me. I've posted a drawing of what I think
> this setup looks like at http://www.shorewall.net/images/Tigris.png -- let me
> know what I've gotten wrong.

If I can get hold of the software you used to do the schematic, I will give you an amended version?

Regards
Pete

> Thanks,
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> AIM: tmeastep   \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
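Tom's diagnosis in this thread rests on the share of UNREPLIED entries in the connection tracking table: when most flows never see a reply packet, the firewall is only watching one half of each conversation, which is the asymmetric-routing symptom rather than a Netfilter fault. The script below is an added example, not code from the thread or from Shorewall, that scores a 2.4-era /proc/net/ip_conntrack dump (the table that "shorewall status" printed on those kernels) on constructed sample lines with made-up addresses.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): measures how much of the conntrack
# table is [UNREPLIED], the one-sided-flow symptom that points at asymmetric
# routing or a backdoor route around the firewall.

# Constructed sample in the 2.4 /proc/net/ip_conntrack format; addresses are made up.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=203.0.113.5 sport=1034 dport=80 src=203.0.113.5 dst=192.168.0.10 sport=80 dport=1034 use=1
tcp      6 119 SYN_SENT src=192.168.0.11 dst=203.0.113.6 sport=1035 dport=80 [UNREPLIED] src=203.0.113.6 dst=192.168.0.11 sport=80 dport=1035 use=1
udp      17 29 src=192.168.0.12 dst=203.0.113.7 sport=1036 dport=53 [UNREPLIED] src=203.0.113.7 dst=192.168.0.12 sport=53 dport=1036 use=1
tcp      6 110 SYN_SENT src=192.168.0.13 dst=203.0.113.8 sport=1037 dport=25 [UNREPLIED] src=203.0.113.8 dst=192.168.0.13 sport=25 dport=1037 use=1'

# Read a conntrack table on stdin; print "<unreplied> <total> <percent>".
# Only protocol lines are counted, so stray header or blank lines are ignored.
unreplied_summary() {
    awk '
        /^(tcp|udp|icmp) / { total++ }
        /\[UNREPLIED\]/    { unreplied++ }
        END {
            if (total == 0) { print "0 0 0"; exit }
            printf "%d %d %d\n", unreplied, total, (100 * unreplied) / total
        }'
}

# Exit 0 when more than $1 percent (default 50) of the entries are UNREPLIED.
# That is the check worth running before blaming the firewall rules themselves.
asymmetric_suspected() {
    threshold=${1:-50}
    set -- $(unreplied_summary)
    [ "$3" -gt "$threshold" ]
}

# Stand-alone run on the constructed sample; on a live box feed it
# /proc/net/ip_conntrack instead.
printf '%s\n' "$SAMPLE_CONNTRACK" | unreplied_summary
```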