Andreas Bittner
2002-Aug-26 19:24 UTC
[Shorewall-users] bugs in shorewall hits with shorewall 1.3.7a ??
hi all,

i have two identical boxes setup, same hardware. except for the one was still setup with shorewall 1.3.6 and the other one was setup some days later (some days ago) when 1.3.7a came out..

now this is the output of a shorewall hits:

Shorewall-1.3.7a Hits at hades-vt - Mon Aug 26 21:17:47 CEST 2002

HITS IP DATE
---- --------------- ------
1 Binary file /var/log/messages matches

HITS IP PORT
---- --------------- -----
1 Binary file /var/log/messages matches

HITS DATE
---- ------
1 Binary

HITS PORT SERVICE(S)
---- ----- ----------
/sbin/shorewall: printf: Binary: invalid number

-------

whats wrong here ? the box with shorewall 1.3.6 was working just fine..

they are really the same setup. only the IP addresses differ, other than that, everything same except of shorewall. 3 nics, 1net, 2loc, 3dmz, dmz/net with proxy arp for .248 subnet of 8/6 official ip addresses...

i also found one more detail.. when i traceroute to a proxy arped host on the dmz card of the shorewall 1.3.6 box, i get traceroute replies from the firewall/net card and from the dmz host.

in shorewall 1.3.7a i only get a traceroute reply from the dmz host. the fw/net nic itself displays timeout/* only...

so what changed from 1.3.6 to 1.3.7a ?? what are these bugs about? like i said, everything (all config files) are exactly the same, only the ip addresses are set according to the locations of the boxes on the inet.... even the inet provider is the same, only the physical location differs of those boxes/sites... the linux is suse 8.0 for both boxes. same update level/same packages...

Thanks,
Andy
Tom Eastep
2002-Aug-26 20:22 UTC
[Shorewall-users] bugs in shorewall hits with shorewall 1.3.7a ??
On Monday 26 August 2002 12:24 pm, Andreas Bittner wrote:
> hi all,
>
> i have two identical boxes setup, same hardware. except for the one was
> still setup with shorewall 1.3.6 and the other one was setup some days
> later (some days ago) when 1.3.7a came out..
>
> now this is the output of a shorewall hits:
>
> Shorewall-1.3.7a Hits at hades-vt - Mon Aug 26 21:17:47 CEST 2002
>
> HITS IP DATE
> ---- --------------- ------
> 1 Binary file /var/log/messages matches
>
> HITS IP PORT
> ---- --------------- -----
> 1 Binary file /var/log/messages matches
>
> HITS DATE
> ---- ------
> 1 Binary
>
> HITS PORT SERVICE(S)
> ---- ----- ----------
> /sbin/shorewall: printf: Binary: invalid number
>
> -------
>
> whats wrong here ? the box with shorewall 1.3.6 was working just fine..

What does "grep Shorewall /var/log/messages" return?

> they are really the same setup. only the IP addresses differ, other than
> that, everything same except of shorewall. 3 nics, 1net, 2loc, 3dmz, dmz/net
> with proxy arp for .248 subnet of 8/6 official ip addresses...
>
> i also found one more detail.. when i traceroute to a proxy arped host on
> the dmz card of the shorewall 1.3.6 box, i get traceroute replies from the
> firewall/net card and from the dmz host.
>
> in shorewall 1.3.7a i only get a traceroute reply from the dmz host. the
> fw/net nic itself displays timeout/* only...

Does your traceroute use ICMP or does it use UDP?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Andreas Bittner
2002-Aug-26 20:39 UTC
[Shorewall-users] bugs in shorewall hits with shorewall 1.3.7a ??
hi there,

the grep on messages returns the very same error:

hades-vt:/var/log # grep Shorewall /var/log/messages
Binary file /var/log/messages matches

but this is crazy cos when i do less /var/log/messages everything looks just normal like any other linux message log.. or when i do cat.. its the normal log file.. whats wrong here on my box??

how can i determine if that file is really a binary file? any other linux binary file gives me that fancy binary output.. so messages is definitely NOT a binary file..

i did a grep -a Shorewall /var/log/messages and that works fine...

the other stuff with the traceroute ... i meant traceroute from the outside... i do a tracert from a win32 box on the inet to both of my locations where i use 1.3.6 on the one and 1.3.7a on the other. i have in both DMZs a mailserver with public ips with proxy arp.

now the one way works with replies from the firewall eth0 interface, the other site doesnt reply from eth0 ip to the traceroute but both traceroutes reply at the target dmz mailserver host just fine.. only that 1.3.7a doesnt reply to the traceroute from win32, the 1.3.6 replies fine.. same config. same setup, same everything.. except the ips...

dunno why....

thanks,
andy
Tom Eastep
2002-Aug-26 20:44 UTC
[Shorewall-users] bugs in shorewall hits with shorewall 1.3.7a ??
On Monday 26 August 2002 01:39 pm, Andreas Bittner wrote:
> hi there,
>
> the grep on messages returns the very same error:
> hades-vt:/var/log # grep Shorewall /var/log/messages
> Binary file /var/log/messages matches
>
> but this is crazy cos when i do less /var/log/messages everything looks
> just normal like any other linux message log.. or when i do cat.. its the
> normal log file.. whats wrong here on my box??

There are non-printable characters in your log.

> how can i determine if that file is really a binary file? any other linux
> binary file gives me that fancy binary output.. so messages is definitely
> NOT a binary file..
>
> i did a grep -a Shorewall /var/log/messages and that works fine...
>
> the other stuff with the traceroute ... i meant traceroute from the
> outside... i do a tracert from a win32 box on the inet to both of my
> locations where i use 1.3.6 on the one and 1.3.7a on the other. i have in
> both DMZs a mailserver with public ips with proxy arp.
>
> now the one way works with replies from the firewall eth0 interface, the
> other site doesnt reply from eth0 ip to the traceroute but both traceroutes
> reply at the target dmz mailserver host just fine.. only that 1.3.7a doesnt
> reply to the traceroute from win32, the 1.3.6 replies fine.. same config.
> same setup, same everything.. except the ips...
>
> dunno why....

Did you read the Upgrade Considerations??? Treatment of ICMP in general has changed in 1.3.7. I suspect that you may need to specify FORWARDPING=Yes in your shorewall.conf file. Just a guess...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
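Tom's diagnosis, that a stray non-printable byte makes plain grep answer "Binary file ... matches" and so turns every table that "shorewall hits" builds from /var/log/messages into garbage, can be reproduced and checked with the script below. It is an added example, not code from this thread or from Shorewall; the log lines, host name and addresses in it are constructed, and the per-address table is only an illustration of the kind of report the page shows, not Shorewall's own script.

```shell
#!/bin/sh
# Added example (not Shorewall code): reproduce the "Binary file ... matches"
# failure that breaks the tables "shorewall hits" builds from the syslog, and
# show the grep -a workaround from the thread. All log lines are constructed.

# Write a small syslog-style sample; line 3 carries a stray NUL byte, the kind
# of non-printable character that makes grep treat the whole file as binary.
make_sample_log() {
    printf 'Aug 26 21:10:01 hades-vt kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=139\n' > "$1"
    printf 'Aug 26 21:10:05 hades-vt kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=UDP DPT=137\n' >> "$1"
    printf 'Aug 26 21:10:07 hades-vt syslogd: restart\000\n' >> "$1"
    printf 'Aug 26 21:10:09 hades-vt kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=445\n' >> "$1"
}

# Succeeds (exit 0) when plain grep refuses to print matches from the file.
# Old grep prints the notice on stdout, grep >= 3.5 on stderr, so merge both.
log_is_seen_as_binary() {
    grep Shorewall "$1" 2>&1 | grep -qi 'binary file'
}

# How many bytes in the log are neither printable nor ordinary whitespace.
nonprintable_byte_count() {
    LC_ALL=C tr -d '[:print:]\n\t' < "$1" | wc -c | tr -d ' '
}

# Count Shorewall log entries. -a forces grep to treat the file as text, so
# the result is a number even when a NUL has slipped into the log.
count_hits() {
    grep -a -c Shorewall "$1"
}

# Hits per source address, like the first table "shorewall hits" prints;
# without -a this collapses to "1 Binary file ... matches" on the sample log.
hits_per_ip() {
    grep -a Shorewall "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

LOG=$(mktemp)
make_sample_log "$LOG"
if log_is_seen_as_binary "$LOG"; then
    echo "plain grep treats $LOG as binary: $(nonprintable_byte_count "$LOG") non-printable byte(s)"
fi
echo "Shorewall hits: $(count_hits "$LOG")"
hits_per_ip "$LOG"
rm -f "$LOG"
```

On a real box, point the functions at /var/log/messages instead of the temporary file; a non-zero result from nonprintable_byte_count is the quickest way to confirm Tom's explanation before touching the firewall configuration.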
Andreas Bittner
2002-Aug-26 20:57 UTC
[Shorewall-users] bugs in shorewall hits with shorewall 1.3.7a ??
my shorewall.conf has FORWARDPING=Yes

i didnt upgrade to 1.3.7. the one box was a clean 1.3.6 install, the second was a clean 1.3.7a install, since i installed the second box after you released your 1.3.7a rpm package...

andy