H&K4ME
2003-Jul-11 09:17 UTC
[Shorewall-users] Perplexing problem with Linux/Shorewall & PPTP
All,

I am having a very perplexing problem with my Linux/Shorewall firewall, and I'm hoping that either someone has already seen this and solved it, or someone can point me in the right direction.

Scenario: I have a workstation on my interior LAN that I use to PPTP into various LinuxV9/Shorewall/PoPTop firewalls, via the Internet. I have a LinuxV9/Shorewall/PoPTop firewall between my LAN and the Internet also, and it is the main gateway out. I am using the built-in PPTP client that Windows XP comes with, btw.

Not always, but often when I go to initiate a connection to a remote firewall, the PPTP session fails. I SSH'ed into my local firewall and set up two "Ethereal" sessions, one on eth0 (Internet) and one on eth1 (Internal LAN) to run simultaneously. Below are the captures from both sessions.

If you notice on the "eth1" side (packet 11), the pptp client sends a "PPP LCP" (IP 47, or GRE) request to the remote firewall, but does not get a reply. Now look at the eth0 side, and you will see that that request never made it out of the firewall, and the "PPP LCP" request (packet 11 again) from the remote firewall gets sent back as an ICMP unreachable packet, which then initiates a closing of the session. This dropped packet does not show up in the firewall log, and the policy file does have "info" on the all-to-all and net-to-all statements. I am allowing "loc to net" as unrestricted.

If I take my Shorewall firewall out, and replace it with a Linksys Brouter, everything works just fine. Again, this only happens sometimes, mostly in the morning it seems, and at other times it works just fine, hence my confusion. I have spent a lot of time trying to figure this out, but have just come to a brick wall.

Ok, what information should I gather from Shorewall and/or Linux when this is occurring to help troubleshoot this?

Joe

PS Linux V9 with 2.4.20-13.9 kernel and Shorewall 1.4.4b

*************************

***eth1***

No. RTC             Delta    Source          Destination     Protocol Size Info-HomeLAN-FW1
1   07:43:15.670954 4.962568 pptp.client     isp.dns.server  DNS      78   Standard query A cjsifw1.dyndns.org
2   07:43:15.812301 0.141347 isp.dns.server  pptp.client     DNS      200  Standard query response A 68.82.115.49
3   07:43:15.815295 0.002994 pptp.client     poptop.server   TCP      62   4944 > 1723 [SYN]
4   07:43:15.853551 0.038256 poptop.server   pptp.client     TCP      62   1723 > 4944 [SYN, ACK]
5   07:43:15.853848 0.000297 pptp.client     poptop.server   PPTP     210  START-CONTROL-REQUEST
6   07:43:15.904034 0.050186 poptop.server   pptp.client     TCP      54   1723 > 4944 [ACK]
7   07:43:15.909034 0.005000 poptop.server   pptp.client     PPTP     210  START-CONTROL-REPLY
8   07:43:15.909363 0.000329 pptp.client     poptop.server   PPTP     222  OUTGOING-CALL-REQUEST
9   07:43:15.956282 0.046919 poptop.server   pptp.client     PPTP     86   OUTGOING-CALL-REPLY
10  07:43:15.961899 0.005617 pptp.client     poptop.server   PPTP     78   SET-LINK
11  07:43:15.965266 0.003367 pptp.client     poptop.server   PPP LCP  71   PPP LCP Configuration Request
12  07:43:16.034993 0.069727 poptop.server   pptp.client     TCP      54   1723 > 4944 [ACK]
13  07:43:16.055177 0.020184 poptop.server   pptp.client     TCP      54   1723 > 4944 [FIN, ACK]
14  07:43:16.055396 0.000219 pptp.client     poptop.server   TCP      60   4944 > 1723 [FIN, ACK]
15  07:43:16.087412 0.032016 poptop.server   pptp.client     TCP      54   1723 > 4944 [ACK]

***eth0***

No. RTC             Delta    Source          Destination     Protocol Size Info-HomeLAN-FW1
1   07:43:15.671041 0.000000 my.firewall     isp.dns.server  DNS      78   Standard query A cjsifw1.dyndns.org
2   07:43:15.812263 0.141222 isp.dns.server  my.firewall     DNS      200  Standard query response A 68.82.115.49
3   07:43:15.815344 0.003081 my.firewall     poptop.server   TCP      62   4944 > 1723 [SYN]
4   07:43:15.853522 0.038178 poptop.server   my.firewall     TCP      62   1723 > 4944 [SYN, ACK]
5   07:43:15.853874 0.000352 my.firewall     poptop.server   PPTP     210  START-CONTROL-REQUEST
6   07:43:15.904008 0.050134 poptop.server   my.firewall     TCP      60   1723 > 4944 [ACK]
7   07:43:15.909008 0.005000 poptop.server   my.firewall     PPTP     210  START-CONTROL-REPLY
8   07:43:15.909389 0.000381 my.firewall     poptop.server   PPTP     222  OUTGOING-CALL-REQUEST
9   07:43:15.956257 0.046868 poptop.server   my.firewall     PPTP     86   OUTGOING-CALL-REPLY
10  07:43:15.961924 0.005667 my.firewall     poptop.server   PPTP     78   SET-LINK
11  07:43:16.018658 0.056734 poptop.server   my.firewall     PPP LCP  75   PPP LCP Configuration Request
12  07:43:16.018743 0.000085 my.firewall     poptop.server   ICMP     103  Destination unreachable
13  07:43:16.034939 0.016196 poptop.server   my.firewall     TCP      60   1723 > 4944 [ACK]
14  07:43:16.055128 0.020189 poptop.server   my.firewall     TCP      60   1723 > 4944 [FIN, ACK]
15  07:43:16.055432 0.000304 my.firewall     poptop.server   TCP      54   4944 > 1723 [FIN, ACK]
16  07:43:16.087384 0.031952 poptop.server   my.firewall     TCP      60   1723 > 4944 [ACK]
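As an added example, not part of the original post and not Shorewall code, the script below does mechanically what the poster did by eye: it parses the two Ethereal summary captures side by side and flags every packet that shows up on one interface of the firewall without a counterpart on the other, distinguishing a silent drop from a packet the firewall answered itself with ICMP. The sample rows are a constructed subset of the captures above (packets 8 to 15 of eth1 and 8 to 16 of eth0); the NAT mapping pptp.client to my.firewall and the 100 ms matching window are assumptions.

```python
"""Cross-check LAN-side and WAN-side summary captures taken on the same
firewall and report packets that did not traverse it.
Added example for the thread above; not the poster's or Shorewall's code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: rows 8-15 (eth1) and 8-16 (eth0) of the captures posted
# above, in Ethereal's summary layout: No. RTC Delta Source Destination Protocol Size Info
ETH1_LAN = """\
8 07:43:15.909363 0.000329 pptp.client poptop.server PPTP 222 OUTGOING-CALL-REQUEST
9 07:43:15.956282 0.046919 poptop.server pptp.client PPTP 86 OUTGOING-CALL-REPLY
10 07:43:15.961899 0.005617 pptp.client poptop.server PPTP 78 SET-LINK
11 07:43:15.965266 0.003367 pptp.client poptop.server PPP LCP 71 PPP LCP Configuration Request
12 07:43:16.034993 0.069727 poptop.server pptp.client TCP 54 1723 > 4944 [ACK]
13 07:43:16.055177 0.020184 poptop.server pptp.client TCP 54 1723 > 4944 [FIN, ACK]
14 07:43:16.055396 0.000219 pptp.client poptop.server TCP 60 4944 > 1723 [FIN, ACK]
15 07:43:16.087412 0.032016 poptop.server pptp.client TCP 54 1723 > 4944 [ACK]
"""
ETH0_WAN = """\
8 07:43:15.909389 0.000381 my.firewall poptop.server PPTP 222 OUTGOING-CALL-REQUEST
9 07:43:15.956257 0.046868 poptop.server my.firewall PPTP 86 OUTGOING-CALL-REPLY
10 07:43:15.961924 0.005667 my.firewall poptop.server PPTP 78 SET-LINK
11 07:43:16.018658 0.056734 poptop.server my.firewall PPP LCP 75 PPP LCP Configuration Request
12 07:43:16.018743 0.000085 my.firewall poptop.server ICMP 103 Destination unreachable
13 07:43:16.034939 0.016196 poptop.server my.firewall TCP 60 1723 > 4944 [ACK]
14 07:43:16.055128 0.020189 poptop.server my.firewall TCP 60 1723 > 4944 [FIN, ACK]
15 07:43:16.055432 0.000304 my.firewall poptop.server TCP 54 4944 > 1723 [FIN, ACK]
16 07:43:16.087384 0.031952 poptop.server my.firewall TCP 60 1723 > 4944 [ACK]
"""

# Protocol may contain a space ("PPP LCP"), so it is matched non-greedily up to
# the numeric Size column; everything after Size is the Info text.
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<rtc>\d\d:\d\d:\d\d\.\d+)\s+(?P<delta>\d+\.\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>.+?)\s+(?P<size>\d+)\s+(?P<info>.*)$"
)

# Both captures were taken on the same host, so their clocks agree; assumed.
WINDOW = timedelta(milliseconds=100)


@dataclass
class Packet:
    no: int
    t: datetime  # time of day only; only differences are used
    src: str
    dst: str
    proto: str
    info: str


def parse(capture: str) -> list[Packet]:
    """Turn Ethereal summary lines into Packet records; lines that do not
    match the layout (headers, blank lines) are skipped."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Packet(int(m["no"]), datetime.strptime(m["rtc"], "%H:%M:%S.%f"),
                               m["src"], m["dst"], m["proto"], m["info"]))
    return pkts


def find_match(pkt: Packet, other: list[Packet], *, src: str, dst: str) -> Packet | None:
    """First packet in `other` with the same protocol and info, the given
    (post-NAT) addresses, and a timestamp within WINDOW after `pkt`."""
    for cand in other:
        if (cand.proto == pkt.proto and cand.info == pkt.info
                and cand.src == src and cand.dst == dst
                and timedelta(0) <= cand.t - pkt.t <= WINDOW):
            return cand
    return None


def audit(lan: list[Packet], wan: list[Packet], client: str, firewall: str) -> list[tuple[str, str, int, str]]:
    """Return (finding, interface, packet number, protocol) for every packet
    that crossed one side of the firewall but never appeared on the other.
    Assumes all WAN-side traffic is the client's, masqueraded as `firewall`."""
    findings = []
    # Outbound: a packet the client sent on eth1 must leave eth0 sourced from the firewall.
    for p in lan:
        if p.src == client and find_match(p, wan, src=firewall, dst=p.dst) is None:
            findings.append(("outbound-not-forwarded", "eth1", p.no, p.proto))
    # Inbound: a packet arriving on eth0 for the firewall must reach the client on eth1,
    # unless the firewall answered it itself (ICMP) instead of forwarding it.
    for p in wan:
        if p.dst != firewall or p.src == firewall:
            continue
        if find_match(p, lan, src=p.src, dst=client) is not None:
            continue
        icmp = next((q for q in wan if q.proto == "ICMP" and q.src == firewall
                     and q.dst == p.src and timedelta(0) <= q.t - p.t <= WINDOW), None)
        kind = "inbound-rejected-icmp" if icmp else "inbound-not-forwarded"
        findings.append((kind, "eth0", p.no, p.proto))
    return findings


if __name__ == "__main__":
    for finding in audit(parse(ETH1_LAN), parse(ETH0_WAN), "pptp.client", "my.firewall"):
        print("%-24s %s packet %d (%s)" % finding)
```

Run against the sample it reports eth1 packet 11 (the client's GRE-carried LCP Configure-Request) as never forwarded out, and eth0 packet 11 (the server's LCP Configure-Request) as answered with ICMP Destination unreachable rather than forwarded in, which is exactly the symptom the post describes; every TCP control-channel packet pairs up cleanly. The same comparison is easier on traces taken with name resolution off (tcpdump or tethereal with -n), which is also what the replies below ask for: with raw addresses the only mapping you have to supply is the one NAT performs.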
Tom Eastep
2003-Jul-13 16:31 UTC
[Shorewall-users] Perplexing problem with Linux/Shorewall & PPTP
On Fri, 11 Jul 2003 12:16:58 -0400, H&K4ME <jwwhite@ptd.net> wrote:

> Ok, what information should I gather from Shorewall and/or Linux when
> this is occurring to help troubleshoot this?

If you want my help, start by showing us unedited traces with raw IP addresses (and tell us which IP address corresponds to which host) -- I refuse to spend any time looking at edited packet traces.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Jul-13 17:36 UTC
[Shorewall-users] Perplexing problem with Linux/Shorewall & PPTP
On Sun, 13 Jul 2003 16:30:57 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> If you want my help, start by showing us unedited traces with raw IP
> addresses (and tell us which IP address corresponds to which host) -- I
> refuse to spend any time looking at edited packet traces.

And no one should enable DNS lookup when optaining a trace to try to understand a connection problem. That way you eliminate DNS as a contributing problem.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Jul-13 17:40 UTC
[Shorewall-users] Perplexing problem with Linux/Shorewall & PPTP
On Sun, 13 Jul 2003 17:35:47 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> ... when optaining a trace ...

Should be "obtaining"...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net