Hi, Tom:

Well, whatever I have done, there seems to be 'little health in me'. I find that no mail is coming in, that there are 53,000+ lines of repetitive stanzas in /var/log/syslog, and I have reviewed the /etc/shorewall files as carefully as I could - but obviously not carefully enough!

Anyway:

The log stanzas, continuous, and referring to all the lan (192.168) ips, and not just those defined in params, look like this:

flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= MAC SRC=192.168.3.2 DST=192.168.3.255 LEN=130 TOS=0x00 PREC=0x00 TTL=64 ID=7638 DF PROTO=UDP SPT=631 LEN=110

.. the next stanza refers to SRC=192.168.2.1 DST=192.168.2.255 ID=7839 .... and so on.

I copied the active contents of the /etc/shorewall files into the attachment.

In the meantime, in order to keep things clean, and let the mail in, I ran the 'shorewall clear' command and then removed the shorewall rpm and all the /etc/shorewall files. That should ensure a clean start once more.

Regards, George

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
G. Walsh wrote:
> Hi, Tom:
>
> Well, whatever I have done, there seems to be 'little health in me'. I
> find that no mail is coming in, that there are 53,000+ lines of
> repetitive stanzas in /var/log/syslog, and I have reviewed
> the /etc/shorewall files as carefully as I could - but obviously not
> carefully enough!
>
> Anyway:
>
> The log stanzas, continuous, and referring to all the lan (192.168) ips,
> and not just those defined in params, look like this:
>
> flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= MAC
> SRC=192.168.3.2 DST=192.168.3.255 LEN=130 TOS=0x00 PREC=0x00 TTL=64
> ID=7638 DF PROTO=UDP SPT=631 LEN=110
>
> .. the next stanza refers to SRC=192.168.2.1 DST=192.168.2.255
> ID=7839 .... and so on.

What is eth2 connected to? Is it connected to the same hub/switch as the
other two interfaces?

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On Friday 09 July 2004 23:07, G. Walsh wrote:
> Well, whatever I have done, there seems to be 'little health in me'. I
> find that no mail is coming in, that there are 53,000+ lines of
> repetitive stanzas in /var/log/syslog
>
> flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= SRC=192.168.3.2
> DST=192.168.3.255 PROTO=UDP SPT=631

What about the DPT? I guessed from your statement "192.168 lan" your net is
a /16? So .3.255 is your firewall as well as .2.255? Why would mail be coming
in from your MTAs to the firewall?

You should be looking for logs relating to port 25 when speaking about email.
Do your logs say anything about a SPT=25 or DPT=25?

Who is trying to send mail to whom when it doesn't work?


Alex
Nope .... the DSL modem feeds into a hub: the hub feeds eth0 (the internet gateway/firewall) and eth1 (the second internet connection). Eth2 is actually the builtin modem on the dual-processor motherboard.

Geo

On Fri, 2004-07-09 at 15:10 -0700, Tom Eastep wrote:
> G. Walsh wrote:
> > Hi, Tom:
> >
> > Well, whatever I have done, there seems to be 'little health in me'. I
> > find that no mail is coming in, that there are 53,000+ lines of
> > repetitive stanzas in /var/log/syslog, and I have reviewed
> > the /etc/shorewall files as carefully as I could - but obviously not
> > carefully enough!
> >
> > Anyway:
> >
> > The log stanzas, continuous, and referring to all the lan (192.168) ips,
> > and not just those defined in params, look like this:
> >
> > flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= MAC
> > SRC=192.168.3.2 DST=192.168.3.255 LEN=130 TOS=0x00 PREC=0x00 TTL=64
> > ID=7638 DF PROTO=UDP SPT=631 LEN=110
> >
> > .. the next stanza refers to SRC=192.168.2.1 DST=192.168.2.255
> > ID=7839 .... and so on.
>
> What is eth2 connected to? Is it connected to the same hub/switch as the
> other two interfaces?
>
>
> -Tom

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
G. Walsh wrote:
> Nope .... the DSL modem feeds into a hub: the hub feeds eth0 (the
> internet gateway/firewall) and eth1 (the second internet connection). Eth2
> is actually the builtin modem on the dual-processor motherboard.

Then why is it receiving broadcasts from subnetworks that are configured on
eth1? Or have you changed that since your first post?

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Hi:

The local lan networks, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 are all aliased on eth2. eth1 is the main internet gateway/firewall - 142.179.101.34 mask 255.255.248.0. The second internet connection is eth1, 10.14.122.252, netmask 255.255.192.0. The intent is for eth1 to be concerned only with ssl traffic.

In rules, Tom had me explicitly add "ACCEPT net $FW net tcp 25" and "ACCEPT net $FW:$MTAS tcp 25" and "ACCEPT loc $FW:$MTAS tcp 25"

Mail failed from any local user to any address on the other side of the firewall and I received no external mail from any address.

Geo.

On Sat, 2004-07-10 at 00:14 +0200, Alexander Gretencord wrote:
> On Friday 09 July 2004 23:07, G. Walsh wrote:
> > Well, whatever I have done, there seems to be 'little health in me'. I
> > find that no mail is coming in, that there are 53,000+ lines of
> > repetitive stanzas in /var/log/syslog
> >
> > flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= SRC=192.168.3.2
> > DST=192.168.3.255 PROTO=UDP SPT=631
>
> What about the DPT? I guessed from your statement "192.168 lan" your net is
> a /16? So .3.255 is your firewall as well as .2.255? Why would mail be coming
> in from your MTAs to the firewall?
>
> You should be looking for logs relating to port 25 when speaking about email.
> Do your logs say anything about a SPT=25 or DPT=25?
>
> Who is trying to send mail to whom when it doesn't work?
>
>
> Alex
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
G. Walsh wrote:
> Hi:
>
> The local lan networks, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24
> and 192.168.3.0/24 are all aliased on eth2. eth1 is the main internet
> gateway/firewall - 142.179.101.34 mask 255.255.248.0. The second
> internet connection is eth1, 10.14.122.252, netmask 255.255.192.0.
> The intent is for eth1 to be concerned only with ssl traffic.

Please send us the output of "ip addr ls" -- what you've described isn't
making sense (for one thing, eth0 isn't mentioned).

What Shorewall version are you running again?

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
There is nothing on eth1 but the 10.14.122.252/255.255.192.0 connection. Nothing has changed, the only divisions are on eth2.

George

On Fri, 2004-07-09 at 16:21 -0700, Tom Eastep wrote:
> G. Walsh wrote:
>
> > Nope .... the DSL modem feeds into a hub: the hub feeds eth0 (the
> > internet gateway/firewall) and eth1 (the second internet connection). Eth2
> > is actually the builtin modem on the dual-processor motherboard.
>
> Then why is it receiving broadcasts from subnetworks that are configured on
> eth1? Or have you changed that since your first post?
>
> -Tom

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
Tom Eastep wrote:
> G. Walsh wrote:
>
>> Hi:
>>
>> The local lan networks, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24
>> and 192.168.3.0/24 are all aliased on eth2. eth1 is the main internet
>> gateway/firewall - 142.179.101.34 mask 255.255.248.0. The second
>> internet connection is eth1, 10.14.122.252, netmask 255.255.192.0. The
>> intent is for eth1 to be concerned only with ssl traffic.
>
>
> Please send us the output of "ip addr ls" -- what you've described isn't
> making sense (for one thing, eth0 isn't mentioned).
>
> What Shorewall version are you running again?

I've done some testing here and apparently Shorewall is only detecting
the first broadcast address on an interface when "detect" is placed in
the BROADCAST column. So you can solve the immediate problem of filling
the log by placing 192.168.1.255, 192.168.255,192.168.3.255 in the BROADCAST
column for eth2.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
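Two pieces of advice in this thread are worth turning into a repeatable check: Alex's point that a mail problem shows up as port-25 rejects, not as the UDP stanzas George posted, and Tom's diagnosis that the flood is the subnet broadcasts on eth2 that "detect" missed. The script below is an added example written for this thread; it is not code from the thread or from the Shorewall project. It parses log lines in the layout George quoted, separates rejects whose DST is a subnet broadcast of the networks aliased on eth2 from anything touching TCP port 25, and builds the explicit BROADCAST column value (all four /24s George listed, so it includes 192.168.2.255). The sample log lines are constructed; the outside address 203.0.113.9 and the interfaces-file layout ZONE INTERFACE BROADCAST OPTIONS (Shorewall 2.0) are assumptions.

```python
"""Triage a Shorewall REJECT flood: separate subnet-broadcast noise from
rejects that could actually explain a mail outage.

Added example for the shorewall-users thread; not Shorewall project code.
Assumes the log layout quoted in the thread ("Shorewall: <chain>: <action>:"
followed by key=value fields) and the Shorewall 2.0 interfaces file layout
ZONE INTERFACE BROADCAST OPTIONS.  All log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Subnets George says are aliased on eth2 (taken from the thread).
ALIASED_SUBNETS = {
    "eth2": ["192.168.0.0/24", "192.168.1.0/24",
             "192.168.2.0/24", "192.168.3.0/24"],
}

# Constructed sample lines modelled on the stanza quoted in the thread;
# 203.0.113.9 is a documentation-range placeholder for an outside host.
SAMPLE_LOG = """\
Jul  9 14:02:11 flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= SRC=192.168.3.2 DST=192.168.3.255 LEN=130 TOS=0x00 PREC=0x00 TTL=64 ID=7638 DF PROTO=UDP SPT=631 DPT=631 LEN=110
Jul  9 14:02:12 flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= SRC=192.168.2.1 DST=192.168.2.255 LEN=130 TOS=0x00 PREC=0x00 TTL=64 ID=7839 DF PROTO=UDP SPT=631 DPT=631 LEN=110
Jul  9 14:02:13 flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= SRC=192.168.1.7 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1201 PROTO=UDP SPT=137 DPT=137 LEN=58
Jul  9 14:02:20 flagship kernel: Shorewall: net2fw: REJECT: IN=eth0 OUT= SRC=203.0.113.9 DST=142.179.101.34 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 DF PROTO=TCP SPT=43122 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LOG_RE = re.compile(
    r"Shorewall:\s*(?P<chain>[\w-]+):\s*(?P<action>\w+):\s*(?P<fields>.*)$")


def parse_line(line):
    """Return a dict of the netfilter fields in one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action"),
           "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)      # first LEN= is the IP total length
        else:
            rec["flags"].append(tok)      # bare tokens such as DF, SYN
    return rec


def broadcast_addresses(subnets):
    """Directed broadcast address of every subnet, as strings."""
    return {str(ipaddress.ip_network(s).broadcast_address) for s in subnets}


def classify(rec, broadcasts_by_iface):
    """'subnet-broadcast' for the noise Tom identified, 'smtp' for the
    port-25 traffic Alex said to look for, 'other' for everything else."""
    if rec.get("DST") in broadcasts_by_iface.get(rec.get("IN", ""), set()):
        return "subnet-broadcast"
    if rec.get("PROTO") == "TCP" and "25" in (rec.get("DPT"), rec.get("SPT")):
        return "smtp"
    return "other"


def triage(log_text, aliased=ALIASED_SUBNETS):
    """Count rejects per category and collect the port-25 ones."""
    bcast = {iface: broadcast_addresses(nets) for iface, nets in aliased.items()}
    counts = Counter()
    smtp_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, bcast)
        counts[kind] += 1
        if kind == "smtp":
            smtp_hits.append((rec["IN"], rec["SRC"], rec["DST"], rec["DPT"]))
    return counts, smtp_hits


def interfaces_broadcast_column(subnets):
    """Explicit value for the BROADCAST column of /etc/shorewall/interfaces,
    for a Shorewall version whose 'detect' only sees the first alias."""
    return ",".join(sorted(broadcast_addresses(subnets),
                           key=ipaddress.ip_address))


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    print(dict(counts))
    for hit in hits:
        print("port-25 reject worth investigating (IN, SRC, DST, DPT):", hit)
    # Assumed layout: ZONE INTERFACE BROADCAST OPTIONS
    print("loc\teth2\t" + interfaces_broadcast_column(ALIASED_SUBNETS["eth2"]))
```

Run against a real /var/log/syslog, the counts tell you at once whether the 53,000 lines are all broadcast noise; the `smtp` rows are the ones to read when chasing the mail failure, and the final printed line is a candidate eth2 entry for the interfaces file in place of "detect". On an interface that also sees 255.255.255.255 broadcasts, add that address to the subnet list as well.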
G. Walsh wrote:
> There is nothing on eth1 but the 10.14.122.252/255.255.192.0 connection.
> Nothing has changed, the only divisions are on eth2.

Sorry -- my bad.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Huh? eth0 has always been the gateway/firewall. The shorewall version was 2.0.3 (Mandrake 2.0.3a-1mdk), although I have always been ready to download a tarball and compile it myself.

The results of "ip addr ls" are attached for you.

George

On Fri, 2004-07-09 at 16:28 -0700, Tom Eastep wrote:
> G. Walsh wrote:
>
> > Hi:
> >
> > The local lan networks, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24
> > and 192.168.3.0/24 are all aliased on eth2. eth1 is the main internet
> > gateway/firewall - 142.179.101.34 mask 255.255.248.0. The second
> > internet connection is eth1, 10.14.122.252, netmask 255.255.192.0.
> > The intent is for eth1 to be concerned only with ssl traffic.
>
> Please send us the output of "ip addr ls" -- what you've described isn't
> making sense (for one thing, eth0 isn't mentioned).
>
> What Shorewall version are you running again?
>
> -Tom

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
In the earlier message, I said "eth1 is the main internet gateway/firewall", which should have read eth0, of course.

I'm willing to add the broadcast data for eth2 to kill the massive logging, but I will have to do this later because firewalling is off completely, as I mentioned earlier, so we can clean up a heavy load of graphic documents involved in the web site developments.

I admire your tenacity, I must say!

Geo.

On Fri, 2004-07-09 at 16:39 -0700, Tom Eastep wrote:
> Tom Eastep wrote:
>
> > G. Walsh wrote:
> >
> >> Hi:
> >>
> >> The local lan networks, 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24
> >> and 192.168.3.0/24 are all aliased on eth2. eth1 is the main internet
> >> gateway/firewall - 142.179.101.34 mask 255.255.248.0. The second
> >> internet connection is eth1, 10.14.122.252, netmask 255.255.192.0. The
> >> intent is for eth1 to be concerned only with ssl traffic.
> >
> >
> > Please send us the output of "ip addr ls" -- what you've described isn't
> > making sense (for one thing, eth0 isn't mentioned).
> >
> > What Shorewall version are you running again?
>
> I've done some testing here and apparently Shorewall is only detecting
> the first broadcast address on an interface when "detect" is placed in
> the BROADCAST column. So you can solve the immediate problem of filling
> the log by placing 192.168.1.255, 192.168.255,192.168.3.255 in the BROADCAST
> column for eth2.
>
> -Tom

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
.255 is a broadcast address.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Alexander Gretencord
Sent: Saturday, July 10, 2004 6:15 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Continuing saga

On Friday 09 July 2004 23:07, G. Walsh wrote:
> Well, whatever I have done, there seems to be 'little health in me'. I
> find that no mail is coming in, that there are 53,000+ lines of
> repetitive stanzas in /var/log/syslog
>
> flagship kernel: Shorewall: all2all: REJECT: IN=eth2 OUT= SRC=192.168.3.2
> DST=192.168.3.255 PROTO=UDP SPT=631

What about the DPT? I guessed from your statement "192.168 lan" your net is
a /16? So .3.255 is your firewall as well as .2.255? Why would mail be coming
in from your MTAs to the firewall?

You should be looking for logs relating to port 25 when speaking about email.
Do your logs say anything about a SPT=25 or DPT=25?

Who is trying to send mail to whom when it doesn't work?


Alex
G. Walsh wrote:
> In the earlier message, I said "eth1 is the main internet
> gateway/firewall", which should have read eth0, of course.
>
> I'm willing to add the broadcast data for eth2 to kill the massive
> logging, but I will have to do this later because firewalling is off
> completely, as I mentioned earlier, so we can clean up a heavy load of
> graphic documents involved in the web site developments.
>
> I admire your tenacity, I must say!

I tested again and the current Shorewall version (2.0.4) works correctly
with 'detect' and multiple subnets. It clearly isn't working with the
version you are using and I recall fixing that recently.

Once we stop the message flood, we can see why email isn't working.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Well, it's good to hear I'm not entirely inept, even though I am getting a mite crabby. So later this evening or tomorrow morning, I'll download 2.04 from your site and compile it in.

Are there any other changes (aside from the BROADCAST fix) you want me to make in the /etc/shorewall file set which differs from the last listing I gave you?

George

On Fri, 2004-07-09 at 16:57 -0700, Tom Eastep wrote:
> G. Walsh wrote:
>
> > In the earlier message, I said "eth1 is the main internet
> > gateway/firewall", which should have read eth0, of course.
> >
> > I'm willing to add the broadcast data for eth2 to kill the massive
> > logging, but I will have to do this later because firewalling is off
> > completely, as I mentioned earlier, so we can clean up a heavy load of
> > graphic documents involved in the web site developments.
> >
> > I admire your tenacity, I must say!
>
> I tested again and the current Shorewall version (2.0.4) works correctly
> with 'detect' and multiple subnets. It clearly isn't working with the
> version you are using and I recall fixing that recently.
>
> Once we stop the message flood, we can see why email isn't working.
>
> -Tom

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
G. Walsh wrote:
> Well, it's good to hear I'm not entirely inept, even though I am getting
> a mite crabby. So later this evening or tomorrow morning, I'll download
> 2.04 from your site and compile it in.

Shorewall is written entirely in Bourne shell -- no build required.

>
> Are there any other changes (aside from the BROADCAST fix) you want me
> to make in the /etc/shorewall file set which differs from the last
> listing I gave you?

Nope.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Nifty!

I'll try to leave this be for the night.

I'm sure you could use some 'down' time too, man!

George

On Fri, 2004-07-09 at 17:19 -0700, Tom Eastep wrote:
> G. Walsh wrote:
>
> > Well, it's good to hear I'm not entirely inept, even though I am getting
> > a mite crabby. So later this evening or tomorrow morning, I'll download
> > 2.04 from your site and compile it in.
>
> Shorewall is written entirely in Bourne shell -- no build required.
>
> >
> > Are there any other changes (aside from the BROADCAST fix) you want me
> > to make in the /etc/shorewall file set which differs from the last
> > listing I gave you?
>
> Nope.
>
> -Tom

-- 
G. Walsh, Managing Director, DSC Directional Services Corp., Victoria, B.C., Canada
G. Walsh wrote:
> Nifty!
>
> I'll try to leave this be for the night.
>
> I'm sure you could use some 'down' time too, man!
>

When you install the RPM, you'll need to use the "--nodeps" option:

rpm -ivh shorewall-2.0.4-1.noarch.rpm

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep wrote:
> G. Walsh wrote:
>
>> Nifty!
>>
>> I'll try to leave this be for the night.
>>
>> I'm sure you could use some 'down' time too, man!
>>
>
> When you install the RPM, you'll need to use the "--nodeps" option:
>
> rpm -ivh shorewall-2.0.4-1.noarch.rpm

Er -- make that:

rpm -ivh --nodeps shorewall-2.0.4-1.noarch.rpm

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net