Hi Guys, I need some help. I've been using shorewall for a while now and it's been running beautifully, but I'm now experiencing some problems. It seems that connections are getting dropped much like the behavior described by the NEWNOTSYN=no option in the shorewall.conf file, but I have NEWNOTSYN=Yes in my file.

The messages I see in my logs are things like:

Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=62711 PROTO=TCP SPT=33968 DPT=28526 WINDOW=2048 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=38 ID=48274 PROTO=TCP SPT=33969 DPT=65057 WINDOW=4096 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=17029 PROTO=TCP SPT=33969 DPT=4731 WINDOW=2048 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=36802 PROTO=TCP SPT=33969 DPT=18860 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=40 ID=605 PROTO=TCP SPT=33971 DPT=15106 WINDOW=2048 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=26711 PROTO=TCP SPT=33971 DPT=27413 WINDOW=3072 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=21910 PROTO=TCP SPT=33971 DPT=15926 WINDOW=4096 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=24406 PROTO=TCP SPT=33971 DPT=64226 WINDOW=1024 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=11099 PROTO=TCP SPT=33979 DPT=1 WINDOW=4096 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=328 TOS=0x00 PREC=0x00 TTL=47 ID=29979 PROTO=UDP SPT=33968 DPT=1 LEN=308
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=60 TOS=0x00 PREC=0x00 TTL=30 ID=43208 PROTO=TCP SPT=33979 DPT=1 WINDOW=4096 RES=0x00 SYN URGP=0
Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:0e:7f:b5:8a:b7:00:30:71:f0:1e:53:08:00 SRC=67.100.211.50 DST=64.62.249.19 LEN=328 TOS=0x00 PREC=0x00 TTL=47 ID=29979 PROTO=UDP SPT=33968 DPT=1 LEN=308

And the weird part is that it doesn't seem to drop ssh or http, but it is dropping webmin, pops, imaps, and others. I configured the shorewall files like on other boxes that I've used shorewall on, so I'm not sure what is happening. It could be something not shorewall related, but I'm suspecting shorewall because when a connection to webmin gets dropped, I can log in over ssh and restart shorewall, then webmin works again.

Here are some relevant files:

/etc/shorewall/policy
###############################################################################
#SOURCE   DEST   POLICY   LOG     LIMIT:BURST
#                         LEVEL
$FW       net    ACCEPT   -
#
# THE FOLLOWING POLICY MUST BE LAST
#
net       all    DROP     info
all       all    REJECT   info

/etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet

/etc/shorewall/interfaces
##############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net     eth0        detect      rfc1918

/etc/shorewall/rules
####################################################################################################
#ACTION   SOURCE   DEST   PROTO   DEST         SOURCE    ORIGINAL   RATE    USER/
#                                 PORT         PORT(S)   DEST       LIMIT   GROUP
ACCEPT    net      $FW    tcp     ssh          -         -          -       -
ACCEPT    net      $FW    tcp     http,https   -         -          -       -
ACCEPT    net      $FW    tcp     smtp         -         -          -       -
ACCEPT    net      $FW    tcp     webmin       -         -          -       -
ACCEPT    net      $FW    tcp     pop3,pop3s   -         -          -       -
ACCEPT    net      $FW    tcp     imap,imaps   -         -          -       -
ACCEPT    net      $FW    icmp    -            -         -          -       -

Any thoughts, comments, help would be totally appreciated. As you can see this box is single interface and not routing traffic for anything else -- just using shorewall for an extra layer of accountability on the box.

Thanks so much for your time,
Andrew
andrew t scott wrote:
| Hi Guys, I need some help. I've been using shorewall for a while now
| and it's been running beautifully, but I'm now experiencing some
| problems. It seems that connections are getting dropped much like the
| behavior described by the NEWNOTSYN=no option in the shorewall.conf
| file, but I have NEWNOTSYN=Yes in my file.
|
| The messages I see in my logs are things like:

None of the messages you posted are relevant to your problem.

| Shorewall:net2all:DROP:IN=eth0 OUT
|
| And the weird part is that it doesn't seem to drop ssh or http, but it
| is dropping webmin, pops, imaps, and others.

So exactly what does "drop" mean?

a) You can't establish an initial connection?
b) You can establish an initial connection but at some point, the
   connection stops working?
c) Your wife is complaining about there being connections scattered all
   over the floor around your computer?
d) ???

| I configured the shorewall files like on other boxes that I've used
| shorewall on, so I'm not sure what is happening. It could be something
| not shorewall related, but I'm suspecting shorewall because when a
| connection to webmin gets dropped, I can log in over ssh and restart
| shorewall, then webmin works again.

Given that once "shorewall [re]start" is complete, there is absolutely no Shorewall code running in your system, that analysis doesn't hold a lot of water.

What I suggest that you do is to compare the output of "shorewall status" from before you restart Shorewall and after you have restarted it.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
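As an added illustration of Tom's point (example code written for this page, not from the thread or the Shorewall project): a small Python triage that parses Shorewall log lines in the layout Andrew posted and checks each DROP against the ACCEPT rules in his rules file. The sample log lines are constructed (documentation-range addresses, placeholder MACs), and the port numbers are my own reading of the service names in his rules, with webmin assumed to be TCP 10000.

```python
import re
from collections import Counter

# TCP ports the posted /etc/shorewall/rules ACCEPT from net to $FW, as numbers.
# Assumed mapping: ssh 22, smtp 25, http 80, https 443, pop3 110, pop3s 995,
# imap 143, imaps 993, webmin 10000 (Webmin's default listening port).
ALLOWED_TCP = {22, 25, 80, 443, 110, 995, 143, 993, 10000}

HEADER_RE = re.compile(r"Shorewall:(\w+):(\w+):(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample lines in the same layout the poster's syslog shows.
SAMPLE_LOG = [
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=62711 PROTO=TCP SPT=33968 DPT=28526 WINDOW=2048 RES=0x00 SYN URGP=0",
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=11099 PROTO=TCP SPT=33979 DPT=1 WINDOW=4096 RES=0x00 SYN URGP=0",
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=328 TOS=0x00 PREC=0x00 TTL=47 ID=29979 PROTO=UDP SPT=33968 DPT=1 LEN=308",
    "Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=51000 DPT=993 WINDOW=501 RES=0x00 ACK URGP=0",
]

def parse_shorewall_log(line):
    """Parse one 'Shorewall:<chain>:<disposition>:' line into a dict.

    Returns None for lines that are not Shorewall log messages. key=value
    fields become string entries (a later duplicate key such as the UDP LEN
    overwrites the earlier one); bare TCP flag words go into 'flags'.
    """
    m = HEADER_RE.search(line)
    if not m:
        return None
    chain, disposition, rest = m.groups()
    rec = {"chain": chain, "disposition": disposition}
    rec.update(FIELD_RE.findall(rest))
    rec["flags"] = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return rec

def triage(rec):
    """Classify one parsed record against the posted ACCEPT rules."""
    if rec is None or rec["disposition"] != "DROP":
        return "not-a-drop"
    if rec.get("PROTO") != "TCP":
        return "non-tcp"               # no net->$FW rule accepts UDP: expected
    dpt = int(rec.get("DPT", "0"))
    if rec["flags"] != {"SYN"}:
        # Not a bare SYN, so not a connection attempt: the ACCEPT rules, which
        # only matter when a connection is opened, never applied to it.
        return "tcp-not-new"
    if dpt in ALLOWED_TCP:
        return "new-to-allowed-port"   # contradicts the rules file: investigate
    return "new-to-closed-port"        # the net->all DROP policy doing its job

def summarize(lines):
    """Count lines per triage class; only new-to-allowed-port needs a look."""
    return dict(Counter(triage(parse_shorewall_log(l)) for l in lines))

if __name__ == "__main__":
    for cls, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cls:22} {n}")
```

Run against the lines Andrew posted, every TCP entry is a bare SYN to a port no rule accepts, which is why none of them bears on a session that was already established.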
Tom Eastep wrote:
| andrew t scott wrote:
| | Hi Guys, I need some help. I've been using shorewall for a while now
| | and it's been running beautifully, but I'm now experiencing some
| | problems. It seems that connections are getting dropped much like the
| | behavior described by the NEWNOTSYN=no option in the shorewall.conf
| | file, but I have NEWNOTSYN=Yes in my file.
| |
| | The messages I see in my logs are things like:
|
| None of the messages you posted are relevant to your problem.

Although it is not always evident from my posts, I am capable of using correct grammar; the above should have been:

None of the messages you posted _is_ relevant to your problem.

-Tom

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key  \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> andrew t scott wrote:
> | Hi Guys, I need some help. I've been using shorewall for a while now
> | and it's been running beautifully, but I'm now experiencing some
> | problems. It seems that connections are getting dropped much like the
> | behavior described by the NEWNOTSYN=no option in the shorewall.conf
> | file, but I have NEWNOTSYN=Yes in my file.
> |
> | The messages I see in my logs are things like:
>
> None of the messages you posted are relevant to your problem.
>
> | Shorewall:net2all:DROP:IN=eth0 OUT
> |
> | And the weird part is that it doesn't seem to drop ssh or http, but it
> | is dropping webmin, pops, imaps, and others.
>
> So exactly what does "drop" mean?
>
> a) You can't establish an initial connection?
> b) You can establish an initial connection but at some point, the
>    connection stops working?
> c) Your wife is complaining about there being connections scattered all
>    over the floor around your computer?
> d) ???
>
> | I configured the shorewall files like on other boxes that I've used
> | shorewall on, so I'm not sure what is happening. It could be something
> | not shorewall related, but I'm suspecting shorewall because when a
> | connection to webmin gets dropped, I can log in over ssh and restart
> | shorewall, then webmin works again.
>
> Given that once "shorewall [re]start" is complete, there is absolutely
> no Shorewall code running in your system, that analysis doesn't hold a
> lot of water.

Hey Tom, thanks for your reply, time, and thoughts.

The computer is at a colocation facility. I can login over ssh, and I have ports open rules set up for allowing various services such as pop, pop3s, imaps, webmin, http, https, ssh.

Here's how to recreate the problem:

Login over ssh - all good and fine
Login to webmin in a web browser - all good and fine
Login to IMAP with Mozilla mail - all good and fine

suddenly - IMAP starts getting hung, can't check new messages
         - WebMin stops refreshing, just hangs in the browser, never reloads
         - Shell still works

run: /etc/init.d/shorewall restart
and now webmin loads, and can check for new messages

five minutes later, suddenly, webmin is hanging and IMAP is hanging.
repeat process.

I'll look into your suggestions. (Comparing "shorewall status" before and after restarting shorewall).

Any idea what can create this behavior, though? I understand that shorewall isn't "running" per se, but rather it configures netfilter for me, but I think it's some configuration in shorewall that I have wrong and it sounds a lot like what is described in the shorewall.conf file when you have NEWNOTSYN set to "No" -- half-established connections get "dropped". I'm not an expert on TCP/IP so I'm doing the best I can with the terms and to describe what is happening.

Thanks again for your time and thoughts,
Andrew

> What I suggest that you do is to compare the output of "shorewall
> status" from before you restart Shorewall and after you have restarted it.
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
andrew t scott wrote:
| Tom Eastep wrote:
|
|> The computer is at a colocation facility. I can login over ssh, and I
|> have ports open rules set up for allowing various services such as pop,
|> pop3s, imaps, webmin, http, https, ssh. Here's how to recreate the
|> problem:
|
|> Login over ssh - all good and fine
|> Login to webmin in a web browser - all good and fine
|> Login to IMAP with Mozilla mail - all good and fine

Then the problem is *not* related to Shorewall rules.

|> suddenly - IMAP starts getting hung, can't check new messages
|>          - WebMin stops refreshing, just hangs in the browser, never
|>            reloads
|>          - Shell still works

I take it that this is a server of some sort -- are you seeing any problems associated with the server's operation?

|> run: /etc/init.d/shorewall restart
|> and now webmin loads, and can check for new messages
|> five minutes later, suddenly, webmin is hanging and IMAP is hanging.
|> repeat process.
|
|> I'll look into your suggestions. (Comparing "shorewall status" before
|> and after restarting shorewall).
|
|> Any idea what can create this behavior, though?

If you "shorewall clear" and leave it that way for a while, do you see any problems?

|> I understand that
|> shorewall isn't "running" per se, but rather it configures netfilter for
|> me, but I think it's some configuration in shorewall that I have wrong
|> and it sounds a lot like what is described in shorewall.conf file when
|> you have NEWNOTSYN set to "No" -- half-established connections get
|> "dropped".

But you have NEWNOTSYN=Yes so that's irrelevant.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> andrew t scott wrote:
> | Tom Eastep wrote:
> |
> |> The computer is at a colocation facility. I can login over ssh, and I
> |> have ports open rules set up for allowing various services such as pop,
> |> pop3s, imaps, webmin, http, https, ssh. Here's how to recreate the
> |> problem:
> |
> |> Login over ssh - all good and fine
> |> Login to webmin in a web browser - all good and fine
> |> Login to IMAP with Mozilla mail - all good and fine
>
> Then the problem is *not* related to Shorewall rules.

What makes you so sure?

> |> suddenly - IMAP starts getting hung, can't check new messages
> |>          - WebMin stops refreshing, just hangs in the browser, never
> |>            reloads
> |>          - Shell still works
>
> I take it that this is a server of some sort -- are you seeing any
> problems associated with the server's operation?

Yes, it is a server. Yes, after a couple minutes of activity, certain services stop working. (webmin, imap, pop3, imaps, pop3s, but ssh and http continue to work).

> |> run: /etc/init.d/shorewall restart
> |> and now webmin loads, and can check for new messages
> |> five minutes later, suddenly, webmin is hanging and IMAP is hanging.
> |> repeat process.
> |
> |> I'll look into your suggestions. (Comparing "shorewall status" before
> |> and after restarting shorewall).
> |
> |> Any idea what can create this behavior, though?
>
> If you "shorewall clear" and leave it that way for a while, do you see
> any problems?

I don't have that kind of time. The server is at a colo and I'm on the clock.

> |> I understand that
> |> shorewall isn't "running" per se, but rather it configures netfilter for
> |> me, but I think it's some configuration in shorewall that I have wrong
> |> and it sounds a lot like what is described in shorewall.conf file when
> |> you have NEWNOTSYN set to "No" -- half-established connections get
> |> "dropped".
>
> But you have NEWNOTSYN=Yes so that's irrelevant.

I only pointed it out thinking that you guys, being more experienced, might recognize the symptom and be able to tell me if it is related to something else. Am I misunderstanding how to communicate here?

Anyway, I put a regular Iptables script in place and removed shorewall. Unfortunately the management breathing down my neck could not afford another minute if it could be side-stepped. If I bump into this problem on my servers I'll do my best to lock it down and report to the list that it's not a bug and just a dumb user (me) error. ;)

Take care, and again, thank you very much for your time.

Sincerely,
Andrew

> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
On Wed, 11 Aug 2004, andrew t scott wrote:
> Tom Eastep wrote:
> > andrew t scott wrote:
> > | Tom Eastep wrote:
> > |
> > |> The computer is at a colocation facility. I can login over ssh, and I
> > |> have ports open rules set up for allowing various services such as pop,
> > |> pop3s, imaps, webmin, http, https, ssh. Here's how to recreate the
> > |> problem:
> > |
> > |> Login over ssh - all good and fine
> > |> Login to webmin in a web browser - all good and fine
> > |> Login to IMAP with Mozilla mail - all good and fine
> >
> > Then the problem is *not* related to Shorewall rules.
>
> What makes you so sure?

a) Shorewall rules only are relevant at connection time
b) You have just told us that you can connect fine.

> > |> suddenly - IMAP starts getting hung, can't check new messages
> > |>          - WebMin stops refreshing, just hangs in the browser, never
> > |>            reloads
> > |>          - Shell still works
> >
> > I take it that this is a server of some sort -- are you seeing any
> > problems associated with the server's operation?
>
> Yes, it is a server. Yes, after a couple minutes of activity, certain
> services stop working. (webmin, imap, pop3, imaps, pop3s, but ssh and
> http continue to work).
>
> > |> run: /etc/init.d/shorewall restart
> > |> and now webmin loads, and can check for new messages
> > |> five minutes later, suddenly, webmin is hanging and IMAP is hanging.
> > |> repeat process.
> > |
> > |> I'll look into your suggestions. (Comparing "shorewall status" before
> > |> and after restarting shorewall).
> > |
> > |> Any idea what can create this behavior, though?
> >
> > If you "shorewall clear" and leave it that way for a while, do you see
> > any problems?
>
> I don't have that kind of time. The server is at a colo and I'm on the
> clock.

Too bad -- if you had done that test first, you could have proved one way or the other whether Shorewall is at fault.

> > |> I understand that
> > |> shorewall isn't "running" per se, but rather it configures netfilter for
> > |> me, but I think it's some configuration in shorewall that I have wrong
> > |> and it sounds a lot like what is described in shorewall.conf file when
> > |> you have NEWNOTSYN set to "No" -- half-established connections get
> > |> "dropped".
> >
> > But you have NEWNOTSYN=Yes so that's irrelevant.
>
> I only pointed it out thinking that you guys, being more experienced,
> might recognize the symptom and be able to tell me if it is related to
> something else. Am I misunderstanding how to communicate here?
>
> Anyway, I put a regular Iptables script in place and removed shorewall.
> Unfortunately the management breathing down my neck could not afford
> another minute if it could be side-stepped. If I bump into this problem
> on my servers I'll do my best to lock it down and report to the list
> that it's not a bug and just a dumb user (me) error. ;)
>
> Take care, and again, thank you very much for your time.

I'll be interested to hear one way or the other whether the problem appears again with your current "regular" script (as opposed to the irregular Shorewall script :-) )

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net