I have had a web server listening on sql-1433, www 80, ftp-21 using proxy arp with subnetting in a three-interface DMZ. All these ports are in the rules file as ACCEPT, with one exception: 1433 allows a few hosts from the net. 21 and 80 allow all net-to-dmz connections. The policy is DMZ to net ACCEPT.

This has been working great for about a month or more until I rebooted the shorewall box last night. Since the reboot, vendors cannot ftp through the firewall, and shorewall is blocking some ftp port attempts.

I read the shorewall ftp page and did not see anything about trouble with proxy arp and ftp.

Here are some of the shorewall DROPS. I can assume that the dynamic open port in ftp is somehow broken after the firewall reboot. I made the ftp attempts myself in the logs below using a Chrome Data Application.

Any ideas on what to try next?

Thanks
Mike

[root@ns1 root]# shorewall version
2.0.2d -- redhat 8
[root@ns1 root]# uname -r
2.4.18-14

net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=4989 DF PROTO=TCP SPT=2011 DPT=1350 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:56:59 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5005 DF PROTO=TCP SPT=2011 DPT=1350 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:06 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5013 DF PROTO=TCP SPT=2011 DPT=1350 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:08 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5546 DF PROTO=TCP SPT=2015 DPT=1351 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:12 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5556 DF PROTO=TCP SPT=2015 DPT=1351 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:18 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5632 DF PROTO=TCP SPT=2015 DPT=1351 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:21 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5643 DF PROTO=TCP SPT=2017 DPT=1352 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:24 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5656 DF PROTO=TCP SPT=2017 DPT=1352 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:30 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5668 DF PROTO=TCP SPT=2017 DPT=1352 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:33 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5697 DF PROTO=TCP SPT=2019 DPT=1353 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:36 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5720 DF PROTO=TCP SPT=2019 DPT=1353 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 24 21:57:43 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=eth2 SRC=64.42.53.202 DST=66.224.62.103 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5724 DF PROTO=TCP SPT=2019 DPT=1353 WINDOW=65535 RES=0x00 SYN URGP=0
Mike Lander wrote:
> I have had a web server listening on sql-1433, www 80,
> ftp-21 using proxy arp with subnetting in a three-interface DMZ.
> All these ports are in the rules file as ACCEPT.
> With one exception that 1433 allows a few hosts from
> the net. 21 and 80 allow all net to dmz connections.
> The policy is DMZ to net ACCEPT
>
> This has been working great for about a month or more until I
> rebooted the shorewall
> box last night, since then reboot vendors cannot ftp through
> the firewall, also shorewall blocking some port ftp attempts.
>
> I read the shorewall ftp page and did not see anything
> about trouble with proxy arp and ftp.
>

I've used it for two+ years.

> Here are some of the shorewall DROPS.
> I can assume that the dynamic open port in ftp is somehow
> broken after the firewall reboot.
> I made the ftp attempts myself in the logs below
> using a Chrome Data Application.
>

Almost has to be a missing/broken ftp helper module in your kernel. Did you install a new kernel? Given the fact that you prefer running ancient versions of Shorewall, did you perhaps install a new kernel that uses the .ko suffix on modules and you are still running a version of Shorewall that doesn't recognize that suffix?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
> Mike Lander wrote:
>> I have had a web server listening on sql-1433, www 80,
>> ftp-21 using proxy arp with subnetting in a three-interface DMZ.
>> All these ports are in the rules file as ACCEPT.
>> With one exception that 1433 allows a few hosts from
>> the net. 21 and 80 allow all net to dmz connections.
>> The policy is DMZ to net ACCEPT
>>
>> This has been working great for about a month or more until I
>> rebooted the shorewall
>> box last night, since then reboot vendors cannot ftp through
>> the firewall, also shorewall blocking some port ftp attempts.
>>
>> I read the shorewall ftp page and did not see anything
>> about trouble with proxy arp and ftp.
>>
>
> I've used it for two+ years.
>
>> Here are some of the shorewall DROPS.
>> I can assume that the dynamic open port in ftp is somehow
>> broken after the firewall reboot.
>> I made the ftp attempts myself in the logs below
>> using a Chrome Data Application.
>>
>
> Almost has to be a missing/broken ftp helper module in your kernel. Did
> you install a new kernel? Given the fact that you prefer running ancient
> versions of Shorewall, did you perhaps install a new kernel that uses
> the .ko suffix on modules and you are still running a version of
> Shorewall that doesn't recognize that suffix?
>
> -Tom

The firewall was working great for a month or two; all I did was reboot it. Then the ftp trouble started. I don't mind upgrading shorewall. Is 2.0.2d too old?

Mike
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, January 25, 2005 8:11 AM
Subject: Re: [Shorewall-users] Ftp Broken in Dmz

> Mike Lander wrote:
>> I have had a web server listening on sql-1433, www 80,
>> ftp-21 using proxy arp with subnetting in a three-interface DMZ.
>> All these ports are in the rules file as ACCEPT.
>> With one exception that 1433 allows a few hosts from
>> the net. 21 and 80 allow all net to dmz connections.
>> The policy is DMZ to net ACCEPT
>>
>> This has been working great for about a month or more until I
>> rebooted the shorewall
>> box last night, since then reboot vendors cannot ftp through
>> the firewall, also shorewall blocking some port ftp attempts.
>>
>> I read the shorewall ftp page and did not see anything
>> about trouble with proxy arp and ftp.
>>
>
> I've used it for two+ years.
>
>> Here are some of the shorewall DROPS.
>> I can assume that the dynamic open port in ftp is somehow
>> broken after the firewall reboot.
>> I made the ftp attempts myself in the logs below
>> using a Chrome Data Application.
>>
>
> Almost has to be a missing/broken ftp helper module in your kernel. Did
> you install a new kernel? Given the fact that you prefer running ancient
> versions of Shorewall, did you perhaps install a new kernel that uses
> the .ko suffix on modules and you are still running a version of
> Shorewall that doesn't recognize that suffix?
>
> -Tom

Here are the kernel modules:

[root@ns1 root]# lsmod
Module                  Size  Used by    Not tainted
ipt_TCPMSS              3032   1 (autoclean)
autofs                 13348   0 (autoclean) (unused)
ipt_TOS                 1656  12 (autoclean)
ipt_MASQUERADE          2200   1 (autoclean)
ipt_REDIRECT            1368   1 (autoclean)
ipt_REJECT              3736   4 (autoclean)
ipt_LOG                 4184  12 (autoclean)
ipt_state               1048  26 (autoclean)
ipt_multiport           1176   1 (autoclean)
iptable_mangle          2776   1 (autoclean)
iptable_nat            19928   1 (autoclean) [ipt_MASQUERADE ipt_REDIRECT]
ip_conntrack           21212   2 (autoclean) [ipt_MASQUERADE ipt_REDIRECT ipt_state iptable_nat]
8139too                17704   3
mii                     2156   0 [8139too]
iptable_filter          2412   1 (autoclean)
ip_tables              14840  13 [ipt_TCPMSS ipt_TOS ipt_MASQUERADE ipt_REDIRECT ipt_REJECT ipt_LOG ipt_state ipt_multiport iptable_mangle iptable_nat iptable_filter]
mousedev                5524   0 (unused)
keybdev                 2976   0 (unused)
hid                    22244   0 (unused)
input                   5888   0 [mousedev keybdev hid]
usb-uhci               26188   0 (unused)
usbcore                77056   1 [hid usb-uhci]
ext3                   70400   5
jbd                    52212   5 [ext3]
[root@ns1 root]#
Mike Lander wrote:
>
> The firewall was working great for a month or two, all I did was reboot it.

Right! Your system just decided to reconfigure itself, is that it?

> Then the ftp trouble started, I don't mind upgrading shorewall.
> Is 2.0.2d too old?

No, it is not too old.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Mike Lander wrote:
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mailing List for Shorewall Users"
> <shorewall-users@lists.shorewall.net>
> Sent: Tuesday, January 25, 2005 8:11 AM
> Subject: Re: [Shorewall-users] Ftp Broken in Dmz
>
>
>> Mike Lander wrote:
>>
>>> I have had a web server listening on sql-1433, www 80,
>>> ftp-21 using proxy arp with subnetting in a three-interface DMZ.
>>> All these ports are in the rules file as ACCEPT.
>>> With one exception that 1433 allows a few hosts from
>>> the net. 21 and 80 allow all net to dmz connections.
>>> The policy is DMZ to net ACCEPT
>>>
>>> This has been working great for about a month or more until I
>>> rebooted the shorewall
>>> box last night, since then reboot vendors cannot ftp through
>>> the firewall, also shorewall blocking some port ftp attempts.
>>>
>>> I read the shorewall ftp page and did not see anything
>>> about trouble with proxy arp and ftp.
>>>
>>
>> I've used it for two+ years.
>>
>>> Here are some of the shorewall DROPS.
>>> I can assume that the dynamic open port in ftp is somehow
>>> broken after the firewall reboot.
>>> I made the ftp attempts myself in the logs below
>>> using a Chrome Data Application.
>>>
>>
>> Almost has to be a missing/broken ftp helper module in your kernel. Did
>> you install a new kernel? Given the fact that you prefer running ancient
>> versions of Shorewall, did you perhaps install a new kernel that uses
>> the .ko suffix on modules and you are still running a version of
>> Shorewall that doesn't recognize that suffix?
>>
>> -Tom
>
> Here are the kernel modules:
>
> [root@ns1 root]# lsmod
> Module                  Size  Used by    Not tainted
> ipt_TCPMSS              3032   1 (autoclean)
> autofs                 13348   0 (autoclean) (unused)
> ipt_TOS                 1656  12 (autoclean)
> ipt_MASQUERADE          2200   1 (autoclean)
> ipt_REDIRECT            1368   1 (autoclean)
> ipt_REJECT              3736   4 (autoclean)
> ipt_LOG                 4184  12 (autoclean)
> ipt_state               1048  26 (autoclean)
> ipt_multiport           1176   1 (autoclean)
> iptable_mangle          2776   1 (autoclean)
> iptable_nat            19928   1 (autoclean) [ipt_MASQUERADE ipt_REDIRECT]
> ip_conntrack           21212   2 (autoclean) [ipt_MASQUERADE
> ipt_REDIRECT ipt_state iptable_nat]
> 8139too                17704   3
> mii                     2156   0 [8139too]
> iptable_filter          2412   1 (autoclean)
> ip_tables              14840  13 [ipt_TCPMSS ipt_TOS ipt_MASQUERADE
> ipt_REDIRECT ipt_REJECT ipt_LOG ipt_state ipt_multiport iptable_mangle
> iptable_nat iptable_filter]
> mousedev                5524   0 (unused)
> keybdev                 2976   0 (unused)
> hid                    22244   0 (unused)
> input                   5888   0 [mousedev keybdev hid]
> usb-uhci               26188   0 (unused)
> usbcore                77056   1 [hid usb-uhci]
> ext3                   70400   5
> jbd                    52212   5 [ext3]
> [root@ns1 root]#
>

I don't see ip_conntrack_ftp -- do you?????

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Mike Lander wrote:
>
>> The firewall was working great for a month or two, all I did was reboot it.
>
> Right! Your system just decided to reconfigure itself, is that it?
>
>> Then the ftp trouble started, I don't mind upgrading shorewall.
>> Is 2.0.2d too old?
>
> No, it is not too old.
>

Nevertheless --- save/restore doesn't work completely in that version; if you "shorewall save" then "shorewall restore" and "shorewall -f start" (which is what the Shorewall init script does) do not restore the kernel modules that were loaded at the time of the save.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Tuesday, January 25, 2005 9:17 AM
Subject: Re: [Shorewall-users] Ftp Broken in Dmz

> Tom Eastep wrote:
>> Mike Lander wrote:
>>
>>> The firewall was working great for a month or two, all I did was reboot
>>> it.
>>
>> Right! Your system just decided to reconfigure itself, is that it?
>>
>>> Then the ftp trouble started, I don't mind upgrading shorewall.
>>> Is 2.0.2d too old?
>>
>> No, it is not too old.
>>
>
> Nevertheless --- save/restore doesn't work completely in that version;
> if you "shorewall save" then "shorewall restore" and "shorewall -f
> start" (which is what the Shorewall init script does) do not restore the
> kernel modules that were loaded at the time of the save.

That was the problem: ip_conntrack_ftp did not load. It is, however, in /etc/shorewall/modules. For some reason on the reboot ip_conntrack_ftp did not reload.

Thank you,
Mike

##############################################################################
# Shorewall 2.0 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

This box is in high demand 24/7. It has been up for two years (just recently added proxy arp). I need to upgrade to a later operating system; it is just such a hassle when you can't take them down for very long.

Thanks for your time, Tom
Mike
Mike Lander wrote:
>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "Mailing List for Shorewall Users"
> <shorewall-users@lists.shorewall.net>
> Sent: Tuesday, January 25, 2005 9:17 AM
> Subject: Re: [Shorewall-users] Ftp Broken in Dmz
>
>
>> Tom Eastep wrote:
>>
>>> Mike Lander wrote:
>>>
>>>
>>>> The firewall was working great for a month or two, all I did was
>>>> reboot it.
>>>
>>>
>>>
>>> Right! Your system just decided to reconfigure itself, is that it?
>>>
>>>
>>>> Then the ftp trouble started, I don't mind upgrading shorewall.
>>>> Is 2.0.2d too old?
>>>
>>>
>>>
>>> No, it is not too old.
>>>
>>
>> Nevertheless --- save/restore doesn't work completely in that version;
>> if you "shorewall save" then "shorewall restore" and "shorewall -f
>> start" (which is what the Shorewall init script does) do not restore the
>> kernel modules that were loaded at the time of the save.
>
>
> That was the problem: ip_conntrack_ftp did not load.
> It is, however, in /etc/shorewall/modules. For some reason on the reboot
> ip_conntrack_ftp did not reload.
>

I just told you why, I thought. If you "shorewall forget" then the next reboot should work. Or you could upgrade to a version of Shorewall that doesn't have this bug...

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
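The failure this thread ends on (a helper listed in /etc/shorewall/modules that is silently absent after a restart) is easy to catch with a post-boot check. The script below is an added example, not Shorewall's own code and not from any poster; it assumes the Shorewall 2.0 "loadmodule NAME" file syntax shown above and the column layout of 2.4-kernel lsmod output, and it runs against constructed sample inputs rather than a live system.

```shell
#!/bin/sh
# Added example, not Shorewall's code: report modules named in a Shorewall 2.0
# /etc/shorewall/modules file that do not appear in an lsmod listing. On a live
# box you would pass /etc/shorewall/modules and the output of lsmod; here both
# are constructed samples so the check runs offline.

# Print the module names requested by a modules file ("loadmodule NAME" lines,
# comments stripped), one per line.  $1: path to the modules file
wanted_modules() {
    sed -e 's/#.*//' "$1" | awk '$1 == "loadmodule" { print $2 }'
}

# Print the requested modules that are missing from an lsmod listing.
# $1: modules file, $2: file holding lsmod output (first column = module name)
missing_modules() {
    wanted_modules "$1" | while read -r mod; do
        # Skip lsmod's header line; exit 0 if the module is listed, 1 otherwise
        awk -v m="$mod" 'NR > 1 && $1 == m { found = 1 } END { exit found ? 0 : 1 }' "$2" \
            || printf '%s\n' "$mod"
    done
}

# Constructed sample inputs (trimmed; not copied from a live system)
tmpdir=$(mktemp -d)
cat > "$tmpdir/modules" <<'EOF'
# Shorewall 2.0 /etc/shorewall/modules (sample)
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule iptable_nat
loadmodule ip_nat_ftp
EOF
cat > "$tmpdir/lsmod.txt" <<'EOF'
Module                  Size  Used by    Not tainted
ip_conntrack           21212   2 (autoclean) [iptable_nat]
iptable_nat            19928   1 (autoclean)
iptable_filter          2412   1 (autoclean)
ip_tables              14840  13 [iptable_nat iptable_filter]
EOF

# With the samples above this prints ip_conntrack_ftp and ip_nat_ftp: the FTP
# helper and its NAT counterpart are requested but not loaded.
missing_modules "$tmpdir/modules" "$tmpdir/lsmod.txt"
```

Run from an init script after Shorewall starts, a non-empty result is the cue to reload the listed modules (or, in the 2.0.2d case above, to "shorewall forget" so the next start loads them) before passive or active FTP through the DMZ is expected to work.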