Hello all,

Yesterday I noticed that my system was "leaking" traffic towards the 10/8 network. I have shorewall installed on multiple machines ranging from single interface devices to ones with 10+ interfaces. I tested all the boxes and they are showing the same behavior.

All systems are CentOS 3.4, 2.4.21-27.0.2.ELsmp.
Shorewall version: 2.2.1

The host mentioned is a single interface setup; if I ping 10.10.10.1 it's dropped on the all2all chain. But a "telnet 10.10.10.1 80" is happily forwarded towards the def gateway (which is also running shorewall) and then onto the net.

Is somebody else seeing this as well, or can tell me what I'm missing with this issue?

Below is some information, and status.txt includes the info as requested in the support.htm page.

FYI: I'm running this server with a bond0 interface in active-backup mode, which is an interface that consists of 2 physical interfaces (eth0 & eth1); it's used for redundancy, if the one fails the other takes over. Even on a system with a single eth0 interface the rfc1918 aren't blocked/dropped.
tcpdump output, when running "telnet 10.10.10.1 80" in another session:
=======================================================
/usr/sbin/tcpdump -i eth0 -nn host 10.10.10.1
tcpdump: listening on eth0
06:48:33.508556 192.168.253.1.37445 > 10.10.10.1.80: S 1570662154:1570662154(0) win 5840 <mss 1460,sackOK,timestamp 150878578 0,nop,wscale 0> (DF) [tos 0x10]

/etc/shorewall/interfaces
======================================================
[root@hn00dmz01 maint]# grep -v "^#" /etc/shorewall/interfaces
net     bond0   detect  routefilter,norfc1918

/etc/shorewall/custom/rfc1918
======================================================
[root@hn00dmz01 maint]# grep -v "^#" /etc/shorewall/custom/rfc1918
172.31.60.0/24      RETURN
172.20.173.0/24     RETURN
172.16.127.0/24     RETURN
192.168.175.0/24    RETURN
192.168.253.0/24    RETURN
192.168.254.252/30  RETURN
10.0.0.0/8          logdrop   # RFC 1918
172.16.0.0/12       logdrop   # RFC 1918
192.168.0.0/16      logdrop   # RFC 1918

/etc/shorewall/shorewall.conf
======================================================
[root@hn00dmz01 maint]# grep -v -e "^#" -e "^$" /etc/shorewall/shorewall.conf
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGRATE=
LOGBURST=
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall/action:/etc/shorewall/custom:/etc/shorewall:/usr/share/shorewall
FW=fw
IP_FORWARDING=Off
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
TC_ENABLED=Yes
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=No
BLACKLISTNEWONLY=No
MODULE_SUFFIX=
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

[root@hn00dmz01 root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
5: bond0: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue
    link/ether 00:30:48:73:16:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.253.1/24 brd 192.168.253.255 scope global bond0
6: eth0: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:30:48:73:16:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.253.1/24 brd 192.168.253.255 scope global eth0
7: eth1: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:30:48:73:16:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.253.1/24 brd 192.168.253.255 scope global eth1

[root@hn00dmz01 root]# ip route show
192.168.253.0/24 dev bond0  proto kernel  scope link  src 192.168.253.1
192.168.253.0/24 dev eth0  proto kernel  scope link  src 192.168.253.1
192.168.253.0/24 dev eth1  proto kernel  scope link  src 192.168.253.1
default via 192.168.253.254 dev bond0

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker wrote:
>
> For the host mentioned is a single interface setup, if I ping 10.10.10.1
> it's dropped on the all2all chain. But a "telnet 10.10.10.1 80" is
> happily forwarded towards the def gateway (which is also running
> shorewall) and then onto the net.
>
> Is somebody else seeing this as well, or can tell me what I'm
> missing with this issue?
>

You are missing that the 'norfc1918' option does ingress filtering, not egress filtering.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom,

Tom Eastep said the following on 10-Mar-05 16:25:
> Stijn Jonker wrote:
>
>> For the host mentioned is a single interface setup, if I ping 10.10.10.1
>> it's dropped on the all2all chain. But a "telnet 10.10.10.1 80" is
>> happily forwarded towards the def gateway (which is also running
>> shorewall) and then onto the net.
>>
>> Is somebody else seeing this as well, or can tell me what I'm
>> missing with this issue?
>>
> You are missing that the 'norfc1918' option does ingress filtering, not
> egress filtering.

Thanks for the response. On the single interface host this might be the issue, but I also have another machine with multiple interfaces, assuming that when forwarding the ingress filters are applied as well:

Ping sent from a machine behind the FW (a windows machine actually...)

---------------------------------------------------------
TCPDump on Firewall all interfaces
192.168.175.0/24 is behind bond0
213.84.91.21 is on ppp0 after masq
---------------------------------------------------------
[root@hn00sia01 shorewall]# /usr/sbin/tcpdump -p -i any -nn host 10.123.17.158
tcpdump: listening on any
19:29:20.849991 192.168.175.11 > 10.123.17.158: icmp: echo request
19:29:20.850005 213.84.91.21 > 10.123.17.158: icmp: echo request

---------------------------------------------------------
Check for the IP range
---------------------------------------------------------
[root@hn00sia01 shorewall]# grep -r 10.123 *
[root@hn00sia01 shorewall]# grep -r 10\.
custom/rfc1918:10.64.111.0/24 RETURN
custom/rfc1918:10.0.0.0/8 logdrop # RFC 1918
custom/bogons:10.0.0.0/8 logdrop # Reserved

---------------------------------------------------------
IP Addr show
---------------------------------------------------------
[root@hn00sia01 shorewall]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
5: bond0: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue
    link/ether 00:30:48:73:20:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.175.254/24 brd 192.168.175.255 scope global bond0
6: eth0: <BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:30:48:73:20:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.175.254/24 brd 192.168.175.255 scope global eth0
7: eth1: <BROADCAST,MULTICAST,NOARP,SLAVE,UP> mtu 1500 qdisc pfifo_fast master bond0 qlen 1000
    link/ether 00:30:48:73:20:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.175.254/24 brd 192.168.175.255 scope global eth1
8: bond0.253: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue
    link/ether 00:30:48:73:20:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.253.254/24 brd 192.168.253.255 scope global bond0.253
9: bond0.254: <BROADCAST,MULTICAST,MASTER,UP> mtu 1500 qdisc noqueue
    link/ether 00:30:48:73:20:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.254/30 brd 192.168.254.255 scope global bond0.254
25: ppp0: <POINTOPOINT,MULTICAST,NOARP,ALLMULTI,UP> mtu 1500 qdisc pfifo_fast qlen 3
    link/ppp
    inet 213.84.91.21 peer 195.190.249.65/32 scope global ppp0
58: tun5: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1256 qdisc pfifo_fast qlen 10
    link/ppp
    inet 192.168.254.13 peer 192.168.254.14/32 scope global tun5
59: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1258 qdisc pfifo_fast qlen 10
    link/ppp
    inet 192.168.254.1 peer 192.168.254.2/32 scope global tun1
60: tun2: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1258 qdisc pfifo_fast qlen 10
    link/ppp
    inet 192.168.254.5 peer 192.168.254.6/32 scope global tun2
61: tun4: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 10
    link/ppp
    inet 192.168.254.21 peer 192.168.254.22/32 scope global tun4
62: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noqueue
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

---------------------------------------------------------
IP route show
---------------------------------------------------------
[root@hn00sia01 shorewall]# ip route show
192.168.254.6 dev tun2  proto kernel  scope link  src 192.168.254.5
192.168.254.22 dev tun4  proto kernel  scope link  src 192.168.254.21
195.190.249.65 dev ppp0  proto kernel  scope link  src 213.84.91.21
212.142.33.216 via 192.168.254.14 dev tun5  advmss 1186
192.168.254.2 dev tun1  proto kernel  scope link  src 192.168.254.1
172.16.127.100 via 192.168.254.14 dev tun5  advmss 1186
213.46.232.141 via 192.168.254.14 dev tun5  advmss 1186
62.108.1.251 via 192.168.254.14 dev tun5  advmss 1186
192.168.254.14 dev tun5  proto kernel  scope link  src 192.168.254.13
213.46.242.132 via 192.168.254.14 dev tun5  advmss 1186
213.46.243.9 via 192.168.254.14 dev tun5  advmss 1186
62.108.1.245 via 192.168.254.14 dev tun5  advmss 1186
212.142.22.86 via 192.168.254.14 dev tun5  advmss 1186
80.109.252.70 via 192.168.254.14 dev tun5  advmss 1186
213.46.242.242 via 192.168.254.14 dev tun5  advmss 1186
192.168.254.244/30 via 192.168.254.6 dev tun2  proto zebra  equalize
192.168.254.248/30 via 192.168.254.2 dev tun1  proto zebra  equalize
192.168.254.252/30 dev bond0.254  proto kernel  scope link  src 192.168.254.254
192.168.254.8/30 via 192.168.254.2 dev tun1  proto zebra  equalize
172.31.60.0/24 via 192.168.254.14 dev tun5  advmss 1186
213.46.235.0/24 via 192.168.254.14 dev tun5  advmss 1186
213.46.233.0/24 via 192.168.254.14 dev tun5  advmss 1186
213.46.62.0/24 via 192.168.254.14 dev tun5  advmss 1186
192.168.2.0/24 via 192.168.254.6 dev tun2  proto zebra  equalize
192.168.1.0/24 via 192.168.254.2 dev tun1  proto zebra  equalize
212.186.169.0/24 via 192.168.254.14 dev tun5  advmss 1186
10.64.111.0/24 via 192.168.254.14 dev tun5  advmss 1186
192.168.175.0/24 dev bond0  proto kernel  scope link  src 192.168.175.254
192.168.253.0/24 dev bond0.253  proto kernel  scope link  src 192.168.253.254
172.20.173.0/24 via 192.168.254.14 dev tun5  advmss 1186
default via 195.190.249.65 dev ppp0

/etc/shorewall/interfaces
======================================================
[root@hn00sia01 shorewall]# grep -v "^#" /etc/shorewall/interfaces
adsl    bond0.254   detect  routefilter,norfc1918,nosmurfs
dmz     bond0.253   detect  routefilter,norfc1918,nosmurfs
sjc     bond0       detect  routefilter,norfc1918,nosmurfs
net     ppp0        -       nobogons,norfc1918,nosmurfs
vpnSJ   tun1        -       routefilter,norfc1918,nosmurfs
vpnSJ   tun2        -       routefilter,norfc1918,nosmurfs
vpnSJ   tun4        -       routefilter,norfc1918,nosmurfs
vpnUE   tun5        -       routefilter,norfc1918,nosmurfs

rfc1918
=========================================================
[root@hn00sia01 shorewall]# grep -v "^#" /etc/shorewall/custom/rfc1918
172.16.127.0/24     RETURN
172.20.173.0/24     RETURN
172.31.60.0/24      RETURN
10.64.111.0/24      RETURN
192.168.1.0/24      RETURN
192.168.2.0/24      RETURN
192.168.175.0/24    RETURN
192.168.253.0/24    RETURN
192.168.254.0/24    RETURN
10.0.0.0/8          logdrop   # RFC 1918
172.16.0.0/12       logdrop   # RFC 1918
192.168.0.0/16      logdrop   # RFC 1918

Bogons
===============================================
[root@hn00sia01 shorewall]# grep -v -e "^#" -e "^$" /etc/shorewall/custom/bogons
0.0.0.0             RETURN
255.255.255.255     RETURN    # We need to allow limited broadcast
169.254.0.0/16      DROP      # DHCP autoconfig
192.0.2.0/24        logdrop   # Example addresses (RFC 3330)
0.0.0.0/7           logdrop   # Reserved
2.0.0.0/8           logdrop   # Reserved
5.0.0.0/8           logdrop   # Reserved
7.0.0.0/8           logdrop   # Reserved
10.0.0.0/8          logdrop   # Reserved
23.0.0.0/8          logdrop   # Reserved
27.0.0.0/8          logdrop   # Reserved
31.0.0.0/8          logdrop   # Reserved
36.0.0.0/7          logdrop   # Reserved
39.0.0.0/8          logdrop   # Reserved
41.0.0.0/8          logdrop   # Reserved
42.0.0.0/8          logdrop   # Reserved
73.0.0.0/8          logdrop   # Reserved
74.0.0.0/7          logdrop   # Reserved
76.0.0.0/6          logdrop   # Reserved
89.0.0.0/8          logdrop   # Reserved
90.0.0.0/7          logdrop   # Reserved
92.0.0.0/6          logdrop   # Reserved
96.0.0.0/3          logdrop   # Reserved
173.0.0.0/8         logdrop   # Reserved
174.0.0.0/7         logdrop   # Reserved
176.0.0.0/5         logdrop   # Reserved
184.0.0.0/6         logdrop   # Reserved
189.0.0.0/8         logdrop   # Reserved
190.0.0.0/8         logdrop   # Reserved
197.0.0.0/8         logdrop   # Reserved
223.0.0.0/8         logdrop   # Reserved
240.0.0.0/4         logdrop   # Reserved

shorewall.conf
================================
[root@hn00sia01 shorewall]# grep -v -e "^#" -e "^$" /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
LOGFILE=/var/log/messages
LOGFORMAT="SW:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=info
LOGNEWNOTSYN=info
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
BOGON_LOG_LEVEL=info
LOG_MARTIANS=Yes
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/lib/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall/action:/etc/shorewall/custom:/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
FW=fw
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=Yes
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=Yes
PKTTYPE=Yes
DROPINVALID=No
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP

>
> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
Stijn Jonker wrote:
> ---------------------------------------------------------
> [root@hn00sia01 shorewall]# /usr/sbin/tcpdump -p -i any -nn host
> 10.123.17.158
> tcpdump: listening on any
> 19:29:20.849991 192.168.175.11 > 10.123.17.158: icmp: echo request
> 19:29:20.850005 213.84.91.21 > 10.123.17.158: icmp: echo request
>
> [root@hn00sia01 shorewall]# grep -v "^#" /etc/shorewall/custom/rfc1918
> 172.16.127.0/24 RETURN
> 172.20.173.0/24 RETURN
> 172.31.60.0/24 RETURN
> 10.64.111.0/24 RETURN
>
> 192.168.1.0/24 RETURN
> 192.168.2.0/24 RETURN
> 192.168.175.0/24 RETURN

You have whitelisted the source so any traffic that it sends is allowed through the RFC 1918 filtering.

> 192.168.253.0/24 RETURN
> 192.168.254.0/24 RETURN
> 10.0.0.0/8 logdrop # RFC 1918
> 172.16.0.0/12 logdrop # RFC 1918
> 192.168.0.0/16 logdrop # RFC 1918

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Stijn Jonker wrote:
>
>> ---------------------------------------------------------
>> [root@hn00sia01 shorewall]# /usr/sbin/tcpdump -p -i any -nn host
>> 10.123.17.158
>> tcpdump: listening on any
>> 19:29:20.849991 192.168.175.11 > 10.123.17.158: icmp: echo request
>> 19:29:20.850005 213.84.91.21 > 10.123.17.158: icmp: echo request
>>
>> [root@hn00sia01 shorewall]# grep -v "^#" /etc/shorewall/custom/rfc1918
>> 172.16.127.0/24 RETURN
>> 172.20.173.0/24 RETURN
>> 172.31.60.0/24 RETURN
>> 10.64.111.0/24 RETURN
>>
>> 192.168.1.0/24 RETURN
>> 192.168.2.0/24 RETURN
>> 192.168.175.0/24 RETURN
>
> You have whitelisted the source so any traffic that it sends is allowed
> through the RFC 1918 filtering.
>

Some readers may think that this behavior is wrong and that both the source and destination addresses should require whitelisting for traffic between RFC 1918 hosts to be allowed. The reason for the current behavior is that it is all that is possible without the 'conntrack state' match. With the introduction of 'conntrack state' match, it is possible to require both addresses to be whitelisted (I've just hacked out a prototype). I probably won't include the new code in 2.2.2 but I will in 2.2.3. The new behavior will be disabled unless a new option in shorewall.conf is set; otherwise, upgrading to 2.2.3 from an earlier version will result in incompatible behavior.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
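As an added illustration of the two behaviours Tom describes (this is not Shorewall's code; the rfc1918 file contents are copied from the hn00sia01 post above, and the function names are this example's own), the following model runs a (source, destination) pair through the rfc1918 list with first-match semantics, once checking only the source address, as 2.2.1 does, and once requiring an RFC 1918 destination to be whitelisted as well:

```python
"""Model of the per-interface rfc1918 check discussed in the thread.

Added example, not Shorewall's own code. It mimics the first-match
semantics of an /etc/shorewall/rfc1918 file (RETURN = stop checking,
logdrop = discard) so that source-only checking (Shorewall 2.2.1) can
be compared with checking both addresses (the option Tom describes).
"""
from __future__ import annotations

import ipaddress

# The three RFC 1918 blocks; addresses outside them never enter the check.
RFC1918_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Copy of the hn00sia01 /etc/shorewall/custom/rfc1918 file from the thread.
RFC1918_FILE = """\
172.16.127.0/24   RETURN
172.20.173.0/24   RETURN
172.31.60.0/24    RETURN
10.64.111.0/24    RETURN
192.168.1.0/24    RETURN
192.168.2.0/24    RETURN
192.168.175.0/24  RETURN
192.168.253.0/24  RETURN
192.168.254.0/24  RETURN
10.0.0.0/8        logdrop   # RFC 1918
172.16.0.0/12     logdrop   # RFC 1918
192.168.0.0/16    logdrop   # RFC 1918
"""


def parse_rfc1918(text: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Parse 'SUBNET TARGET [# comment]' lines, keeping file order (it matters)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        subnet, target = line.split()[:2]
        rules.append((ipaddress.ip_network(subnet), target))
    return rules


def chain_verdict(rules, addr: str) -> str:
    """First matching entry wins, like an iptables chain; no match means RETURN."""
    ip = ipaddress.ip_address(addr)
    for net, target in rules:
        if ip in net:
            return target
    return "RETURN"


def norfc1918(rules, src: str, dst: str, check_dest: bool = False) -> str:
    """Return 'ACCEPT' (packet goes on to the normal zone rules) or 'logdrop'.

    check_dest=False: only the source is run through the chain. A whitelisted
    source may therefore reach any RFC 1918 destination, which is the leak
    observed in the thread (192.168.175.11 -> 10.123.17.158 passes).
    check_dest=True: an RFC 1918 destination must get a RETURN as well.
    """
    verdict = chain_verdict(rules, src)
    if verdict != "RETURN":
        return verdict
    dst_ip = ipaddress.ip_address(dst)
    if check_dest and any(dst_ip in blk for blk in RFC1918_BLOCKS):
        verdict = chain_verdict(rules, dst)
        if verdict != "RETURN":
            return verdict
    return "ACCEPT"


RULES = parse_rfc1918(RFC1918_FILE)

if __name__ == "__main__":
    for src, dst in (("192.168.175.11", "10.123.17.158"),  # the leaked ping
                     ("192.168.175.11", "10.64.111.9"),    # legitimate VPN destination
                     ("10.5.5.5", "192.168.175.11")):      # unwhitelisted ingress
        print(f"{src:>16} -> {dst:<16} source-only: {norfc1918(RULES, src, dst):8}"
              f" source+dest: {norfc1918(RULES, src, dst, check_dest=True)}")
```

Point the parser at your own rfc1918 file to see which pairs pass. The model also shows why the RETURN lines must precede the three logdrop entries: with the order reversed, 10.64.111.0/24 is never reached and the VPN prefix is dropped on ingress.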
Tom,

Tom Eastep said the following on 10-Mar-05 19:40:
> Stijn Jonker wrote:
>
>> [root@hn00sia01 shorewall]# grep -v "^#" /etc/shorewall/custom/rfc1918
>> 172.16.127.0/24 RETURN
>> 172.20.173.0/24 RETURN
>> 172.31.60.0/24 RETURN
>> 10.64.111.0/24 RETURN
>>
>> 192.168.1.0/24 RETURN
>> 192.168.2.0/24 RETURN
>> 192.168.175.0/24 RETURN
>
> You have whitelisted the source so any traffic that it sends is allowed
> through the RFC 1918 filtering.

Hmm, ok, I understand. I don't like it, but ok; it's a simple fix for me, some additional rules or routes on the network borders.

Thanks for the quick and clear responses, and I like your idea for 2.2.X where X > 2 ;-) (in other words, don't worry if you won't include this in 2.2.3)

Stijn

> -Tom

--
Met Vriendelijke groet/Yours Sincerely
Stijn Jonker <SJCJonker@sjc.nl>
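One way to add the egress side that Stijn mentions, as an added example and not a configuration posted in the thread: a fragment for /etc/shorewall/rules on hn00sia01 using the zone names from its interfaces file (the comments are the example's own, and whether these lines fit depends on the rest of the rules file, which the thread does not show).

```text
#ACTION      SOURCE   DEST                  PROTO   DEST PORT(S)
# Egress RFC 1918 filter: nothing from the local zones may leave towards
# private address space through the ISP link. DEST is "zone:address", so
# only traffic that would follow the default route out of ppp0 matches.
DROP:info    sjc      net:10.0.0.0/8
DROP:info    sjc      net:172.16.0.0/12
DROP:info    sjc      net:192.168.0.0/16
DROP:info    dmz      net:10.0.0.0/8
DROP:info    dmz      net:172.16.0.0/12
DROP:info    dmz      net:192.168.0.0/16
DROP:info    $FW      net:10.0.0.0/8
DROP:info    $FW      net:172.16.0.0/12
DROP:info    $FW      net:192.168.0.0/16
```

Because the destination zone is part of the match, the private prefixes that route over tun5 (10.64.111.0/24, 172.20.173.0/24, 172.31.60.0/24) belong to the vpnUE zone and are not touched; 10.123.17.158 has no specific route, falls to the default via ppp0 and so hits net:10.0.0.0/8. Rules are matched in order, before the policy and only for new connections, so they must come before any broad ACCEPT from the same zones. Run shorewall check before restarting, and the $FW lines are the ones that matter on the single-interface host from the first post, where the telnet left the firewall itself.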
Stijn Jonker wrote:
>
> Thanks for the quick and clear responses, and I like your idea for 2.2.X
> where X > 2 ;-) (in other words, don't worry if you won't include this
> in 2.2.3)

The new option was very straight-forward to add so I'll include it in 2.2.2.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> The reason for the current
> behavior is that it is all that is possible without the 'conntrack
> state' match.

What I'm referring to here is called "Connection Tracking Match" in the output of "shorewall check|start|restart".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key