Hi,

I have set up a firewall on a Linux box as per the two-interface guide http://shorewall.net/two-interface.htm

I've made a few additions to the policy, rules and masq files. The policy file was modified to give the local zone access to the firewall and the firewall access to everything on the local zone. I need this so SAMBA would function correctly as a domain controller.

policy
$FW     loc     ACCEPT          <-- new entries
loc     $FW     ACCEPT          <-- new entries
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
$FW     net     ACCEPT

rules
REDIRECT  loc   8000    tcp     www     -       # Redirects www traffic to squid
ACCEPT    net   $FW     tcp     2222            # Allows SSH to work
ACCEPT    net   $FW     tcp     80              # Allows Apache to work
ACCEPT    net   $FW     tcp     25              # Allow SMTP to work
ACCEPT    net   $FW     tcp     110             # Allow POP to work
ACCEPT    net   $FW     tcp     143             # Allow IMAP to work

interfaces
net     ppp0    detect
loc     eth0    detect

zones
fw      firewall
net     ipv4
loc     ipv4

masq
ppp0    eth0

The problem is after about 10 minutes from a computer on the local zone all connections are reset.

For example we have samba on $FW hosting a shared drive; the connection suddenly resets. It can be reestablished but after 10 minutes the connection resets again.

Another example is connecting to the server from the local zone via ssh using putty. The connection remains up for about 10-15 minutes and then putty's connection resets.

Both the samba and putty resets happen simultaneously.

Am I missing something in the configuration? Any suggestions?

Thanks

-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
> The problem is after about 10 minutes from a computer on the local
> zone all connections are reset.
>
> For example we have samba on $FW hosting a shared drive the
> connection suddenly reset. It can be reestablished but after 10
> minutes the connection resets again.

Hi Daniel

This doesn't sound like a Shorewall problem to me.

My first guess would be a problem with DHCP. Maybe your DHCP server forces a change of IP addresses? (You wouldn't have two DHCP servers on your network, would you?)

Another possibility is that you have some script auto-running that does weird things.

The third thing that I can think of is problems at the link level. Some switch, cable or network card is unstable. But if your disconnects occur very regularly, then that is not so likely.

Do you have any routers or other unusual equipment between your Linux box and your local system?

Rune
Hi Rune,

I only have one DHCP server; the lease time is set to 3 days.

We are currently using a hub. I tried to install a switch a while ago but we experienced network connection errors and drop outs so we switched back to the hub.

I replaced the network cards in the server and also removed all hosts off the network and reintroduced them back one at a time but couldn't narrow the fault to a single offending piece of hardware.

Before shorewall I used a simple firewall script using iptables; everything seemed to work fine.

Maybe shorewall is picking up some strange traffic on the network and causing connection resets?

Does anyone know why a hub would work but a switch doesn't?

On 31/05/2006, at 9:32 PM, Rune Kock wrote:

>> The problem is after about 10 minutes from a computer on the local
>> zone all connections are reset.
>>
>> For example we have samba on $FW hosting a shared drive the
>> connection suddenly reset. It can be reestablished but after 10
>> minutes the connection resets again.
>
> Hi Daniel
>
> This doesn't sound like a Shorewall problem to me.
>
> My first guess would be a problem with DHCP. Maybe your DHCP server
> forces a change of IP addresses? (You wouldn't have two DHCP servers
> on your network, would you?)
>
> Another possibility is that you have some script auto-running that
> does weird things.
>
> The third thing that I can think of is problems at the link level.
> Some switch, cable or network card is unstable. But if your
> disconnects occur very regularly, then that is not so likely.
>
> Do you have any routers or other unusual equipment between your
> Linux box and your local system?
>
>
> Rune
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Daniel Czarnecki wrote:
> Hi Rune,
>
> I only have one DHCP server; the lease time is set to 3 days.
>
> We are currently using a hub. I tried to install a switch a while ago
> but we experienced network connection errors and drop outs so we
> switched back to the hub.
>
> I replaced the network cards in the server and also removed all hosts
> off the network and reintroduced them back one at a time but couldn't
> narrow the fault to a single offending piece of hardware.
>
> Before shorewall I used a simple firewall script using iptables;
> everything seemed to work fine.
>
> Maybe shorewall is picking up some strange traffic on the network and
> causing connection resets?

Shorewall doesn't interact with the system after you start it. It creates the iptables rules and then exits. Once shorewall has successfully started, it is no longer working on your system.

--
Ray Booysen
rj_booysen@rjb.za.net
>>
>> Maybe shorewall is picking up some strange traffic on the network
>> and causing connection resets?
>
> Shorewall doesn't interact with the system after you start it. It
> creates the iptables rules and then exits. Once shorewall has
> successfully started, it is no longer working on your system.

By default does shorewall set up iptables rules to do any sort of rate or connection limiting from a host? Is it possible to drop connections via iptables rules if limits are reached?
Daniel Czarnecki wrote:
>
> By default does shorewall set up iptables rules to do any sort of rate or
> connection limiting from a host? Is it possible to drop connections via
> iptables rules if limits are reached?

Not by default.

-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                 \ http://shorewall.net
Washington USA             \ teastep@shorewall.net
PGP Public Key             \ https://lists.shorewall.net/teastep.pgp.key
Daniel Czarnecki wrote:
>
> Maybe shorewall is picking up some strange traffic on the network and
> causing connection resets?
>
> Does anyone know why a hub would work but a switch doesn't?
>

A couple of netiquette tips:

a) This isn't a blog -- please stop top-posting. We read from top to bottom, not bottom to top.

b) Please quote appropriately. We've read the previous posts -- we don't need to see them again in their entirety; only the parts that you want to specifically respond to should be included in the reply.

Now to your problem -- you don't have both network interfaces connected to the same hub, do you?

-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                 \ http://shorewall.net
Washington USA             \ teastep@shorewall.net
PGP Public Key             \ https://lists.shorewall.net/teastep.pgp.key
>
> A couple of netiquette tips:
>
> a) This isn't a blog -- please stop top-posting. We read from top
> to bottom, not
> bottom to top.
>

Is this ok?

>
> Now to your problem -- you don't have both network interfaces
> connected to the
> same hub do you?

No
Daniel Czarnecki wrote:
> Does anyone know why a hub would work but a switch doesn't?

Daniel,

Based on what I'm reading, I'd do an ethereal packet capture, or better, bring up etherape on a machine connected to the physical segment in question and get a good look at what the network is actually doing. Etherape is the quickest way to get a visual representation of your real time traffic.

There are only two possible issues here:

1. Crapping out of the firewall
2. Strange network/datalink level problem.

Though, this looks suspiciously like one of those problems where there's "more than one problem". A hub working, but a switch not working, is fishy - assuming your switch is known to be good. I'd also look at recursive loops in the LAN setup. Some hubs will function in that situation, while many el-cheapo (read no spanning tree) switches will fail.

Just a few ideas.

--
Michael Cozzi
cozzi@cozziconsulting.com
Daniel Czarnecki wrote:
>>
>> A couple of netiquette tips:
>>
>> a) This isn't a blog -- please stop top-posting. We read from top to
>> bottom, not
>> bottom to top.
>>
>
> Is this ok?

Yes, thanks

>
>>
>> Now to your problem -- you don't have both network interfaces
>> connected to the
>> same hub do you?
>
> No
>

Then the next thing that I would suggest is to stop your 'cron' daemon temporarily and see if the problem goes away.

-Tom
--
Tom Eastep                \ Nothing is foolproof to a sufficiently talented fool
Shoreline,                 \ http://shorewall.net
Washington USA             \ teastep@shorewall.net
PGP Public Key             \ https://lists.shorewall.net/teastep.pgp.key
On 5/31/06, Daniel Czarnecki <daniel@zoltak.com> wrote:
>
> We are currently using a hub. I tried to install a switch a while ago
> but we experienced network connection errors and drop outs so we
> switched back to the hub.
>
> Does anyone know why a hub would work but a switch doesn't?

Assuming that the switch is OK, this sounds strange. If the switch is a very expensive model, it may need to be configured before use.

As far as I know, hubs always run without duplex, whereas a switch will try to autodetect whether each network card supports duplex (duplex = transmission in both directions at the same time). Could it be that one of your network cards screws up on autodetection?

If your switch is faster than your hub (for instance switch is 100Mbit but hub is 10Mbit), then the extra speed may need better cables.

In any case, I suggest that you investigate this further.

> I replaced the network cards in the server and also removed all hosts
> off the network and reintroduced them back one at a time but couldn't
> narrow the fault to a single offending piece of hardware.

Did you do that to check your new Shorewall problem, or back when you tried connecting the switch?

Keep a careful eye on the lamps on the switch while reintroducing the hosts. Any unusual flashing?

----------

The two last things, I don't really consider likely, but I'll mention them anyway:

- two computers have the same IP address?
- two computers have the same MAC address?

Rune
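Rune's last two items (two hosts with the same IP address, or the same MAC address) can be checked from the same kind of capture rather than by unplugging hosts one at a time: every ARP reply on the segment is a claim "IP X is at MAC Y", so an IP that is claimed by two different MACs is a duplicate address, and a MAC that answers for several IPs is either a duplicate (or cloned) card or a legitimately multi-homed host. The script below is an added example, not code from anyone in the thread; it parses `tcpdump -n -e arp` style text (the sample lines are constructed, with made-up MACs and the 192.168.1.0/24 addresses used as stand-ins throughout) and reports both kinds of collision.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e arp` text output; not a capture from
# the thread. MACs and addresses are invented for illustration.
SAMPLE_ARP = """\
14:05:01.001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
14:05:01.002 00:aa:bb:cc:dd:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 192.168.1.1 is-at 00:aa:bb:cc:dd:01, length 28
14:05:02.100 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at 00:11:22:33:44:66, length 28
14:05:03.300 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at 00:11:22:33:44:55, length 28
14:05:04.000 00:11:22:33:44:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Reply 192.168.1.21 is-at 00:11:22:33:44:66, length 28
"""

# Only ARP replies carry an IP -> MAC binding; requests are ignored.
REPLY_RE = re.compile(
    r'Reply (?P<ip>[\d.]+) is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})'
)


def arp_bindings(text):
    """Collect every IP->MAC and MAC->IP binding seen in ARP replies."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if not m:
            continue
        mac = m['mac'].lower()
        ip_to_macs[m['ip']].add(mac)
        mac_to_ips[mac].add(m['ip'])
    return ip_to_macs, mac_to_ips


def duplicate_ips(text):
    """IPs claimed by more than one MAC: an address conflict on the segment."""
    ip_to_macs, _ = arp_bindings(text)
    return {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}


def duplicate_macs(text):
    """MACs answering for more than one IP: cloned/duplicated card, or a
    host that legitimately holds several addresses; check which before acting."""
    _, mac_to_ips = arp_bindings(text)
    return {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}


if __name__ == '__main__':
    print('duplicate IPs :', duplicate_ips(SAMPLE_ARP))
    print('duplicate MACs:', duplicate_macs(SAMPLE_ARP))
```

Run `tcpdump -n -e -i eth0 arp` on the firewall for a while (long enough to cover a couple of the 10-minute reset cycles) and pipe the text through the two functions. On the constructed sample, 192.168.1.20 is claimed by two different cards, which is the kind of conflict that makes a hub and a switch behave differently and makes established TCP sessions die when the "wrong" host answers. A duplicate-IP hit is conclusive; a duplicate-MAC hit needs a look at the host in question first, since a box with aliased addresses produces the same signature.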