Hello everyone,

Background: Gentoo Linux system. One ethernet interface with private IP address behind Juniper NetScreen firewall. Using port forwarding/MIP (mapped IP) the linux system has a public IP address. We have bridged openvpn server running on linux box working fine and shorewall appears to be firewalling connections correctly (to/from "vpn" zone).

Problem: Our 3Com NBX V3000 system sends out about 100kbps of Music On Hold broadcast/multicast traffic constantly to every node in the network (as well as System State and a few other 'channels'). The pain with the Music On Hold 'bin' is that it doesn't have a source or destination IP address. I think they figured it would be the best way of stopping 100kbps of traffic from taking up bandwidth on internet connections. This poses a problem with Shorewall it would seem. I can't work out how to block the Music On Hold broadcast packets.

Here are the relevant portions of the config:

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       br0         detect

/etc/shorewall/hosts:
#ZONE   HOST(S)                     OPTIONS
loc     br0:eth0:192.168.1.0/24     routeback,blacklist
net     br0:eth0:!192.168.1.0/24    routeback
vpn     br0:tap+                    routeback,blacklist

/etc/shorewall/policy:
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
loc     all     DROP    info
net     all     DROP    info
vpn     all     DROP    info
fw      all     ACCEPT

/etc/shorewall/blacklists:
#ADDRESS/SUBNET         PROTOCOL    PORT
~00-e0-bb-23-d7-0e      # System State multicast bin
~01-e0-bb-00-00-15      # MOH multicast bin

Notes: We can block the system state from being broadcast over the openvpn tunnel and I can see the packets (1 every second) being blocked, but I can't work out how to block the music on hold multicast. It doesn't have a source or destination IP address so that rules out doing it that way. Below is a tcpdump of the tap0 interface:

17:11:24.836208 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
        0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
        0x0010:  ffff 0002 0001 0100 215d f5e9 e6f0 ef76  ........!].....v
        0x0020:  74f7 f3f0 f4f6 f8fb 7979 f8e7 e2e9 ebee  t.......yy......
        0x0030:  fc78 716c 6964                           .xqlid
17:11:24.860068 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
        0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
        0x0010:  ffff 0002 0001 0100 215e f0e8 e9ef f97d  ........!^.....}
        0x0020:  7772 706f 6f6f 6f6f 7172 7475 7778 797a  wrpoooooqrtuwxyz
        0x0030:  7c7d 7eff fe7f                           |}~...
17:11:24.884179 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
        0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
        0x0010:  ffff 0002 0001 0100 215f 7a7b 7c7d 7d7e  ........!_z{|}}~
        0x0020:  ffff fe7d 7cfa fbfc fd77 7df9 f7fb fdf6  ...}|....w}.....
        0x0030:  f97d fdfb fcfd                           .}....

Are we able to block this traffic with Shorewall? At least I think I should be blocking this traffic. Am I looking in the wrong direction? The MAC addresses in the tcpdump are the NBX's MAC and the MOH bin MAC. It really does chew up the data if you accidentally leave the openvpn connection open for too long.

Thanks in advance,

Tristan

--
Tristan Griffiths
IT Manager
Stomp Pty Ltd
5 Harper St. Abbotsford, VIC 3067 AUSTRALIA
Phone: +61 (0) 3 9412 3590 (Direct)
Phone: +61 (0) 3 9412 3555 (Reception)
Fax: +61 (0) 3 9495 6255
www: http://www.stomp.com.au/

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
On Sat, 2006-07-15 at 17:14 +1000, Tristan Griffiths wrote:
>
> We can block the system state from being broadcast over the openvpn
> tunnel and I can see the packets (1 every second) being blocked, but I
> can't work out how to block the music on hold multicast. It doesn't have
> a source or destination IP address so that rules out doing it that way.
> Below is a tcpdump of the tap0 interface:
>
> 17:11:24.836208 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
>         0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
>         0x0010:  ffff 0002 0001 0100 215d f5e9 e6f0 ef76  ........!].....v
>         0x0020:  74f7 f3f0 f4f6 f8fb 7979 f8e7 e2e9 ebee  t.......yy......
>         0x0030:  fc78 716c 6964                           .xqlid
> 17:11:24.860068 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
>         0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
>         0x0010:  ffff 0002 0001 0100 215e f0e8 e9ef f97d  ........!^.....}
>         0x0020:  7772 706f 6f6f 6f6f 7172 7475 7778 797a  wrpoooooqrtuwxyz
>         0x0030:  7c7d 7eff fe7f                           |}~...
> 17:11:24.884179 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
>         0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
>         0x0010:  ffff 0002 0001 0100 215f 7a7b 7c7d 7d7e  ........!_z{|}}~
>         0x0020:  ffff fe7d 7cfa fbfc fd77 7df9 f7fb fdf6  ...}|....w}.....
>         0x0030:  f97d fdfb fcfd                           .}....
>
> Are we able to block this traffic with Shorewall?

Those are VLAN frames (802.1Q) which are not passed through the IP stack and are hence not visible to Netfilter. You will have to filter them using ebtables or you will have to implement VLAN on your Shorewall box.

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Sunday, 16 July 2006 12:06 AM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] Multicast from 3Com NBX over openvpn bridge
>
> On Sat, 2006-07-15 at 17:14 +1000, Tristan Griffiths wrote:
> >
> > We can block the system state from being broadcast over the openvpn
> > tunnel and I can see the packets (1 every second) being blocked, but I
> > can't work out how to block the music on hold multicast. It doesn't
> > have a source or destination IP address so that rules out doing it that way.
> > Below is a tcpdump of the tap0 interface:
> >
> > 17:11:24.884179 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
> >         0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
> >         0x0010:  ffff 0002 0001 0100 215f 7a7b 7c7d 7d7e  ........!_z{|}}~
> >         0x0020:  ffff fe7d 7cfa fbfc fd77 7df9 f7fb fdf6  ...}|....w}.....
> >         0x0030:  f97d fdfb fcfd                           .}....
> >
> > Are we able to block this traffic with Shorewall?
>
> Those are VLAN frames (802.1Q) which are not passed through the IP stack
> and are hence not visible to Netfilter. You will have to filter them using
> ebtables or you will have to implement VLAN on your Shorewall box.
>
> -Tom

Thanks Tom,

I have investigated why the packets are tagged as VLAN when we aren't using VLAN. Turns out it was configured on the NBX with vlan id 0. I've turned that off and now the tcpdump shows:

13:27:21.515124 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype Unknown (0x8868), length 230:
        0x0000:  4841 00e0 bb23 d70e 80b3 0000 ffff 0002  HA...#..........
        0x0010:  0001 0100 1715 efe9 e06c 61f7 f2e1 f2ee  .........la.....
        0x0020:  fd6b 6d78 7d67 6e6f 6d68 5e6e 72fe f87d  .kmx}gnomh^nr..}
        0x0030:  f479 f1ee 6468                           .y..dh

Can shorewall do bridge filtering if the packet doesn't reach Layer 3?

Tristan
> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net
> [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tristan Griffiths
> Sent: Sunday, 16 July 2006 1:32 PM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] Multicast from 3Com NBX over openvpn bridge
>
> > -----Original Message-----
> > From: shorewall-users-bounces@lists.sourceforge.net
> > [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
> > Sent: Sunday, 16 July 2006 12:06 AM
> > To: Shorewall Users
> > Subject: Re: [Shorewall-users] Multicast from 3Com NBX over openvpn bridge
> >
> > On Sat, 2006-07-15 at 17:14 +1000, Tristan Griffiths wrote:
> > >
> > > We can block the system state from being broadcast over the openvpn
> > > tunnel and I can see the packets (1 every second) being blocked, but I
> > > can't work out how to block the music on hold multicast. It doesn't
> > > have a source or destination IP address so that rules out doing it that way.
> > > Below is a tcpdump of the tap0 interface:
> > >
> > > 17:11:24.884179 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype 802.1Q (0x8100), length 234:
> > >         0x0000:  c000 8868 4841 00e0 bb23 d70e 80b3 0000  ...hHA...#......
> > >         0x0010:  ffff 0002 0001 0100 215f 7a7b 7c7d 7d7e  ........!_z{|}}~
> > >         0x0020:  ffff fe7d 7cfa fbfc fd77 7df9 f7fb fdf6  ...}|....w}.....
> > >         0x0030:  f97d fdfb fcfd                           .}....
> > >
> > > Are we able to block this traffic with Shorewall?
> >
> > Those are VLAN frames (802.1Q) which are not passed through the IP
> > stack and are hence not visible to Netfilter. You will have to filter
> > them using ebtables or you will have to implement VLAN on your
> > Shorewall box.
> >
> > -Tom
>
> Thanks Tom,
>
> I have investigated why the packets are tagged as VLAN when we aren't
> using VLAN. Turns out it was configured on the NBX with vlan id 0.
> I've turned that off and now the tcpdump shows:
>
> 13:27:21.515124 00:e0:bb:23:d7:0e (oui Unknown) > 01:e0:bb:00:00:15 (oui Unknown), ethertype Unknown (0x8868), length 230:
>         0x0000:  4841 00e0 bb23 d70e 80b3 0000 ffff 0002  HA...#..........
>         0x0010:  0001 0100 1715 efe9 e06c 61f7 f2e1 f2ee  .........la.....
>         0x0020:  fd6b 6d78 7d67 6e6f 6d68 5e6e 72fe f87d  .kmx}gnomh^nr..}
>         0x0030:  f479 f1ee 6468                           .y..dh
>
> Can shorewall do bridge filtering if the packet doesn't reach Layer 3?
>
> Tristan

Replying to my own E-mail. Sad ;-)

Thanks again Tom, you gave me the hint that led me in the right direction.

Using this single line in the local.start conf.d file:

ebtables -A FORWARD -p 0x8868 -d 01:e0:bb:00:00:15 -j DROP

Blocks all that pesky music on hold (don't want that when using the phone system as a road-warrior anyways ;-)
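The two decisive facts in this thread are Tom's point that the frames never reach the IP stack (so Shorewall's Netfilter rules cannot see them) and Tristan's final ebtables rule keyed on the ethertype and destination MAC. The example below is added here and is not code from the thread, from Shorewall or from 3Com: it rebuilds the two frames from the posted tcpdump output (tcpdump's -x output omits the 14-byte Ethernet header, so that header is reconstructed from the MACs on the summary line, and the payloads are truncated after the first dump lines), decodes the 802.1Q tag and ethertype the way the kernel does, and derives the matching ebtables FORWARD rule. The tagged case uses the ebtables vlan match's --vlan-encap option, which is an assumption about the reader's ebtables build rather than something the thread used.

```python
import struct

ETH_P_8021Q = 0x8100
IP_ETHERTYPES = {0x0800, 0x86DD}   # IPv4, IPv6: the only frames Netfilter/Shorewall can filter

NBX_MAC = "00:e0:bb:23:d7:0e"      # source MAC shown in the posted tcpdump
MOH_MAC = "01:e0:bb:00:00:15"      # Music On Hold multicast MAC shown in the posted tcpdump


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload_hex, tci=None):
    """Assemble a raw Ethernet frame, inserting an 802.1Q tag when tci is given."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if tci is not None:
        frame += struct.pack("!HH", ETH_P_8021Q, tci)
    frame += struct.pack("!H", ethertype)
    return frame + bytes.fromhex(payload_hex)


# Constructed from the thread's dumps. First post: "c000 8868 4841 ..." is
# TCI 0xc000 (priority 6, VLAN id 0), inner ethertype 0x8868, then payload.
TAGGED_MOH_FRAME = build_frame(
    MOH_MAC, NBX_MAC, 0x8868,
    "484100e0bb23d70e80b30000ffff000200010100215df5e9e6f0ef76",
    tci=0xC000,
)
# Third post, after VLAN was disabled on the NBX: plain ethertype 0x8868.
UNTAGGED_MOH_FRAME = build_frame(
    MOH_MAC, NBX_MAC, 0x8868,
    "484100e0bb23d70e80b30000ffff0002000101001715efe9e06c61f7f2e1f2ee",
)


def decode(frame):
    """Parse dst/src MACs, an optional 802.1Q tag and the effective ethertype."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id, vlan_prio = 14, None, None
    tagged = ethertype == ETH_P_8021Q
    if tagged:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_prio, vlan_id = tci >> 13, tci & 0x0FFF   # PCP is the top 3 bits, VID the low 12
        offset = 18
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "tagged": tagged,
        "vlan_id": vlan_id,
        "vlan_prio": vlan_prio,
        "ethertype": ethertype,
        "seen_by_netfilter": ethertype in IP_ETHERTYPES,
        "payload_len": len(frame) - offset,
    }


def ebtables_drop_rule(info):
    """ebtables FORWARD rule matching this frame on the bridge, or None when the
    frame is IP and belongs in Shorewall's own rules instead."""
    if info["seen_by_netfilter"]:
        return None
    if info["tagged"]:
        # On the wire a tagged frame carries ethertype 0x8100; the encapsulated
        # type is matched with the vlan module's --vlan-encap option (assumed available).
        return (f"ebtables -A FORWARD -p {ETH_P_8021Q:#06x} --vlan-encap "
                f"{info['ethertype']:#06x} -d {info['dst']} -j DROP")
    return f"ebtables -A FORWARD -p {info['ethertype']:#06x} -d {info['dst']} -j DROP"


if __name__ == "__main__":
    for name, frame in (("tagged (VLAN id 0)", TAGGED_MOH_FRAME),
                        ("untagged", UNTAGGED_MOH_FRAME)):
        info = decode(frame)
        print(name, info)
        print("  ->", ebtables_drop_rule(info))
```

Running it reproduces the rule from the last post for the untagged frame; for the original VLAN-id-0 frames it shows why a plain `-p 0x8868` would not have matched (the outer ethertype was 0x8100) and why Netfilter never saw either form. An IPv4 frame to the same MAC decodes with `seen_by_netfilter` true and gets no ebtables rule, which is the case Shorewall's blacklists and policy files already cover.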