Johannes Graumann
2007-Jun-22 08:02 UTC
Debian unstable and 3.4.4 upgrade: masq not working
Dear all,

I have upgraded my home's firewall to shorewall 3.4.4 using the respective Debian package and have worked my way through the upgrade issues in the release notes. Now masquerading of the systems behind the firewall seems to be broken.

Is there anybody here who has experienced similar things, and where might I look to fix this?

Thanks for any insights,
Joh

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Johannes Graumann wrote:
> Dear all,
>
> I have upgraded my home's firewall to shorewall 3.4.4 using the respective
> Debian package and have worked my way through the upgrade issues in the
> release notes. Now masquerading of the systems behind the firewall seems to
> be broken.
> Is there anybody here who has experienced similar things and where might I
> look to fix this?

Check the setting of IP_FORWARDING in shorewall.conf.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Johannes Graumann
2007-Jun-22 12:56 UTC
Re: Debian unstable and 3.4.4 upgrade: masq not working
Tom Eastep wrote:
> Check the setting of IP_FORWARDING in shorewall.conf.

This I adapted right away after upgrading - it's not the culprit.

Joh
Johannes Graumann wrote:
> Tom Eastep wrote:
>> Check the setting of IP_FORWARDING in shorewall.conf.
> This I adapted right away after upgrading - it's not the culprit.

Then the output of "shorewall dump" (compressed) would be helpful.

-Tom
Johannes Graumann
2007-Jun-22 15:48 UTC
Re: Debian unstable and 3.4.4 upgrade: masq not working
Tom Eastep wrote:
> Then the output of "shorewall dump" (compressed) would be helpful.

Attached. Thanks for your time!

Joh
Johannes Graumann wrote:
> Tom Eastep wrote:
>> Then the output of "shorewall dump" (compressed) would be helpful.
> Attached. Thanks for your time!
>

/proc
...
/proc/sys/net/ipv4/ip_forward = 0

Looks like you need to check IP_FORWARDING again.

-Tom
Tom Eastep wrote:
> Johannes Graumann wrote:
>> Tom Eastep wrote:
>>> Then the output of "shorewall dump" (compressed) would be helpful.
>> Attached. Thanks for your time!
>>
>
> /proc
> ...
> /proc/sys/net/ipv4/ip_forward = 0
>
>
> Looks like you need to check IP_FORWARDING again.

And be sure that something else in the Etch configuration isn't resetting forwarding. See if the above turns to '1' after a '/sbin/shorewall restart'; if so, it could be that it's being reset by another reboot step.

-Tom
Johannes Graumann
2007-Jun-22 19:11 UTC
Re: Debian unstable and 3.4.4 upgrade: masq not working
Tom Eastep <teastep <at> shorewall.net> writes:
> Tom Eastep wrote:
>> Johannes Graumann wrote:
>>> Tom Eastep wrote:
>>>> Then the output of "shorewall dump" (compressed) would be helpful.
>>> Attached. Thanks for your time!
>>>
>>
>> /proc
>> ...
>> /proc/sys/net/ipv4/ip_forward = 0
>>
>>
>> Looks like you need to check IP_FORWARDING again.
>
> And be sure that something else in the Etch configuration isn't resetting
> forwarding. See if the above turns to '1' after a '/sbin/shorewall restart';
> if so, it could be that it's being reset by another reboot step.

So here it is:

> reboot
> grep IP_FORWARD /etc/shorewall/shorewall.conf
IP_FORWARDING=Yes
> less /proc/sys/net/ipv4/ip_forward
0
> shorewall restart
> less /proc/sys/net/ipv4/ip_forward
0
> shorewall stop
> less /proc/sys/net/ipv4/ip_forward
0
> shorewall clear
> less /proc/sys/net/ipv4/ip_forward
1
> shorewall start
> less /proc/sys/net/ipv4/ip_forward
1

This, I suppose, implies that something is mocking with that ip_forward bit after shorewall has run (?). The only other ipfilter-related piece of software I run is fail2ban - which to my knowledge did not change in conjunction with this recent problematic shorewall update. I will have to investigate whether that's the troublemaker.

Any pointers on how to actually figure out what's changing the ip_forward?

Thanks for any insight,
Joh
Johannes Graumann wrote:
> Tom Eastep <teastep <at> shorewall.net> writes:
>
>> Tom Eastep wrote:
>>> Johannes Graumann wrote:
>>>> Tom Eastep wrote:
>>>>> Then the output of "shorewall dump" (compressed) would be helpful.
>>>> Attached. Thanks for your time!
>>>>
>>> /proc
>>> ...
>>> /proc/sys/net/ipv4/ip_forward = 0
>>>
>>>
>>> Looks like you need to check IP_FORWARDING again.
>> And be sure that something else in the Etch configuration isn't resetting
>> forwarding. See if the above turns to '1' after a '/sbin/shorewall restart';
>> if so, it could be that it's being reset by another reboot step.
>
> So here it is:
>> reboot
>
>> grep IP_FORWARD /etc/shorewall/shorewall.conf
> IP_FORWARDING=Yes

Valid values for IP_FORWARDING are 'On', 'Off' and 'Keep'. A bit of a 4.0.0 change snuck in and is allowing 'Yes' and 'No' as well -- but those are acting as 'Keep'.

-Tom
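The reproduction above and Tom's explanation of the accepted values suggest a quick pre-flight check. The following POSIX sh script is an added example, not code from the thread or from Shorewall itself: it reads IP_FORWARDING from a shorewall.conf-style file, predicts what the kernel's ip_forward flag will be after a start (On -> 1, Off -> 0, Keep -> unchanged), and flags 'Yes'/'No', which 3.4.4 accepts but treats as 'Keep'. The case-insensitive matching and the sample file paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself.
# Reads IP_FORWARDING from a shorewall.conf-style file and predicts the
# kernel ip_forward value after 'shorewall start', flagging the 'Yes'/'No'
# values that 3.4.4 accepts but treats as 'Keep' (the bug in this thread).

# Extract the last IP_FORWARDING=value line, dropping comments, quotes
# and whitespace (assumes the KEY=value form seen in the thread).
ip_forwarding_setting() {
    sed -n 's/^[[:space:]]*IP_FORWARDING=\([^#]*\).*/\1/p' "$1" \
        | tail -n 1 | tr -d "\"'[:space:]"
}

# Map the setting plus the current ip_forward value to the value expected
# after a start: On -> 1, Off -> 0, Keep -> unchanged, and Yes/No ->
# unchanged as well (the 3.4.4 behaviour Tom describes). Case-insensitive
# matching is an assumption. Anything else is reported as invalid.
effective_ip_forward() {
    setting=$1; current=$2
    case "$setting" in
        [Oo][Nn])              echo 1 ;;
        [Oo][Ff][Ff])          echo 0 ;;
        [Kk][Ee][Ee][Pp])      echo "$current" ;;
        [Yy][Ee][Ss]|[Nn][Oo]) echo "$current" ;;
        *)                     echo invalid ;;
    esac
}

# Full check: read the config and the proc file, warn on the silent
# 'Keep' case, print the predicted value.
check_ip_forwarding() {
    setting=$(ip_forwarding_setting "$1")
    current=$(cat "$2")   # normally /proc/sys/net/ipv4/ip_forward
    case "$setting" in
        [Yy][Ee][Ss]|[Nn][Oo])
            echo "WARNING: IP_FORWARDING=$setting acts as Keep; use On or Off" >&2 ;;
    esac
    effective_ip_forward "$setting" "$current"
}

# Constructed sample inputs standing in for /etc/shorewall/shorewall.conf
# and /proc/sys/net/ipv4/ip_forward, reproducing the thread's situation.
conf=$(mktemp); proc=$(mktemp)
printf 'IP_FORWARDING=Yes\n' > "$conf"
printf '0\n' > "$proc"
check_ip_forwarding "$conf" "$proc"   # prints 0 (and the warning)
rm -f "$conf" "$proc"
```

Run it against the real files as root to see whether a 'Yes' setting is why forwarding stays at 0 after a start.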
Johannes Graumann
2007-Jun-22 20:56 UTC
Re: Debian unstable and 3.4.4 upgrade: masq not working
Tom Eastep wrote:
> Valid values for IP_FORWARDING are 'On', 'Off' and 'Keep'. A bit of a
> 4.0.0 change snuck in and is allowing 'Yes' and 'No' as well -- but those
> are acting as 'Keep'.

I am deeply sorry to have troubled you with my superb fulfilling of your usual email signature.

Thanks for your software and time,
Joh
Tom Eastep wrote:
>
> Valid values for IP_FORWARDING are 'On', 'Off' and 'Keep'. A bit of a 4.0.0
> change snuck in and is allowing 'Yes' and 'No' as well -- but those are
> acting as 'Keep'.

A fix is available. See http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.4/known_problems.txt.

-Tom
Johannes Graumann wrote:
> Tom Eastep wrote:
>> Valid values for IP_FORWARDING are 'On', 'Off' and 'Keep'. A bit of a
>> 4.0.0 change snuck in and is allowing 'Yes' and 'No' as well -- but those
>> are acting as 'Keep'.
> I am deeply sorry to have troubled you with my superb fulfilling of your
> usual email signature.

It was my fault also -- if it weren't for my bug, your problem would have been obvious.

>
> Thanks for your software and time,
>

You're welcome.

-Tom