Shorewall users - Dec 2007 - kernel panic with shorewall

I have an old Pentium II which I use as a gateway and firewall
for a home network. The external interface is a modem on ppp and the
internal interface is ethernet. I have had this setup running
successfully for many years starting with the early 2.x series
Shorewall.

My ISP recently changed my dial-up ''phone number and presumably also
the system at the other end of my modem (they won''t tell me). Ever
since this change I have had regular kernel panics (5-6 per day
depending on activity). I can reproduce the crash by initiating a port
scan from the Shields Up website.

The kernel panics can be avoided by doing a shorewall stop, removing
shorewall entirely, setting shorewall to debug and using an
alternative ISP. When set to debug the old Pentium II has CPU at about
85% dealing with syslog.

Any suggestions?

Shorewall 3.2.6-2
Linux kernel 2.6.22 (also tried 2.6.18 same symptom)
ppp 3.2.6-2
Debian Etch

Attached:

Shorewall conf files
kernel info file including kern.log (just prior to crash and reboot)
kernel panic (transcribed from photograph)

-- 
Kind regards,
Iain.









-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

On Fri, Dec 14, 2007 at 11:45:26AM +0000, Iain Mac Donald
wrote:
> The kernel panics can be avoided by doing a shorewall stop, removing
> shorewall entirely, setting shorewall to debug and using an
> alternative ISP. When set to debug the old Pentium II has CPU at about
> 85% dealing with syslog.
> 
> Any suggestions?
Kernel bug or hardware fault. Unrelated to shorewall, either way.

-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

Apologies!

It has been brought to my attention that my first mail the attachments
were incorrectly encoded. I have re-attached them and they no appear
to be correctly encoded now.

Attachments:
Shorewall conf files
kernel info file including kern.log (just prior to crash and reboot)
kernel panic (transcribed from photograph)

On Fri, 14 Dec 2007 12:43:50 +0000
Andrew Suffield <asuffield@suffields.me.uk> wrote:
> 
> Kernel bug or hardware fault. Unrelated to shorewall, either way.
I have tried it with 3 different PCs same result. I have also tried it
with 3 different kernels (2.6.8, 2.6.18 and 2.6.22) same result.

With the exact same kernel and hardware but with Shorewall off crash
doesn''t happen. With Shorewall on and set to debug crash
doesn''t happen
- timing issue?

-- 
Kind regards,
Iain.









-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

Iain Mac Donald wrote:
> 
> My ISP recently changed my dial-up ''phone number and presumably
also
> the system at the other end of my modem (they won''t tell me). Ever
> since this change I have had regular kernel panics (5-6 per day
> depending on activity). I can reproduce the crash by initiating a port
> scan from the Shields Up website.
> 
> The kernel panics can be avoided by doing a shorewall stop, removing
> shorewall entirely,
What does that mean? /sbin/shorewall clear? dpkg -r shorewall? ???
> setting shorewall to debug
What does that mean?
> and using an alternative ISP.
So, all of that is sufficient to avoid the problem. Are all steps also
necessary to avoid the problem?
> When set to debug the old Pentium II has CPU at about
> 85% dealing with syslog.
> 
> Any suggestions?
> 
> Shorewall 3.2.6-2
> Linux kernel 2.6.22 (also tried 2.6.18 same symptom)
> ppp 3.2.6-2
> Debian Etch
> 
> Attached:
> 
> Shorewall conf files
> kernel info file including kern.log (just prior to crash and reboot)
> kernel panic (transcribed from photograph)
Shorewall 3.2.6 is nothing but a set of shell scripts that configures
Netfilter and /proc/sys/net. Once ''shorewall start'' completes,
there is no
Shorewall code running in your system whatsoever. So, while posting this
problem on the Shorewall list may get you sympathy, there is no one here who
can analyze or solve the problem for you. The failure is likely triggered by
the presence of Netfilter rules and you could use any firewall configuration
tool to set up a similar iptables/Netfilter ruleset and the result would be
the same.

I suggest posting on the netfilter and linux-net lists. And you will need to
explain what "setting shorewall to debug" means in iptables/Netfilter
terms.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

On Fri, 14 Dec 2007 08:33:56 -0800
Tom Eastep <teastep@shorewall.net> wrote:
> > The kernel panics can be avoided by doing a shorewall stop, removing
> > shorewall entirely,
> What does that mean? /sbin/shorewall clear? dpkg -r shorewall? ???
"stop   Stops the firewall. The only traffic permitted through the
firewall is from systems listed in /etc/shorewall/routestopped."
Copyright (C) 1999-2005 by Tom Eastep
I''m sorry if I inadvertently used something distribution specific but
I used the term I was familiar with from the man page.

By removing shorewall entirely I meant removing all rules and chains,
remove the application and restarting the pc.
> > setting shorewall to debug
> 
> What does that mean?
Set the policy conf file log level column to debug for all.

> So, all of that is sufficient to avoid the problem. Are all steps also
> necessary to avoid the problem?
Sorry for not being clear - any one of the actions prevents the problem.

> Shorewall 3.2.6 is nothing but a set of shell scripts that configures
> Netfilter and /proc/sys/net. Once ''shorewall start''
completes, there
> is no Shorewall code running in your system whatsoever. 
I understand that however I thought, one possibility, might have been
a poor configuration setup by me ultimately causing the problem.
> The failure is likely triggered by the presence of Netfilter rules
> and you could use any firewall configuration tool to set up a similar
> iptables/Netfilter ruleset and the result would be the same.
I shall try that.
> I suggest posting on the netfilter and linux-net lists.
I shall do that too.

Thank you for your suggestions.

-- 
Kind regards,
Iain.

-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

Iain Mac Donald wrote:
> On Fri, 14 Dec 2007 08:33:56 -0800
> Tom Eastep <teastep@shorewall.net> wrote:
> 
>>> setting shorewall to debug
>> What does that mean?
> Set the policy conf file log level column to debug for all.
The effect of that will be entirely dependent on the syslog configuration.
In many cases, it results in LESS logging, rather than more. I take it that
in your case, it results in substantially more logging.
> I understand that however I thought, one possibility, might have been
> a poor configuration setup by me ultimately causing the problem.
Operating systems are responsible for protecting themselves against
applications. Shorewall is just an application so if running that
application causes a subsequent system crash, then the operating system
itself is ultimately at fault.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

There comes to my mind a chipset issue I had back in Time with VIA Chipsets.

Try - without shorewall - to perform a Big file transfer, and at the
same time generate some Harddisk IO.

This Locked the system hard everytime I did it.
It was due to noise on the PCI Bus - which the system didn''t like.
Another thing I had was a sound-card. As soon as I did a File-Transfer
and played some music - Hard-Lock. This was due to Interrupts hanging on
the Chipset.

If I had a high system load - without IO on Disk or Network (seti@home)
the system was running fine for weeks.

As soon as I transferred files through the network card through another
path than the Modem (which was slow) - Bang / Crash.

Just a Hint & my 2cent :)

Cheers
Joerg


Tom Eastep wrote:
> Iain Mac Donald wrote:
>> On Fri, 14 Dec 2007 08:33:56 -0800
>> Tom Eastep <teastep@shorewall.net> wrote:
>>
>>>> setting shorewall to debug
>>> What does that mean?
>> Set the policy conf file log level column to debug for all.
> 
> The effect of that will be entirely dependent on the syslog configuration.
> In many cases, it results in LESS logging, rather than more. I take it that
> in your case, it results in substantially more logging.
> 
>> I understand that however I thought, one possibility, might have been
>> a poor configuration setup by me ultimately causing the problem.
> 
> Operating systems are responsible for protecting themselves against
> applications. Shorewall is just an application so if running that
> application causes a subsequent system crash, then the operating system
> itself is ultimately at fault.

-- 
------------------------------------------------------------------------
| Joerg Mertin              :  smurphy@solsys.org                (Home)|
| in Forchheim/Germany      :  smurphy@linux.de                  (Alt1)|
| Stardust''s LiNUX System   :                                         
|
| Web: http://www.solsys.org                                           |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A

-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It''s the best place to buy or sell services
for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace