Shorewall users - Feb 2008 - MASQ nightmare - 99% solved

I have a 2 firewalls with 8 interfaces each in HA. Two interfaces of
then are CORPorate and DMZ.

Since I have some devices in DMZ with different default gateway (some
points to FW1 and others to FW2), I needed to create a quite complex
setup of inclusions/exclusions and source/destination to allow video
conferencing devices go to directly to the GateKeeper in DMZ, without
NAT.

Sometimes VC registered in GK with the FW''s IP, sometimes registered
with VC''s IP (corporate IP, the correct).
I''ve spent several hours troubleshooting this situation.

Restarting Shorewall and un/re-registering the VC the situation
changed randomly.
There is a mix of several VC devices (around 30). Different models,
brands, even some PCs with Netmeeting.
Even cleaning all entries in MASQ to/from CORP amd DMZ, strange things happened.
I got almost crazy.

I just had migrated this FW firewall from Fedora Core 3 (Shorewall
2.x) to Fedora 8 (Shorewall 4.x).
Before, the same rules were applied and everything worked fine

When I noticed that WITHOUT any masqs some devices still registered
with NATed IP, I went further and discovered:
- 2 Netfilter modules are loaded by default in Fedora 8
--- nf_nat_h323
--- nf_conntrack_h323

Unloading (modprobe -r) then, just like a Magic, everything back to
normal operations. My masq entries worked as should be.

Two doubts:
1) Every shorewall restart load these two modules again. How can I
configure Shorewall to not load them ?
2) Why, even without masq entries, some devices got NATed (modules problem?) ?

-Guilsson

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Guilsson . wrote:
> I have a 2 firewalls with 8 interfaces each in HA. Two interfaces of
> then are CORPorate and DMZ.
> 
> Since I have some devices in DMZ with different default gateway (some
> points to FW1 and others to FW2), I needed to create a quite complex
> setup of inclusions/exclusions and source/destination to allow video
> conferencing devices go to directly to the GateKeeper in DMZ, without
> NAT.
> 
> Sometimes VC registered in GK with the FW''s IP, sometimes
registered
> with VC''s IP (corporate IP, the correct).
> I''ve spent several hours troubleshooting this situation.
> 
> Restarting Shorewall and un/re-registering the VC the situation
> changed randomly.
> There is a mix of several VC devices (around 30). Different models,
> brands, even some PCs with Netmeeting.
> Even cleaning all entries in MASQ to/from CORP amd DMZ, strange things
happened.
> I got almost crazy.
> 
> I just had migrated this FW firewall from Fedora Core 3 (Shorewall
> 2.x) to Fedora 8 (Shorewall 4.x).
> Before, the same rules were applied and everything worked fine
> 
> When I noticed that WITHOUT any masqs some devices still registered
> with NATed IP, I went further and discovered:
> - 2 Netfilter modules are loaded by default in Fedora 8
> --- nf_nat_h323
> --- nf_conntrack_h323
> 
> Unloading (modprobe -r) then, just like a Magic, everything back to
> normal operations. My masq entries worked as should be.
> 
> Two doubts:
> 1) Every shorewall restart load these two modules again. How can I
> configure Shorewall to not load them ?
copy /usr/share/shorewall/modules to /etc/shorewall/modules, then edit 
that new file, # out what you don''t want. restart
> 2) Why, even without masq entries, some devices got NATed (modules
problem?) ?
> 
That would need a dump to make sense of (maybe). Above might just 
straighten it all out for you.

Jerry

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Guilsson . wrote:
> 
> Two doubts:
> 1) Every shorewall restart load these two modules again. How can I
> configure Shorewall to not load them ?
If you are running Shorewall 4.0.6 or later, simply list them in the
DONT_LOAD variable in shorewall.conf.

	DONT_LOAD="nf_nat_h323,nf_conntrack_h323"
> 2) Why, even without masq entries, some devices got NATed (modules
problem?) ?
I assume that is the behavior of nf_nat_h323.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Guilsson . wrote:
>When I noticed that WITHOUT any masqs some devices still registered
>with NATed IP, I went further and discovered:
>- 2 Netfilter modules are loaded by default in Fedora 8
>--- nf_nat_h323
>--- nf_conntrack_h323
>
>Unloading (modprobe -r) then, just like a Magic, everything back to
>normal operations. My masq entries worked as should be.
>
>Two doubts:
>1) Every shorewall restart load these two modules again. How can I
>configure Shorewall to not load them ?

IIRC, you copy the modules file from /usr/share/shorewall to 
/etc/shorewall, then comment out or delete those entries from the 
copy.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Simon Hobson wrote:
> Guilsson . wrote:
> 
>> When I noticed that WITHOUT any masqs some devices still registered
>> with NATed IP, I went further and discovered:
>> - 2 Netfilter modules are loaded by default in Fedora 8
>> --- nf_nat_h323
>> --- nf_conntrack_h323
>>
>> Unloading (modprobe -r) then, just like a Magic, everything back to
>> normal operations. My masq entries worked as should be.
>>
>> Two doubts:
>> 1) Every shorewall restart load these two modules again. How can I
>> configure Shorewall to not load them ?
> 
> 
> IIRC, you copy the modules file from /usr/share/shorewall to 
> /etc/shorewall, then comment out or delete those entries from the 
> copy.
If you are running a version of Shorewall prior to 4.0.6, that''s the
only
way to do it. Otherwise, it''s probably preferable to use DONT_LOAD as I
explained in my earlier post.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

# shorewall version
4.0.8

It worked.
Thanks a lot.

One last question.
Suppose I DO want to use these modules. Can I use Shorewall/iptables
to really use them or they "work" independently of iptables ?

-Guilsson

On Fri, Feb 29, 2008 at 12:51 PM, Tom Eastep <teastep@shorewall.net>
wrote:
> Simon Hobson wrote:
>  > Guilsson . wrote:
>  >
>  >> When I noticed that WITHOUT any masqs some devices still
registered
>  >> with NATed IP, I went further and discovered:
>  >> - 2 Netfilter modules are loaded by default in Fedora 8
>  >> --- nf_nat_h323
>  >> --- nf_conntrack_h323
>  >>
>  >> Unloading (modprobe -r) then, just like a Magic, everything back
to
>  >> normal operations. My masq entries worked as should be.
>  >>
>  >> Two doubts:
>  >> 1) Every shorewall restart load these two modules again. How can
I
>  >> configure Shorewall to not load them ?
>  >
>  >
>  > IIRC, you copy the modules file from /usr/share/shorewall to
>  > /etc/shorewall, then comment out or delete those entries from the
>  > copy.
>
>  If you are running a version of Shorewall prior to 4.0.6, that''s
the only
>  way to do it. Otherwise, it''s probably preferable to use
DONT_LOAD as I
>  explained in my earlier post.
>
>
>
>  -Tom
>  --
>  Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>  Shoreline,     \ http://shorewall.net
>  Washington USA  \ teastep@shorewall.net
>  PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
>  This SF.net email is sponsored by: Microsoft
>  Defy all challenges. Microsoft(R) Visual Studio 2008.
>  http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
>  Shorewall-users mailing list
>  Shorewall-users@lists.sourceforge.net
>  https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Guilsson . wrote:
> # shorewall version
> 4.0.8
> 
> It worked.
> Thanks a lot.
> 
> One last question.
> Suppose I DO want to use these modules. Can I use Shorewall/iptables
> to really use them or they "work" independently of iptables ?
> 
See Shorewall FAQ 3.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

In fact, my doubt is more "generic", not specific do H.323.
If you have a module loaded in kernel, what is the precedence ?
Rules are processed before or after module takes place, considering,
in this case (H.323) the module "try" to do Nat on the traffic ?

-Guilsson

On Fri, Feb 29, 2008 at 1:30 PM, Tom Eastep <teastep@shorewall.net>
wrote:
> Guilsson . wrote:
>  > # shorewall version
>  > 4.0.8
>  >
>  > It worked.
>  > Thanks a lot.
>  >
>  > One last question.
>  > Suppose I DO want to use these modules. Can I use Shorewall/iptables
>  > to really use them or they "work" independently of iptables
?
>  >
>
>  See Shorewall FAQ 3.
>
>
>
>  -Tom
>  --
>  Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>  Shoreline,     \ http://shorewall.net
>  Washington USA  \ teastep@shorewall.net
>  PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
>  This SF.net email is sponsored by: Microsoft
>  Defy all challenges. Microsoft(R) Visual Studio 2008.
>  http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
>  Shorewall-users mailing list
>  Shorewall-users@lists.sourceforge.net
>  https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Guilsson . wrote:
> In fact, my doubt is more "generic", not specific do H.323.
> If you have a module loaded in kernel, what is the precedence ?
> Rules are processed before or after module takes place, considering,
> in this case (H.323) the module "try" to do Nat on the traffic ?
The module can do whatever it wants to.

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

On Fri, Feb 29, 2008 at 6:58 PM, Tom Eastep <teastep@shorewall.net>
wrote:
> Guilsson . wrote:
>  > In fact, my doubt is more "generic", not specific do H.323.
>  > If you have a module loaded in kernel, what is the precedence ?
>  > Rules are processed before or after module takes place, considering,
>  > in this case (H.323) the module "try" to do Nat on the
traffic ?
>
>  The module can do whatever it wants to.
But before of after iptables handling it ?

-Guilsson

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Guilsson . wrote:
> On Fri, Feb 29, 2008 at 6:58 PM, Tom Eastep <teastep@shorewall.net>
wrote:
>> Guilsson . wrote:
>>  > In fact, my doubt is more "generic", not specific do
H.323.
>>  > If you have a module loaded in kernel, what is the precedence ?
>>  > Rules are processed before or after module takes place,
considering,
>>  > in this case (H.323) the module "try" to do Nat on the
traffic ?
>>
>>  The module can do whatever it wants to.
> 
> But before of after iptables handling it ?
>
That question has no meaningful answer. iptables doesn''t handle
packets.
Netfilter does. And modules modify the behavior of netfilter.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/

Sorry for the mistake to use the word IPTABLES instead of NETFILTER.

On Fri, Feb 29, 2008 at 7:02 PM, Tom Eastep <teastep@shorewall.net>
wrote:
>
> Guilsson . wrote:
>  > On Fri, Feb 29, 2008 at 6:58 PM, Tom Eastep
<teastep@shorewall.net> wrote:
>  >> Guilsson . wrote:
>  >>  > In fact, my doubt is more "generic", not specific
do H.323.
>  >>  > If you have a module loaded in kernel, what is the
precedence ?
>  >>  > Rules are processed before or after module takes place,
considering,
>  >>  > in this case (H.323) the module "try" to do Nat
on the traffic ?
>  >>
>  >>  The module can do whatever it wants to.
>  >
>  > But before of after iptables handling it ?
>  >
>
>  That question has no meaningful answer. iptables doesn''t handle
packets.
>  Netfilter does. And modules modify the behavior of netfilter.
>
>
>
>  -Tom
>  --
>  Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
>  Shoreline,     \ http://shorewall.net
>  Washington USA  \ teastep@shorewall.net
>  PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
>
>
> -------------------------------------------------------------------------
>  This SF.net email is sponsored by: Microsoft
>  Defy all challenges. Microsoft(R) Visual Studio 2008.
>  http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
>  Shorewall-users mailing list
>  Shorewall-users@lists.sourceforge.net
>  https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/