I have 2 firewalls with 8 interfaces each in HA. Two interfaces of them are CORPorate and DMZ.

Since I have some devices in DMZ with different default gateways (some point to FW1 and others to FW2), I needed to create a quite complex setup of inclusions/exclusions and source/destination to allow video conferencing devices to go directly to the GateKeeper in DMZ, without NAT.

Sometimes VC registered in GK with the FW's IP, sometimes registered with VC's IP (corporate IP, the correct one).
I've spent several hours troubleshooting this situation.

Restarting Shorewall and un/re-registering the VC, the situation changed randomly.
There is a mix of several VC devices (around 30). Different models, brands, even some PCs with Netmeeting.
Even cleaning all entries in MASQ to/from CORP and DMZ, strange things happened.
I got almost crazy.

I just had migrated this FW from Fedora Core 3 (Shorewall 2.x) to Fedora 8 (Shorewall 4.x).
Before, the same rules were applied and everything worked fine.

When I noticed that WITHOUT any masqs some devices still registered with NATed IP, I went further and discovered:
- 2 Netfilter modules are loaded by default in Fedora 8
--- nf_nat_h323
--- nf_conntrack_h323

Unloading them (modprobe -r), just like magic, everything went back to normal operations. My masq entries worked as they should.

Two doubts:
1) Every shorewall restart loads these two modules again. How can I configure Shorewall to not load them?
2) Why, even without masq entries, do some devices get NATed (modules problem?)?

-Guilsson

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Guilsson . wrote:
> I have 2 firewalls with 8 interfaces each in HA. Two interfaces of
> them are CORPorate and DMZ.
>
> Since I have some devices in DMZ with different default gateway (some
> points to FW1 and others to FW2), I needed to create a quite complex
> setup of inclusions/exclusions and source/destination to allow video
> conferencing devices go to directly to the GateKeeper in DMZ, without
> NAT.
>
> Sometimes VC registered in GK with the FW's IP, sometimes registered
> with VC's IP (corporate IP, the correct).
> I've spent several hours troubleshooting this situation.
>
> Restarting Shorewall and un/re-registering the VC the situation
> changed randomly.
> There is a mix of several VC devices (around 30). Different models,
> brands, even some PCs with Netmeeting.
> Even cleaning all entries in MASQ to/from CORP and DMZ, strange things happened.
> I got almost crazy.
>
> I just had migrated this FW firewall from Fedora Core 3 (Shorewall
> 2.x) to Fedora 8 (Shorewall 4.x).
> Before, the same rules were applied and everything worked fine
>
> When I noticed that WITHOUT any masqs some devices still registered
> with NATed IP, I went further and discovered:
> - 2 Netfilter modules are loaded by default in Fedora 8
> --- nf_nat_h323
> --- nf_conntrack_h323
>
> Unloading (modprobe -r) them, just like magic, everything back to
> normal operations. My masq entries worked as should be.
>
> Two doubts:
> 1) Every shorewall restart load these two modules again. How can I
> configure Shorewall to not load them ?

Copy /usr/share/shorewall/modules to /etc/shorewall/modules, then edit that new file and # out what you don't want. Restart.

> 2) Why, even without masq entries, some devices got NATed (modules problem?) ?

That would need a dump to make sense of (maybe). The above might just straighten it all out for you.

Jerry
Guilsson . wrote:
> Two doubts:
> 1) Every shorewall restart load these two modules again. How can I
> configure Shorewall to not load them ?

If you are running Shorewall 4.0.6 or later, simply list them in the DONT_LOAD variable in shorewall.conf:

DONT_LOAD="nf_nat_h323,nf_conntrack_h323"

> 2) Why, even without masq entries, some devices got NATed (modules problem?) ?

I assume that is the behavior of nf_nat_h323.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Guilsson . wrote:
> When I noticed that WITHOUT any masqs some devices still registered
> with NATed IP, I went further and discovered:
> - 2 Netfilter modules are loaded by default in Fedora 8
> --- nf_nat_h323
> --- nf_conntrack_h323
>
> Unloading (modprobe -r) them, just like magic, everything back to
> normal operations. My masq entries worked as should be.
>
> Two doubts:
> 1) Every shorewall restart load these two modules again. How can I
> configure Shorewall to not load them ?

IIRC, you copy the modules file from /usr/share/shorewall to /etc/shorewall, then comment out or delete those entries from the copy.

Simon
Simon Hobson wrote:
> Guilsson . wrote:
>
>> When I noticed that WITHOUT any masqs some devices still registered
>> with NATed IP, I went further and discovered:
>> - 2 Netfilter modules are loaded by default in Fedora 8
>> --- nf_nat_h323
>> --- nf_conntrack_h323
>>
>> Unloading (modprobe -r) them, just like magic, everything back to
>> normal operations. My masq entries worked as should be.
>>
>> Two doubts:
>> 1) Every shorewall restart load these two modules again. How can I
>> configure Shorewall to not load them ?
>
> IIRC, you copy the modules file from /usr/share/shorewall to
> /etc/shorewall, then comment out or delete those entries from the
> copy.

If you are running a version of Shorewall prior to 4.0.6, that's the only way to do it. Otherwise, it's probably preferable to use DONT_LOAD as I explained in my earlier post.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
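The two exclusion methods discussed above (DONT_LOAD in shorewall.conf for 4.0.6 and later, a commented-out copy of the modules file for older releases) are easy to get half right, so here is an added check script that is not code from the thread or from the Shorewall project. It parses both files and then compares the excluded names against lsmod output, which is the step that actually proves the helpers are gone after a restart. It assumes the `loadmodule <name>` line format of Shorewall's modules file and the DONT_LOAD line exactly as Tom gave it; every file excerpt and lsmod listing below is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): verify that the
# H.323 helper modules are excluded from a Shorewall start and are really
# absent from the running kernel. All inputs are constructed samples.

SAMPLE_CONF='# constructed excerpt of /etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
DONT_LOAD="nf_nat_h323,nf_conntrack_h323"
'

SAMPLE_MODULES='# constructed excerpt of /etc/shorewall/modules (copied from /usr/share/shorewall)
loadmodule nf_conntrack_ftp
loadmodule nf_nat_ftp
#loadmodule nf_conntrack_h323
#loadmodule nf_nat_h323
'

# Constructed lsmod output as it looked with the helpers loaded ...
SAMPLE_LSMOD_BEFORE='Module                  Size  Used by
nf_nat_h323            12288  0
nf_conntrack_h323      57344  1 nf_nat_h323
nf_nat                 57344  3 nf_nat_h323
nf_conntrack          180224  5 nf_nat,nf_conntrack_h323
'
# ... and after a restart with the modules excluded.
SAMPLE_LSMOD_AFTER='Module                  Size  Used by
nf_nat                 57344  2
nf_conntrack          180224  4 nf_nat
'

# Print the module names listed in DONT_LOAD (comma separated, optionally quoted), one per line.
dont_load_modules() {
    printf '%s\n' "$1" | sed -n 's/^DONT_LOAD=//p' | tr -d "\"'" | tr ',' '\n' | sed '/^$/d'
}

# Print the modules a modules file would still load: only uncommented
# "loadmodule <name>" lines count, so "#loadmodule ..." lines are excluded.
modules_file_entries() {
    printf '%s\n' "$1" | awk '$1 == "loadmodule" { print $2 }'
}

# Print which of the wanted module names ($2, newline separated) appear in lsmod output ($1).
still_loaded() {
    printf '%s\n' "$1" | WANT="$2" awk '
        BEGIN { n = split(ENVIRON["WANT"], w, "\n"); for (i = 1; i <= n; i++) if (w[i] != "") want[w[i]] = 1 }
        ($1 in want) { print $1 }'
}

# Succeed (exit 0) only when no module named in DONT_LOAD ($1) is present in the lsmod output ($2).
check_dont_load() {
    leaked=$(still_loaded "$2" "$(dont_load_modules "$1")")
    [ -z "$leaked" ]
}

# Demonstration on the constructed samples; for a live check replace the
# samples with "$(cat /etc/shorewall/shorewall.conf)" and "$(lsmod)".
echo "DONT_LOAD excludes:"; dont_load_modules "$SAMPLE_CONF"
echo "modules file still loads:"; modules_file_entries "$SAMPLE_MODULES"
for snapshot in BEFORE AFTER; do
    eval "out=\$SAMPLE_LSMOD_$snapshot"
    if check_dont_load "$SAMPLE_CONF" "$out"; then
        echo "$snapshot: H.323 helpers not loaded, exclusion is effective"
    else
        echo "$snapshot: still loaded: $(still_loaded "$out" "$(dont_load_modules "$SAMPLE_CONF")" | tr '\n' ' ')"
    fi
done
```

The lsmod comparison matters because DONT_LOAD only stops Shorewall from loading the modules; anything else that loaded them earlier (or a dependency pulled in by another helper) keeps them resident until they are removed. On kernels much newer than the ones in this thread the picture also changes: since Linux 4.7 the nf_conntrack_helper sysctl defaults to 0, so a loaded conntrack helper no longer attaches itself to connections automatically and nf_nat_h323 only rewrites traffic whose connections were explicitly given the h323 helper.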
# shorewall version
4.0.8

It worked.
Thanks a lot.

One last question.
Suppose I DO want to use these modules. Can I use Shorewall/iptables to really use them, or do they "work" independently of iptables?

-Guilsson

On Fri, Feb 29, 2008 at 12:51 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Simon Hobson wrote:
> > Guilsson . wrote:
> >
> >> When I noticed that WITHOUT any masqs some devices still registered
> >> with NATed IP, I went further and discovered:
> >> - 2 Netfilter modules are loaded by default in Fedora 8
> >> --- nf_nat_h323
> >> --- nf_conntrack_h323
> >>
> >> Unloading (modprobe -r) them, just like magic, everything back to
> >> normal operations. My masq entries worked as should be.
> >>
> >> Two doubts:
> >> 1) Every shorewall restart load these two modules again. How can I
> >> configure Shorewall to not load them ?
> >
> > IIRC, you copy the modules file from /usr/share/shorewall to
> > /etc/shorewall, then comment out or delete those entries from the
> > copy.
>
> If you are running a version of Shorewall prior to 4.0.6, that's the only
> way to do it. Otherwise, it's probably preferable to use DONT_LOAD as I
> explained in my earlier post.
>
> -Tom
Guilsson . wrote:
> # shorewall version
> 4.0.8
>
> It worked.
> Thanks a lot.
>
> One last question.
> Suppose I DO want to use these modules. Can I use Shorewall/iptables
> to really use them or they "work" independently of iptables ?

See Shorewall FAQ 3.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
In fact, my doubt is more "generic", not specific to H.323.
If you have a module loaded in the kernel, what is the precedence?
Are rules processed before or after the module takes place, considering, in this case (H.323), the module "tries" to do NAT on the traffic?

-Guilsson

On Fri, Feb 29, 2008 at 1:30 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Guilsson . wrote:
> > # shorewall version
> > 4.0.8
> >
> > It worked.
> > Thanks a lot.
> >
> > One last question.
> > Suppose I DO want to use these modules. Can I use Shorewall/iptables
> > to really use them or they "work" independently of iptables ?
>
> See Shorewall FAQ 3.
>
> -Tom
Guilsson . wrote:
> In fact, my doubt is more "generic", not specific to H.323.
> If you have a module loaded in kernel, what is the precedence ?
> Rules are processed before or after module takes place, considering,
> in this case (H.323) the module "try" to do Nat on the traffic ?

The module can do whatever it wants to.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Feb 29, 2008 at 6:58 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Guilsson . wrote:
> > In fact, my doubt is more "generic", not specific to H.323.
> > If you have a module loaded in kernel, what is the precedence ?
> > Rules are processed before or after module takes place, considering,
> > in this case (H.323) the module "try" to do Nat on the traffic ?
>
> The module can do whatever it wants to.

But before or after iptables handles it?

-Guilsson
Guilsson . wrote:
> On Fri, Feb 29, 2008 at 6:58 PM, Tom Eastep <teastep@shorewall.net> wrote:
>> Guilsson . wrote:
>> > In fact, my doubt is more "generic", not specific to H.323.
>> > If you have a module loaded in kernel, what is the precedence ?
>> > Rules are processed before or after module takes place, considering,
>> > in this case (H.323) the module "try" to do Nat on the traffic ?
>>
>> The module can do whatever it wants to.
>
> But before or after iptables handles it ?

That question has no meaningful answer. iptables doesn't handle packets. Netfilter does. And modules modify the behavior of Netfilter.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Sorry for the mistake of using the word IPTABLES instead of NETFILTER.

On Fri, Feb 29, 2008 at 7:02 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Guilsson . wrote:
> > On Fri, Feb 29, 2008 at 6:58 PM, Tom Eastep <teastep@shorewall.net> wrote:
> >> Guilsson . wrote:
> >> > In fact, my doubt is more "generic", not specific to H.323.
> >> > If you have a module loaded in kernel, what is the precedence ?
> >> > Rules are processed before or after module takes place, considering,
> >> > in this case (H.323) the module "try" to do Nat on the traffic ?
> >>
> >> The module can do whatever it wants to.
> >
> > But before or after iptables handles it ?
>
> That question has no meaningful answer. iptables doesn't handle packets.
> Netfilter does. And modules modify the behavior of Netfilter.
>
> -Tom