brendlerjg@bluebottle.com
2008-Feb-29 19:19 UTC
shorewall-perl not handling "logmartians" correctly
I've set up a simple 2-interface Linux router using shorewall-perl 4.0.8 (and upgraded to 4.0.9). Everything works flawlessly. One small exception I have noticed (since I'm a new shorewall user I assume this is probably an error on my part).

1. Problem:
   With no "logmartians" entries in /etc/shorewall/interfaces, shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0".

2. Expected behavior:
   For any interface entry in /etc/shorewall/interfaces for which the "logmartians" option is not present, shorewall-perl should take no action, leaving the system settings alone. (Unless I have misunderstood the shorewall-interfaces man page and the release notes.)

3. Steps to reproduce:
   a. With /etc/sysctl.conf entries:
        net.ipv4.conf.default.rp_filter = 1
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.log_martians = 1
        net.ipv4.conf.all.log_martians = 1
   b. With /etc/shorewall/interfaces: (no "routefilter" options or "logmartians" entries of any type)
   c. Reboot
   d. cat /proc/sys/net/conf/*/log_martians (note that all are "0")
   e. Remove shorewall from init scripts (distro-specific)
   f. Reboot (without shorewall)
   g. cat /proc/sys/net/conf/*/log_martians (note that all are "1")
   h. With /etc/shorewall/interfaces: (add "routefilter" or "logmartians=1" to an interface)
   i. Restart shorewall
   j. cat /proc/sys/net/conf/*/log_martians (note that the interface with the "logmartians" entry now has log_martians=1)

Obviously, that's the simple work-around (explicitly enable logmartians where needed), but this seems to be contrary to the (new) behavior described in the man page for shorewall-interfaces and the release notes.
Information required per web site:

# shorewall version
4.0.9

# ip addr show
brendlerjg@typhoon ~ $ sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:01:02:86:4c:16 brd ff:ff:ff:ff:ff:ff
    inet XX.XX.XXX.XXX/22 brd 255.255.255.255 scope global eth1
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:bd:06:3d:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0

# ip route show
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.1
XX.XX.XXX.0/22 dev eth1  proto kernel  scope link  src XX.XX.XXX.XXX
127.0.0.0/8 dev lo  scope link
default via XX.XX.XXX.1 dev eth1

----------------------------------------------------------------------
Find out how you can get spam free email.
http://www.bluebottle.com/tag/3
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
brendlerjg@bluebottle.com wrote:
> I've set up a simple 2-interface Linux router using shorewall-perl 4.0.8
> (and upgraded to 4.0.9). Everything works flawlessly. One small
> exception I have noticed (since I'm a new shorewall user I
> assume this is probably an error on my part).
>
> 1. Problem:
> With no "logmartians" entries in /etc/shorewall/interfaces,
> shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0".
>
> 2. Expected behavior:
> For any interface entry in /etc/shorewall/interfaces for which the
> "logmartians" option is not present, shorewall-perl should take no
> action, leaving the system settings alone. (Unless I have
> misunderstood the shorewall-interfaces man page and the release notes.)

What is your setting for LOG_MARTIANS in shorewall.conf? It should be 'keep'.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
John Brendler
2008-Mar-01 00:02 UTC
Re: shorewall-perl not handling "logmartians" correctly
Disregard.

Solution: I had overlooked /etc/shorewall/shorewall.conf:

LOG_MARTIANS=Keep

Sorry for the unnecessary post.

On Fri, 29 Feb 2008 14:19:58 -0500 brendlerjg@bluebottle.com wrote:
> I've set up a simple 2-interface Linux router using shorewall-perl
> 4.0.8 (and upgraded to 4.0.9). Everything works flawlessly. One small
> exception I have noticed (since I'm a new shorewall user I
> assume this is probably an error on my part).
>
> 1. Problem:
> With no "logmartians" entries in /etc/shorewall/interfaces,
> shorewall-perl sets /proc/sys/net/ipv4/conf/*/log_martians to "0".
John Brendler wrote:
> Disregard.
>
> Solution: I had overlooked /etc/shorewall/shorewall.conf:
>
> LOG_MARTIANS=Keep
>
> Sorry for the unnecessary post.

No problem. I've changed the sample configs to include that setting. But beginning with Shorewall 4.2, the sample configs will have LOG_MARTIANS=Yes. It's a good option that everyone should set.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Mar-01 07:40 UTC
Re: shorewall-perl not handling "logmartians" correctly
On Fri, Feb 29, 2008 at 06:18:09PM -0800, Tom Eastep wrote:
> I've changed the sample configs to include that setting. But beginning with
> Shorewall 4.2, the sample configs will have LOG_MARTIANS=Yes. It's a good
> option that everyone should set.

Particularly since it's a choice between "log martians" and "silently drop martians". Oddly, Linux has no way to disable martian checks.
Andrew Suffield wrote:
> On Fri, Feb 29, 2008 at 06:18:09PM -0800, Tom Eastep wrote:
>> I've changed the sample configs to include that setting. But beginning with
>> Shorewall 4.2, the sample configs will have LOG_MARTIANS=Yes. It's a good
>> option that everyone should set.
>
> Particularly since it's a choice between "log martians" and "silently
> drop martians". Oddly, Linux has no way to disable martian checks.

Although they can be made much less strict by turning off route filtering.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
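As an added example that is not part of this thread or of Shorewall itself, a small POSIX shell audit that combines John's check of the per-interface log_martians values with the point Andrew and Tom make above: with route filtering on and logging off, martians are dropped without a trace. The function names, the sysctl-root parameter (so the check can run against a constructed tree as well as the live /proc/sys) and the sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: audit the per-interface martian
# settings discussed in the thread. The sysctl tree root is a parameter so the
# check can run against a constructed copy as well as the live /proc/sys.

# Print the LOG_MARTIANS value from a shorewall.conf, or "unset" if absent.
# The thread's reporter saw log_martians zeroed on every interface while the
# setting was absent from his shorewall.conf; "Keep" leaves the kernel values alone.
shorewall_log_martians() {
  conf="$1"
  val=$(grep -E '^LOG_MARTIANS=' "$conf" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d '"')
  printf '%s\n' "${val:-unset}"
}

# Walk $root/net/ipv4/conf/*/ and classify each interface. Returns 1 if any
# interface has rp_filter on but log_martians off (the "silently drop
# martians" case Andrew describes), 0 otherwise.
audit_martians() {
  root="${1:-/proc/sys}"
  rc=0
  for dir in "$root"/net/ipv4/conf/*/; do
    dir="${dir%/}"
    iface=$(basename "$dir")
    rp=$(cat "$dir/rp_filter" 2>/dev/null || echo '?')
    lm=$(cat "$dir/log_martians" 2>/dev/null || echo '?')
    case "$rp:$lm" in
      0:*) status="rp_filter off (martian checks relaxed)" ;;
      *:1) status="martians logged" ;;
      *:0) status="SILENT DROP"; rc=1 ;;
      *)   status="unreadable" ;;
    esac
    printf '%-8s rp_filter=%s log_martians=%s  %s\n' "$iface" "$rp" "$lm" "$status"
  done
  return $rc
}
```

Run `audit_martians` with no argument on a live router to see the state Shorewall left behind, and `shorewall_log_martians /etc/shorewall/shorewall.conf` to see whether the setting from the thread is present.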