John Morris
2008-Mar-06 05:05 UTC
Shorewall/iptables hangs while reloading: LDAP nss problem
Tried to send in traces and such the other day, but they were just too big and got rejected. Here's a description of the problem; should be enough without the traces.

We run CentOS 5 with an LDAP directory. Shorewall/iptables hung at the last line in the following listing:

    progress_message2 "Creating action chain Drop"

    run_iptables -A Drop -p tcp --dport 113 -j reject
    progress_message " Rule \"REJECT - - tcp 113 - - \" added."
    run_iptables -A Drop -p all -j dropBcast

A trace of the /sbin/iptables process revealed the iptables process doing an LDAP query; turned out to be searching for a protocols entry (files was listed first in nsswitch.conf; I didn't get as far as to see which protocol it was looking for, or if it was doing a getent for the whole table).

CentOS's authconfig script enables ldap for protocols by default in /etc/nsswitch.conf. Removing the 'ldap' from the mapping in nsswitch.conf stopped this query and everything worked again.

It seems that this command is being executed in a certain part of the shorewall script where network access is being blocked. We don't really care, since we don't put the protocols map in our LDAP directory, but I'm posting this as an FYI, perhaps for the next person.

One more thing I found: if shorewall stops in mid-flight at this point, the iptables rules are left in a state where the LDAP server is still inaccessible. Rerunning shorewall will hang again, even if the nsswitch.conf protocols ldap mapping is removed; to get shorewall running again, either the iptables rules must be cleared, or the passwd ldap mapping must be temporarily removed.

John
Tom Eastep
2008-Mar-06 05:21 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
John Morris wrote:
> ...
> One more thing I found: if shorewall stops in mid-flight at this
> point, the iptables rules are left in a state where the LDAP server is
> still inaccessible. Rerunning shorewall will hang again, even if the
> nsswitch.conf protocols ldap mapping is removed; to get shorewall
> running again, either the iptables rules must be cleared, or the passwd
> ldap mapping must be temporarily removed.

See Shorewall FAQ 62 and either

a) Beat yourself violently about the head for ever believing that LDAP authentication on a firewall was a good idea; or

b) List your LDAP server(s) IP address(es) in /etc/shorewall/routestopped with the 'critical' option and hope for the best.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2008-Mar-06 05:36 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
Tom Eastep wrote:
> See Shorewall FAQ 62 and either
>
> a) Beat yourself violently about the head for ever believing that LDAP
> authentication on a firewall was a good idea; or
>
> b) List your LDAP server(s) IP address(es) in
> /etc/shorewall/routestopped with the 'critical' option and hope for the
> best.

or

c) Upgrade to Shorewall 4 and migrate to Shorewall-perl which doesn't have this problem.

-Tom
John Morris
2008-Mar-06 09:30 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
Tom,

On Thu, Mar 6, 2008 at 1:36 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> >
> > See Shorewall FAQ 62 and either

Ah, thank you for this and b) and c) below. I'm using Shorewall 4 already, so I'll go that way.

> > a) Beat yourself violently about the head for ever believing that LDAP
> > authentication on a firewall was a good idea; or

This is an intranet server on the loc subnet. I just like shorewall better than /etc/sysconfig/iptables. Do I still have to beat myself? What if I promise to read every single FAQ from 1 to 76, can I avoid the violence, then?

John

> > b) List your LDAP server(s) IP address(es) in
> > /etc/shorewall/routestopped with the 'critical' option and hope for the
> > best.
>
> or
>
> c) Upgrade to Shorewall 4 and migrate to Shorewall-perl which doesn't
> have this problem.
Paul Gear
2008-Mar-06 09:36 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
John Morris wrote:
> ...
> Ah, thank you for this and b) and c) below. I'm using Shorewall 4 already,
> so I'll go that way.
>
>>> a) Beat yourself violently about the head for ever believing that LDAP
>>> authentication on a firewall was a good idea; or
>
> This is an intranet server on the loc subnet. I just like shorewall better
> than /etc/sysconfig/iptables. Do I still have to beat myself? What if I
> promise to read every single FAQ from 1 to 76, can I avoid the violence,
> then?

Yes, but as a substitute, you must do manual long division of a 100-digit number with a 20-digit divisor to prove your attitude of humility and repentance. ;-)
John Morris
2008-Apr-03 10:17 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
I'd like to follow up on this thread so that if anyone later encounters this difficulty, they can avoid going through a) below (though I performed that step as a result of feelings of frustration rather than those of guilt).

Implementing b) and c) helped with *some* of the cases where shorewall encountered nss_ldap-related timeouts, but there was still a last one left. When shutting down a CentOS system with the EPEL Shorewall RPM, the network is shut down before Shorewall. There is still a case where Shorewall requires a passwd getent lookup in the "determine_capabilities" function in /usr/share/shorewall/lib.base on this line:

    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes

It's quite possible that my nss_ldap configuration is wrong, since uid 0 is in the /etc/passwd file. Anyway, disregarding that problem, if one generates the /etc/shorewall/capabilities file with "shorewall show -f capabilities > /etc/shorewall/capabilities", Shorewall reads this file instead of performing the tests itself, and everything behaves well again.

John

On Thu, Mar 6, 2008 at 1:36 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Tom Eastep wrote:
> >
> > See Shorewall FAQ 62 and either
> >
> > a) Beat yourself violently about the head for ever believing that LDAP
> > authentication on a firewall was a good idea; or
> >
> > b) List your LDAP server(s) IP address(es) in
> > /etc/shorewall/routestopped with the 'critical' option and hope for the
> > best.
>
> or
>
> c) Upgrade to Shorewall 4 and migrate to Shorewall-perl which doesn't have
> this problem.
Andrew Suffield
2008-Apr-03 10:26 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
On Thu, Apr 03, 2008 at 06:17:14PM +0800, John Morris wrote:
> When shutting down a CentOS system with the EPEL Shorewall RPM, the network
> is shut down before Shorewall. There is still a case where Shorewall
> requires a passwd getent lookup in the "determine_capabilities" function in
> /usr/share/shorewall/lib.base on this line:
>
> qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
>
> It's quite possible that my nss_ldap configuration is wrong, since uid 0 is
> in the /etc/passwd file.

You have placed ldap before passwd in /etc/nsswitch.conf. That means you want to make a slow-maybe-fails lookup first, and only use /etc/passwd after it fails or returns not-found. If you had them in the other order then no lookup would be made for things in /etc/passwd. That's usually what you want, so that all the system entries are fast.
John Morris
2008-Apr-03 13:51 UTC
Re: Shorewall/iptables hangs while reloading: LDAP nss problem
That was my first thought too, but:

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap

This was all set up by the RH authconfig script, by the way. I'll pursue this other half of the problem on the nssldap list, perhaps.

John
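An added example, not from the thread or from the Shorewall project: a small POSIX shell audit of an nsswitch.conf that lists the databases still backed by ldap (the protocols lookup from the first post and the passwd lookup from the follow-up) and emits the corrected line with ldap removed. The nsswitch.conf content is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audit nsswitch.conf for databases that
# consult ldap: iptables resolves "-p <proto>" via protocols and
# "--uid-owner <arg>" via passwd, and both can stall while rules are loading
# if the LDAP server is unreachable. Function names are this example's own.

# Constructed sample standing in for /etc/nsswitch.conf as authconfig writes it.
NSS_SAMPLE=$(mktemp)
cat > "$NSS_SAMPLE" <<'EOF'
# constructed sample
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
protocols:  files ldap
services:   files ldap
ethers:     files
EOF

# Print "<db> <position>" for each database whose sources include ldap;
# position 1 means ldap is consulted before any other source.
nss_ldap_dbs() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { sub(/#.*/, ""); db = $1; sub(/:$/, "", db)
           for (i = 2; i <= NF; i++)
               if ($i == "ldap") { printf "%s %d\n", db, i - 1; break } }' "$1"
}

# Databases a firewall script touches while installing rules. "files" first
# does not remove the risk: a name that misses in the flat file (old iptables
# owner matches call getpwnam() on "0" before treating it as a number) still
# falls through to the directory.
nss_firewall_risk() {
    nss_ldap_dbs "$1" | awk '$1 == "protocols" || $1 == "services" ||
                             $1 == "passwd" || $1 == "group" { print $1 }'
}

# Emit the file with ldap dropped from one database line, e.g. leaving the
# "protocols: files" mapping the first post ended up with.
nss_strip_ldap() {
    awk -v db="$2:" '
        $1 == db { out = ""
                   for (i = 1; i <= NF; i++)
                       if ($i != "ldap") out = out (out == "" ? "" : " ") $i
                   print out; next }
        { print }' "$1"
}

nss_firewall_risk "$NSS_SAMPLE"
```

Run against the real file with `nss_firewall_risk /etc/nsswitch.conf`; the list it prints is what a firewall start or stop can block on.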