Hi,

I am using Shorewall (4.0.12 shell) on a CentOS box which is mainly running Asterisk (SIP server). The box is also used as a gateway to the internet using PPPoE through one of its ethernet interfaces. PPPoE is run on eth1, and the ppp0 interface is the WAN interface. The LAN interface is br0, which also acts as a bridge for both the eth2 and ath0 interfaces. ath0 is used for WLAN clients. So mainly Shorewall acts as a firewall and NAT between the br0 and ppp0 interfaces.

I have SIP clients on the br0 interface (physically connected to eth2) which register to the SIP server on the box. Recently I noticed a problem with these SIP clients: they send register messages to the SIP server every 600 seconds. When the box is fresh (newly rebooted) they successfully register every 600 seconds. After some time, I see that the SIP packets are received on br0 but not delivered to the application layer. I understand that from the SIP debugs on Asterisk.

In this state, if I clear the connection tracking table with "conntrack -F", the SIP packets get delivered to the application. Well, it seems like a problem with the connection tracking table, but I am not an expert. How can I solve this issue?

I am attaching the dump from Shorewall to this message.
Also, below you can find "ip addr show" output from the box:

[trixbox1.localdomain ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:b9:12:cf:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::20d:b9ff:fe12:cf90/64 scope link
       valid_lft forever preferred_lft forever
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0d:b9:12:cf:91 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::20d:b9ff:fe12:cf91/64 scope link
       valid_lft forever preferred_lft forever
4: wifi0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 199
    link/ieee802.11 00:80:48:4f:21:8d brd ff:ff:ff:ff:ff:ff
5: ath0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2290 qdisc noqueue
    link/ether 00:80:48:4f:21:8d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::280:48ff:fe4f:218d/64 scope link
       valid_lft forever preferred_lft forever
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb
    link/ether 00:0d:b9:12:cf:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.254.254/24 brd 192.168.254.255 scope global br0
    inet6 fe80::20d:b9ff:fe12:cf91/64 scope link
       valid_lft forever preferred_lft forever
13: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
15: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc htb qlen 3
    link/ppp
    inet 195.87.156.15 peer 192.168.20.1/32 scope global ppp0
[trixbox1.localdomain ~]#

Thanks.
İlker Aktuna (Koç.net) wrote:
> After some time, I see that the SIP packets are received on br0 but not
> delivered to the application layer.
>
> I understand that from the SIP debugs on Asterisk.
>
> In this state, if I clear the connection tracking table with "conntrack
> -F", the SIP packets get delivered to the application.
>
> Well, it seems like a problem with connection tracking table, but I am
> not an expert.
>
> How can I solve this issue?

Sounds like the conntrack table is filling up -- look at your log. A
Google search should yield instructions for re-sizing the table.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> Sounds like the conntrack table is filling up -- look at your log. A
> Google search should yield instructions for re-sizing the table.

Which log can I check?
İlker Aktuna (Koç.net) wrote:
>> Sounds like the conntrack table is filling up -- look at your log. A
>> Google search should yield instructions for re-sizing the table.
>
> which log can I check?

Whichever one your distribution logs kernel messages to -- probably
/var/log/messages.

-Tom
>>> Sounds like the conntrack table is filling up -- look at your log. A
>>> Google search should yield instructions for re-sizing the table.
>>
>> which log can I check?
>
> Whichever one your distribution logs kernel messages to -- probably
> /var/log/messages.

Well, I don't see any lines which include the "track" keyword in the messages file, just these:

Jan 1 00:02:07 trixbox1 kernel: ip_conntrack version 2.4 (2048 buckets, 16384 max) - 228 bytes per conntrack
Jan 1 00:02:09 trixbox1 kernel: ip_conntrack_pptp version 3.1 loaded

What is the correct keyword to search for? Does resizing this table include any kernel modding?
I found this document: http://www.wallfire.org/misc/netfilter_conntrack_perf.txt

But I am not sure which value to set. My current values are:

[trixbox1.localdomain log]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
16384
[trixbox1.localdomain log]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
2048

What would be a good setting? And can I set it anytime? Or should I set it when booting?

________________________________
From: İlker Aktuna (Koç.net) [mailto:ilkera@koc.net]
Sent: Mon 06.04.2009 20:21
To: Shorewall Users
Subject: [Shorewall-users] YNT: YNT: connection tracking problem

>>>> Sounds like the conntrack table is filling up -- look at your log. A
>>>> Google search should yield instructions for re-sizing the table.
>>>
>>> which log can I check?
>>
>> Whichever one your distribution logs kernel messages to -- probably
>> /var/log/messages.
>
> Well, I don't see any lines which include the "track" keyword in the messages file, just these:
>
> Jan 1 00:02:07 trixbox1 kernel: ip_conntrack version 2.4 (2048 buckets, 16384 max) - 228 bytes per conntrack
> Jan 1 00:02:09 trixbox1 kernel: ip_conntrack_pptp version 3.1 loaded
>
> What is the correct keyword to search for? Does resizing this table include any kernel modding?
İlker Aktuna (Koç.net) wrote:
> I found this document:
> http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
>
> But I am not sure which value to set. My current values are:
>
> [trixbox1.localdomain log]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
> 16384
> [trixbox1.localdomain log]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
> 2048
>
> What would be a good setting?
>
> And can I set it anytime? Or should I set it when booting?

It strikes me that if you aren't seeing allocation failures, there is no
point in changing the table settings. If you search the web for
'conntrack_max', you should find lots of info about the conntrack table.

To help you any further, I would have to do research on the web myself
then pass the information on to you. That isn't good use of my time.

-Tom
İlker Aktuna (Koç.net)
2009-Apr-06 18:19 UTC
YNT: YNT: YNT: YNT: connection tracking problem
I understand you. Could you at least tell me what to search for in my log files? I need to solve this problem but I don't even know the root cause now. If it is not the table size, what else could it be?

________________________________
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Mon 06.04.2009 20:50
To: Shorewall Users
Subject: Re: [Shorewall-users] YNT: YNT: YNT: connection tracking problem

> İlker Aktuna (Koç.net) wrote:
>> I found this document:
>> http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
>>
>> But I am not sure which value to set. My current values are:
>>
>> [trixbox1.localdomain log]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
>> 16384
>> [trixbox1.localdomain log]# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
>> 2048
>>
>> What would be a good setting?
>>
>> And can I set it anytime? Or should I set it when booting?
>
> It strikes me that if you aren't seeing allocation failures, there is no
> point in changing the table settings. If you search the web for
> 'conntrack_max', you should find lots of info about the conntrack table.
>
> To help you any further, I would have to do research on the web myself
> then pass the information on to you. That isn't good use of my time.
İlker Aktuna (Koç.net) wrote:
> I understand you.
> Could you at least tell me what to search for in my log files?

The second hit on Google when searching for "conntrack_max" gives the
exact text of the message. Again, I'm having to use Google to help you
at all with this since I've never had the problem.

> I need to solve this problem but I don't even know the root cause now.
> If it is not the table size, what else could it be?

I don't know.

-Tom
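The kernel message Tom is pointing at is the "ip_conntrack: table full, dropping packet" warning that the conntrack code logs when it cannot allocate a new entry. As an added example (not from anyone in this thread), the script below greps a kernel log for that line and compares the live entry count with ip_conntrack_max using the proc paths shown above; the log excerpt it runs on is constructed, and the 80% threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the thread: is the ip_conntrack table the bottleneck?
# Check 1: scan a kernel log for the "table full, dropping packet" warning.
# Check 2: compare the live entry count with ip_conntrack_max (proc paths as
#          shown in the thread; ip_conntrack_count sits beside them on 2.6).

CONNTRACK_DIR=/proc/sys/net/ipv4/netfilter

# count_table_full LOGFILE -> number of "table full" drops logged.
# ip_conntrack logs "ip_conntrack: table full, dropping packet.";
# the newer nf_conntrack uses the same wording with its own prefix.
count_table_full() {
    grep -c -E '(ip|nf)_conntrack: table full, dropping packet' "$1" || true
}

# usage_percent COUNT MAX -> integer percentage of the table in use.
usage_percent() {
    echo $(( $1 * 100 / $2 ))
}

# live_usage_percent -> reads the real proc files, or prints "n/a" when the
# ip_conntrack module is not loaded on this machine.
live_usage_percent() {
    if [ -r "$CONNTRACK_DIR/ip_conntrack_count" ]; then
        usage_percent "$(cat "$CONNTRACK_DIR/ip_conntrack_count")" \
                      "$(cat "$CONNTRACK_DIR/ip_conntrack_max")"
    else
        echo n/a
    fi
}

# verdict DROPS PERCENT -> saturated | high | ok
# "saturated": the kernel has already dropped packets (Tom's "allocation
# failures"). "high": no drops yet but above 80% (arbitrary threshold), so
# raising net.ipv4.netfilter.ip_conntrack_max is worth considering
# (sysctl -w for right now, /etc/sysctl.conf to survive a reboot).
verdict() {
    if [ "$1" -gt 0 ]; then
        echo saturated
    elif [ "$2" != n/a ] && [ "$2" -ge 80 ]; then
        echo high
    else
        echo ok
    fi
}

# --- Demo on a constructed log: the two lines the poster found, plus one
# --- "table full" line of the kind he should be grepping for.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
Jan 1 00:02:07 trixbox1 kernel: ip_conntrack version 2.4 (2048 buckets, 16384 max) - 228 bytes per conntrack
Jan 1 00:02:09 trixbox1 kernel: ip_conntrack_pptp version 3.1 loaded
Jan 1 03:14:15 trixbox1 kernel: ip_conntrack: table full, dropping packet.
EOF
drops=$(count_table_full "$sample_log")
echo "table-full drops logged: $drops"                  # 1
echo "sample usage: $(usage_percent 16000 16384)%"      # 97
echo "sample verdict: $(verdict "$drops" 97)"           # saturated
echo "live usage on this host (percent): $(live_usage_percent)"
rm -f "$sample_log"
```

On the poster's box the same check would be `grep 'table full' /var/log/messages` plus a look at ip_conntrack_count; no hits and a low count mean the table size is not what is eating the SIP packets.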
İlker Aktuna (Koç.net)
2009-Apr-06 19:21 UTC
YNT: YNT: YNT: YNT: YNT: connection tracking problem
So you are 100% sure that it's not caused by Shorewall or misconfiguration of it?

________________________________
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Mon 06.04.2009 21:51
To: Shorewall Users
Subject: Re: [Shorewall-users] YNT: YNT: YNT: YNT: connection tracking problem

> İlker Aktuna (Koç.net) wrote:
>> I understand you.
>> Could you at least tell me what to search for in my log files?
>
> The second hit on Google when searching for "conntrack_max" gives the
> exact text of the message. Again, I'm having to use Google to help you
> at all with this since I've never had the problem.
>
>> I need to solve this problem but I don't even know the root cause now.
>> If it is not the table size, what else could it be?
>
> I don't know.
>
> -Tom
İlker Aktuna (Koç.net) wrote:
> So you are 100% sure that it's not caused by Shorewall or
> misconfiguration of it?

Given that Shorewall is nothing but a configuration tool, problems where
the firewall works for a while then stops working can't possibly be
traced to Shorewall. Once 'shorewall start' has completed, there is no
Shorewall code left running in your system at all.

Unless you are using CONNLIMIT, there isn't any way that I know of that
Shorewall could be mis-configured such that your problem could be
resolved by 'conntrack -F'.

-Tom