Mikael Kermorgant
2009-Jun-18 17:10 UTC
OT - shorewall / xen / vlan : blocking strange traffic
Hello, this is not a problem with my shorewall configuration but strange logs that I'd like to understand, so sorry for being a little off-topic.

I have set up a xen machine (debian lenny + shorewall 3.2) with bonding and vlans following the attached schema (or here: http://i39.tinypic.com/esstqc.png)

As soon as I launch my first domU in vlan 2, I get a lot of traffic aimed at other machines (and not broadcast) that is dropped. I find it strange to receive all that junk, and wondered if someone could tell me why it happens?

Jun 18 18:41:22 axen3 kernel: [ 7430.003077] Shorewall:FORWARD:REJECT:IN=br2 OUT=br2 PHYSIN=bond0.2 PHYSOUT=vif2.0 SRC=172.20.0.1 DST=172.20.2.xyz LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=61701 PROTO=UDP SPT=63577 DPT=514 LEN=132

Interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net2    br2
net5    br5
net10   br10

Zones:

net2
dmz2:net2
net5
dmz5:net5
net10
dmz10:net10

Hosts:

dmz2    br2:$VLAN2_DOMU
dmz5    br5:$VLAN5_DOMU
dmz10   br10:$VLAN10_DOMU

Here is a /etc/network/interfaces extract for br2:

iface br2 inet manual
    up ifconfig bond0.2 mtu 1492
    bridge_ports bond0.2
    bridge_fd 1
    bridge_hello 1
    bridge_stp off

Would anyone have an idea about why this happens? Is this something inherent to bridges I have not understood? Or should I better look at the switches?

Regards,
Mikael Kermorgant

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment.
http://p.sf.net/sfu/businessobjects
Mikael Kermorgant
2009-Jun-19 10:24 UTC
Re: OT - shorewall / xen / vlan : blocking strange traffic
On Thu, Jun 18, 2009 at 7:10 PM, Mikael Kermorgant <mikael.kermorgant@gmail.com> wrote:

> Would anyone have an idea about why this happens? Is this something
> inherent to bridges I have not understood? Or should I better look at
> the switches?

I just found this in the FAQ which seems to apply to my problem:

INPUT or FORWARD

The packet has a source IP address that isn't in any of your defined zones (“*shorewall[-lite] show zones*” and look at the printed zone definitions) or the chain is FORWARD and the destination IP isn't in any of your defined zones. If the chain is FORWARD and the IN and OUT interfaces are the same, then you probably need the *routeback* option on that interface in /etc/shorewall/interfaces <manpages/shorewall-interfaces.html>, you need the *routeback* option in the relevant entry in /etc/shorewall/hosts <manpages/shorewall-hosts.html> or you've done something silly like define a default route out of an internal interface.

In Shorewall 3.3.3 and later versions with OPTIMIZE=1 in shorewall.conf <manpages/shorewall.conf.html>, such packets may also be logged out of a <zone>2all chain or the all2all chain.

I'll test that Monday, but I still fail to understand how a UDP stream with a host IP destination can reach my machine with shorewall in a switched environment.

Regards,
-- 
Mikael Kermorgant
Tom Eastep
2009-Jun-19 13:56 UTC
Re: OT - shorewall / xen / vlan : blocking strange traffic
Mikael Kermorgant wrote:

> On Thu, Jun 18, 2009 at 7:10 PM, Mikael Kermorgant
> <mikael.kermorgant@gmail.com <mailto:mikael.kermorgant@gmail.com>> wrote:
>
>     Would anyone have an idea about why this happens? Is this something
>     inherent to bridges I have not understood? Or should I better look at
>     the switches?
>
> I just found this in the FAQ which seems to apply to my problem:
>
> INPUT or FORWARD
>
>     The packet has a source IP address that isn't in any of your defined
>     zones (“*shorewall[-lite] show zones*” and look at the printed zone
>     definitions) or the chain is FORWARD and the destination IP isn't in
>     any of your defined zones. If the chain is FORWARD and the IN and
>     OUT interfaces are the same, then you probably need
>     the *routeback* option on that interface
>     in /etc/shorewall/interfaces <manpages/shorewall-interfaces.html>, you need
>     the *routeback* option in the relevant entry
>     in /etc/shorewall/hosts <manpages/shorewall-hosts.html> or you've
>     done something silly like define a default route out of an internal
>     interface.
>
>     In Shorewall 3.3.3 and later versions with OPTIMIZE=1
>     in shorewall.conf <manpages/shorewall.conf.html>, such packets may
>     also be logged out of a <zone>2all chain or the all2all chain.
>
> I'll test that Monday, but I still fail to understand how a UDP stream
> with a host IP destination can reach my machine with shorewall in a
> switched environment.

Where can we read your original post? It apparently was not sent to this list.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mikael Kermorgant
2009-Jun-19 14:56 UTC
Re: OT - shorewall / xen / vlan : blocking strange traffic
> Where can we read your original post? It apparently was not sent to this
> list.

Here it is (was moderated because of attachment):

Hello, this is not a problem with my shorewall configuration but strange logs that I'd like to understand, so sorry for being a little off-topic.

I have set up a xen machine (debian lenny + shorewall 3.2) with bonding and vlans following the attached schema (or here: http://i39.tinypic.com/esstqc.png)

As soon as I launch my first domU in vlan 2, I get a lot of traffic aimed at other machines (and not broadcast) that is dropped. I find it strange to receive all that junk, and wondered if someone could tell me why it happens?

Jun 18 18:41:22 axen3 kernel: [ 7430.003077] Shorewall:FORWARD:REJECT:IN=br2 OUT=br2 PHYSIN=bond0.2 PHYSOUT=vif2.0 SRC=172.20.0.1 DST=172.20.2.xyz LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=61701 PROTO=UDP SPT=63577 DPT=514 LEN=132

Interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net2    br2
net5    br5
net10   br10

Zones:

net2
dmz2:net2
net5
dmz5:net5
net10
dmz10:net10

Hosts:

dmz2    br2:$VLAN2_DOMU
dmz5    br5:$VLAN5_DOMU
dmz10   br10:$VLAN10_DOMU

Here is a /etc/network/interfaces extract for br2:

iface br2 inet manual
    up ifconfig bond0.2 mtu 1492
    bridge_ports bond0.2
    bridge_fd 1
    bridge_hello 1
    bridge_stp off

Would anyone have an idea about why this happens? Is this something inherent to bridges I have not understood? Or should I better look at the switches?

Regards,
Mikael Kermorgant
Tom Eastep
2009-Jun-19 14:59 UTC
Re: OT - shorewall / xen / vlan : blocking strange traffic
Mikael Kermorgant wrote:

> Would anyone have an idea about why this happens? Is this something
> inherent to bridges I have not understood? Or should I better look at
> the switches?

As described in Shorewall FAQ 17, you simply need to set the 'routeback' option on br2 in /etc/shorewall/interfaces. 'routeback' is always required when an interface is really a Linux bridge.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2009-Jun-19 15:29 UTC
Re: OT - shorewall / xen / vlan : blocking strange traffic
Tom Eastep wrote:

> Mikael Kermorgant wrote:
>
>> Would anyone have an idea about why this happens? Is this something
>> inherent to bridges I have not understood? Or should I better look at
>> the switches?
>
> As described in Shorewall FAQ 17, you simply need to set the 'routeback'
> option on br2 in /etc/shorewall/interfaces. 'routeback' is always
> required when an interface is really a Linux bridge.

I've taken another look at your post and believe that this is something other than a simple 'routeback' issue. I now understand your confusion about what is happening and I apologize for being so quick to post.

I assume that the various $VLANx_DOMU variables hold lists of IP addresses? And that one of the two IP addresses mentioned in the log message isn't associated with any of your zones?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Mikael Kermorgant
2009-Jun-19 15:59 UTC
Re: OT - shorewall / xen / vlan : blocking strange traffic
On Fri, Jun 19, 2009 at 5:29 PM, Tom Eastep <teastep@shorewall.net> wrote:

> Tom Eastep wrote:
> > Mikael Kermorgant wrote:
> >
> >> Would anyone have an idea about why this happens? Is this something
> >> inherent to bridges I have not understood? Or should I better look at
> >> the switches?
> >
> > As described in Shorewall FAQ 17, you simply need to set the 'routeback'
> > option on br2 in /etc/shorewall/interfaces. 'routeback' is always
> > required when an interface is really a Linux bridge.
>
> I've taken another look at your post and believe that this is something
> other than a simple 'routeback' issue. I now understand your confusion
> about what is happening and I apologize for being so quick to post.
>
> I assume that the various $VLANx_DOMU variables hold lists of IP
> addresses? And that one of the two IP addresses mentioned in the log
> message isn't associated with any of your zones?

Yes, exactly. Sorry for the inaccurate post and thanks for answering anyway!

Regards,
-- 
Mikael Kermorgant
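The two causes the thread settles on (an address that belongs to no defined zone, and a FORWARD whose IN and OUT interface are the same Linux bridge, which needs 'routeback') can both be read straight off the kernel log line. The following is an added example, not code from the thread or from Shorewall itself: it parses a log line of the shape Mikael posted and looks SRC and DST up in a zone table shaped like /etc/shorewall/hosts. The log line is constructed (DST 172.20.2.42 stands in for the address masked as 172.20.2.xyz in the post) and the zone table is a constructed simplification with hypothetical networks in place of the $VLANx_DOMU variables; it models only the hosts-file zones, not the interface-wide net2/net5/net10 zones.

```python
"""Classify a Shorewall FORWARD reject against zone definitions.

Added example, not from the thread or from Shorewall: parse the kernel
log line, look SRC and DST up in a hosts-style zone table, and report
the two FAQ causes: an address in no zone, and IN == OUT (routeback).
"""
import ipaddress
import re

# Constructed log line. Field names and layout follow the message quoted in
# the thread; the DST host address is a constructed value (the post masked it).
SAMPLE_LOG = (
    "Jun 18 18:41:22 axen3 kernel: [ 7430.003077] Shorewall:FORWARD:REJECT:"
    "IN=br2 OUT=br2 PHYSIN=bond0.2 PHYSOUT=vif2.0 SRC=172.20.0.1 DST=172.20.2.42 "
    "LEN=152 TOS=0x00 PREC=0x00 TTL=255 ID=61701 PROTO=UDP SPT=63577 DPT=514 LEN=132"
)

# Assumed zone table: the shape of /etc/shorewall/hosts once the $VLANx_DOMU
# variables are expanded. Networks are hypothetical; a single address also
# works as an entry (ipaddress treats it as a /32).
SAMPLE_ZONES = {
    "dmz2":  [("br2",  "172.20.2.0/24")],
    "dmz5":  [("br5",  "172.20.5.0/24")],
    "dmz10": [("br10", "172.20.10.0/24")],
}

_LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)")
_KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Return chain, disposition and the key=value fields of a Shorewall log line.

    LEN appears twice (IP header, then UDP header); only the first value
    of a repeated key is kept. Returns None if the line is not a Shorewall log."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group("chain"), "DISPOSITION": m.group("disp")}
    for key, value in _KV_RE.findall(m.group("rest")):
        fields.setdefault(key, value)
    return fields


def zone_of(address, interface, zones):
    """Name of the zone whose entry on `interface` contains `address`, else None."""
    ip = ipaddress.ip_address(address)
    for zone, entries in zones.items():
        for iface, network in entries:
            if iface == interface and ip in ipaddress.ip_network(network):
                return zone
    return None


def diagnose(line, zones):
    """Explain a FORWARD reject in the terms of the Shorewall FAQ.

    Returns None for lines that are not FORWARD-chain Shorewall messages."""
    f = parse_shorewall_log(line)
    if f is None or f["CHAIN"] != "FORWARD":
        return None
    src_zone = zone_of(f["SRC"], f["IN"], zones)
    dst_zone = zone_of(f["DST"], f["OUT"], zones)
    findings = []
    if src_zone is None:
        findings.append(f"SRC {f['SRC']} on {f['IN']} is in no defined zone")
    if dst_zone is None:
        findings.append(f"DST {f['DST']} on {f['OUT']} is in no defined zone")
    if f["IN"] == f["OUT"]:
        findings.append(
            f"IN and OUT are both {f['IN']}: the 'routeback' option is needed on it")
    return {"src_zone": src_zone, "dst_zone": dst_zone, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_ZONES)["findings"]:
        print(finding)
```

Run against the constructed line it reports both findings at once: the source 172.20.0.1 falls in none of the assumed zone networks, and the bridge appears as both IN and OUT. Feeding it real lines from `shorewall show log` and the expanded hosts table is a quick way to tell which of the two FAQ causes applies before touching the configuration.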