Shorewall users - Feb 2010 - Connections lost during restart; accounting chain rules

Hello all,

I''ve been spending the last few days setting up a Shorewall-based
firewall
for our new
data center - this takes the place of a CheckPoint firewall that was nothing
but headache
after headache after network outage after headache.

Anyway, everything is going very well. Still tweaking the traffic shaping to
get it to where
we need, and there will likely be a question or 40 about that later, but for
now just two
questions:

Any time we make changes to the firewall configurations and issue a
shorewall
safe-restart command, all of our phone calls (we are using an Asterisk
server behind our
firewall) get dropped. I suspect that this is because the DNAT rules are
getting wiped by
Shorewall just before it puts them back in; not normally a problem for
stateful TCP
connections, but UDP datagrams apparently get lost. (This is all speculation
- I lack the
networking knowledge to verify the "why".) Is there a way we can
prevent
this from
happening? It would be nice to be able to make changes to the configuration
without
automatically terminating every in-progress phone call.

The second question should be a really simple answer: When creating
accounting rules,
are these strictly first-matched like in the general rules file, or can
multiple accounting
rules be used to capture the same streams? Specifically, I want separate
accounting
chains for web, SVN, VOIP, etc. traffic, but I also want a single chain to
capture all
traffic and give us overall totals; is this possible?

Thanks in advance for any help you can provide.

-Travis


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Travis Veazey wrote:
> Any time we make changes to the firewall configurations and issue a
> shorewall
> safe-restart command, all of our phone calls (we are using an Asterisk
> server behind our
> firewall) get dropped. 
What Shorewall version are you using and are you using Shorewall-shell
or Shorewall-perl?
> 
> The second question should be a really simple answer: When creating
> accounting rules,
> are these strictly first-matched like in the general rules file, or can
> multiple accounting
> rules be used to capture the same streams? Specifically, I want separate
> accounting
> chains for web, SVN, VOIP, etc. traffic, but I also want a single chain
> to capture all
> traffic and give us overall totals; is this possible?
Yes.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Tom,

Thanks for your swift reply, and sorry for missing such basic information
initially!

I''m using Shorewall-perl version 4.2.10 (latest available in
Ubuntu''s
repository).

-Travis

On Tue, Feb 2, 2010 at 10:34 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Travis Veazey wrote:
>
> > Any time we make changes to the firewall configurations and issue a
> > shorewall
> > safe-restart command, all of our phone calls (we are using an Asterisk
> > server behind our
> > firewall) get dropped.
>
> What Shorewall version are you using and are you using Shorewall-shell
> or Shorewall-perl?
>
> >
> > The second question should be a really simple answer: When creating
> > accounting rules,
> > are these strictly first-matched like in the general rules file, or
can
> > multiple accounting
> > rules be used to capture the same streams? Specifically, I want
separate
> > accounting
> > chains for web, SVN, VOIP, etc. traffic, but I also want a single
chain
> > to capture all
> > traffic and give us overall totals; is this possible?
>
> Yes.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
>
------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the
> business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>

-- 
"The reader is entertained by the journey of another, but the writer is the
changer of worlds."
- D''ni Proverb

0100111001000101010100100100010000100001
Stephen
Leacock<http://www.brainyquote.com/quotes/authors/s/stephen_leacock.html>
- "I detest life-insurance agents: they always argue that I shall some
day
die, which is not so."


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Travis Veazey wrote:
> Tom,
> 
> Thanks for your swift reply, and sorry for missing such basic information
> initially!
> 
> I''m using Shorewall-perl version 4.2.10 (latest available in
Ubuntu''s
> repository).
> 
> 
>     Travis Veazey wrote:
> 
>     > Any time we make changes to the firewall configurations and issue
a
>     > shorewall
>     > safe-restart command, all of our phone calls (we are using an
Asterisk
>     > server behind our
>     > firewall) get dropped.
The nat table rules are replaced atomically when using Shorewall-perl so
I think we need to look elsewhere. What other Shorewall features are you
using besides DNAT/SNAT and traffic shaping?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

>
> > Tom,
> >
> > Thanks for your swift reply, and sorry for missing such basic
information
> > initially!
> >
> > I''m using Shorewall-perl version 4.2.10 (latest available in
Ubuntu''s
> > repository).
> >
> >
> >     Travis Veazey wrote:
> >
> >     > Any time we make changes to the firewall configurations and
issue a
> >     > shorewall
> >     > safe-restart command, all of our phone calls (we are using an
> Asterisk
> >     > server behind our
> >     > firewall) get dropped.
>
> The nat table rules are replaced atomically when using Shorewall-perl so
> I think we need to look elsewhere. What other Shorewall features are you
> using besides DNAT/SNAT and traffic shaping?
>
> -Tom
>
We''re using DNAT, traffic shaping, accounting, and one change to the
modules
file as described here: http://www.shorewall.net/FAQ.htm#faq77  We have no
SNAT beyond the standard egress masquerade. We do have multiple IP
addresses on the external interface - 4, to be precise - but those are set
up via
our distribution''s built-in networking utilities, so Shorewall
shouldn''t be
doing
anything to those, right? We have DNAT rules that forward the same ports on
different IPs to different internal servers.

We also have a tunnel interface set up to accept OpenVPN connections, with
of course the necessary DNAT etc to make that work.

If there''s anything more specific you need to know, let me know. I
don''t
want
to just flood you with our config files. Thanks for your help!

-Travis


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Travis Veazey wrote:
>     > Tom,
>     >
>     > Thanks for your swift reply, and sorry for missing such basic
>     information
>     > initially!
>     >
>     > I''m using Shorewall-perl version 4.2.10 (latest available
in Ubuntu''s
>     > repository).
>     >
>     >
>     >     Travis Veazey wrote:
>     >
>     >     > Any time we make changes to the firewall configurations
and
>     issue a
>     >     > shorewall
>     >     > safe-restart command, all of our phone calls (we are
using
>     an Asterisk
>     >     > server behind our
>     >     > firewall) get dropped.
> 
>     The nat table rules are replaced atomically when using Shorewall-perl
so
>     I think we need to look elsewhere. What other Shorewall features are
you
>     using besides DNAT/SNAT and traffic shaping?
> 
>     -Tom
> 
> 
> We''re using DNAT, traffic shaping, accounting, and one change to
the modules
> file as described here: http://www.shorewall.net/FAQ.htm#faq77  We have no
> SNAT beyond the standard egress masquerade. We do have multiple IP
> addresses on the external interface - 4, to be precise - but those are
> set up via
> our distribution''s built-in networking utilities, so Shorewall
shouldn''t
> be doing anything to those, right?
Correct.
> We have DNAT rules that forward the same ports on
> different IPs to different internal servers.
> 
> We also have a tunnel interface set up to accept OpenVPN connections, with
> of course the necessary DNAT etc to make that work.
> 
> If there''s anything more specific you need to know, let me know. I
don''t
> want to just flood you with our config files. Thanks for your help!
Please send /var/lib/shorewall/firewall as an attachment to me privately.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com

Tom Eastep wrote:
> 
> Please send /var/lib/shorewall/firewall as an attachment to me privately.
> 
Sorry -- you said that you are running 4.0.10. The file I need is
/var/lib/shorewall/.restore.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com