Folks,

This is my first post to the group, I like Shorewall very much! Until now I have had no problems.

I recently built up a system to replace my old FW. The old one was OLD and running Ubuntu 8.04 LTS and Shorewall 4.0.6. Everything works fine. It still is going, however, I am unable to update it any more (no space). That is the reason for the exercise.

The new system is running Ubuntu 10.04.2 LTS and Shorewall 4.4.6. I copied all the files from /etc/shorewall from the old to the new. Things are working fine EXCEPT I am not able to obtain an IP address via DHCP from my provider for the outside world.

I have verified the configuration files contain exactly what I would expect to see there and have edited /etc/default/shorewall and set startup=1. Shorewall is running, yet no connection. There is nothing obvious in the logs that would indicate what the trouble might be.

What could be the problem? What information should I provide to help isolate the trouble?

Regards,
Jay

--
Jay Ridgley jridgley2@austin.rr.com
Registered Linux User ID - 9115
Registered Ubuntu User ID - 23320

Evi1M4chine
2011-Mar-05 13:55 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
Hello Jay,

At 2011-03-05 13:53, Jay Ridgley wrote:
> Things are working fine
> EXCEPT I am not able to obtain an IP address via DHCP from my provider for the
> outside world.

Have you verified it connects and gets an IP without Shorewall being installed? (To check if it’s related to Shorewall at all.)
If that works, the next step I would try, is the most minimal and open Shorewall configuration possible. (To check if it’s your configuration or Shorewall itself.)
Finally if that still works (verification it can work at all), you could add parts of your configuration, from the general to the specific, until it stops working. And there would be the problem.
If you can’t solve that one for yourself, I’d recommend asking here, and attaching the details about that specific rule or setting that caused it.

In case it’s related to Shorewall, but not because of your configuration, then (I’m no developer, just another user), I guess a good point to start is to send a “Shorewall dump” to this mailing list, as described in the support guide:
http://www.shorewall.net/support.htm#Guidelines

If it’s one thing I learned while using Linux (Oh, and while answering the ultimate question ;): There is no problem that is not resolvable. :)

Navid

Tom Eastep
2011-Mar-05 15:48 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
On 3/5/11 5:55 AM, Evi1M4chine wrote:
> Hello Jay,
>
> At 2011-03-05 13:53, Jay Ridgley wrote:
>> Things are working fine
>> EXCEPT I am not able to obtain an IP address via DHCP from my provider for the
>> outside world.
> Have you verified it connects and gets an IP without Shorewall being
> installed? (To check if it’s related to Shorewall at all.)
> If that works, the next step I would try, is the most minimal and open
> Shorewall configuration possible. (To check if it’s your configuration
> or Shorewall itself.)
> Finally if that still works (verification it can work at all), you could
> add parts of your configuration, from the general to the specific, until
> it stops working. And there would be the problem.
> If you can’t solve that one for yourself, I’d recommend asking here, and
> attaching the details about that specific rule or setting that caused it.
>
> In case it’s related to Shorewall, but not because of your
> configuration, then (I’m no developer, just another user), I guess a
> good point to start is to send a “Shorewall dump” to this mailing list,
> as described in the support guide:
> http://www.shorewall.net/support.htm#Guidelines
>
> If it’s one thing I learned while using Linux (Oh, and while answering
> the ultimate question ;): There is no problem that is not resolvable. :)
>

I will add one note to Navid's excellent advice; there is an article that attempts to explain all of the pitfalls when migrating to Shorewall 4.4. It's at:

http://www.shorewall.net/LennyToSqueeze.html

While the URL suggests that it is specific to Lenny->Squeeze Debian upgrades, the issues are exactly the same when going from Ubuntu 8.04 to Ubuntu 10.04.

Regards,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Jay Ridgley
2011-Mar-05 17:22 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
On 03/05/2011 09:48 AM, Tom Eastep wrote:
> On 3/5/11 5:55 AM, Evi1M4chine wrote:
>> Hello Jay,
>>
>> At 2011-03-05 13:53, Jay Ridgley wrote:
>>> Things are working fine
>>> EXCEPT I am not able to obtain an IP address via DHCP from my provider for the
>>> outside world.
>> Have you verified it connects and gets an IP without Shorewall being
>> installed? (To check if it’s related to Shorewall at all.)
>> If that works, the next step I would try, is the most minimal and open
>> Shorewall configuration possible. (To check if it’s your configuration
>> or Shorewall itself.)
>> Finally if that still works (verification it can work at all), you could
>> add parts of your configuration, from the general to the specific, until
>> it stops working. And there would be the problem.
>> If you can’t solve that one for yourself, I’d recommend asking here, and
>> attaching the details about that specific rule or setting that caused it.
>>
>> In case it’s related to Shorewall, but not because of your
>> configuration, then (I’m no developer, just another user), I guess a
>> good point to start is to send a “Shorewall dump” to this mailing list,
>> as described in the support guide:
>> http://www.shorewall.net/support.htm#Guidelines
>>
>> If it’s one thing I learned while using Linux (Oh, and while answering
>> the ultimate question ;): There is no problem that is not resolvable. :)
>>
>
> I will add one note to Navid's excellent advice; there is an article
> that attempts to explain all of the pitfalls when migrating to Shorewall
> 4.4. It's at:
>
> http://www.shorewall.net/LennyToSqueeze.html
>
> While the URL suggests that it is specific to Lenny->Squeeze Debian
> upgrades, the issues are exactly the same when going from Ubuntu 8.04 to
> Ubuntu 10.04.
>
> Regards,
> -Tom

Gentlemen (Navid and Tom),

I have tried to connect to my provider with a direct connection to the cable modem, no other connections present; NOT SUCCESSFUL...

I did notice that Shorewall was still listed in a ps display, even though I had set startup=0 in /etc/default/shorewall. Is there something else I must do to insure that Shorewall is not running? At this point I am not sure the problem lies in shorewall.

I will read the article you mention, Tom.

Thanks,
Jay

--
Jay Ridgley jridgley2@austin.rr.com
Registered Linux User ID - 9115
Registered Ubuntu User ID - 23320

Tom Eastep
2011-Mar-05 17:29 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
On 3/5/11 9:22 AM, Jay Ridgley wrote:
>
> Gentlemen (Navid and Tom),
>
> I have tried to connect to my provider with a direct connection to the cable
> modem, no other connections present; NOT SUCCESSFUL...

If you 'shorewall clear', can you connect?

>
> I did notice that Shorewall was still listed in a ps display, even though I had
> set startup=0 in /etc/default/shorewall. Is there something else I must do to
> insure that Shorewall is not running? At this point I am not sure the problem
> lies in shorewall.

Given that Shorewall is not a daemon, it should not appear in a 'ps' display unless there is an active shorewall operation in progress or you are running something like 'shorewall logwatch'. What exactly does the 'shorewall' entry in the 'ps' output look like?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Evi1M4chine
2011-Mar-05 17:56 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
>> I have tried to connect to my provider with a direct connection to the cable
>> modem, no other connections present; NOT SUCCESSFUL...
> If you 'shorewall clear', can you connect?

May I add, that of course, if you configured Shorewall in a way that when stopped, it blocks everything, or in a way that you need some rules for routing, and clearing removes that, you should make sure the routing is properly configured and everything is open. That’s why I said uninstalling (and doing the routing manually), instead of just stopping it.

>> I did notice that Shorewall was still listed in a ps display

Also, Jay, it is important when going through the steps of finding a problem, to always verify that things really are like described and expected (Shorewall is really stopped) on the current step, before trying the next step (connecting). Otherwise one loses sight of where one got stuck (At “Shorewall not stopping”, instead of “not being able to connect”.)

I know that it might become tedious and one gets impatient, because I did the same thing in the past, but haste makes it worse, leading to messing around for days, instead of focusing on the problem. I don’t want you to fall into the same trap. :)

Navid

Jay Ridgley
2011-Mar-05 18:47 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
On 03/05/2011 11:29 AM, Tom Eastep wrote:
> On 3/5/11 9:22 AM, Jay Ridgley wrote:
>
>>
>> Gentlemen (Navid and Tom),
>>
>> I have tried to connect to my provider with a direct connection to the cable
>> modem, no other connections present; NOT SUCCESSFUL...
>
> If you 'shorewall clear', can you connect?

Message returned is "Shorewall has never been started", see below (my bad).

Still no connection, it has to be something in my network config information, at least that is what I am thinking at this point.

>>
>> I did notice that Shorewall was still listed in a ps display, even though I had
>> set startup=0 in /etc/default/shorewall. Is there something else I must do to
>> insure that Shorewall is not running? At this point I am not sure the problem
>> lies in shorewall.
>
> Given that Shorewall is not a daemon, it should not appear in a 'ps'
> display unless there is an active shorewall operation in progress or you
> are running something like 'shorewall logwatch'. What exactly does the
> 'shorewall' entry in the 'ps' output look like?

I was wrong... what I was seeing was the result of my grep.

I am going to go read the info you suggested and will also research into why I am unable to connect at all. I will be out of pocket for the rest of today.

Thanks to you both for your assistance. I will not give up and will be sure to take notes of what I do going forward. I am also going to review the config file settings in detail (by doing a diff between the running set and the new ones), let me know if a copy of that would be significant.

Thanks again,
Jay

>
> -Tom

--
Jay Ridgley jridgley2@austin.rr.com
Registered Linux User ID - 9115
Registered Ubuntu User ID - 23320

Tom Eastep
2011-Mar-05 18:53 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
On 3/5/11 10:47 AM, Jay Ridgley wrote:
>
> Thanks to you both for your assistance. I will not give up and will be sure to
> take notes of what I do going forward. I am also going to review the config file
> settings in detail (by doing a diff between the running set and the new ones),
> let me know if a copy of that would be significant.

Jay,

I think you need to solve your connection problem to your ISP before dealing with Shorewall. Be sure that Shorewall is cleared while you are troubleshooting that part.

When asking for assistance with connection problems, we always want to see the output of 'shorewall dump' rather than your configuration files. See the link that Navid referred you to for guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Roberto C. Sánchez
2011-Mar-05 20:25 UTC
Re: Problems moving from 4.0.6 to 4.4.6 and to a new system
On Sat, Mar 05, 2011 at 12:47:18PM -0600, Jay Ridgley wrote:
>
> I was wrong... what I was seeing was the result of my grep.
>

    ps aux | grep -i [s]horewall

That will prevent your grep command from grepping itself. The key part is to enclose one letter in the square brackets.

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

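
An added illustration of the bracket tip above, not part of any post in the thread: it counts matches against a constructed `ps aux` listing to show why the plain pattern reports a Shorewall process when none exists, and what an unquoted `[s]horewall` turns into in a directory that holds a file named shorewall. The function names and the process lines are hypothetical sample data.

```shell
#!/bin/sh
# Constructed `ps aux` listing. $1 is the grep pattern exactly as grep received
# it; $2 = "running" adds a genuine Shorewall process line to the listing.
ps_listing() {
    echo "root   812 0.0 0.1 49952 2664 ?     Ss 09:01 0:00 /usr/sbin/sshd"
    if [ "$2" = running ]; then
        echo "root  2105 0.0 0.1  4400 1520 pts/1 S+ 11:18 0:00 /bin/sh /sbin/shorewall logwatch"
    fi
    # grep's own entry: its command line carries the pattern text verbatim.
    echo "jay   2291 0.0 0.0  7624  932 pts/0 S+ 11:20 0:00 grep -i $1"
}

# Number of listing lines the pattern matches, grep's own line included if hit.
# grep -c exits non-zero on a count of 0, hence the "|| true".
count_matches() {
    ps_listing "$1" "$2" | grep -ic -- "$1" || true
}

# What an unquoted [s]horewall becomes when typed in directory $1: the shell
# treats it as a filename glob before grep ever sees it.
expanded_in() (
    cd "$1" && echo [s]horewall
)

echo "plain pattern, nothing running:     $(count_matches shorewall)"
echo "bracketed pattern, nothing running: $(count_matches '[s]horewall')"
echo "bracketed pattern, logwatch active: $(count_matches '[s]horewall' running)"
```

Quoting the pattern, as in `ps aux | grep -i '[s]horewall'`, keeps the shell from expanding it when the current directory (for example /etc/default) contains a file named shorewall.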