Shorewall users - Apr 2012 - Shorewall 2 port fw problems with one specific internet host.

Shorewall is, in general, working fine. Much better then ufw imho.

I have one single problem with one single web site on a 2 interface fw.

If I plug into my cable modem directly, this site works fine.

I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I
can''t get to it even from the fw itself.

With the cable modem on eth0 of my fw, neither machines behind it on eth1,
or the fw itself can get this one specific web site.
I have not noticed problems with any other sites.

Both dns & traceroute report the same end results whether plugged into
cable modem direct, or behind the fw so I''m at a loss as to where to
look
next.

policy:
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             net             ACCEPT
loc             $FW             ACCEPT

# Let FW go wherever
$FW             net             ACCEPT
$FW             loc             ACCEPT
$FW             all             REJECT          info

#
# Policies for traffic originating from the Internet zone (net)
#
net             $FW             DROP            info
net             loc             DROP            info
net             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST

rules:

DNS(ACCEPT) $FW net
#
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT) net $FW
SSH(ACCEPT) loc $FW
#
# Allow Ping from the local network
#
Ping(ACCEPT) loc $FW
#
# Drop Ping from the "bad" net zone.. and prevent your log from being
flooded..
#
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp

interfaces:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect
 dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1            detect
 tcpflags,nosmurfs,routefilter,logmartians

masq:

#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
IPSEC   MARK
eth0                    10.1.1.0/8

zones:
#ZONE   TYPE    OPTIONS                 IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4

Both curl & wget also fail. Here''s the curl output:

130 #> curl -v  "https://www5.v1host.com"
* About to connect() to www5.v1host.com port 443 (#0)
*   Trying 209.34.82.239... connected
* Connected to www5.v1host.com (209.34.82.239) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*        subject: serialNumber=2duG-ipSr4CUsFthi6dD0sRSicGl103e; C=US;
ST=Georgia; L=Alpharetta; O=VersionOne, Inc.; OU=Corporate; CN=*.v1host.com
*        start date: 2012-02-09 02:59:13 GMT
*        expire date: 2013-05-12 20:47:54 GMT
*        subjectAltName: www5.v1host.com matched
*        issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6
OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
> Host: www5.v1host.com
> Accept: */*
>
then nothing...


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
> Shorewall is, in general, working fine. Much better then ufw imho.
> 
> I have one single problem with one single web site on a 2 interface fw.
> 
> If I plug into my cable modem directly, this site works fine. 
> 
> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I
can''t get to it even from the fw itself.
> 
> With the cable modem on eth0 of my fw, neither machines behind it on eth1,
or the fw itself can get this one specific web site.
If you temporarily ''shorewall clear'', can you access the site
from the fw? (be sure to ''shorewall .
start'' after testing.

Tom

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
> On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
>
> Shorewall is, in general, working fine. Much better then ufw imho.
>
> I have one single problem with one single web site on a 2 interface fw.
>
> If I plug into my cable modem directly, this site works fine.
>
> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact,
> I can''t get to it even from the fw itself.
>
> With the cable modem on eth0 of my fw, neither machines behind it on eth1,
> or the fw itself can get this one specific web site.
>
>
> If you temporarily ''shorewall clear'', can you access the
site from the fw?
> (be sure to ''shorewall .
> start'' after testing.
>
> Tom
>
No, that''s the part I don''t understand. Even that
doesn''t work.

Just to re-iterate for clarity, even after a "shorewall clear" I still
cannot access that site from either the fw or any machines behind it.

-Bruce


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On 04/16/2012 03:21 PM, Bruce Edge wrote:
> 
> 
> On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net
> <mailto:teastep@shorewall.net>> wrote:
> 
> 
>     On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com
>     <mailto:bruce.edge@gmail.com>> wrote:
> 
>>     Shorewall is, in general, working fine. Much better then ufw imho.
>>
>>     I have one single problem with one single web site on a 2
>>     interface fw.
>>
>>     If I plug into my cable modem directly, this site works fine. 
>>
>>     I cannot access: https://www5.v1host.com/ from behind shorewall.
>>     In fact, I can''t get to it even from the fw itself. 
>>
>>     With the cable modem on eth0 of my fw, neither machines behind it
>>     on eth1, or the fw itself can get this one specific web site. 
> 
>     If you temporarily ''shorewall clear'', can you access
the site from
>     the fw? (be sure to ''shorewall .
>     start'' after testing.
> 
>     Tom
> 
> 
> No, that''s the part I don''t understand. Even that
doesn''t work.
> 
> Just to re-iterate for clarity, even after a "shorewall clear" I
still
> cannot access that site from either the fw or any machines behind it.
Then I''m afraid that your problem has nothing to do with your Shorewall
configuration.

-Tom



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2

On Mon, Apr 16, 2012 at 3:26 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 04/16/2012 03:21 PM, Bruce Edge wrote:
> >
> >
> > On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net
> > <mailto:teastep@shorewall.net>> wrote:
> >
> >
> >     On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com
> >     <mailto:bruce.edge@gmail.com>> wrote:
> >
> >>     Shorewall is, in general, working fine. Much better then ufw
imho.
> >>
> >>     I have one single problem with one single web site on a 2
> >>     interface fw.
> >>
> >>     If I plug into my cable modem directly, this site works fine.
> >>
> >>     I cannot access: https://www5.v1host.com/ from behind
shorewall.
> >>     In fact, I can''t get to it even from the fw itself.
> >>
> >>     With the cable modem on eth0 of my fw, neither machines behind
it
> >>     on eth1, or the fw itself can get this one specific web site.
> >
> >     If you temporarily ''shorewall clear'', can you
access the site from
> >     the fw? (be sure to ''shorewall .
> >     start'' after testing.
> >
> >     Tom
> >
> >
> > No, that''s the part I don''t understand. Even that
doesn''t work.
> >
> > Just to re-iterate for clarity, even after a "shorewall
clear" I still
> > cannot access that site from either the fw or any machines behind it.
>
> Then I''m afraid that your problem has nothing to do with your
Shorewall
> configuration.
>
>
Not surprisingly, you were right.

Just to followup in case this helps anyone else, I fixed this by forcing my
MTU to 1500 on both interfaces.
No clue why I only saw this on one specific site.

Thanks for being patient with the clueless.

-Bruce


------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev

On 4/17/12 9:44 AM, Bruce Edge wrote:
> 
> 
> On Mon, Apr 16, 2012 at 3:26 PM, Tom Eastep <teastep@shorewall.net
> <mailto:teastep@shorewall.net>> wrote:
> 
>     On 04/16/2012 03:21 PM, Bruce Edge wrote:
>     >
>     >
>     > On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep
<teastep@shorewall.net
>     <mailto:teastep@shorewall.net>
>     > <mailto:teastep@shorewall.net
<mailto:teastep@shorewall.net>>> wrote:
>     >
>     >
>     >     On Apr 16, 2012, at 1:48 PM, Bruce Edge
<bruce.edge@gmail.com
>     <mailto:bruce.edge@gmail.com>
>     >     <mailto:bruce.edge@gmail.com
<mailto:bruce.edge@gmail.com>>>
>     wrote:
>     >
>     >>     Shorewall is, in general, working fine. Much better then
ufw
>     imho.
>     >>
>     >>     I have one single problem with one single web site on a 2
>     >>     interface fw.
>     >>
>     >>     If I plug into my cable modem directly, this site works
fine.
>     >>
>     >>     I cannot access: https://www5.v1host.com/ from behind
shorewall.
>     >>     In fact, I can''t get to it even from the fw
itself.
>     >>
>     >>     With the cable modem on eth0 of my fw, neither machines
behind it
>     >>     on eth1, or the fw itself can get this one specific web
site.
>     >
>     >     If you temporarily ''shorewall clear'', can
you access the site from
>     >     the fw? (be sure to ''shorewall .
>     >     start'' after testing.
>     >
>     >     Tom
>     >
>     >
>     > No, that''s the part I don''t understand. Even
that doesn''t work.
>     >
>     > Just to re-iterate for clarity, even after a "shorewall
clear" I still
>     > cannot access that site from either the fw or any machines behind
it.
> 
>     Then I''m afraid that your problem has nothing to do with your
Shorewall
>     configuration.
> 
> 
> Not surprisingly, you were right. 
> 
> Just to followup in case this helps anyone else, I fixed this by forcing
> my MTU to 1500 on both interfaces.
> No clue why I only saw this on one specific site.
A misconfigured router between you and that site is breaking path MTU
discovery.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second 
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev