Bruce Edge
2012-Apr-16 20:48 UTC
Shorewall 2 port fw problems with one specific internet host.
Shorewall is, in general, working fine. Much better than ufw imho.

I have one single problem with one single web site on a 2 interface fw.

If I plug into my cable modem directly, this site works fine.

I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I can't get to it even from the fw itself.

With the cable modem on eth0 of my fw, neither machines behind it on eth1, or the fw itself can get this one specific web site.

I have not noticed problems with any other sites.

Both dns & traceroute report the same end results whether plugged into cable modem direct, or behind the fw so I'm at a loss as to where to look next.

policy:

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    loc       net    ACCEPT
    loc       $FW    ACCEPT
    # Let FW go wherever
    $FW       net    ACCEPT
    $FW       loc    ACCEPT
    $FW       all    REJECT   info
    #
    # Policies for traffic originating from the Internet zone (net)
    #
    net       $FW    DROP     info
    net       loc    DROP     info
    net       all    DROP     info
    # THE FOLLOWING POLICY MUST BE LAST

rules:

    DNS(ACCEPT)    $FW    net
    #
    # Accept SSH connections from the local network for administration
    #
    SSH(ACCEPT)    net    $FW
    SSH(ACCEPT)    loc    $FW
    #
    # Allow Ping from the local network
    #
    Ping(ACCEPT)   loc    $FW
    #
    # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
    #
    Ping(DROP)     net    $FW
    ACCEPT         $FW    loc    icmp
    ACCEPT         $FW    net    icmp

interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
    loc     eth1        detect      tcpflags,nosmurfs,routefilter,logmartians

masq:

    #INTERFACE   SOURCE        ADDRESS   PROTO   PORT(S)   IPSEC   MARK
    eth0         10.1.1.0/8

zones:

    #ZONE   TYPE       OPTIONS   IN OUT
    #                            OPTIONS OPTIONS
    fw      firewall
    net     ipv4
    loc     ipv4

Both curl & wget also fail. Here's the curl output:

    130 #> curl -v "https://www5.v1host.com"
    * About to connect() to www5.v1host.com port 443 (#0)
    *   Trying 209.34.82.239... connected
    * Connected to www5.v1host.com (209.34.82.239) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using RC4-MD5
    * Server certificate:
    *   subject: serialNumber=2duG-ipSr4CUsFthi6dD0sRSicGl103e; C=US; ST=Georgia; L=Alpharetta; O=VersionOne, Inc.; OU=Corporate; CN=*.v1host.com
    *   start date: 2012-02-09 02:59:13 GMT
    *   expire date: 2013-05-12 20:47:54 GMT
    *   subjectAltName: www5.v1host.com matched
    *   issuer: C=US; O=GeoTrust, Inc.; CN=GeoTrust SSL CA
    *   SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
    > Host: www5.v1host.com
    > Accept: */*
    >

then nothing...

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
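The policy file posted above relies on ordering: Shorewall uses the first policy entry that matches a (source zone, destination zone) pair, so an entry with `all` in SOURCE or DEST placed too early silently shadows every more specific entry after it, which is why the comment says the catch-all must be last. The following checker is an added example, not code from this thread or from Shorewall; it parses a policy file in the three-column format shown above, reports shadowed entries, and answers "which policy applies to zone A to zone B" by the same first-match rule. `SAMPLE_POLICY` is a constructed copy of Bruce's policy file with comments trimmed; the Policy class and function names are this example's own.

```python
"""Lint a Shorewall-style /etc/shorewall/policy file for shadowed entries.

Added example (not from the mailing-list thread or from Shorewall).
It models the documented first-match rule: the first policy line whose
SOURCE and DEST match a zone pair wins, and 'all' matches any zone.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the policy file posted in the thread (comments removed).
SAMPLE_POLICY = """\
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       net    ACCEPT
loc       $FW    ACCEPT
$FW       net    ACCEPT
$FW       loc    ACCEPT
$FW       all    REJECT   info
net       $FW    DROP     info
net       loc    DROP     info
net       all    DROP     info
"""


@dataclass
class Policy:
    source: str
    dest: str
    action: str
    log_level: Optional[str]
    lineno: int


def parse_policy(text: str) -> List[Policy]:
    """Parse SOURCE DEST POLICY [LOG LEVEL ...] lines; '#' starts a comment."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected SOURCE DEST POLICY, got {raw!r}")
        src, dst, action = fields[:3]
        # A '-' in the LOG LEVEL column means "no logging" in Shorewall files.
        level = fields[3] if len(fields) > 3 and fields[3] != "-" else None
        policies.append(Policy(src, dst, action.upper(), level, lineno))
    return policies


def _matches(policy: Policy, src: str, dst: str) -> bool:
    return policy.source in ("all", src) and policy.dest in ("all", dst)


def covers(general: Policy, specific: Policy) -> bool:
    """True when every zone pair matched by `specific` is already matched by `general`."""
    return ((general.source == "all" or general.source == specific.source)
            and (general.dest == "all" or general.dest == specific.dest))


def find_shadowed(policies: List[Policy]) -> List[Tuple[Policy, Policy]]:
    """Return (earlier, later) pairs where the earlier entry makes the later one unreachable."""
    shadowed = []
    for i, earlier in enumerate(policies):
        for later in policies[i + 1:]:
            if covers(earlier, later):
                shadowed.append((earlier, later))
    return shadowed


def effective_policy(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """First-match lookup: the policy Shorewall would apply for src -> dst, or None."""
    for policy in policies:
        if _matches(policy, src, dst):
            return policy
    return None


def lint_report(text: str) -> List[str]:
    """Human-readable findings for a policy file: shadowed entries and a missing catch-all."""
    policies = parse_policy(text)
    findings = [
        f"line {later.lineno} ({later.source} {later.dest} {later.action}) is shadowed "
        f"by line {earlier.lineno} ({earlier.source} {earlier.dest} {earlier.action})"
        for earlier, later in find_shadowed(policies)
    ]
    if not any(p.source == "all" and p.dest == "all" for p in policies):
        findings.append("no 'all all' catch-all policy: unlisted zone pairs fall back to the default")
    return findings


if __name__ == "__main__":
    for line in lint_report(SAMPLE_POLICY) or ["no shadowed entries"]:
        print(line)
    hit = effective_policy(parse_policy(SAMPLE_POLICY), "net", "loc")
    print(f"net -> loc: {hit.action} (line {hit.lineno})")
```

Run against the posted file it reports nothing shadowed, because the `$FW all REJECT` line can only hide later entries whose source is `$FW`, and the `net all DROP` line is last. Swapping `net all DROP` ahead of `net loc DROP` is the kind of ordering slip it is meant to catch.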
Tom Eastep
2012-Apr-16 21:28 UTC
Re: Shorewall 2 port fw problems with one specific internet host.
On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:

> Shorewall is, in general, working fine. Much better than ufw imho.
>
> I have one single problem with one single web site on a 2 interface fw.
>
> If I plug into my cable modem directly, this site works fine.
>
> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I can't get to it even from the fw itself.
>
> With the cable modem on eth0 of my fw, neither machines behind it on eth1, or the fw itself can get this one specific web site.

If you temporarily 'shorewall clear', can you access the site from the fw? (be sure to 'shorewall start' after testing.)

Tom
Bruce Edge
2012-Apr-16 22:21 UTC
Re: Shorewall 2 port fw problems with one specific internet host.
On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net> wrote:

> On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
>
>> Shorewall is, in general, working fine. Much better than ufw imho.
>>
>> I have one single problem with one single web site on a 2 interface fw.
>>
>> If I plug into my cable modem directly, this site works fine.
>>
>> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I can't get to it even from the fw itself.
>>
>> With the cable modem on eth0 of my fw, neither machines behind it on eth1, or the fw itself can get this one specific web site.
>
> If you temporarily 'shorewall clear', can you access the site from the fw? (be sure to 'shorewall start' after testing.)
>
> Tom

No, that's the part I don't understand. Even that doesn't work.

Just to re-iterate for clarity, even after a "shorewall clear" I still cannot access that site from either the fw or any machines behind it.

-Bruce
Tom Eastep
2012-Apr-16 22:26 UTC
Re: Shorewall 2 port fw problems with one specific internet host.
On 04/16/2012 03:21 PM, Bruce Edge wrote:

> On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
>     On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
>
>> Shorewall is, in general, working fine. Much better than ufw imho.
>>
>> I have one single problem with one single web site on a 2 interface fw.
>>
>> If I plug into my cable modem directly, this site works fine.
>>
>> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I can't get to it even from the fw itself.
>>
>> With the cable modem on eth0 of my fw, neither machines behind it on eth1, or the fw itself can get this one specific web site.
>
>     If you temporarily 'shorewall clear', can you access the site from the fw? (be sure to 'shorewall start' after testing.)
>
>     Tom
>
> No, that's the part I don't understand. Even that doesn't work.
>
> Just to re-iterate for clarity, even after a "shorewall clear" I still cannot access that site from either the fw or any machines behind it.

Then I'm afraid that your problem has nothing to do with your Shorewall configuration.

-Tom
Bruce Edge
2012-Apr-17 16:44 UTC
Re: Shorewall 2 port fw problems with one specific internet host.
On Mon, Apr 16, 2012 at 3:26 PM, Tom Eastep <teastep@shorewall.net> wrote:

> On 04/16/2012 03:21 PM, Bruce Edge wrote:
>
> > On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net> wrote:
> >
> >     On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
> >
> >> Shorewall is, in general, working fine. Much better than ufw imho.
> >>
> >> I have one single problem with one single web site on a 2 interface fw.
> >>
> >> If I plug into my cable modem directly, this site works fine.
> >>
> >> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I can't get to it even from the fw itself.
> >>
> >> With the cable modem on eth0 of my fw, neither machines behind it on eth1, or the fw itself can get this one specific web site.
> >
> >     If you temporarily 'shorewall clear', can you access the site from the fw? (be sure to 'shorewall start' after testing.)
> >
> >     Tom
> >
> > No, that's the part I don't understand. Even that doesn't work.
> >
> > Just to re-iterate for clarity, even after a "shorewall clear" I still cannot access that site from either the fw or any machines behind it.
>
> Then I'm afraid that your problem has nothing to do with your Shorewall configuration.

Not surprisingly, you were right.

Just to follow up in case this helps anyone else, I fixed this by forcing my MTU to 1500 on both interfaces.
No clue why I only saw this on one specific site.

Thanks for being patient with the clueless.

-Bruce

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
Tom Eastep
2012-Apr-17 16:50 UTC
Re: Shorewall 2 port fw problems with one specific internet host.
On 4/17/12 9:44 AM, Bruce Edge wrote:

> On Mon, Apr 16, 2012 at 3:26 PM, Tom Eastep <teastep@shorewall.net> wrote:
>
>     On 04/16/2012 03:21 PM, Bruce Edge wrote:
>
>     > On Mon, Apr 16, 2012 at 2:28 PM, Tom Eastep <teastep@shorewall.net> wrote:
>     >
>     >     On Apr 16, 2012, at 1:48 PM, Bruce Edge <bruce.edge@gmail.com> wrote:
>     >
>     >> Shorewall is, in general, working fine. Much better than ufw imho.
>     >>
>     >> I have one single problem with one single web site on a 2 interface fw.
>     >>
>     >> If I plug into my cable modem directly, this site works fine.
>     >>
>     >> I cannot access: https://www5.v1host.com/ from behind shorewall. In fact, I can't get to it even from the fw itself.
>     >>
>     >> With the cable modem on eth0 of my fw, neither machines behind it on eth1, or the fw itself can get this one specific web site.
>     >
>     >     If you temporarily 'shorewall clear', can you access the site from the fw? (be sure to 'shorewall start' after testing.)
>     >
>     >     Tom
>     >
>     > No, that's the part I don't understand. Even that doesn't work.
>     >
>     > Just to re-iterate for clarity, even after a "shorewall clear" I still cannot access that site from either the fw or any machines behind it.
>
>     Then I'm afraid that your problem has nothing to do with your Shorewall configuration.
>
> Not surprisingly, you were right.
>
> Just to follow up in case this helps anyone else, I fixed this by forcing my MTU to 1500 on both interfaces.
> No clue why I only saw this on one specific site.

A misconfigured router between you and that site is breaking path MTU discovery.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
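Tom's diagnosis explains the shape of the curl output in the first message: every packet of the TLS handshake is small and gets through, while the first full-size data packet carrying the HTTP response never arrives. Path MTU discovery only works if the router that cannot forward a DF packet sends back an ICMP "fragmentation needed" message with its next-hop MTU; when a hop on the path filters that ICMP, the sender keeps retransmitting the same oversized packet until it gives up, and nothing ever shows up at the client. The model below is an added example, not code from this thread or from Shorewall. The path, its link MTUs (1492 is a typical value for a PPPoE hop) and the hop that drops ICMP are constructed; `Hop`, `Sender`, `forward`, `send_segment` and `clamp_mss` are this example's own names. It shows the blackhole, the same path with working PMTUD, and the standard workaround of clamping the TCP MSS below the smallest link MTU (in Shorewall the CLAMPMSS setting in shorewall.conf, which applies the iptables TCPMSS target).

```python
"""Model of a path-MTU-discovery blackhole and the MSS-clamping workaround.

Added example (not from the mailing-list thread or from Shorewall).
All hosts, MTUs and the ICMP-filtering hop below are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options


@dataclass
class Hop:
    name: str
    mtu: int                 # MTU of the link this hop forwards onto
    drops_icmp: bool = False  # misconfigured: filters ICMP "fragmentation needed"


@dataclass
class Sender:
    """A TCP endpoint that sets DF on every packet and honours PMTUD feedback."""
    mtu: int = 1500
    mss: int = 1460            # what the peer advertised (or what a middlebox clamped it to)
    path_mtu: int = field(init=False)

    def __post_init__(self) -> None:
        self.path_mtu = self.mtu  # starts optimistic: assumes the path is as wide as its own link


def forward(packet_len: int, path: List[Hop]) -> Tuple[bool, Optional[int]]:
    """Carry one DF packet across the path.

    Returns (delivered, next_hop_mtu). A hop whose link is too small must drop the
    packet; a correctly configured one also reports its MTU via ICMP type 3 code 4,
    a misconfigured one reports nothing, so the sender never learns why it failed.
    """
    for hop in path:
        if packet_len > hop.mtu:
            return False, (None if hop.drops_icmp else hop.mtu)
    return True, None


def send_segment(sender: Sender, payload: int, path: List[Hop]) -> int:
    """Send `payload` bytes as DF packets, adapting to ICMP feedback.

    Returns the number of packets delivered, or -1 when the transfer stalls
    (the sender retransmits the same oversized packet and nothing ever arrives).
    """
    delivered, remaining = 0, payload
    while remaining > 0:
        data = min(remaining, sender.mss, sender.path_mtu - IP_TCP_HEADERS)
        ok, next_hop_mtu = forward(data + IP_TCP_HEADERS, path)
        if ok:
            delivered += 1
            remaining -= data
        elif next_hop_mtu is not None and next_hop_mtu < sender.path_mtu:
            sender.path_mtu = next_hop_mtu  # PMTUD working: shrink and retry
        else:
            return -1  # blackhole: no ICMP, no progress
    return delivered


def clamp_mss(link_mtu: int) -> int:
    """MSS that keeps every full segment within `link_mtu` (what TCPMSS clamping enforces)."""
    return link_mtu - IP_TCP_HEADERS


def run_scenarios() -> dict:
    """Small request vs. large response, with and without the fix."""
    blackhole = [Hop("isp-router", mtu=1492, drops_icmp=True)]
    healthy = [Hop("isp-router", mtu=1492)]
    return {
        "request_200B_blackhole": send_segment(Sender(), 200, blackhole),
        "response_4000B_blackhole": send_segment(Sender(), 4000, blackhole),
        "response_4000B_pmtud_ok": send_segment(Sender(), 4000, healthy),
        "response_4000B_clamped": send_segment(Sender(mss=clamp_mss(1492)), 4000, blackhole),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'stalled' if result < 0 else f'{result} packet(s) delivered'}")
```

The handshake-sized request succeeds and the response stalls on the same path, which is why only sites reached through the broken hop appear affected while everything else works. Clamping the MSS sidesteps the problem because the endpoints never emit a packet larger than the smallest link, so the missing ICMP feedback is never needed.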