Matthias Sitte
2012-Jul-06 15:52 UTC
Shorewall fails to start correctly when rebooting Debian Squeeze server
Hi there,

I'm quite puzzled with the proper configuration of Shorewall. I'm running Debian Squeeze in an OpenVZ container (virtual server with 3rd party company).

After installing and configuring Shorewall, I've tested the config by pinging the server -- it didn't respond as anticipated. Changing Ping(DROP) to Ping(ACCEPT) and reloading the config I had full response on my ping, so the firewall seems to work correctly, and I changed back to Ping(DROP).

Of course, Shorewall should automatically start when rebooting. Making the appropriate changes to shorewall.conf and /etc/default/shorewall it should all be fine -- but it ain't somehow.

First thing I've noticed are messages like "FATAL: Could not load /lib/modules/2.6.32-028stab092.1/modules.dep: No such file or directory". Solved by removing the module-init-tools package (see Shorewall documentation on OpenVZ).

Again, reboot, and I can still ping the system. Bring Shorewall down and up again -- no response on a ping. Why??

Looking at the /var/log/shorewall-init.log I've noticed that it looks somehow "messed up" as if two instances of Shorewall were started simultaneously while booting. They seem to interfere and leave an empty iptables (see shorewall-init.log.1.gz). However, after stopping/starting Shorewall, the iptables are filled correctly and the firewall works (see shorewall-init.log.2.gz).

So, does anyone have an idea what goes wrong here? I'd be happy if you could help me out with this one or point me to some websites where the problem is solved.

Cheers,
Matthias

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Tom Eastep
2012-Jul-06 16:43 UTC
Re: Shorewall fails to start correctly when rebooting Debian Squeeze server
On 07/06/2012 08:52 AM, Matthias Sitte wrote:
> Hi there,
>
> I'm quite puzzled with the proper configuration of Shorewall. I'm
> running Debian Squeeze in an OpenVZ container (virtual server with
> 3rd party company).

That's interesting -- most people trying to run Shorewall in an OpenVZ container under Squeeze find that outgoing connections from the firewall don't work at all because Netfilter connection tracking is totally broken. Possibly there has finally been a fix for that.

> Of course, Shorewall should automatically start when rebooting.
> Making the appropriate changes to shorewall.conf and
> /etc/default/shorewall it should all be fine -- but it ain't
> somehow.
>
> Again, reboot, and I can still ping the system. Bring Shorewall down
> and up again -- no response on a ping.

How are you bringing Shorewall down and up again? Using /etc/init.d/shorewall or /sbin/shorewall?

> Why??
>
> Looking at the /var/log/shorewall-init.log I've noticed that it looks
> somehow "messed up" as if two instances of Shorewall were started
> simultaneously while booting. They seem to interfere and leave an
> empty iptables (see shorewall-init.log.1.gz).

Have you confirmed that it is empty? It looks to me as if Shorewall's stdout file and STARTUP_LOG files are both pointing to /var/log/shorewall-init.log. That is causing the duplication of messages that you are seeing. Given that the two seem to have different verbosity (and STARTUP_LOG has timestamps), the buffers of the two files get filled at a different rate so they get flushed to disk at different points.

> However, after stopping/starting Shorewall, the iptables are filled
> correctly and the firewall works (see shorewall-init.log.2.gz).
>
> So, does anyone have an idea what goes wrong here? I'd be happy if
> you could help me out with this one or point me to some websites
> where problem is solved.

I don't think we know exactly what the problem is at this point.
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Matthias Sitte
2012-Jul-06 17:15 UTC
Re: Shorewall fails to start correctly when rebooting Debian Squeeze server
Hi Tom,

thanks for your quick reply.

On 07/06/2012 06:43 PM, Tom Eastep wrote:
> On 07/06/2012 08:52 AM, Matthias Sitte wrote:
>> Hi there,
>>
>> I'm quite puzzled with the proper configuration of Shorewall. I'm
>> running Debian Squeeze in an OpenVZ container (virtual server with
>> 3rd party company).
>
> That's interesting -- most people trying to run Shorewall in an OpenVZ
> container under Squeeze find that outgoing connections from the firewall
> don't work at all because Netfilter connection tracking is totally
> broken. Possibly there has finally been a fix for that.

I'd be happy to share more details if you tell me what you need (versions of which packages etc) to see why it works. It's a clean system with nothing but Shorewall installed. The config files for Shorewall are pretty simple.

>
>> Of course, Shorewall should automatically start when rebooting.
>> Making the appropriate changes to shorewall.conf and
>> /etc/default/shorewall it should all be fine -- but it ain't
>> somehow.
>>
>
>> Again, reboot, and I can still ping the system. Bring Shorewall down
>> and up again -- no response on a ping.
>
> How are you bringing Shorewall down and up again? Using
> /etc/init.d/shorewall or /sbin/shorewall?

I'm simply using `shorewall stop' and `shorewall start'. Just to be on the safe side, I've checked that using `/etc/init.d/shorewall stop' and `/etc/init.d/shorewall start' has the same outcome, i.e., `iptables -L' shows the "correct" set of rules.

>
>> Why??
>>
>> Looking at the /var/log/shorewall-init.log I've noticed that it looks
>> somehow "messed up" as if two instances of Shorewall were started
>> simultaneously while booting. They seem to interfere and leave an
>> empty iptables (see shorewall-init.log.1.gz).
>
> Have you confirmed that it is empty? It looks to me as if Shorewall's
> stdout file and STARTUP_LOG files are both pointing to
> /var/log/shorewall-init.log. That is causing the duplication of messages
> that you are seeing. Given that the two seem to have different verbosity
> (and STARTUP_LOG has timestamps), the buffers of the two files get
> filled at a different rate so they get flushed to disk at different points.

Hm, I didn't realize that Shorewall might be using the same file for both `stdout' and STARTUP_LOG. I'll check on that ...

Anyway, right after the system comes up, `iptables -L' gives me empty lists:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Stopping/starting Shorewall as described above makes it work nicely, though.

>
>> However, after stopping/starting Shorewall, the iptables are filled
>> correctly and the firewall works (see shorewall-init.log.2.gz).
>>
>> So, does anyone have an idea what goes wrong here? I'd be happy if
>> you could help me out with this one or point me to some websites
>> where problem is solved.
>
> I don't think we know exactly what the problem is at this point.

A wild guess: I could check the /etc/init.d/* scripts for other things that might interfere with the iptables...

>
> -Tom
>
Tom Eastep
2012-Jul-06 17:25 UTC
Re: Shorewall fails to start correctly when rebooting Debian Squeeze server
On 07/06/2012 10:15 AM, Matthias Sitte wrote:
> I'd be happy to share more details if you tell me what you need
> (versions of which packages etc) to see why it works. It's a clean
> system with nothing but Shorewall installed. The config files for
> Shorewall are pretty simple.
>

If you are able to create connections from the container to other hosts with Shorewall started, you are not experiencing the problem that others have run into.

>>
>>> Of course, Shorewall should automatically start when rebooting.
>>> Making the appropriate changes to shorewall.conf and
>>> /etc/default/shorewall it should all be fine -- but it ain't
>>> somehow.

>
> Anyway, right after the system comes up, `iptables -L' gives me empty lists:
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Stopping/starting Shorewall as described above makes it work nicely, though.

Try placing that command in /etc/shorewall/started and see if that still gives the same output when shorewall runs at boot (output should be in /var/log/shorewall-init.log so long as stdout is being directed there).

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Matthias Sitte
2012-Jul-06 18:00 UTC
Re: Shorewall fails to start correctly when rebooting Debian Squeeze server
Hi Tom,

after disentangling the output from stdout and STARTUP_LOG I just realized that not two instances of Shorewall were interfering with each other, but the Shorewall and iptables init scripts actually stepped on each other's toes. As a matter of fact, on my Debian system there is a pre-configured iptables script in /etc/rc2.d/ loading the "active", but empty ruleset. This was basically resetting all my settings which were loaded in the shorewall script located in /etc/rcS.d/. After disabling the iptables script and rebooting everything works perfectly now.

Thank you for your help!

Cheers,
Matthias

On 07/06/2012 07:25 PM, Tom Eastep wrote:
> On 07/06/2012 10:15 AM, Matthias Sitte wrote:
>
>> I'd be happy to share more details if you tell me what you need
>> (versions of which packages etc) to see why it works. It's a clean
>> system with nothing but Shorewall installed. The config files for
>> Shorewall are pretty simple.
>>
>
> If you are able to create connections from the container to other hosts
> with Shorewall started, you are not experiencing the problem that others
> have run into.
>
>>>
>>>> Of course, Shorewall should automatically start when rebooting.
>>>> Making the appropriate changes to shorewall.conf and
>>>> /etc/default/shorewall it should all be fine -- but it ain't
>>>> somehow.
>
>>
>> Anyway, right after the system comes up, `iptables -L' gives me empty lists:
>>
>> # iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Stopping/starting Shorewall as described above makes it work nicely, though.
>
> Try placing that command in /etc/shorewall/started and see if that still
> gives the same output when shorewall runs at boot (output should be in
> /var/log/shorewall-init.log so long as stdout is being directed there).
>
> -Tom
>
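The root cause Matthias found (an iptables start link in /etc/rc2.d/ running after the shorewall link in /etc/rcS.d/ and loading an empty ruleset) can be checked for before the next reboot with a script like the following. This is an added example, not code from the thread or from the Shorewall project; it assumes the stock Debian SysV ordering (rcS.d before rc2.d, ascending S<NN> within a directory) and matches candidate scripts by name only, so treat its output as a list of links to inspect, not a verdict.

```shell
#!/bin/sh
# Added example (not from the thread): scan a Debian SysV boot layout for
# start links that run AFTER shorewall and, judging by their name, load or
# flush iptables rules, i.e. the kind of rc2.d iptables script that emptied
# the ruleset in the thread. Pass / on a real system; the test uses a fake tree.

# Assumed boot order on SysV Debian: rcS.d runs first, then the default
# runlevel (rc2.d), and within a directory links run in ascending S<NN> order.
rc_order_key() {
    # $1 = runlevel dir (rcS.d or rc2.d), $2 = link name such as S40shorewall
    case "$1" in rcS.d) lvl=0 ;; *) lvl=1 ;; esac
    seq=$(printf '%s' "$2" | sed -n 's/^S0*\([0-9][0-9]*\).*/\1/p')
    [ -n "$seq" ] || seq=0
    echo $((lvl * 1000 + seq))
}

# Print "dir/link" for every enabled S* link that is ordered after the
# shorewall start link and whose name mentions iptables or netfilter.
find_rc_conflicts() {
    root=${1:-/}
    shorewall_key=
    for d in rcS.d rc2.d; do
        for l in "$root"/etc/$d/S*shorewall; do
            [ -e "$l" ] || continue
            shorewall_key=$(rc_order_key "$d" "$(basename "$l")")
        done
    done
    if [ -z "$shorewall_key" ]; then
        echo "no shorewall start link found under $root/etc" >&2
        return 1
    fi
    for d in rcS.d rc2.d; do
        for l in "$root"/etc/$d/S*; do
            [ -e "$l" ] || continue
            name=$(basename "$l")
            case "$name" in *iptables*|*netfilter*) ;; *) continue ;; esac
            if [ "$(rc_order_key "$d" "$name")" -gt "$shorewall_key" ]; then
                echo "$d/$name"
            fi
        done
    done
    return 0
}
```

Any link it prints is a candidate for `update-rc.d <name> disable` (or for moving shorewall itself later in the sequence); confirm with Tom's suggestion of running `iptables -L` from /etc/shorewall/started at boot.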