Hello,

When using a simple MASQ config such as:

dds-4-1c01ppp 172.59.1.0/24 172.59.3.10

It happens from time to time that after applying the config, a 172.59.1.1 IP is not translated into .3.10. It is actually not translated until a 'conntrack -F' is issued that flushes all connection tracking tables. The same happens when removing the MASQ config: .3.10 persists until a flush is made. These are observed when doing a continuous ping from 172.59.1.1 to a device beyond the device running the Shorewall config.

And at some other times, it changes immediately.

Is there a Shorewall option that makes it so that the MASQ config always takes effect immediately when applied and when removed?

Thanks!

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 07/16/2012 08:36 AM, Fred Maillou wrote:
> Hello,
>
> When using a simple MASQ config such as:
>
> dds-4-1c01ppp 172.59.1.0/24 172.59.3.10
>
> It happens from time to time that after applying the config, a
> 172.59.1.1 IP is not translated into .3.10. It is actually not
> translated until a 'conntrack -F' is issued that flushes all
> connection tracking tables. The same happens when removing the
> MASQ config: .3.10 persists until a flush is made. These are
> observed when doing a continuous ping from 172.59.1.1 to a
> device beyond the device running the Shorewall config.
>
> And at some other times, it changes immediately.
>
> Is there a Shorewall option that makes it so that the MASQ config
> always takes effect immediately when applied and when removed?

What you are seeing is a result of the way that connection tracking works. You can always use the '-p' option when you start/restart Shorewall (that does the 'conntrack -F' for you).

If the problem happens only at boot time, then installing and configuring Shorewall-init will solve the problem.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> What you are seeing is a result of the way that connection
> tracking works. You can always use the '-p' option when you
> start/restart Shorewall (that does the 'conntrack -F' for you).

The drawback with this is that all tables would be flushed, including established ssh connections on other interfaces, which could lead to some usability problems when setting/testing firewall setups remotely.

> If the problem happens only at boot time, then installing and
> configuring Shorewall-init will solve the problem.

Are there persistent connection tracking (and related) parameters set at install time that would make do with this condition when enabling/disabling MASQ?

Thanks.
On Mon, 2012-07-16 at 10:32 -0700, Fred Maillou wrote:
> Are there persistent connection tracking (and related) parameters
> set at install time that would make do with this condition when
> enabling/disabling MASQ?

Fred,

If there were, don't you think that I would have already implemented support for them (and told you about them)?

How do you install a new updated firewall config? Hopefully not with 'shorewall stop; shorewall start'.

-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
(Sorry, I simply pressed 'reply' on this Yahoo thing and the reply went to your personal email when I intended it to be in the mailing list, so here it is in the mailing list.)

Hi Tom,

>> Are there persistent connection tracking (and related)
>> parameters set at install time that would make do with this
>> condition when enabling/disabling MASQ?
>
> If there were, don't you think that I would have already
> implemented support for them (and told you about them)?

Right ;-)

> How do you install a new updated firewall config? Hopefully not
> with 'shorewall stop; shorewall start'.

Actually, modifications are made to the config files and 'shorewall restart' is called. It's been like that for years. The difference now is that the system is exclusively managed by a middleware configuration database (based on the YANG data model/NETCONF, a replacement for SNMP) in which Shorewall is a managed object whose config files are written from what the user has specified in a config database. And then Shorewall is executed using those newly-created Shorewall config files.

From the description of shorewall-init, I currently see no advantage in using it for the current context, e.g. the connection tracking and MASQ enable/disable. There are already interactions at the system level (netlink msg listening) when some interfaces are changing states, by the application that manages the Shorewall object. And flushing all connection tables does not seem like a good idea at the moment, because of the possibility of terminating a remote ssh connection used to configure the firewall. OTOH, it could be that a custom crafted 'conntrack' command can be made to flush uniquely the interface belonging to MASQ when enabling/disabling MASQ.

Thanks for all comments.
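The selective flush that the previous message speculates about can be done with conntrack(8) itself. Netfilter decides NAT on the first packet of a flow and records the outcome in the flow's conntrack entry; every later packet of that flow reuses that entry, which is why a continuous ping keeps its old (non-)translation across a 'shorewall restart' until the entry is deleted. Instead of 'conntrack -F', which also drops unrelated flows such as the administrator's SSH session, the script below deletes only the entries that the MASQ entry in the thread can affect. This is an added example, not code from the thread or from Shorewall; the function name, the '--dry-run' switch and the two-selector approach are my own, and it relies on conntrack-tools accepting CIDR notation for '-s/--orig-src' (documented as implying '--mask-src') and on '-q/--reply-dst'. Running it for real requires root and conntrack-tools; the dry-run mode only prints the commands.

```shell
#!/bin/sh
# Selective conntrack flush for a Shorewall masq entry of the form
#   dds-4-1c01ppp 172.59.1.0/24 172.59.3.10
# Added example (not Shorewall code). Needs conntrack(8) and root for a real run.
#
# Two selectors cover the two situations from the thread:
#   1. MASQ was just added: flows that originated from the subnet before the
#      change still carry a no-NAT entry -> delete entries whose original
#      source is in the subnet (-s SUBNET/PREFIX).
#   2. MASQ was just removed: flows translated earlier still carry the SNAT
#      binding, visible as reply-destination == masquerade address -> delete
#      entries with that reply destination (-q ADDRESS). This also covers any
#      other masq entry that maps to the same address.
#
# Usage: masq_conntrack_flush [--dry-run] SUBNET/PREFIX MASQ_ADDRESS

masq_conntrack_flush() {
    dry_run=0
    if [ "$1" = "--dry-run" ]; then
        dry_run=1
        shift
    fi
    subnet="$1"
    masq_addr="$2"

    # Guard: 'conntrack -D' without a selector deletes every entry, i.e. it
    # silently degrades into the full flush we are trying to avoid. Refuse to
    # run unless both selectors are present and the subnet is in CIDR form.
    case "$subnet" in
        */*) ;;
        *)
            echo "masq_conntrack_flush: SUBNET must be in CIDR form (got '$subnet')" >&2
            return 2 ;;
    esac
    if [ -z "$masq_addr" ]; then
        echo "masq_conntrack_flush: MASQ_ADDRESS is required" >&2
        return 2
    fi

    # conntrack(8): -D delete, -s original source (CIDR implies --mask-src),
    # -q reply destination.
    set -- \
        "conntrack -D -s $subnet" \
        "conntrack -D -q $masq_addr"

    for cmd in "$@"; do
        if [ "$dry_run" -eq 1 ]; then
            echo "$cmd"
        else
            # conntrack -D exits non-zero when nothing matched; that is fine here.
            $cmd >/dev/null 2>&1 || true
        fi
    done
}

# Stand-alone demo: print the commands that would run for the entry in the thread.
masq_conntrack_flush --dry-run 172.59.1.0/24 172.59.3.10
```

Two caveats when wiring this into a configuration-management hook. First, deleting an entry makes the next packet of that flow look like a NEW connection again, so on a stateful firewall it must be accepted by the NEW-connection rules a second time; a flow that was only allowed as ESTABLISHED/RELATED in one direction will be dropped rather than re-created. Second, the guard above matters in practice: an empty variable from the configuration database would otherwise turn 'conntrack -D -s' into a flush of the whole table.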
On 07/17/2012 06:16 AM, Fred Maillou wrote:
>> How do you install a new updated firewall config? Hopefully not
>> with 'shorewall stop; shorewall start'.
>
> Actually, modifications are made to the config files and
> 'shorewall restart' is called. It's been like that for years.
> The difference now is that the system is exclusively managed by a
> middleware configuration database (based on the YANG data
> model/NETCONF, a replacement for SNMP) in which Shorewall is a
> managed object whose config files are written from what the user
> has specified in a config database. And then Shorewall is
> executed using those newly-created Shorewall config files.
>
> From the description of shorewall-init, I currently see no
> advantage in using it for the current context, e.g. the connection
> tracking and MASQ enable/disable. There are already interactions
> at the system level (netlink msg listening) when some interfaces
> are changing states, by the application that manages the
> Shorewall object. And flushing all connection tables does not
> seem like a good idea at the moment, because of the possibility
> of terminating a remote ssh connection used to configure the
> firewall. OTOH, it could be that a custom crafted 'conntrack'
> command can be made to flush uniquely the interface belonging to
> MASQ when enabling/disabling MASQ.

Hi Fred,

I don't see how MASQ can be missed when doing a 'restart'. The old Netfilter nat table is replaced atomically by the new one. So there is never a time when the MASQ rule isn't in place.

Which Shorewall version are you running?

Thanks,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________