Hi List,

I recently switched to Shorewall, and it works like a charm (well... nearly :)
However, there is a (minor) problem when using a pptp-client behind the firewall.

Based on the two interface example, I'd like to use a (masq) client to connect to a pptp-server outside:

Client (private net) -> { (private net) <-FW-> (public net) } -> Internet -> PPtP-server

Modules loaded:
nf_nat_pptp
nf_nat_proto_gre
nf_conntrack_pptp
nf_conntrack_proto_gre

The request went out, but the response (gre, 47) is blocked by the rule "net2fw", so no connection is possible.
If I manually add the rule for gre (macro.GRE) in section "NEW", it works as expected.

So my question(s):
Is this really necessary, or am I missing something?
If this is needed, should the destination be "$FW", "loc" or "all"?

Thanks in advance,
Tarqi
On 09/18/2012 12:44 PM, Tarqi Kazan wrote:
> Modules loaded:
> nf_nat_pptp
> nf_nat_proto_gre
> nf_conntrack_pptp
> nf_conntrack_proto_gre

Try unloading the GRE modules. You should only require the pptp modules for this to work.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thanks for your fast reply, but...
I already read this in your docs and tried it.
Unfortunately the modules depend on each other.
Example:

modinfo nf_nat_pptp
-------------------
filename:       /lib/modules/3.5.3-1-ARCH/kernel/net/ipv4/netfilter/nf_nat_pptp.ko.gz
alias:          ip_nat_pptp
description:    Netfilter NAT helper module for PPTP
author:         Harald Welte <laforge@gnumonks.org>
license:        GPL
depends:        nf_conntrack_pptp,nf_nat_proto_gre,nf_nat,nf_conntrack
intree:         Y
vermagic:       3.5.3-1-ARCH SMP preempt mod_unload modversions 686

Blacklisting (all of them?) in "helpers" or "modules.conf" will not help I suppose?

OT: Sorry for the email-formatting, need to figure out which mail-client to use for the list :(

Tarqi

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On 09/18/2012 01:36 PM, Tarqi Kazan wrote:
> Blacklisting (all of them?) in "helpers" or "modules.conf" will not help I
> suppose?

No.

It's been years since I've used PPTP, given its weak authentication scheme. I guess you'll have to allow incoming GRE.

> OT: Sorry for the email-formatting, need to figure out which mail-client to
> use for the list :(

No Problem.

-Tom
Well,

I already kicked my own pptp-server and switched to ipsec (in progress), which will (hopefully not) lead to some more questions...

However, pptp is still needed to connect my client to an outside network, so I can't get rid of it right now :(

Ok then, thanks a lot, if I find a solution beside what you've mentioned, I'll let you know.

Tarqi

PS: What will I need to do to get the mails sent in a fashion that they are threaded in the mailing list (Outlook 2007)? If someone knows, please let me know. Thanks.
Tom, the tunnels file doesn't work here?

On Tue, Sep 18, 2012 at 6:35 PM, Tarqi Kazan <tarqi@cfs.dyndns.biz> wrote:
> However, pptp is still needed to connect my client to an outside network,
> so I can't get rid of it right now :(
On 09/19/2012 05:20 AM, Nico Pagliaro wrote:
> Tom, the tunnels file doesn't work here?

The tunnels file only applies when a VPN endpoint is on the firewall itself. As I understood the problem, the VPN client is in the local network and the server is remote.

-Tom
Ok,

I found out the following:

PPTP Client from the LAN to a remote side needs NO modules loaded, which means:

If the modules:
nf_nat_pptp
nf_nat_proto_gre
nf_conntrack_pptp
nf_conntrack_proto_gre

are NOT loaded, everything works as expected.
There are NO rules needed.

However, how can I prevent shorewall from loading these modules?

I did the following:
- copied "helpers" to /etc/shorewall AND commented out the modules
- set strongwall.conf "AUTOHELPERS" to "No"
- set strongwall.conf "LOAD_HELPERS_ONLY" to "Yes"
- set strongwall.conf "HELPERS" to ""

However, the modules are still loaded. There are no rules involved which may autoload them.

Any clues?

Thanks,
Tarqi
On 09/21/2012 03:14 PM, Tarqi Kazan wrote:
> I did the following:
> - copied "helpers" to /etc/shorewall AND commented out the modules
> - set strongwall.conf "AUTOHELPERS" to "No"

You probably don't want that.

> - set strongwall.conf "LOAD_HELPERS_ONLY" to "Yes"
> - set strongwall.conf "HELPERS" to ""
>
> However, the modules are still loaded. There are no rules involved which
> may autoload them.
>
> Any clues?

Did you unload the modules? Changing the modules configuration won't unload any modules that are already loaded.

-Tom

PS -- the product is 'shorewall', not 'strongwall' :-)
I tried several combinations and ended up with the loaded modules all the time.
And yes, after a reboot I unloaded the modules, and everything worked.
So something is loading the modules automatically, regardless of what I set in shorewall.conf and "helpers".
The docs in shorewall.conf say to set AUTOHELPERS to NO if using kernel > 3.5, which is the case.

Tarqi
On 09/21/2012 03:43 PM, Tarqi Kazan wrote:
> So something is loading the modules automatically, regardless of what I set in
> shorewall.conf and "helpers".
> The docs in shorewall.conf say to set AUTOHELPERS to NO if using kernel >
> 3.5, which is the case.

What does 'fgrep loadmodule /var/lib/shorewall/firewall' display?

-Tom
So,
after a lot of reboots some information:

nf_nat_pptp has been loaded by a forgotten script on reboot - shame on me.
THIS module pulls in nf_nat_proto_gre and (both of them?) caused the initial problem.

nf_conntrack_pptp pulls in nf_conntrack_proto_gre and seems to be loaded automatically when needed. They are needed and cause no problems (as far as I can see).

However, a lot of modules are loaded by shorewall, even if not active.

I removed all network-related stuff (including shorewall) and rebooted -> no relevant modules loaded, no iptables, nothing. So far so good.

Then I started shorewall. It loads everything(?), regardless of what's defined in /etc/shorewall/helpers. There was no network activity which could have loaded them automatically.

The command you mentioned will reflect what's included in /etc/shorewall/helpers, but it seems to be ignored.

Some data:

/etc/shorewall/shorewall.conf:
------------------------------
AUTOHELPERS=No
HELPERS=
LOAD_HELPERS_ONLY=Yes

fgrep loadmodule /var/lib/shorewall/firewall
--------------------------------------------
loadmodule() # $1 = module name, $2 - * arguments
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_nat_ftp
loadmodule nf_nat_irc
loadmodule nf_nat

/etc/shorewall/helpers
----------------------
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_nat_ftp
loadmodule ip_nat_irc
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_nat_ftp
loadmodule nf_nat_irc
loadmodule nf_nat

lsmod (only some modules, which shouldn't have been loaded and appear after a "shorewall start")
------------------------------------------------------------------------------------------------
nf_conntrack_amanda      1713  0
nf_conntrack_irc         2639  0
nf_conntrack_snmp         891  0
nf_conntrack_sip        16004  0
nf_conntrack_pptp        3625  0
nf_conntrack_proto_gre   3766  1 nf_conntrack_pptp
nf_conntrack_tftp        2529  0
nf_conntrack_sane        2724  0
.
.
.

Some of them may be pulled in as a dependency, but not all I think.

Tarqi
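The dependency chase above (nf_nat_pptp holding nf_nat_proto_gre, nf_conntrack_pptp holding nf_conntrack_proto_gre) can be read straight off lsmod's "Used by" column instead of by repeated reboots. The following is an added shell example, not code from this thread or from the Shorewall project: it walks the "Used by" references back to the modules that actually keep a helper loaded, and lists helper modules nothing references. The lsmod table is a constructed sample mirroring this thread's module set; LSMOD_LIVE is a hypothetical switch that substitutes the host's real lsmod output.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Walks lsmod's
# "Used by" column upward so that a stray reference chain such as
# nf_nat_pptp -> nf_nat_proto_gre becomes visible, and lists conntrack/NAT
# helper modules that nothing references (loaded explicitly or autoloaded).

# Constructed lsmod output mirroring the modules discussed in the thread.
LSMOD_SAMPLE='Module                  Size  Used by
nf_nat_pptp             3625  0
nf_nat_proto_gre        2210  1 nf_nat_pptp
nf_conntrack_pptp       3625  1 nf_nat_pptp
nf_conntrack_proto_gre  3766  1 nf_conntrack_pptp
nf_conntrack_irc        2639  0
nf_conntrack_amanda     1713  0
nf_nat                 16004  2 nf_nat_pptp,nf_nat_proto_gre
nf_conntrack           60000  6 nf_nat_pptp,nf_nat_proto_gre,nf_conntrack_pptp,nf_conntrack_proto_gre,nf_conntrack_irc,nf_nat'

# lsmod_source: emit the module table. The constructed sample is used by
# default; LSMOD_LIVE=1 (hypothetical switch) runs the host's real lsmod.
lsmod_source() {
    if [ "${LSMOD_LIVE:-0}" = 1 ]; then
        lsmod
    else
        printf '%s\n' "$LSMOD_SAMPLE"
    fi
}

# users_of MODULE: space-separated modules holding a reference to MODULE
# (the fourth lsmod column, with commas turned into spaces).
users_of() {
    lsmod_source | awk -v m="$1" '$1 == m { gsub(",", " ", $4); print $4 }'
}

# root_holders MODULE: follow "Used by" references up to modules that nothing
# else references; those are what actually keep MODULE loaded. A root reached
# by two paths is printed twice, so pipe through sort -u for a clean list.
root_holders() {
    _users=$(users_of "$1")
    if [ -z "$_users" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    for _u in $_users; do
        root_holders "$_u"
    done
}

# why_loaded MODULE: one report line, "MODULE <- root1 root2 ...".
why_loaded() {
    printf '%s <- %s\n' "$1" \
        "$(root_holders "$1" | sort -u | tr '\n' ' ' | sed 's/ $//')"
}

# unreferenced_helpers: nf_conntrack_* / nf_nat_* helper modules with a zero
# refcount. After "shorewall start" with no matching traffic, anything here
# that is not in your own helpers file arrived through module autoloading.
unreferenced_helpers() {
    lsmod_source | awk '$1 ~ /^nf_(conntrack|nat)_/ && $3 == 0 { print $1 }'
}

# Report for the two GRE modules the thread is about.
for m in nf_nat_proto_gre nf_conntrack_proto_gre; do
    why_loaded "$m"
done
printf 'unreferenced helpers: %s\n' "$(unreferenced_helpers | tr '\n' ' ')"
```

Against the sample, both GRE modules resolve to nf_nat_pptp as their only root holder, which is exactly the forgotten-script module from the post above; unloading that one root frees the whole chain.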
> PS -- the product is 'shorewall', not 'strongwall' :-)

Hups, just saw this right now. Sorry, I have poked around Strongswan and Shorewall at the same time... sometimes I got a bit confused :)

Tarqi
On 9/21/12 6:13 PM, "Tarqi Kazan" <tarqi@cfs.dyndns.biz> wrote:
> However, a lot of modules are loaded by shorewall, even if not active.

The *only* modules which Shorewall loads explicitly are those loaded by the 'load module' function.

> I removed all network-related stuff (including shorewall) and rebooted -> no
> relevant modules loaded, no iptables, nothing. So far so good.
>
> Then I started shorewall. It loads everything(?), regardless of what's defined
> in /etc/shorewall/helpers. There was no network activity which could have
> loaded them automatically.

What is being loaded is *autoloaded* as a result of your Shorewall configuration. If you don't like what gets loaded, then don't use a stateful firewall on Linux.

-Tom

You do not need a parachute to skydive. You only need a parachute to skydive twice.
Wow,

why so rude? I just try to help and to understand what's going on.

So if it's autoloaded because of my config:

I am not using snmp, sip or anything, so I haven't configured this. It's all based on the 2 gateway example. I don't even know what "Amanda" is.

I also could have stopped investigating after I found my problem, but I thought it may be a good thing for you that I dig deeper. If you don't like people trying to contribute, simply close the mailing-list.

Tarqi
On 09/21/2012 07:57 PM, Tarqi Kazan wrote:
> I also could have stopped investigating after I found my problem, but I
> thought it may be a good thing for you that I dig deeper. If you don't like
> people trying to contribute, simply close the mailing-list.

I apologize, Tarqi. I realized when I woke up this morning that you may be running into the changes I made to support kernel 3.5 and later.

Let's go back to one of your previous posts:

> I did the following:
> - copied "helpers" to /etc/shorewall AND commented out the modules
> - set strongwall.conf "AUTOHELPERS" to "No"
> - set strongwall.conf "LOAD_HELPERS_ONLY" to "Yes"
> - set strongwall.conf "HELPERS" to ""

Even with LOAD_HELPERS_ONLY=Yes, the compiler is unconditionally checking for the presence of all of the application helpers. It is checking by running iptables commands that will autoload each of the helper modules.

You can avoid this behaviour by creating a capabilities file:

shorewall show -f capabilities > /etc/shorewall/capabilities

Now, if you reboot, only the modules that you actually use will be loaded.

Back to your original problem, did you have AUTOHELPERS=No all along? With AUTOHELPERS=No on a 3.5 kernel, unless you have specifically modified /etc/shorewall/conntrack to associate the PPTP helper with TCP port 1729, the behaviour of the system should be the same as if you hadn't loaded the module at all.

If it is not, then we need to investigate further.

Regards,
-Tom
On 09/22/2012 07:57 AM, Tom Eastep wrote:
> On 09/21/2012 07:57 PM, Tarqi Kazan wrote:
>> Wow,
>>
>> why so rude? I just try to help and to understand what's going on.
>>
>> So if it's autoloaded because of my config:
>>
>> I am not using snmp, sip or anything, so I haven't configured this. It's all
>> based on the 2 gateway example. I even don't know what "Amanda" is.
>>
>> I also could have stopped investigating after I found my problem, but I
>> thought it may be a good thing for you that I dig deeper. If you don't like
>> that people try to contribute, simply close the mailing-list.
>>
>
> I apologize, Tarqi. I realized when I woke up this morning that you may
> be running into the changes I made to support kernel 3.5 and later.
>
> Let's go back to one of your previous posts:
>
>> I did the following:
>> - copied "helpers" to /etc/shorewall AND commented out the modules
>> - set strongwall.conf "AUTOHELPERS" to "No"
>> - set strongwall.conf "LOAD_HELPERS_ONLY" to "Yes"
>> - set strongwall.conf "HELPERS" to ""
>>
>
> Even with LOAD_HELPERS_ONLY=Yes, the compiler is unconditionally
> checking for the presence of all of the application helpers. It is
> checking by running iptables commands that will autoload each of the
> helper modules.
>
> You can avoid this behaviour by creating a capabilities file:
>
>     shorewall show -f capabilities > /etc/shorewall/capabilities
>
> Now, if you reboot, only the modules that you actually use will be loaded.
>
> Back to your original problem, did you have AUTOHELPERS=No all along?
> With AUTOHELPERS=No on a 3.5 kernel, unless you have specifically
> modified /etc/shorewall/conntrack to associate the PPTP helper with TCP
> port 1729, the behaviour of the system should be the same as if you
> hadn't loaded the module at all.
>
> If it is not, then we need to investigate further.

Here is a lightly-tested patch that does not probe the helpers when
LOAD_HELPERS_ONLY=Yes.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 09/22/2012 08:17 AM, Tom Eastep wrote:
> On 09/22/2012 07:57 AM, Tom Eastep wrote:
>> On 09/21/2012 07:57 PM, Tarqi Kazan wrote:
>>> Wow,
>>>
>>> why so rude? I just try to help and to understand what's going on.
>>>
>>> So if it's autoloaded because of my config:
>>>
>>> I am not using snmp, sip or anything, so I haven't configured this. It's all
>>> based on the 2 gateway example. I even don't know what "Amanda" is.
>>>
>>> I also could have stopped investigating after I found my problem, but I
>>> thought it may be a good thing for you that I dig deeper. If you don't like
>>> that people try to contribute, simply close the mailing-list.
>>>
>>
>> I apologize, Tarqi. I realized when I woke up this morning that you may
>> be running into the changes I made to support kernel 3.5 and later.
>>
>> Let's go back to one of your previous posts:
>>
>>> I did the following:
>>> - copied "helpers" to /etc/shorewall AND commented out the modules
>>> - set strongwall.conf "AUTOHELPERS" to "No"
>>> - set strongwall.conf "LOAD_HELPERS_ONLY" to "Yes"
>>> - set strongwall.conf "HELPERS" to ""
>>>
>>
>> Even with LOAD_HELPERS_ONLY=Yes, the compiler is unconditionally
>> checking for the presence of all of the application helpers. It is
>> checking by running iptables commands that will autoload each of the
>> helper modules.
>>
>> You can avoid this behaviour by creating a capabilities file:
>>
>>     shorewall show -f capabilities > /etc/shorewall/capabilities
>>
>> Now, if you reboot, only the modules that you actually use will be loaded.
>>
>> Back to your original problem, did you have AUTOHELPERS=No all along?
>> With AUTOHELPERS=No on a 3.5 kernel, unless you have specifically
>> modified /etc/shorewall/conntrack to associate the PPTP helper with TCP
>> port 1729, the behaviour of the system should be the same as if you
>> hadn't loaded the module at all.
>>
>> If it is not, then we need to investigate further.
>
> Here is a lightly-tested patch that does not probe the helpers when
> LOAD_HELPERS_ONLY=Yes.

I also noticed this morning that the released 'conntrack' files are
incorrect; they specify 1729 as the PPTP control port rather than 1723.
This prevents the PPTP helpers from working correctly on Kernel 3.5.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
>> I apologize, Tarqi. I realized when I woke up this morning that you
>> may be running into the changes I made to support kernel 3.5 and later.
>>

You're welcome.

>> You can avoid this behaviour by creating a capabilities file:
>>
>>     shorewall show -f capabilities > /etc/shorewall/capabilities
>>
>> Now, if you reboot, only the modules that you actually use will be loaded.
>>

I will try this, thanks.

>> Back to your original problem, did you have AUTOHELPERS=No all along?
>> With AUTOHELPERS=No on a 3.5 kernel, unless you have specifically
>> modified /etc/shorewall/conntrack to associate the PPTP helper with
>> TCP port 1729, the behaviour of the system should be the same as if
>> you hadn't loaded the module at all.
>>
>> If it is not, then we need to investigate further.
>

After trying some different combinations, I can't say this anymore. I just
remember that AUTOHELPERS has been initially "Yes". If I find some time I
will test this again, but I can't promise this.

> Here is a lightly-tested patch that does not probe the helpers when
> LOAD_HELPERS_ONLY=Yes.

Thanks, this will be present in the next release, I think?

> I also noticed this morning that the released 'conntrack' files are
> incorrect; they specify 1729 as the PPTP control port rather than 1723.
> This prevents the PPTP helpers from working correctly on Kernel 3.5.

Strange. Even with the wrong settings in "conntrack" everything works,
IF(!) nf_nat_pptp and nf_nat_proto_gre are not loaded. The nf_conntrack*
modules aren't a problem.

> -Tom

Note: There is also a typo in "macro.PPtP" which prevents Shorewall from
compiling it: the "Format" entry needs to be commented, I think; currently
it's a "?" instead of "#".

- Tarqi
On 9/23/12 10:32 AM, "Tarqi Kazan" <tarqi@cfs.dyndns.biz> wrote:
>>> Back to your original problem, did you have AUTOHELPERS=No all along?
>>> With AUTOHELPERS=No on a 3.5 kernel, unless you have specifically
>>> modified /etc/shorewall/conntrack to associate the PPTP helper with
>>> TCP port 1729, the behaviour of the system should be the same as if
>>> you hadn't loaded the module at all.
>>>
>>> If it is not, then we need to investigate further.
>>
>
> After trying some different combinations, I can't say this anymore. I just
> remember that AUTOHELPERS has been initially "Yes". If I find some time I
> will test this again, but I can't promise this.
>
>> Here is a lightly-tested patch that does not probe the helpers when
>> LOAD_HELPERS_ONLY=Yes.
>
> Thanks, this will be present in the next release, I think?

Yes.

>> I also noticed this morning that the released 'conntrack' files are
>> incorrect; they specify 1729 as the PPTP control port rather than 1723.
>> This prevents the PPTP helpers from working correctly on Kernel 3.5.
>
> Strange. Even with the wrong settings in "conntrack" everything works,
> IF(!) nf_nat_pptp and nf_nat_proto_gre are not loaded. The nf_conntrack*
> modules aren't a problem.

With AUTOHELPERS=No, the wrong port makes no difference. The entries in
the released conntrack file are only used with AUTOHELPERS=Yes.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
On 9/23/12 10:32 AM, "Tarqi Kazan" <tarqi@cfs.dyndns.biz> wrote:
> Note: There is also a typo in "macro.PPtP" which prevents Shorewall from
> compiling it: the "Format" entry needs to be commented, I think; currently
> it's a "?" instead of "#".

You should remove the '?'.

-Tom

You do not need a parachute to skydive. You only need a parachute to
skydive twice.
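As an added example, not Shorewall's own code and not posted by either participant, here is a small POSIX-shell lint for the two release defects the thread turns on: the conntrack file binding the PPTP helper to TCP 1729 instead of the PPTP control port 1723 (Tom's 09/22 and 09/23 replies), and the stray leading '?' on the FORMAT line of macro.PPtP (Tom's last reply). The column layout assumed for conntrack rows (ACTION SOURCE DEST PROTO DPORT ..., helper rows spelled "CT:helper:pptp") and the rule that a macro's FORMAT line is its first non-blank, non-comment line are assumptions of this example, and all sample files it reads are constructed inside it rather than taken from a release.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: lint a Shorewall 'conntrack' file
# and a macro file for the two defects discussed in this thread.
#
# Assumptions (labelled, not taken from the thread):
#  - conntrack rows use the column order ACTION SOURCE DEST PROTO DPORT ...
#    and bind the helper with an action spelled "CT:helper:pptp";
#  - a macro's FORMAT line is its first non-blank, non-comment line;
#  - the sample files below are constructed here, not the released ones.

PPTP_CONTROL_PORT=1723   # PPTP control connection; 1729 is the release typo

# Print the DPORT column of every CT:helper:pptp row in file $1.
# '#' comment lines and '?if'/'?endif' lines never match in column 1.
pptp_helper_ports() {
    awk '$1 == "CT:helper:pptp" { print $5 }' "$1"
}

# 0 if file $1 binds the pptp helper, and only to TCP 1723; 1 otherwise.
check_pptp_port() {
    ports=$(pptp_helper_ports "$1")
    [ -n "$ports" ] || return 1
    for p in $ports; do
        [ "$p" = "$PPTP_CONTROL_PORT" ] || return 1
    done
    return 0
}

# Print the first non-blank, non-comment line of macro file $1.
macro_format_line() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# 0 unless the macro's first line carries the leading '?' that stopped the
# compiler in the thread (Tom's advice was to remove the '?').
check_macro_format() {
    case "$(macro_format_line "$1")" in
        \?*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Constructed sample files reproducing each defect and its fix; prints the dir.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/conntrack.bad" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT
CT:helper:pptp  all     -       tcp     1729
EOF
    cat > "$dir/conntrack.good" <<'EOF'
#ACTION         SOURCE  DEST    PROTO   DPORT   SPORT
CT:helper:pptp  all     -       tcp     1723
EOF
    cat > "$dir/macro.bad" <<'EOF'
# constructed macro.PPtP carrying the typo
?FORMAT 2
PARAM   -       -       tcp     1723
PARAM   -       -       gre
EOF
    cat > "$dir/macro.good" <<'EOF'
# constructed macro.PPtP, fixed
FORMAT 2
PARAM   -       -       tcp     1723
PARAM   -       -       gre
EOF
    echo "$dir"
}

report() {   # $1 = checker function, $2 = file
    if "$1" "$2"; then echo "OK   $2"; else echo "BAD  $2"; fi
}

SAMPLES=$(make_samples)
for f in conntrack.bad conntrack.good; do report check_pptp_port    "$SAMPLES/$f"; done
for f in macro.bad macro.good;         do report check_macro_format "$SAMPLES/$f"; done
rm -rf "$SAMPLES"
```

Run it against the real files (for example `check_pptp_port /etc/shorewall/conntrack`) only when AUTOHELPERS=Yes: as Tom notes, with AUTOHELPERS=No the conntrack entries are not used, so a wrong port there changes nothing. The macro check is specific to the release discussed here; later Shorewall releases introduced a `?FORMAT` directive for macro files, where a leading '?' is expected.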