Hi All,

I am trying to use shorewall6 to DROP/REJECT TCP/IPv6 traffic. I am running shorewall6 4.4.26.1 with a one-interface configuration on Ubuntu 12.04. What I found was that DROP works correctly, but REJECT does not.

I have the following in /etc/shorewall6/policy

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
$FW       net    REJECT
net       $FW    DROP     info
net       all    DROP     info

# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info

Then when I try to TCP connect to a host, I don't get the connection refused immediately as shorewall does for TCP/IPv4. Instead the connection keeps trying until it times out later.

Does anybody have any idea why I am getting this and how I can make REJECT work as expected for TCP/IPv6?

Your help is highly appreciated.

Bin
On 09/26/2012 02:08 PM, Bin Wang wrote:

Please forward as a compressed attachment the output of 'shorewall6 dump' and explain the connection you were attempting to make which you felt should have been rejected (use IP addresses rather than DNS names).

Thanks,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
Hi Tom,

Here is the info you asked for.

1. Start shorewall6

root@ubuntu:/etc/shorewall6# shorewall6 start
Compiling...
Processing /etc/shorewall6/shorewall6.conf...
Loading Modules...
Compiling /etc/shorewall6/zones...
Compiling /etc/shorewall6/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Compiling /usr/share/shorewall6/action.Drop for chain Drop...
Compiling /usr/share/shorewall6/action.AllowICMPs for chain AllowICMPs...
Compiling /usr/share/shorewall6/action.Broadcast for chain Broadcast...
Compiling /usr/share/shorewall/action.Invalid for chain Invalid...
Compiling /usr/share/shorewall/action.NotSyn for chain NotSyn...
Compiling /usr/share/shorewall6/action.Reject for chain Reject...
Compiling /etc/shorewall6/policy...
Compiling TCP Flags filtering...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall6/rules...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating ip6tables-restore input...
Shorewall configuration compiled to /var/lib/shorewall6/.start
Starting Shorewall6....
Initializing...
Setting up Traffic Control...
Preparing ip6tables-restore input...
Running /sbin/ip6tables-restore...
IPv6 Forwarding Disabled!
done.

2. Ping the destination IP; it is OK

root@ubuntu:/etc/shorewall6# ping6 2001:4998:c:401::c:9101
PING 2001:4998:c:401::c:9101(2001:4998:c:401::c:9101) 56 data bytes
64 bytes from 2001:4998:c:401::c:9101: icmp_seq=1 ttl=48 time=87.1 ms
64 bytes from 2001:4998:c:401::c:9101: icmp_seq=2 ttl=48 time=86.1 ms
64 bytes from 2001:4998:c:401::c:9101: icmp_seq=3 ttl=48 time=83.9 ms
64 bytes from 2001:4998:c:401::c:9101: icmp_seq=4 ttl=48 time=86.1 ms

3. Telnet to the HTTP port. The TCP connection timed out eventually, but I expected the TCP connection to be refused immediately.

root@ubuntu:/etc/shorewall6# telnet 2001:4998:c:401::c:9101 80
Trying 2001:4998:c:401::c:9101...
telnet: Unable to connect to remote host: Connection timed out

4. The output from "root@ubuntu:/etc/shorewall6# shorewall6 dump -l -x -m > status.txt" is attached.

Bin
On 9/26/12 4:46 PM, "Bin Wang" <binziwang@gmail.com> wrote:

It appears that REJECT is acting like DROP with your kernel. There is nothing that you can do with your Shorewall configuration to correct this. Is this an official Ubuntu kernel? If so, I would submit a problem report.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
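A small probe, added here as an example and not part of the thread, that tells the two behaviours Tom describes apart from the client side: a connect that fails at once with ECONNREFUSED means a REJECT answer (TCP RST or ICMP/ICMPv6 unreachable) came back, while a connect that only times out means the packets were dropped. The loopback targets are constructed for offline testing; pointing probe_tcp at the real destination (the IPv6 address and port 80 from step 3 above) reproduces the telnet check.

```python
import errno
import socket

# When the firewall's REJECT target works, a connect to a blocked port fails
# at once with ECONNREFUSED (TCP RST or ICMP/ICMPv6 unreachable came back).
# When packets are silently dropped, the connect hangs until the timeout,
# which is the symptom reported in this thread.
def probe_tcp(host, port, timeout=3.0):
    """Return 'connected', 'refused', 'timed_out' or 'error:<errno name>'."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "error:%s" % exc.errno
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except socket.timeout:
            return "timed_out"
        except OSError as exc:
            if exc.errno == errno.ECONNREFUSED:
                return "refused"
            return "error:%s" % errno.errorcode.get(exc.errno, exc.errno)
    return "connected"

def diagnose(result):
    """Map a probe result to what it says about filtering in the path."""
    return {
        "connected": "no filtering on this port",
        "refused": "REJECT behaviour: RST or unreachable received",
        "timed_out": "DROP behaviour: no response at all",
    }.get(result, "inconclusive: " + result)

# Constructed test targets on IPv4 loopback (the sandbox may lack ::1):
# a closed port answers with RST, a listening one accepts.
def _closed_loopback_port():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def _listening_loopback():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

if __name__ == "__main__":
    r = probe_tcp("127.0.0.1", _closed_loopback_port())
    print(r, "->", diagnose(r))
```

Run against the IPv6 host from the thread, a 'refused' result means the REJECT target is answering; a 'timed_out' result is the DROP-like behaviour Tom attributes to the kernel.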
Thanks for the help, Tom.

I was using official Ubuntu 12.04, so there must be something wrong with the kernel. I then tried Ubuntu 10.04. Everything works correctly.

Bin