I just set up a new system with Ubuntu 12.04 and Shorewall and I'm having an issue where web traffic is not working from the local net to the Internet; however, pings from the local net to Google work. All files right now are the defaults from the two-interface example, though I have set the IP_FORWARDING setting to on and have even set a rule of ACCEPT loc net all without a change in behavior. Please shed some light on this problem because I am baffled.

Thanks,
Nathan
On 9/30/12 3:57 PM, Nathan Kennedy wrote:
> I just setup a new system with Ubuntu 12.04 and shorewall and I'm having
> an issue where web traffic is not working from the local net to the
> Internet, however pings from the local net to google work. All files
> right now are the defaults from the 2 interface example though I have
> set the IP_FORWARDING setting to on and have even set a rule of ACCEPT
> loc net all without a change in behavior.
> Please shed some light on this problem because I am baffled.

Please shed some light, yourself; "It doesn't work" isn't a problem report that we can do anything with.

See http://www.shorewall.net/support.htm#Guidelines

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
I understand that "It doesn't work" doesn't help too much, but frankly this is confusing me as all get out. I have set up Shorewall a ton of times on previous versions of Ubuntu, Gentoo and CentOS with no problems, yet this one is causing me fits. Why would ping to the outside world work but no other protocols are being allowed out, and there are no log entries to speak of? I'm not totally certain this is entirely a Shorewall issue, but I am at a loss for a place to look other than dropping to Ubuntu 10.04 and getting it set up there where I know it works.

Nathan

On 09/30/2012 06:40 PM, Tom Eastep wrote:
> On 9/30/12 3:57 PM, Nathan Kennedy wrote:
>> I just setup a new system with Ubuntu 12.04 and shorewall and I'm having
>> an issue where web traffic is not working from the local net to the
>> Internet, however pings from the local net to google work. All files
>> right now are the defaults from the 2 interface example though I have
>> set the IP_FORWARDING setting to on and have even set a rule of ACCEPT
>> loc net all without a change in behavior.
>> Please shed some light on this problem because I am baffled.
> Please shed some light, yourself; "It doesn't work" isn't a problem
> report that we can do anything with.
>
> See http://www.shorewall.net/support.htm#Guidelines
>
> -Tom
On 9/30/12 6:49 PM, Nathan Kennedy wrote:
> I understand that "It doesn't work" doesn't help too much but frankly
> this is confusing me as all get out. I have setup shorewall a ton of
> times on previous versions of Ubuntu, Gentoo and CentOS with no problems
> yet this one is causing me fits. Why would ping to the outside world
> work but no other protocols are being allowed out and there are no log
> entries to speak of? I'm not totally certain this is entirely a
> shorewall issue but I am lost for place to look other than dropping to
> ubuntu 10.04 and getting it setup there where I know it works.

As I indicated in my earlier post, there is information that you could provide that might help us help you. If you don't want to give us that information, then falling back to 10.04 is your only option.

-Tom
I am completely obtuse for some reason today; I'll send the list a dump tomorrow morning.

Nathan

On 09/30/2012 07:12 PM, Tom Eastep wrote:
> On 9/30/12 6:49 PM, Nathan Kennedy wrote:
>> I understand that "It doesn't work" doesn't help too much but frankly
>> this is confusing me as all get out. I have setup shorewall a ton of
>> times on previous versions of Ubuntu, Gentoo and CentOS with no problems
>> yet this one is causing me fits. Why would ping to the outside world
>> work but no other protocols are being allowed out and there are no log
>> entries to speak of? I'm not totally certain this is entirely a
>> shorewall issue but I am lost for place to look other than dropping to
>> ubuntu 10.04 and getting it setup there where I know it works.
> As I indicated in my earlier post, there is information that you could
> provide that might help us help you. If you don't want to give us that
> information, then falling back to 10.04 is your only option.
>
> -Tom
Here is the dump file. One thing that was interesting was that when I ran the dump command with the redirect it came up with a message saying "command line incomplete", though this message did not appear when running it normally.
In this dump I am simply trying to get out to www.freshmeat.net from my internal host 192.168.30.4.

Thank you for your assistance and patience.

On 09/30/2012 07:12 PM, Tom Eastep wrote:
> On 9/30/12 6:49 PM, Nathan Kennedy wrote:
>> I understand that "It doesn't work" doesn't help too much but frankly
>> this is confusing me as all get out. I have setup shorewall a ton of
>> times on previous versions of Ubuntu, Gentoo and CentOS with no problems
>> yet this one is causing me fits. Why would ping to the outside world
>> work but no other protocols are being allowed out and there are no log
>> entries to speak of? I'm not totally certain this is entirely a
>> shorewall issue but I am lost for place to look other than dropping to
>> ubuntu 10.04 and getting it setup there where I know it works.
> As I indicated in my earlier post, there is information that you could
> provide that might help us help you. If you don't want to give us that
> information, then falling back to 10.04 is your only option.
>
> -Tom
On 10/2/12 3:03 PM, "Nathan Kennedy" <nethinim@flidais.net> wrote:
>
> Here is the dump file, one thing that was interesting was that when I ran the
> dump command with the redirect it came up with a message saying command line
> incomplete, though this message did not appear when running it normally.
> In this dump I am simply trying to get out to the www.freshmeat.net
> from my internal host 192.168.30.4.
>
> Thank you for your assistance and patience.

Just to be clear: From a host in the loc zone, 'ping www.freshmeat.net' works but you can't access the web site using a browser, is that correct?

Also, from the dump I see that there are existing loc->net http connections. For example:

    tcp 6 382462 ESTABLISHED src=192.168.30.4 dst=173.194.33.57 sport=57624 dport=80 src=173.194.33.57 dst=98.225.53.236 sport=80 dport=57624 [ASSURED] mark=0 use=2

So this doesn't seem to be a general problem of http from loc->net.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
On 10/2/12 3:03 PM, "Nathan Kennedy" <nethinim@flidais.net> wrote:
>
> Here is the dump file, one thing that was interesting was that when I ran the
> dump command with the redirect it came up with a message saying command line
> incomplete, though this message did not appear when running it normally.

There are known issues with 4.4 versions of Shorewall with the 3.2 kernel; for example, the dump you provided doesn't show the routing table.

-Tom
On 10/02/2012 04:23 PM, Tom Eastep wrote:
> On 10/2/12 3:03 PM, "Nathan Kennedy" <nethinim@flidais.net> wrote:
>
>     Here is the dump file, one thing that was interesting was that
>     when I ran the dump command with the redirect it came up with a
>     message saying command line incomplete, though this message did
>     not appear when running it normally.
>     In this dump I am simply trying to get out to the
>     www.freshmeat.net from my internal host 192.168.30.4.
>
>     Thank you for your assistance and patience.
>
>
> Just to be clear: From a host in the loc zone, 'ping
> www.freshmeat.net' works but you can't access the web site using a
> browser, is that correct?
>
Correct, and on my last test I also noticed that I could not connect via IMAP either.

> Also, from the dump I see that there are existing loc->net http
> connections. For example:
>
> tcp 6 382462 ESTABLISHED src=192.168.30.4 dst=173.194.33.57
> sport=57624 dport=80 src=173.194.33.57 dst=98.225.53.236 sport=80
> dport=57624 [ASSURED] mark=0 use=2
>
I had my browser up, but for the test I opened a new tab and attempted the connection. I have also done this with a completely fresh web browser and had the same result.

> So this doesn't seem to be a general problem of http from loc->net.
>
Right, it's anything but ping.

> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.
On 10/02/2012 09:01 PM, Nathan Kennedy wrote:
> On 10/02/2012 04:23 PM, Tom Eastep wrote:
>> On 10/2/12 3:03 PM, "Nathan Kennedy" <nethinim@flidais.net> wrote:
>>
>>     Here is the dump file, one thing that was interesting was that
>>     when I ran the dump command with the redirect it came up with a
>>     message saying command line incomplete, though this message did
>>     not appear when running it normally.
>>     In this dump I am simply trying to get out to the
>>     www.freshmeat.net from my internal host 192.168.30.4.
>>
>>     Thank you for your assistance and patience.
>>
>>
>> Just to be clear: From a host in the loc zone, 'ping
>> www.freshmeat.net' works but you can't access the web site using a
>> browser, is that correct?
>>
> Correct, and on my last test I also noticed that I could not connect via
> IMAP either.
>> Also, from the dump I see that there are existing loc->net http
>> connections. For example:
>>
>> tcp 6 382462 ESTABLISHED src=192.168.30.4 dst=173.194.33.57
>> sport=57624 dport=80 src=173.194.33.57 dst=98.225.53.236 sport=80
>> dport=57624 [ASSURED] mark=0 use=2
>>
> I had my browser up but for the test I opened a new tab and attempted
> the connection, I have also done this with a completely fresh web
> browser and had the same result.
>> So this doesn't seem to be a general problem of http from loc->net.
>>
> Right, it's anything but ping.

My point was that HTTP connections are being established. So what exactly do you see on your browser?

-Tom
On 10/03/2012 08:38 AM, Tom Eastep wrote:
> On 10/02/2012 09:01 PM, Nathan Kennedy wrote:
>> On 10/02/2012 04:23 PM, Tom Eastep wrote:
>>> On 10/2/12 3:03 PM, "Nathan Kennedy" <nethinim@flidais.net> wrote:
>>>
>>>     Here is the dump file, one thing that was interesting was that
>>>     when I ran the dump command with the redirect it came up with a
>>>     message saying command line incomplete, though this message did
>>>     not appear when running it normally.
>>>     In this dump I am simply trying to get out to the
>>>     www.freshmeat.net from my internal host 192.168.30.4.
>>>
>>>     Thank you for your assistance and patience.
>>>
>>>
>>> Just to be clear: From a host in the loc zone, 'ping
>>> www.freshmeat.net' works but you can't access the web site using a
>>> browser, is that correct?
>>>
>> Correct, and on my last test I also noticed that I could not connect via
>> IMAP either.
>>> Also, from the dump I see that there are existing loc->net http
>>> connections. For example:
>>>
>>> tcp 6 382462 ESTABLISHED src=192.168.30.4 dst=173.194.33.57
>>> sport=57624 dport=80 src=173.194.33.57 dst=98.225.53.236 sport=80
>>> dport=57624 [ASSURED] mark=0 use=2
>>>
>> I had my browser up but for the test I opened a new tab and attempted
>> the connection, I have also done this with a completely fresh web
>> browser and had the same result.
>>> So this doesn't seem to be a general problem of http from loc->net.
>>>
>> Right, it's anything but ping.
> My point was that HTTP connections are being established. So what
> exactly do you see on your browser?
>
> -Tom

Hi Tom,

The browser times out.

Nathan
On 10/03/2012 08:48 AM, Nathan Kennedy wrote:
> Hi Tom,
>
> The browser times out.
>
Hi Nathan,

Have you looked at the traffic on the external interface using Wireshark or tcpdump?

Thanks,
-Tom
On 10/03/2012 08:59 AM, Tom Eastep wrote:
> On 10/03/2012 08:48 AM, Nathan Kennedy wrote:
>
>> Hi Tom,
>>
>> The browser times out.
>>
> Hi Nathan,
>
> Have you looked at the traffic on the external interface using Wireshark
> or tcpdump?
>
> Thanks,
> -Tom

I have not as of yet; I will get tcpdump on there and test it later today.
On 10/03/2012 09:08 AM, Nathan Kennedy wrote:
> On 10/03/2012 08:59 AM, Tom Eastep wrote:
>> Have you looked at the traffic on the external interface using Wireshark
>> or tcpdump?
> I have not as of yet, I will get tcpdump on there and test it later today

Thanks. You might also install the conntrack utility so we can see the packet and byte counts on the connections.

-Tom
On 10/03/2012 09:08 AM, Nathan Kennedy wrote:
> On 10/03/2012 08:59 AM, Tom Eastep wrote:
>> On 10/03/2012 08:48 AM, Nathan Kennedy wrote:
>>
>>> Hi Tom,
>>>
>>> The browser times out.
>>>
>> Hi Nathan,
>>
>> Have you looked at the traffic on the external interface using Wireshark
>> or tcpdump?
>>
>> Thanks,
>> -Tom
> I have not as of yet, I will get tcpdump on there and test it later today

Any luck?

FWIW, I just installed Ubuntu 12.04 on a two-interface VM. A second VM host connected to the virtualized internal network can access the Internet through the first VM without an issue. I have Shorewall version 4.4.26.1 on the Ubuntu box with a minimally-modified two-interface Sample configuration.

-Tom
On 10/05/2012 10:10 AM, Tom Eastep wrote:
> Any luck?
>
> FWIW, I just installed Ubuntu 12.04 on a two-interface VM. A second VM
> host connected to the virtualized internal network can access the
> Internet through the first VM without an issue. I have Shorewall version
> 4.4.26.1 on the Ubuntu box with a minimally-modified two-interface
> Sample configuration.

Hi Nathan,

I just took another look at the dump you posted and I notice that you are getting a very significant error rate on eth0:

    2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 576 qdisc mq state DOWN qlen 1000
        link/ether 00:50:45:5d:4e:50 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        5018753    32017    2319    3       0       23
        TX: bytes  packets  errors  dropped carrier collsns
        961625     10154    0       0       0       0

I wonder if your problem might be related to these errors (such as small packets getting passed okay but large ones generating errors).

-Tom
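A small check, added here as an illustration and not part of the thread or of Shorewall, that parses the "ip -s link" block a dump contains and flags the three link-layer symptoms Tom points at above (no carrier, the MTU of 576, the RX error rate). The sample input is the eth0 block quoted from the dump; the 1% error-rate and 1500-byte MTU thresholds are assumptions.

```python
"""Flag link-layer symptoms in 'ip -s link' output, the block that a
'shorewall dump' includes. Added example, not part of the thread or of
Shorewall itself."""
import re

# Sample input: the eth0 block quoted from the dump in the thread.
SAMPLE = """\
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 576 qdisc mq state DOWN qlen 1000
    link/ether 00:50:45:5d:4e:50 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    5018753    32017    2319    3       0       23
    TX: bytes  packets  errors  dropped carrier collsns
    961625     10154    0       0       0       0
"""

# Interface header line: "<idx>: <name>: <FLAGS> mtu N ... state S ..."
HEADER_RE = re.compile(
    r"^\d+:\s+(\S+):\s+<([^>]*)>.*?\bmtu\s+(\d+).*?\bstate\s+(\S+)"
)


def parse_ip_link_stats(text):
    """Return {ifname: {"flags", "mtu", "state", "RX", "TX"}} from 'ip -s link' text."""
    ifaces = {}
    cur = None
    pending = None   # "RX" or "TX" while the next line carries that counter row
    cols = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, flags, mtu, state = m.groups()
            cur = ifaces[name] = {"flags": flags.split(","),
                                  "mtu": int(mtu), "state": state}
            continue
        s = line.strip()
        if cur is None:
            continue
        if s.startswith(("RX:", "TX:")):
            pending, cols = s[:2], s[3:].split()   # column names for the next row
        elif pending:
            cur[pending] = dict(zip(cols, (int(v) for v in s.split())))
            pending = None
    return ifaces


def link_symptoms(iface, max_err_rate=0.01, min_mtu=1500):
    """List reasons to check the link before blaming the firewall rules.
    Thresholds (1% RX errors, MTU below 1500) are assumptions, not Shorewall's."""
    problems = []
    if "NO-CARRIER" in iface["flags"] or iface["state"] == "DOWN":
        problems.append("no carrier / link state DOWN")
    if iface["mtu"] < min_mtu:
        # Small packets (ping) fit; full-size TCP segments may not.
        problems.append("mtu %d is below %d" % (iface["mtu"], min_mtu))
    rx = iface.get("RX", {})
    pkts = rx.get("packets", 0)
    if pkts and rx.get("errors", 0) / float(pkts) > max_err_rate:
        problems.append("RX error rate %.1f%%" % (100.0 * rx["errors"] / pkts))
    return problems


if __name__ == "__main__":
    for name, iface in parse_ip_link_stats(SAMPLE).items():
        print(name, link_symptoms(iface) or "no link-layer symptoms")
```

Run against a full "ip -s link" capture it reports per interface, so a NAT box whose internal side is clean but whose external side looks like the block above is separated from a rules problem in one pass.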
Just wanted to follow up on this really quick. I decided to mess about with Debian a bit more, so I installed Debian today and had the exact same setup as the Ubuntu box, only this time everything worked without a hitch.
I am curious if there may have been a module issue with the Ethernet controllers, since the system is using Broadcom Ethernet controllers which require the non-free modules.

Nathan

On 10/05/2012 10:10 AM, Tom Eastep wrote:
> On 10/03/2012 09:08 AM, Nathan Kennedy wrote:
>> On 10/03/2012 08:59 AM, Tom Eastep wrote:
>>> On 10/03/2012 08:48 AM, Nathan Kennedy wrote:
>>>
>>>> Hi Tom,
>>>>
>>>> The browser times out.
>>>>
>>> Hi Nathan,
>>>
>>> Have you looked at the traffic on the external interface using Wireshark
>>> or tcpdump?
>>>
>>> Thanks,
>>> -Tom
>> I have not as of yet, I will get tcpdump on there and test it later today
> Any luck?
>
> FWIW, I just installed Ubuntu 12.04 on a two-interface VM. A second VM
> host connected to the virtualized internal network can access the
> Internet through the first VM without an issue. I have Shorewall version
> 4.4.26.1 on the Ubuntu box with a minimally-modified two-interface
> Sample configuration.
>
> -Tom
On 11/7/12 4:29 PM, "Nathan Kennedy" <nethinim@flidais.net> wrote:
> Just wanted to follow up on this really quick. I decided to mess about
> with Debian a bit more so I installed Debian today and had the exact
> same setup as the Ubuntu box only this time everything worked without a
> hitch.
> I am curious if there may have been a module issue with the ethernet
> controllers since the system is using broadcom ethernet controllers
> which require the non-free modules.

Hard to say. In any event, glad to hear that you got it running.

-Tom