Hi folks,

I'm having an issue with rsync between my firewall and an internal box. It seems to be a shorewall issue (or correctly speaking, an issue with my shorewall config) because if I disable shorewall my rsync works fine.

And I just can't find it documented anywhere what I need to do.

I have rules like this :

root@userver:/etc/shorewall# grep -i Rsync rules
Rsync(ACCEPT) $FW loc
Rsync(ACCEPT) loc $FW

But still when I do an rsync basically the destination end is able to create the directory tree as rsync always does first, but then the first file it tries to xfer gets stuck at a zero file size.

If I disable shorewall and retry it works.

What am I doing wrong?

thanks,
-Alan

-- 
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

Well it seems to be more than rsync ... scp gets throttled pretty severely too until I disable shorewall.

I'm not sure what the heck I'm doing wrong. Will start looking into it. I'm guessing maybe my VOIP traffic shaping must be the cause but we shall see..

I started an scp of an 18G file and it was clipping along nicely with shorewall disabled, and as soon as I enabled shorewall it dropped right down to near nothing.

-- 
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

Hi,

Edit policy and add info to the loc record:

    loc $FW DROP info

Then you can check your logs to see if the firewall is dropping it, and why it's dropping it.

Is your rsync connection trying files over ssh? Do you have ssh open?

On Mon, Sep 16, 2013 at 12:43 PM, Alan McKay <alan.mckay@gmail.com> wrote:
> Hi folks,
>
> I'm having an issue with rsync between my firewall and an internal
> box. It seems to be a shorewall issue (or correctly speaking, an
> issue with my shorewall config) because if I disable shorewall my
> rsync works fine.
>
> And I just can't find it documented anywhere what I need to do.
>
> I have rules like this :
>
> root@userver:/etc/shorewall# grep -i Rsync rules
> Rsync(ACCEPT) $FW loc
> Rsync(ACCEPT) loc $FW
>
> But still when I do an rsync basically the destination end is able to
> create the directory tree as rsync always does first, but then the
> first file it tries to xfer gets stuck at a zero file size.
>
> If I disable shorewall and retry it works.
>
> What am I doing wrong?
>
> thanks,
> -Alan
>
> --
> “Don't eat anything you've ever seen advertised on TV”
> - Michael Pollan, author of "In Defense of Food"

On Mon, Sep 16, 2013 at 3:56 PM, Alan McKay <alan.mckay@gmail.com> wrote:
> I'm guessing maybe my VOIP traffic shaping must be the cause but
> we shall see..

Yup, I disable traffic shaping in shorewall.conf and rsync works fine.

I did have this :

TC_ENABLED=Internal

so that uses tcrules, tcclasses, tcdevices

eth0 is my external interface and eth2 is internal

tcrules

FORMAT 2
##########################################################################################################################################
#
#ACTION  SOURCE            DEST              PROTO  PORT(S)  SOURCE  USER  TEST  LENGTH  TOS  CONNBYTES  HELPER
#
4:T      0.0.0.0/0         0.0.0.0/0         TCP    -        -       -     -     -       -    -          ftp
1        0.0.0.0/0         0.0.0.0/0         TCP    -        -       -     -     -       -    -          sip
1        172.30.99.5/32    0.0.0.0/0
1        0.0.0.0/0         172.30.99.5/32
1        199.21.149.36/32  0.0.0.0/0
1        0.0.0.0/0         199.21.149.36/32

tcdevices

#NUMBER:     IN-BANDWITH  OUT-BANDWIDTH  OPTIONS  REDIRECTED
#INTERFACE                                        INTERFACES
1:eth0       -            1Mbit
2:eth2       1000Mbit     1000Mbit

tcclasses:

###############################################################################
#INTERFACE:CLASS  MARK  RATE:      CEIL     PRIORITY  OPTIONS
#                       DMAX:UMAX
eth0              1     100kbit    180kbit  1         tos=0x68/0xfc,tos=0xb8/0xfc
eth0              2     full/2     full     2         tcp-ack,tos-minimize-delay
eth0              3     full/2     full     3         default
eth0              4     full/4     full/2   4
eth2              1     100kbit    180kbit  1         tos=0x68/0xfc,tos=0xb8/0xfc
eth2              2     full/2     full     2         tcp-ack,tos-minimize-delay
eth2              3     full/2     full     3         default
eth2              4     full/4     full/2   4

-- 
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 9/16/2013 1:08 PM, Alan McKay wrote:
> On Mon, Sep 16, 2013 at 3:56 PM, Alan McKay <alan.mckay@gmail.com> wrote:
>> I'm guessing maybe my VOIP traffic shaping must be the cause but
>> we shall see..
>
> Yup, I disable traffic shaping in shorewall.conf and rsync works fine.
>
> I did have this :
>
> TC_ENABLED=Internal
>
> so that uses tcrules, tcclasses, tcdevices
>
> eth0 is my external interface and eth2 is internal

Alan,

This is a FAQ. Look at the traffic control section of
http://www.shorewall.net/FAQ.html

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

On Mon, Sep 16, 2013 at 5:29 PM, Tom Eastep <teastep@shorewall.net> wrote:
> This is a FAQ. Look at the traffic control section of
> http://www.shorewall.net/FAQ.html

Thanks but I am not sure what section you are talking about ... I don't see a Traffic Control section. I see a Traffic Shaping section but it only has one FAQ that does not seem to apply to me since shorewall starts fine for me.

http://www.shorewall.net/FAQ.html#faq67

And searching I find only one instance in the whole FAQ of any of "tcrules", "tcinterfaces" or "tcdevices"

So I then read through the entire table of contents and the only other FAQ I can see that might apply is

http://www.shorewall.net/FAQ.html#faq17

In which case you are telling me to check through the logs (OK, I should have done that anyway)

Am I missing something obvious?

-- 
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On Mon, Sep 16, 2013 at 7:15 PM, Alan McKay <alan.mckay@gmail.com> wrote:
> Am I missing something obvious?

OK I guess you meant this one

http://www.shorewall.net/FAQ.htm#faq97

Seems to work now. Thanks!

-- 
“Don't eat anything you've ever seen advertised on TV”
- Michael Pollan, author of "In Defense of Food"

On 9/16/2013 4:20 PM, Alan McKay wrote:
> On Mon, Sep 16, 2013 at 7:15 PM, Alan McKay <alan.mckay@gmail.com> wrote:
>> Am I missing something obvious?
>
> OK I guess you meant this one
>
> http://www.shorewall.net/FAQ.htm#faq97
>
> Seems to work now. Thanks!

Sorry about that -- the first URL was a very old version that I've removed from the main site. It will be removed from the mirrors (like www.shorewall.net) at the next rsync.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________