Re: [Shorewall-users] IP address change not surviving reboot
Hello Philip,

I suggest that you go back and review your network setup to double check where your IP address and routes are defined.

On many Debian based Linux distributions interface setup is typically defined at /etc/network/interfaces. This file may sometimes be used to define routes for an interface. There is a man page that may be of use, try the command: man interfaces.

This /etc/network/interfaces file is what is typically used by Linux to allocate your IP address at boot time. If you're getting different IP addresses at boot, it may be because your server is configured to use DHCP to request the allocation of an IP address from a pool of available addresses.

Shorewall uses the network and routing settings that you define for your server in your server configuration files, like /etc/network/interfaces. Shorewall does not define IP addresses and routes for you.

Some other useful commands are (assuming a modern Linux distribution, which I expect that you have, noting your interface name of enps20):

ip address show
ip route show

If you are unfamiliar with these commands view the relevant man page.

Kind regards,
Bruce

> On 17 Aug 2023, at 19:07, Philip Le Riche via Shorewall-users wrote:
>
> Not getting very far with this on the Linux Mint forums - it seems like an IP address change most certainly should survive a reboot, and it seems implausible that such a blatant bug would go unnoticed on a standard set-up.
>
> But Shorewall isn't a standard set-up (quite). A germ of an idea is forming.
>
> I'm using rules in /etc/shorewall/nat to do 2-way natting between Raspberry Pi local addresses and external addresses on the school network, and I set ADD_IP_ALIASES=Yes in shorewall.conf.
>
> I suspect what's happening is that I'm getting into a situation where enp2s0 has an IP address on one subnet and enps20:0-16 created by Shorewall are on a different subnet, and that the confusion is causing a new enp2s0 to be created on rebooting.
>
> The solution would seem to be to turn off the start-on-boot option in shorewall.conf, reboot, do everything needful with the IP configuration, reboot to make sure it sticks, and only then allow Shorewall to start.
>
> I won't be able to try it until Monday at the earliest, but it sounds like there's a subtle mantrap here that could perhaps be highlighted in the docs.
>
> But why does it seem to take 25 seconds to create the NAT aliases? Is this to be expected?
>
> On 15/08/2023 22:02, Philip Le Riche wrote:
>> Thanks Matt -
>>
>> On 15/08/2023 15:56, Matt Darfeuille wrote:
>>> On 8/15/23 15:44, Philip Le Riche via Shorewall-users wrote:
>>>> We have a Shorewall firewall at the school where I volunteer, protecting the school network from a Raspberry
>> snip...
>>>> by Shorewall for NAT rules. Meanwhile, a new enp2s0 has appeared with an IP address I didn't recognise.
>>>
>>> This is a wild guess, to me you have a static network at home and a DHCP set up at school. :)
>> But that wouldn't be representative of the school environment, and I'm not sure how the NAT addresses could be made dynamic. You only need to be clever enough to avoid the DHCP pool to allocate a static address. And I was fortunate that I could use the same 4th octet in both environments and hence capture the Shorewall dependencies in my params file.
>>>> ifconfig shows the base enp2s0 with no IP address, plus the 16 expected
>>>
>>> With a new set up, I would familiarize myself with the iptools PKG! ;^)
>> ifconfig has served me well since SysV. Hey ho. Maybe I have to move with the times.
>>>> shorewall stop and shorewall clear before reapplying the config made no improvement.
>>>
>>> Most likely because it has nothing to do with SW!
>> Most likely.
>>>> Maybe I should be using the CUI commands, but I'll need to read a man page or two first, and I'm not sure whether the GUI tool maintains any of its own data. Anyway, a bit of insight from round here would be appreciated.
>>>
>>> To me, headless mode is the way to go (Webmin comes to mind).
>>>
>> For a server shut away in the basement that sounds like a good option. Must check it out. Except that I'd have had to successfully change the IP address before I could access Webmin (to change the IP address). And for a firewall, it'd add significantly to the attack surface. A quick search for "webmin cve" listed 81 vulnerabilities.

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
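Following Bruce's `ip address show` suggestion, here is an added example (my own code, not from the thread or the Shorewall project): a POSIX shell function, check_aliases, that reads the output of `ip -o -4 address show dev IFACE` and flags the symptom Philip describes, the base interface holding no address while Shorewall's labelled aliases (enp2s0:0 and so on, created by ADD_IP_ALIASES=Yes) sit on another subnet. The sample outputs below are constructed, not captured from the school firewall.

```shell
#!/bin/sh
# Added example, not from the thread. check_aliases IFACE reads the output of
# `ip -o -4 address show dev IFACE` on stdin and reports whether the base
# interface (label equal to IFACE) carries an address and whether any labelled
# alias (IFACE:n, as ADD_IP_ALIASES=Yes creates) sits on a different subnet.
# Exit status: 0 consistent, 1 no address on the base interface, 2 alias on a
# different subnet from the base address.
check_aliases() {
    awk -v iface="$1" '
        # dotted quad + prefix -> network number as an integer
        function netnum(cidr,    a, p, o, n) {
            split(cidr, a, "/"); p = a[2]; split(a[1], o, ".")
            n = o[1]*16777216 + o[2]*65536 + o[3]*256 + o[4]
            return n - (n % (2^(32-p)))
        }
        $3 == "inet" {
            # in -o output the label is the token carrying the trailing backslash
            label = ""
            for (i = 5; i <= NF; i++) if (sub(/\\$/, "", $i)) { label = $i; break }
            if (label == iface) { base = $4; print "base: " base }
            else if (index(label, iface ":") == 1) alias[label] = $4
        }
        END {
            status = 0
            if (base == "") { print "no address on base interface " iface; status = 1 }
            for (l in alias) {
                msg = "alias " l ": " alias[l]
                if (base != "" && netnum(alias[l]) != netnum(base)) {
                    msg = msg " (different subnet from base)"; status = 2
                }
                print msg
            }
            exit status
        }'
}

# Constructed samples of `ip -o -4 address show dev enp2s0` output (not real
# captures). SAMPLE_BROKEN mirrors the thread's symptom: nothing on enp2s0
# itself, only Shorewall aliases. SAMPLE_MIXED has a home-subnet base address
# with school-subnet aliases. SAMPLE_OK is the consistent case.
AL0='2: enp2s0    inet 172.16.5.20/24 brd 172.16.5.255 scope global enp2s0:0\       valid_lft forever preferred_lft forever'
AL1='2: enp2s0    inet 172.16.5.21/24 brd 172.16.5.255 scope global enp2s0:1\       valid_lft forever preferred_lft forever'
SAMPLE_BROKEN="$AL0
$AL1"
SAMPLE_MIXED="2: enp2s0    inet 192.168.1.10/24 brd 192.168.1.255 scope global enp2s0\\       valid_lft forever preferred_lft forever
$AL0"
SAMPLE_OK="2: enp2s0    inet 172.16.5.10/24 brd 172.16.5.255 scope global enp2s0\\       valid_lft forever preferred_lft forever
$AL0
$AL1"

for s in "$SAMPLE_BROKEN" "$SAMPLE_MIXED" "$SAMPLE_OK"; do
    if printf '%s\n' "$s" | check_aliases enp2s0; then echo "consistent"; else echo "problem, status $?"; fi
done
```

On a live box, `ip -o -4 address show dev enp2s0 | check_aliases enp2s0` runs the same check against the real interface.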
Re: [Shorewall-users] IP address change not surviving reboot
Not getting very far with this on the Linux Mint forums - it seems like an IP address change most certainly should survive a reboot, and it seems implausible that such a blatant bug would go unnoticed on a standard set-up.

But Shorewall isn't a standard set-up (quite). A germ of an idea is forming.

I'm using rules in /etc/shorewall/nat to do 2-way natting between Raspberry Pi local addresses and external addresses on the school network, and I set ADD_IP_ALIASES=Yes in shorewall.conf.

I suspect what's happening is that I'm getting into a situation where enp2s0 has an IP address on one subnet and enps20:0-16 created by Shorewall are on a different subnet, and that the confusion is causing a new enp2s0 to be created on rebooting.

The solution would seem to be to turn off the start-on-boot option in shorewall.conf, reboot, do everything needful with the IP configuration, reboot to make sure it sticks, and only then allow Shorewall to start.

I won't be able to try it until Monday at the earliest, but it sounds like there's a subtle mantrap here that could perhaps be highlighted in the docs.

But why does it seem to take 25 seconds to create the NAT aliases? Is this to be expected?

On 15/08/2023 22:02, Philip Le Riche wrote:
> Thanks Matt -
>
> On 15/08/2023 15:56, Matt Darfeuille wrote:
>> On 8/15/23 15:44, Philip Le Riche via Shorewall-users wrote:
>>> We have a Shorewall firewall at the school where I volunteer, protecting the school network from a Raspberry
> snip...
>>> by Shorewall for NAT rules. Meanwhile, a new enp2s0 has appeared with an IP address I didn't recognise.
>>
>> This is a wild guess, to me you have a static network at home and a DHCP set up at school. :)
> But that wouldn't be representative of the school environment, and I'm not sure how the NAT addresses could be made dynamic. You only need to be clever enough to avoid the DHCP pool to allocate a static address. And I was fortunate that I could use the same 4th octet in both environments and hence capture the Shorewall dependencies in my params file.
>>> ifconfig shows the base enp2s0 with no IP address, plus the 16 expected
>>
>> With a new set up, I would familiarize myself with the iptools PKG! ;^)
> ifconfig has served me well since SysV. Hey ho. Maybe I have to move with the times.
>>> shorewall stop and shorewall clear before reapplying the config made no improvement.
>>
>> Most likely because it has nothing to do with SW!
> Most likely.
>>> Maybe I should be using the CUI commands, but I'll need to read a man page or two first, and I'm not sure whether the GUI tool maintains any of its own data. Anyway, a bit of insight from round here would be appreciated.
>>
>> To me, headless mode is the way to go (Webmin comes to mind).
>>
> For a server shut away in the basement that sounds like a good option. Must check it out. Except that I'd have had to successfully change the IP address before I could access Webmin (to change the IP address). And for a firewall, it'd add significantly to the attack surface. A quick search for "webmin cve" listed 81 vulnerabilities.
Re: [Shorewall-users] IP address change not surviving reboot
On 8/15/23 15:44, Philip Le Riche via Shorewall-users wrote:
> We have a Shorewall firewall at the school where I volunteer, protecting the school network from a Raspberry Pi farm on which students necessarily have root privileges. I rebuilt it at home on newer hardware with the outside interface IP address reflecting my home 192.168 network instead of the school 172. network. I took it in to school today and attempted to reconfigure the outside interface IP.
>
> Using the GUI (Linux Mint XFCE), I changed the outside NIC IP address, netmask, def g/w and DNS server. In the GUI, the outside NIC (enp2s0) has the label SchlNet. Shorewall IP address dependencies are encapsulated in /etc/shorewall/params, and I changed those.
>
> After a reboot, the GUI shows SchlNet has lost its configured IP address but gained 16 alias addresses added by Shorewall for NAT rules. Meanwhile, a new enp2s0 has appeared with an IP address I didn't recognise.

This is a wild guess, to me you have a static network at home and a DHCP set up at school. :)

> ifconfig shows the base enp2s0 with no IP address, plus the 16 expected

With a new set up, I would familiarize myself with the iptools PKG! ;^)

> shorewall stop and shorewall clear before reapplying the config made no improvement.

Most likely because it has nothing to do with SW!

> Maybe I should be using the CUI commands, but I'll need to read a man page or two first, and I'm not sure whether the GUI tool maintains any of its own data. Anyway, a bit of insight from round here would be appreciated.

To me, headless mode is the way to go (Webmin comes to mind).

--
Matt Darfeuille
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
Re: [Shorewall-users] IP address change not surviving reboot
Hi Philip,

> This may be an underlying Linux problem but I first of all need to run it past you guys and gals here as few people on Linux forums will be familiar with Shorewall.
>
> We have a Shorewall firewall at the school where I volunteer, protecting the school network from a Raspberry Pi farm on which students necessarily have root privileges. I rebuilt it at home on newer hardware with the outside interface IP address reflecting my home 192.168 network instead of the school 172. network. I took it in to school today and attempted to reconfigure the outside interface IP.
>
> Using the GUI (Linux Mint XFCE), I changed the outside NIC IP address, netmask, def g/w and DNS server. In the GUI, the outside NIC (enp2s0) has the label SchlNet. Shorewall IP address dependencies are encapsulated in /etc/shorewall/params, and I changed those.
>
> After a reboot, the GUI shows SchlNet has lost its configured IP address but gained 16 alias addresses added by Shorewall for NAT rules. Meanwhile, a new enp2s0 has appeared with an IP address I didn't recognise.
>
> ifconfig shows the base enp2s0 with no IP address, plus the 16 expected NAT addresses on enp2s0:0:15 (or 1-16 - I forget).
>
> I tried deleting the spurious enp2s0 and reapplying the IP config to SchlNet, but the same happened after a reboot.
>
> I also tried deleting SchlNet, configuring the new enp2s0 and renaming it SchlNet, with exactly the same result after a reboot.
>
> shorewall stop and shorewall clear before reapplying the config made no improvement.
>
> Maybe I should be using the CUI commands, but I'll need to read a man page or two first, and I'm not sure whether the GUI tool maintains any of its own data. Anyway, a bit of insight from round here would be appreciated.

Unfortunately you seem to have more problems with your Linux distribution than with Shorewall itself. There are half a dozen possible ways your interfaces can get configured these days. Could be some script or NetworkManager or systemd-networkd or something else. You should investigate this and then you may get an idea on how to configure it properly. These modern tools have advantages but they can also be terrible beasts :)

Regards,
Simon
[Shorewall-users] IP address change not surviving reboot
This may be an underlying Linux problem but I first of all need to run it past you guys and gals here as few people on Linux forums will be familiar with Shorewall.

We have a Shorewall firewall at the school where I volunteer, protecting the school network from a Raspberry Pi farm on which students necessarily have root privileges. I rebuilt it at home on newer hardware with the outside interface IP address reflecting my home 192.168 network instead of the school 172. network. I took it in to school today and attempted to reconfigure the outside interface IP.

Using the GUI (Linux Mint XFCE), I changed the outside NIC IP address, netmask, def g/w and DNS server. In the GUI, the outside NIC (enp2s0) has the label SchlNet. Shorewall IP address dependencies are encapsulated in /etc/shorewall/params, and I changed those.

After a reboot, the GUI shows SchlNet has lost its configured IP address but gained 16 alias addresses added by Shorewall for NAT rules. Meanwhile, a new enp2s0 has appeared with an IP address I didn't recognise.

ifconfig shows the base enp2s0 with no IP address, plus the 16 expected NAT addresses on enp2s0:0:15 (or 1-16 - I forget).

I tried deleting the spurious enp2s0 and reapplying the IP config to SchlNet, but the same happened after a reboot.

I also tried deleting SchlNet, configuring the new enp2s0 and renaming it SchlNet, with exactly the same result after a reboot.

shorewall stop and shorewall clear before reapplying the config made no improvement.

Maybe I should be using the CUI commands, but I'll need to read a man page or two first, and I'm not sure whether the GUI tool maintains any of its own data. Anyway, a bit of insight from round here would be appreciated.

Regards - Philip