Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-12 Thread Tom Eastep

On 01/12/2017 08:28 AM, Philip Le Riche wrote:
> Slightly off-topic, but in case anyone picked up on my problem with
> the mobile data dongle, if it doesn't connect by itself the trick
> seems to be to eject the CDROM that it throws at you. It then
> presents the GSM modem and connects. Whether or not shorewall is
> started, stopped or clear is irrelevant but it needs to be
> restarted after ppp0 has come up.
> 

If ppp0 is defined as 'optional' in the interfaces file, all that is
required with recent versions is 'shorewall enable ppp0'.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \

--
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-12 Thread Philip Le Riche
Slightly off-topic, but in case anyone picked up on my problem with the
mobile data dongle, if it doesn't connect by itself the trick seems to
be to eject the CDROM that it throws at you. It then presents the GSM
modem and connects. Whether or not shorewall is started, stopped or
clear is irrelevant but it needs to be restarted after ppp0 has come up.

Regards - Philip

On 11/01/2017 22:53, Tom Eastep wrote:
> On 01/11/2017 01:31 PM, Philip Le Riche wrote:
> > Great - thanks Tom! Removing routefilter from the 2 outbound
> > interfaces did the trick. I can now do both traceroute and http
> > from the Pi, and the -i option fixed traceroute on the firewall
> > itself. I would have given up long before stumbling across
> > routefilter.
>
> > I haven't seen the dhcpd startup problem again so I assume that's
> > gone away. However the mobile dongle startup seems to be getting
> > more unreliable but that seems to be USB problem not a shorewall
> > one assuming the kernel USB and networking stacks are completely
> > disjoint. (/var/log/messages shows it sometimes recognising the
> > mass storage device and/or the CDROM on the dongle but not the GSM
> > modem, or detecting it as a serial device but not doing anything
> > with it).
>
> > Thanks again for excellent support.
>
> Glad to hear that it is working.
>
> -Tom




Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-11 Thread Tom Eastep

On 01/11/2017 01:31 PM, Philip Le Riche wrote:
> Great - thanks Tom! Removing routefilter from the 2 outbound
> interfaces did the trick. I can now do both traceroute and http
> from the Pi, and the -i option fixed traceroute on the firewall
> itself. I would have given up long before stumbling across
> routefilter.
> 
> I haven't seen the dhcpd startup problem again so I assume that's
> gone away. However the mobile dongle startup seems to be getting
> more unreliable but that seems to be USB problem not a shorewall
> one assuming the kernel USB and networking stacks are completely
> disjoint. (/var/log/messages shows it sometimes recognising the
> mass storage device and/or the CDROM on the dongle but not the GSM
> modem, or detecting it as a serial device but not doing anything
> with it).
> 
> Thanks again for excellent support.

Glad to hear that it is working.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-11 Thread Philip Le Riche
Great - thanks Tom! Removing routefilter from the 2 outbound interfaces
did the trick. I can now do both traceroute and http from the Pi, and
the -i option fixed traceroute on the firewall itself. I would have
given up long before stumbling across routefilter.

I haven't seen the dhcpd startup problem again so I assume that's gone
away. However the mobile dongle startup seems to be getting more
unreliable but that seems to be USB problem not a shorewall one assuming
the kernel USB and networking stacks are completely disjoint.
(/var/log/messages shows it sometimes recognising the mass storage
device and/or the CDROM on the dongle but not the GSM modem, or
detecting it as a serial device but not doing anything with it).

Thanks again for excellent support.

Best regards - Philip

On 11/01/2017 19:46, Tom Eastep wrote:
> On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> > Hi Tom -
>
> > Several other problems which may or may not be related: 1.
> > traceroute getting send: operation not permitted when run from the
> > firewall itself.
>
> As pointed out in http://www.shorewall.org/MultiISP.html, packet
> marking is unreliable when applied to connections originating from the
> firewall. Try using the '-i' option of traceroute from the firewall.
>
> > 2. Mobile data dongle not starting with shorewall running -
> > possibly the same problem as 1.
>
> No clue -- are there any 'Shorewall' messages logged when this occurs?
>
> > 3. dhcpd not starting reliably - possibly a startup sequence
> > problem - it's worked the last twice and I didn't record the
> > message but was something about no available NICs to serve on.
>
> Sounds like a startup sequencing issue. Can't tell without seeing the
> messages.
>
> -Tom




Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-11 Thread Tom Eastep

On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> Hi Tom -

> Several other problems which may or may not be related: 1.
> traceroute getting send: operation not permitted when run from the 
> firewall itself.

As pointed out in http://www.shorewall.org/MultiISP.html, packet
marking is unreliable when applied to connections originating from the
firewall. Try using the '-i' option of traceroute from the firewall.

> 2. Mobile data dongle not starting with shorewall running -
> possibly the same problem as 1.

No clue -- are there any 'Shorewall' messages logged when this occurs?

> 3. dhcpd not starting reliably - possibly a startup sequence
> problem - it's worked the last twice and I didn't record the
> message but was something about no available NICs to serve on.

Sounds like a startup sequencing issue. Can't tell without seeing the
messages.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-11 Thread Tom Eastep

On 01/11/2017 03:21 AM, Philip Le Riche wrote:
> Hi Tom -
> 
> Here are a couple of pcaps on ppp0 from wireshark, one with ppp0
> as fallback (traceroute from the Pi doesn't work but web does) and
> with ppp0 with no options (traceroute works but web doesn't).
> 
> In both cases you can see the udp packets going out and icmp
> timeouts coming back but with fallback they don't seem to make it
> back to the Pi. It looks like shorewall isn't opening the reverse
> path. Hopefully the inconsistent web behaviour is another
> consequence of the same problem.
> 
> Several other problems which may or may not be related: 1.
> traceroute getting send: operation not permitted when run from the 
> firewall itself. 2. Mobile data dongle not starting with shorewall
> running - possibly the same problem as 1. 3. dhcpd not starting
> reliably - possibly a startup sequence problem - it's worked the
> last twice and I didn't record the message but was something about
> no available NICs to serve on.
> 

Turn off route filtering. From the dump:

/proc
...
   /proc/sys/net/ipv4/conf/eno1/rp_filter = 1
   /proc/sys/net/ipv4/conf/ppp0/rp_filter = 1


You have 'routefilter' specified on both provider interfaces. From
shorewall-interfaces(5):

Note
There are certain cases where routefilter cannot be used on an interface:

If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is
listed in shorewall-providers(5).

If there is an entry for the interface in shorewall-providers(5)
that doesn't specify the balance option.

...

Set 'routefilter=0' for both interfaces.

-Tom

-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \

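A configuration check for the restriction Tom quotes above, added here as an example and not part of the thread or of Shorewall itself. It parses an interfaces file and a providers file (the constructed sample is the configuration Philip posted, with the fallback option Tom asked him to set), flags interfaces that carry routefilter while being listed in providers without balance, and rewrites them to routefilter=0. The use_default_rt parameter is an assumption standing in for reading USE_DEFAULT_RT from shorewall.conf.

```python
"""Check a Shorewall interfaces/providers pair for the routefilter restriction
in shorewall-interfaces(5): routefilter cannot be used on an interface listed
in providers without the 'balance' option, nor on any provider interface when
USE_DEFAULT_RT=Yes.  Example code, not Shorewall's own."""

# Constructed sample input: the configuration posted in this thread, with the
# 'fallback' option added to the raw provider as requested on the list.
INTERFACES = """\
#ZONE   INTERFACE         OPTIONS
schl    eno1              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet   enx00e04c534458   tcpflags,nosmurfs,routefilter,logmartians
inet    ppp0              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
"""

PROVIDERS = """\
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw     1       1     -          ppp0       -            fallback
school  2       -     -          eno1       192.168.1.1  primary
"""


def parse_table(text):
    """Split a Shorewall table file into rows of whitespace-separated
    columns, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        body = line.split('#', 1)[0].strip()
        if body:
            rows.append(body.split())
    return rows


def interface_options(text):
    """Map interface name -> {option name: value}; a bare option maps to ''."""
    result = {}
    for cols in parse_table(text):
        if len(cols) < 2:
            continue
        opts = {}
        if len(cols) >= 3 and cols[2] != '-':
            for opt in cols[2].split(','):
                name, _, value = opt.partition('=')
                opts[name] = value
        result[cols[1]] = opts
    return result


def provider_options(text):
    """Map provider INTERFACE -> set of entries in its OPTIONS column."""
    result = {}
    for cols in parse_table(text):
        if len(cols) < 5:
            continue
        opts = set()
        if len(cols) >= 7 and cols[6] != '-':
            opts = set(cols[6].split(','))
        result[cols[4]] = opts
    return result


def routefilter_conflicts(interfaces_text, providers_text, use_default_rt=False):
    """Interfaces that enable routefilter although the man page forbids it.
    use_default_rt is assumed to mirror USE_DEFAULT_RT in shorewall.conf."""
    providers = provider_options(providers_text)
    bad = []
    for iface, opts in interface_options(interfaces_text).items():
        if iface not in providers:
            continue  # not a provider interface: routefilter is fine here
        value = opts.get('routefilter')
        if value is None or value == '0':
            continue  # routefilter absent or explicitly disabled
        if use_default_rt or 'balance' not in providers[iface]:
            bad.append(iface)
    return sorted(bad)


def rp_filter_paths(ifaces):
    """Kernel settings to compare against, as shown in a 'shorewall dump'."""
    return ['/proc/sys/net/ipv4/conf/%s/rp_filter' % i for i in ifaces]


def fixed_interfaces(interfaces_text, providers_text, use_default_rt=False):
    """Return the interfaces text with routefilter=0 on each conflicting
    interface, the change recommended in the thread."""
    bad = set(routefilter_conflicts(interfaces_text, providers_text, use_default_rt))
    out = []
    for line in interfaces_text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and not cols[0].startswith('#') and cols[1] in bad:
            opts = ['routefilter=0' if o.partition('=')[0] == 'routefilter' else o
                    for o in cols[2].split(',')]
            line = '%-7s %-17s %s' % (cols[0], cols[1], ','.join(opts))
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    conflicts = routefilter_conflicts(INTERFACES, PROVIDERS)
    for path in rp_filter_paths(conflicts):
        print('routefilter conflict, check', path)
    print(fixed_interfaces(INTERFACES, PROVIDERS))
```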


Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-11 Thread Philip Le Riche
Hi Tom -

Here are a couple of pcaps on ppp0 from wireshark, one with ppp0 as
fallback (traceroute from the Pi doesn't work but web does) and with
ppp0 with no options (traceroute works but web doesn't).

In both cases you can see the udp packets going out and icmp timeouts
coming back but with fallback they don't seem to make it back to the Pi.
It looks like shorewall isn't opening the reverse path. Hopefully the
inconsistent web behaviour is another consequence of the same problem.

Several other problems which may or may not be related:
1. traceroute getting send: operation not permitted when run from the
firewall itself.
2. Mobile data dongle not starting with shorewall running - possibly the
same problem as 1.
3. dhcpd not starting reliably - possibly a startup sequence problem -
it's worked the last twice and I didn't record the message but was
something about no available NICs to serve on.

Thanks again - Philip


On 11/01/2017 00:38, Tom Eastep wrote:
> On 01/10/2017 01:55 PM, Philip Le Riche wrote:
> > Hi Tom -
>
> > Thanks for the greased-lightning response again, and here's the
> > dump.
>
>
> It looks to me like the traceroute packets are going out of ppp0 but
> that there are no responses. Can you confirm that using tcpdump?
>
> Thanks,
> -Tom




Attachments: ppp0-fallback.pcapng, ppp0-nofallback.pcapng (binary data)


Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-10 Thread Tom Eastep

On 01/10/2017 01:55 PM, Philip Le Riche wrote:
> Hi Tom -
> 
> Thanks for the greased-lightning response again, and here's the
> dump.
> 

It looks to me like the traceroute packets are going out of ppp0 but
that there are no responses. Can you confirm that using tcpdump?

Thanks,
-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-10 Thread Philip Le Riche
Hi Tom -

Thanks for the greased-lightning response again, and here's the dump.

Many thanks - Philip

On 10/01/2017 21:05, Tom Eastep wrote:
> On 01/10/2017 12:50 PM, Philip Le Riche wrote:
> > I'm afraid I'm still struggling with this, though I made a minor
> > breakthrough when I realised I hadn't added a masq rule for the
> > raw interface, and the ppp0 not useable problem has gone away. (It
> > seems I have to connect it with shorewall clear then start
> > shorewall.) Anyway, my home test setup now seems to be working like
> > the school firewall.
>
> > (To recap, Raspberry Pis on zone pinet are accessed by PCs in zone
> > schl using ssh and vnc, and access the Internet via schl and the
> > school gateway. Traceroute traffic (only) from Pis and the firewall
> > is to be routed to a 3rd zone containing a mobile data dongle to
> > give unfiltered Internet access.)
>
> > Traceroute is now routed correctly from the Pis, but on the
> > firewall traceroute reports Send: Operation not permitted. (I have
> > the same rules with pinet and $FW as source to allow traceroute.)
> > Also, web access from both the Pis and the firewall is now broken.
> > However a PC on schl can still access a Pi.
>
> > My providers file is now:
> > #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
> > raw     1       1     -          ppp0       -
> > school  2       -     -          eno1       192.168.1.1  primary
>
> > If I add option fallback to provider raw, that fixes web from both
> > the Pis and the firewall but breaks traceroute. (I didn't think it
> > was a good idea but tried it anyway.)
>
> > I've read providers(5) and Multiple Internet Connections several
> > times and spent a good few hours trying to get it to work but there
> > seems to be something that I still haven't correctly understood.
> > Any help would be greatly appreciated.
>
> > For reference, my other relevant shorewall files are:
> > mangle:
> > #ACTION   SOURCE            DEST  PROTO  PORT(S)      SOURCE   USER  TEST
> > #                                                     PORT(S)
> > MARK(1)   enx00e04c534458   -     udp    33434:33523  -        -     -
> > MARK(1)   enx00e04c534458   -     253    -            -        -     -
> > MARK(1)   $FW               -     udp    33434:33523  -        -     -
> > MARK(1)   $FW               -     253    -            -        -     -
> >
> > rtrules:
> > #SOURCE           DEST  PROVIDER  PRIORITY  MARK
> > enx00e04c534458   -     raw       11000     1
> > lo                -     raw       11000     1
> >
> > zones:
> > fw      firewall
> > schl    ipv4
> > pinet   ipv4
> > inet    ipv4
> >
> > interfaces:
> > schl    eno1              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> > pinet   enx00e04c534458   tcpflags,nosmurfs,routefilter,logmartians
> > inet    ppp0              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
>
> Philip,
>
> Please:
>
> a) Set fallback on the raw provider.
> b) Shorewall reload
> c) Try a traceroute from a Pi
> d) 'shorewall dump > dump'
> e) Send me the 'dump' file.
>
> Thanks,
> -Tom
>


Shorewall 5.0.4 Dump at Philip-Desktop - Tue 10 Jan 21:48:24 GMT 2017

Shorewall is running
State: Started (Tue 10 Jan 21:47:05 GMT 2017) from /etc/shorewall/
(/var/lib/shorewall/firewall compiled by Shorewall version 5.0.4)

Counters reset Tue 10 Jan 21:47:05 GMT 2017

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in               out  source     destination
   65  4500 schl-fw    all  --  eno1             *    0.0.0.0/0  0.0.0.0/0
   36  3680 pinet-fw   all  --  enx00e04c534458  *    0.0.0.0/0  0.0.0.0/0
    0     0 inet-fw    all  --  ppp0             *    0.0.0.0/0  0.0.0.0/0
    5   404 ACCEPT     all  --  lo               *    0.0.0.0/0  0.0.0.0/0
    0     0 Reject     all  --  *                *    0.0.0.0/0  0.0.0.0/0
    0     0 LOG        all  --  *                *    0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 6 prefix "Shorewall:INPUT:REJECT:"
    0     0 reject     all  --  *                *    0.0.0.0/0  0.0.0.0/0  [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target      prot opt in               out  source     destination
    0     0 TCPMSS      tcp  --  *                *    0.0.0.0/0  0.0.0.0/0  tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    6   612 schl_frwd   all  --  eno1             *    0.0.0.0/0  0.0.0.0/0
   55  3374 pinet_frwd  all  --  enx00e04c534458  *    0.0.0.0/0  0.0.0.0/0

Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-10 Thread Tom Eastep

On 01/10/2017 12:50 PM, Philip Le Riche wrote:
> I'm afraid I'm still struggling with this, though I made a minor 
> breakthrough when I realised I hadn't added a masq rule for the
> raw interface, and the ppp0 not useable problem has gone away. (It
> seems I have to connect it with shorewall clear then start
> shorewall.) Anyway, my home test setup now seems to be working like
> the school firewall.
> 
> (To recap, Raspberry Pis on zone pinet are accessed by PCs in zone
> schl using ssh and vnc, and access the Internet via schl and the
> school gateway. Traceroute traffic (only) from Pis and the firewall
> is to be routed to a 3rd zone containing a mobile data dongle to
> give unfiltered Internet access.)
> 
> Traceroute is now routed correctly from the Pis, but on the
> firewall traceroute reports Send: Operation not permitted. (I have
> the same rules with pinet and $FW as source to allow traceroute.)
> Also, web access from both the Pis and the firewall is now broken.
> However a PC on schl can still access a Pi.
> 
> My providers file is now:
> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
> raw     1       1     -          ppp0       -
> school  2       -     -          eno1       192.168.1.1  primary
> 
> If I add option fallback to provider raw, that fixes web from both
> the Pis and the firewall but breaks traceroute. (I didn't think it
> was a good idea but tried it anyway.)
> 
> I've read providers(5) and Multiple Internet Connections several
> times and spent a good few hours trying to get it to work but there
> seems to be something that I still haven't correctly understood.
> Any help would be greatly appreciated.
> 
> For reference, my other relevant shorewall files are:
> mangle:
> #ACTION   SOURCE            DEST  PROTO  PORT(S)      SOURCE   USER  TEST
> #                                                     PORT(S)
> MARK(1)   enx00e04c534458   -     udp    33434:33523  -        -     -
> MARK(1)   enx00e04c534458   -     253    -            -        -     -
> MARK(1)   $FW               -     udp    33434:33523  -        -     -
> MARK(1)   $FW               -     253    -            -        -     -
> 
> rtrules:
> #SOURCE           DEST  PROVIDER  PRIORITY  MARK
> enx00e04c534458   -     raw       11000     1
> lo                -     raw       11000     1
> 
> zones:
> fw      firewall
> schl    ipv4
> pinet   ipv4
> inet    ipv4
> 
> interfaces:
> schl    eno1              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> pinet   enx00e04c534458   tcpflags,nosmurfs,routefilter,logmartians
> inet    ppp0              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
> 
Philip,

Please:

a) Set fallback on the raw provider.
b) Shorewall reload
c) Try a traceroute from a Pi
d) 'shorewall dump > dump'
e) Send me the 'dump' file.

Thanks,
-Tom

-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \



Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-10 Thread Philip Le Riche
I'm afraid I'm still struggling with this, though I made a minor
breakthrough when I realised I hadn't added a masq rule for the raw
interface, and the ppp0 not useable problem has gone away. (It seems I
have to connect it with shorewall clear then start shorewall.) Anyway,
my home test setup now seems to be working like the school firewall.

(To recap, Raspberry Pis on zone pinet are accessed by PCs in zone schl
using ssh and vnc, and access the Internet via schl and the school
gateway. Traceroute traffic (only) from Pis and the firewall is to be
routed to a 3rd zone containing a mobile data dongle to give unfiltered
Internet access.)

Traceroute is now routed correctly from the Pis, but on the firewall
traceroute reports Send: Operation not permitted. (I have the same rules
with pinet and $FW as source to allow traceroute.) Also, web access from
both the Pis and the firewall is now broken. However a PC on schl can
still access a Pi.

My providers file is now:
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw     1       1     -          ppp0       -
school  2       -     -          eno1       192.168.1.1  primary

If I add option fallback to provider raw, that fixes web from both the
Pis and the firewall but breaks traceroute. (I didn't think it was a
good idea but tried it anyway.)

I've read providers(5) and Multiple Internet Connections several times
and spent a good few hours trying to get it to work but there seems to
be something that I still haven't correctly understood. Any help would
be greatly appreciated.

For reference, my other relevant shorewall files are:
mangle:
#ACTION   SOURCE            DEST  PROTO  PORT(S)      SOURCE   USER  TEST
#                                                     PORT(S)
MARK(1)   enx00e04c534458   -     udp    33434:33523  -        -     -
MARK(1)   enx00e04c534458   -     253    -            -        -     -
MARK(1)   $FW               -     udp    33434:33523  -        -     -
MARK(1)   $FW               -     253    -            -        -     -

rtrules:
#SOURCE           DEST  PROVIDER  PRIORITY  MARK
enx00e04c534458   -     raw       11000     1
lo                -     raw       11000     1

zones:
fw      firewall
schl    ipv4
pinet   ipv4
inet    ipv4

interfaces:
schl    eno1              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet   enx00e04c534458   tcpflags,nosmurfs,routefilter,logmartians
inet    ppp0              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional

Regards - Philip

On 06/01/2017 11:52, Philip Le Riche wrote:
> Thanks, Tom, for the rapid response.
>
> I don't have easy access to the firewall in question so I've set up an
> equivalent network at home. In the providers file I've added the
> primary option to the school network and fallback to the mobile data,
> though I don't actually want it to fall back.



Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-06 Thread Philip Le Riche
Thanks, Tom, for the rapid response.

I don't have easy access to the firewall in question so I've set up an
equivalent network at home. In the providers file I've added the primary
option to the school network and fallback to the mobile data, though I
don't actually want it to fall back.

Now, on starting Shorewall, I get WARNING: interface ppp0 is not useable.

Is there a log file which will shed a little more light on that?

In fact Linux won't start the ppp0 session unless I do shorewall clear
before plugging the dongle in - I'm not sure I got that at school, but
with shorewall clear and if I set eno1 down (the "school" network) I can
browse the net through the dongle.

I now have interfaces:
schl    eno1              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet   enx00e04c534458   tcpflags,nosmurfs,routefilter,logmartians
inet    ppp0              tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional

providers:
#NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS
raw     1       1     -          ppp0       detect       fallback
school  2       -     -          eno1       192.168.1.1  primary

mangle:
#ACTION   SOURCE            DEST  PROTO  PORT(S)      SOURCE   USER  TEST
#                                                     PORT(S)
MARK(1)   enx00e04c534458   -     udp    33434:33523  -        -     -
MARK(1)   enx00e04c534458   -     253    -            -        -     -
MARK(1)   lo                -     udp    33434:33523  -        -     -
MARK(1)   lo                -     253    -            -        -     -

rtrules:
#SOURCE           DEST  PROVIDER  PRIORITY  MARK
enx00e04c534458   -     raw       11000     1
lo                -     raw       11000     1

masq:
#INTERFACE:DEST   SOURCE           ADDRESS       PROTO  PORT(S)  IPSEC  MARK  USER/  SWITCH  ORIGINAL
#                                                                            GROUP          DEST
eno1              192.168.2.0/24   192.168.1.2

and in rules I simply modified the DNAT rules for the Pis to reflect the
different IP addressing scheme (I didn't mention that before).

Best regards - Philip


On 03/01/2017 17:22, Tom Eastep wrote:
> On 01/03/2017 06:51 AM, Philip Le Riche wrote:
> > I've been trying without success on and off for some while to
> > modify an existing Shorewall configuration for the purposes of a
> > school lesson on Internet routing, using traceroute.
>
> > I originally set up the firewall to protect the school network from
> > a bunch of Raspberry Pis, operated "headless" from school PCs using
> > VNC or ssh, thus we had 3 zones:
>
> > #ZONE   TYPE       OPTIONS   IN   OUT
> > fw      firewall
> > schl    ipv4
> > pinet   ipv4
>
> > The idea is to run traceroute from the Pis, but since
> > traceroute is blocked by the school firewall/proxy I've added a
> > mobile data dongle and a new zone giving me unfiltered Internet
> > access:
> > inet    ipv4
>
> > My interfaces file now looks like this:
> > schl    eno1     tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> > pinet   enp2s0   tcpflags,nosmurfs,routefilter,logmartians
> > inet    ppp0     tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
>
> > In my providers file I've defined a provider "raw" for the
> > unfiltered mobile data interface:
> > #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
> > raw     1       1     -          ppp0
>
> > I've been trying both regular traceroute (udp/33434-33523) and
> > traceroute -P 253 (protocol 253), and so I'm using mangle to mark
> > all such packets coming from the Pi network (and from the firewall
> > while I'm at it, for testing purposes):
> > #ACTION   SOURCE   DEST  PROTO  PORT(S)      SOURCE   USER  TEST
> > #                                            PORT(S)
> > MARK(1)   enp2s0   -     udp    33434:33523  -        -     -
> > MARK(1)   enp2s0   -     253    -            -        -     -
> > MARK(1)   $FW      -     udp    33434:33523  -        -     -
> > MARK(1)   $FW      -     253    -            -        -     -
>
> > And in rtrules I'm directing marked packets at provider raw:
> > SOURCE   DEST  PROVIDER  PRIORITY  MARK
> > enp2s0   -     raw       11000     1
> > lo       -     raw       11000     1
>
> > In my rules file I've allowed traceroute from pinet and $FW to
> > inet:
> > #
> > # pinet -> inet
> > # Allow traceroute only
> > #
> > ACCEPT   pinet   inet   udp   33434:33523
> > ACCEPT   pinet   inet   253
> >
> > #
> > # $FW -> inet
> > #
> > #ACTION  SOURCE  DEST  PROTO  DEST         SOURCE   RATE   USER/
> > #                             PORT(S)      PORT(S)  LIMIT  GROUP
> > ACCEPT   $FW     inet  udp    33434:33523
> > ACCEPT   $FW     inet  253
>
> > Since the mobile data dongle hasn't connected by the time
> > Shorewall starts on a reboot, I have to do a shorewall restart, and
> > also if I plug in the dongle at any time after booting.
>
> > However, there still seems to be an error or omission in my logic
> > as traceroute on the firewall Pi still shows it routing through the
> > school network, as evidenced by the ip addresses reported (as far
> > as they go), and traceroute on a Pi shows nothing beyond the pinet
> > firewall 

Re: [Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-03 Thread Tom Eastep

On 01/03/2017 06:51 AM, Philip Le Riche wrote:
> I've been trying without success on and off for some while to
> modify an existing Shorewall configuration for the purposes of a
> school lesson on Internet routing, using traceroute.
> 
> I originally set up the firewall to protect the school network from
> a bunch of Raspberry Pis, operated "headless" from school PCs using
> VNC or ssh, thus we had 3 zones:
> 
> #ZONE   TYPE       OPTIONS   IN   OUT
> fw      firewall
> schl    ipv4
> pinet   ipv4
> 
> The idea is to run traceroute from the Pis, but since
> traceroute is blocked by the school firewall/proxy I've added a
> mobile data dongle and a new zone giving me unfiltered Internet
> access:
> inet    ipv4
> 
> My interfaces file now looks like this:
> schl    eno1     tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> pinet   enp2s0   tcpflags,nosmurfs,routefilter,logmartians
> inet    ppp0     tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional
> 
> In my providers file I've defined a provider "raw" for the
> unfiltered mobile data interface:
> #NAME   NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
> raw     1       1     -          ppp0
> 
> I've been trying both regular traceroute (udp/33434-33523) and
> traceroute -P 253 (protocol 253), and so I'm using mangle to mark
> all such packets coming from the Pi network (and from the firewall
> while I'm at it, for testing purposes):
> #ACTION   SOURCE   DEST  PROTO  PORT(S)      SOURCE   USER  TEST
> #                                            PORT(S)
> MARK(1)   enp2s0   -     udp    33434:33523  -        -     -
> MARK(1)   enp2s0   -     253    -            -        -     -
> MARK(1)   $FW      -     udp    33434:33523  -        -     -
> MARK(1)   $FW      -     253    -            -        -     -
> 
> And in rtrules I'm directing marked packets at provider raw:
> SOURCE  DEST    PROVIDER    PRIORITY    MARK
> enp2s0  -       raw         11000       1
> lo      -       raw         11000       1
> 
> In my rules file I've allowed traceroute from pinet and $FW to
> inet:
> #
> # pinet -> inet
> # Allow traceroute only
> #
> ACCEPT  pinet   inet    udp     33434:33523
> ACCEPT  pinet   inet    253
> 
> #
> # $FW -> inet
> #
> #ACTION SOURCE  DEST    PROTO   DEST        SOURCE  RATE    USER/
> #                               PORT(S)     PORT(S) LIMIT   GROUP
> ACCEPT  $FW     inet    udp     33434:33523
> ACCEPT  $FW     inet    253
> 
> Since the mobile data dongle hasn't connected by the time
> Shorewall starts on a reboot, I have to do a shorewall restart, and
> also if I plug in the dongle at any time after booting.
> 
> However, there still seems to be an error or omission in my logic
> as traceroute on the firewall Pi still shows it routing through the
> school network, as evidenced by the ip addresses reported (as far
> as they go), and traceroute on a Pi shows nothing beyond the pinet
> firewall interface. Perhaps you can provide me with that lightbulb
> moment which seems to be evading me.
> 

You need eno1 to be the primary provider and ppp0 to be the fallback
provider.

-Tom
-- 
Tom Eastep\ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


[Shorewall-users] Routing traceroute through an unfiltered Internet connection

2017-01-03 Thread Philip Le Riche
I've been trying without success on and off for some while to modify an
existing Shorewall configuration for the purposes of a school lesson on
Internet routing, using traceroute.

I originally set up the firewall to protect the school network from a
bunch of Raspberry Pis, operated "headless" from school PCs using VNC or
ssh, thus we had 3 zones:

#ZONE   TYPE        OPTIONS     IN          OUT
fw      firewall
schl    ipv4
pinet   ipv4

The idea is to run traceroute from the Pis, but since traceroute
is blocked by the school firewall/proxy I've added a mobile data dongle
and a new zone giving me unfiltered Internet access:
inet    ipv4

My interfaces file now looks like this:
schl    eno1    tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
pinet   enp2s0  tcpflags,nosmurfs,routefilter,logmartians
inet    ppp0    tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,optional

In my providers file I've defined a provider "raw" for the unfiltered
mobile data interface:
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY OPTIONS
raw     1       1       -           ppp0

I've been trying both regular traceroute (udp/33434-33523) and
traceroute -P 253 (protocol 253), and so I'm using mangle to mark all
such packets coming from the Pi network (and from the firewall while I'm
at it, for testing purposes):
#ACTION     SOURCE  DEST    PROTO   PORT(S)     SOURCE  USER    TEST
#                                               PORT(S)
MARK(1)     enp2s0  -       udp     33434:33523 -       -       -
MARK(1)     enp2s0  -       253     -           -       -       -
MARK(1)     $FW     -       udp     33434:33523 -       -       -
MARK(1)     $FW     -       253     -           -       -       -

And in rtrules I'm directing marked packets at provider raw:
SOURCE  DEST    PROVIDER    PRIORITY    MARK
enp2s0  -       raw         11000       1
lo      -       raw         11000       1

In my rules file I've allowed traceroute from pinet and $FW to inet:
#
# pinet -> inet
# Allow traceroute only
#
ACCEPT  pinet   inet    udp     33434:33523
ACCEPT  pinet   inet    253

#
# $FW -> inet
#
#ACTION SOURCE  DEST    PROTO   DEST        SOURCE  RATE    USER/
#                               PORT(S)     PORT(S) LIMIT   GROUP
ACCEPT  $FW     inet    udp     33434:33523
ACCEPT  $FW     inet    253

Since the mobile data dongle hasn't connected by the time Shorewall
starts on a reboot, I have to do a shorewall restart, and also if I plug
in the dongle at any time after booting.

However, there still seems to be an error or omission in my logic as
traceroute on the firewall Pi still shows it routing through the school
network, as evidenced by the ip addresses reported (as far as they go),
and traceroute on a Pi shows nothing beyond the pinet firewall interface.
Perhaps you can provide me with that lightbulb moment which seems to be
evading me.

Regards - Philip

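Tom's answer further up the thread, that eno1 must be the primary provider and ppp0 only a fallback, written out as a complete set of tables. This is an added example, not Philip's files and not Shorewall's own code, and several things are assumed that the thread does not state: the eno1 provider is named schl and given mark 2, its GATEWAY is `detect` (eno1 is assumed to be DHCP-configured), the `primary` and `fallback` provider options are used to express Tom's two roles (confirm their exact semantics, including any USE_DEFAULT_RT requirement, in shorewall-providers(5) for the installed version), and a masq entry is added on the assumption that the Pis carry private addresses that a mobile operator would otherwise drop. The mangle and rtrules entries are Philip's, unchanged. The script only stages the files in a directory of your choosing so nothing under /etc/shorewall changes until you copy them or point `shorewall check` at the directory.

```shell
#!/bin/sh
# Added example (not Philip's files and not Shorewall's own code): stage the
# Shorewall tables for a two-provider layout in which eno1 (school network) is
# the primary provider and ppp0 (mobile dongle) is a fallback that only marked
# traceroute packets use. Assumptions: provider name "schl" and mark 2 for eno1,
# GATEWAY "detect" for eno1 (DHCP), the "primary"/"fallback" option names, and
# private addresses on the Pi network (hence the masq entry).

# Write providers, mangle, rtrules and masq into DIR (a staging directory).
write_traceroute_routing() {
    dir="$1"
    mkdir -p "$dir"

    # The school uplink stays the default route for everything unmarked; the
    # dongle gets its own table (raw, number 1) and acts as the fallback.
    # "optional" lets "shorewall start" succeed while ppp0 is not yet up;
    # "track" ties replies to the interface a connection arrived on.
    cat > "$dir/providers" <<'EOF'
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY OPTIONS
schl    2       2       -           eno1        detect  track,primary
raw     1       1       -           ppp0        -       track,optional,fallback
EOF

    # Philip's marking rules: traceroute probes (UDP 33434-33523 and
    # protocol 253) from the Pi network and from the firewall get mark 1.
    cat > "$dir/mangle" <<'EOF'
#ACTION     SOURCE  DEST    PROTO   DPORT           SPORT   USER    TEST
MARK(1)     enp2s0  -       udp     33434:33523     -       -       -
MARK(1)     enp2s0  -       253     -               -       -       -
MARK(1)     $FW     -       udp     33434:33523     -       -       -
MARK(1)     $FW     -       253     -               -       -       -
EOF

    # Philip's rtrules: mark 1 from the Pi network or the firewall ("lo")
    # is looked up in provider raw's table.
    cat > "$dir/rtrules" <<'EOF'
#SOURCE DEST    PROVIDER    PRIORITY    MARK
enp2s0  -       raw         11000       1
lo      -       raw         11000       1
EOF

    # Assumption: the Pis have RFC 1918 addresses, so probes leaving via the
    # dongle must be masqueraded to ppp0's address.
    cat > "$dir/masq" <<'EOF'
#INTERFACE  SOURCE
ppp0        enp2s0
EOF
}

# Number of non-blank, non-comment lines in a Shorewall table file.
count_entries() {
    grep -cvE '^[[:space:]]*(#|$)' "$1"
}

# Validate the staged tables where Shorewall is installed; a no-op elsewhere
# so the script can still be used just to produce the files.
check_tables() {
    command -v shorewall >/dev/null 2>&1 || return 0
    shorewall check "$1"
}

# Usage: sh stage-traceroute.sh /tmp/shorewall-traceroute
if [ -n "$1" ]; then
    write_traceroute_routing "$1" && check_tables "$1"
fi
```

After copying the staged files into /etc/shorewall, `shorewall restart` loads them. Because ppp0 is declared `optional` in both the interfaces and providers files, plugging the dongle in later needs only `shorewall enable ppp0` rather than a full restart.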