On 04/01/2016 01:29 PM, Florian Piekert wrote:
> Dear Shorewall-Users, dear Tom,
> 
> For quite some time I have been using Shorewall on top of openSUSE. Over the years 
> my shorewall.conf has been modified to incorporate the new stuff; my rules 
> file has stayed similar most of the time.
> 
> I experience multiple things, and I hope you can be of help to root out the 
> cause and help me get it back to working the way I want it to...
> 
> I have Shorewall 4.6.13.4 running, taken from
> baseurl=http://download.opensuse.org/repositories/security:/netfilter/openSUSE_13.2/
> as a repository.
> 
> I run kernel 3.16.7-35 desktop.
> 
> My local network is 192.168.2.0/255, served by eth1
> My dial-up into the internet is conducted via DSL over ppp0, bound to eth0
> 
> My interfaces file is
> loc     eth1    detect
> net     ppp0         detect
> 
> My masq file is
> ppp0 eth1
> 
> zones looks like
> fw      firewall
> net
> loc
> 
> rules, shorewall.conf are attached.
> 
> policy file is
> loc     all     ACCEPT          $LOG
> fw      all     ACCEPT          $LOG
> net     all     DROP            $LOG
> net     net     NONE                    #ADD THIS
> all     all     REJECT          $LOG
> 
> Hope I provided all the relevant information.
> 
> Now to my problems.
> #1) I have a service on a PC in the loc zone where I set up a port redirection 
> from the firewall/gw machine to that machine via DNAT. What has worked in 
> the past ceased to work (don't know how many weeks, months back, just 
> noticed). I see in the firewall logs that the 
> 
> Apr  1 21:59:25 bhaal kernel: [963505.929180] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 21:59:25 bhaal kernel: [963505.929196] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 21:59:25 bhaal kernel: [963505.929217] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 21:59:25 bhaal kernel: [963505.929228] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 21:59:25 bhaal kernel: [963505.929253] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
> 
> It gets the packet request, but then drops it instead of forwarding it as 
> per the DNAT lines
> DNAT:$LOG   net    loc:192.168.2.3:7091      tcp     7091
> DNAT:$LOG   net    loc:192.168.2.3:7091      udp     7091
> 
> (this port forwarding is just ONE example, I have multiple services that I 
> can't reach anymore)

Have you followed the port forwarding diagnostic steps detailed in
Shorewall FAQs 1a and 1b? If so, please forward the output of 'shorewall
dump' collected by following the instructions at
http://www.shorewall.net/support.htm#Guidelines.

> 
> #2) I have on the loc LAN a D-Link Wifi access point, providing (surprise!) 
> wifi access to the LAN and the internet (via the firewall Linux machine). On 
> the firewall I run squid as a proxy; the wifi devices can access web pages, 
> etc. nicely, with or without squid.
> But what I can't do is, e.g., get the Samsung phones to connect to the Samsung 
> update server, which is done via requests (maybe via http/https, or by using 
> port 5223, I didn't really figure that out yet), unfortunately definitely NOT 
> via squid.
> These requests then simply fail, with a network or server error response by the 
> update dialog. When not on wifi it connects to the servers without any issues.
> Any ideas around that? I see the requests in the firewall.log though:
> Apr  1 22:12:36 bhaal kernel: [964296.870561] Shorewall:mangle:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 22:12:36 bhaal kernel: [964296.870594] Shorewall:nat:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 22:12:36 bhaal kernel: [964296.870623] Shorewall:mangle:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 22:12:36 bhaal kernel: [964296.870640] Shorewall:filter:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 22:12:36 bhaal kernel: [964296.870664] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 22:12:36 bhaal kernel: [964296.870676] Shorewall:mangle:POSTROUTING:IN= OUT=ppp0 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Apr  1 22:12:36 bhaal kernel: [964296.870688] Shorewall:nat:POSTROUTING:IN= OUT=ppp0 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Try setting CLAMPMSS=Yes in shorewall.conf.

> 
> #3) WhatsApp.
> Whatsapp works in my Wifi. Most of the time. If I don't send out OR
> receive e.g. pictures. Then it somehow freezes communication. I have to
> switch wifi off, get the picture send or receive the stuff, then I can
> turn on wifi again. While in "freeze mode", I can't send out any
> message, no matter how short it is. I get the clock twiddling its
> counters...
> 
> For #2) and #3), I have checked the settings of the Wifi access point;
> there is NO extra firewall, and there is no way of setting packet sizes. I
> have no issues transferring large files via wifi within the loc LAN zone.
> So for the time being I assume it's working on the wifi access point
> setting side...

Again, see if CLAMPMSS=Yes doesn't help you...

> 
> Further, maybe #4) how can I set up Tom's Shorewall update sites in a 
> repository kind of way? Anybody done that?
> 
> I appreciate any kind of help you guys can provide, I have waited quite a 
> long time to put my help request here, hopefully some of you have a good idea 
> how to fix things.
> 
> If the solution is to go to v5.0(.x), maybe you have a good suggestion how-to 
> in the best non-breaking-the-other-stuff type of way...
> 
> Thanks for your help and thanks to Tom for his great work over all the MANY 
> years!
> 
> Florian
> 
> PS: If I forgot to include some config detail, lmk asap.
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 


-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
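
For problem #1, an added example that is not code from the post or from the Shorewall project. It reads kernel log records with the "Shorewall:<table>:<chain>:" prefix that per-chain logging such as LOGALLNEW produces (and the "Shorewall:<chain>:<disposition>:" prefix of a logged rule), groups them per packet and says whether a DNAT rule rewrote the destination. DNAT happens in nat PREROUTING, before the routing decision, so when it matches the later records carry the LAN address and the packet takes the FORWARD path. In the trace quoted above DST is still 89.182.1.68 at filter:INPUT, so no DNAT rule matched and the packet was judged by the net->fw policy, which is why it ends in net2fw:DROP. The second trace in the sample is constructed for this example (it is what a working forward of the same request would look like); it is a reading aid for the log, not a replacement for the FAQ 1a/1b checks or for the `shorewall dump` Tom asks for.

```python
#!/usr/bin/env python3
"""Reconstruct the netfilter path of a packet from Shorewall kernel log lines.

Added example, not code from the Shorewall project or from the post.  It
reads records with the "Shorewall:<table>:<chain>:" prefix that per-chain
logging (e.g. LOGALLNEW) produces, plus the "Shorewall:<chain>:<disposition>:"
prefix of a logged rule, groups them per packet and reports whether a DNAT
rule changed the destination before the routing decision.
"""
import re
from collections import defaultdict

# The first five records are the ones quoted in the post (problem #1),
# reflowed to one record per line.  The five after the comment line are
# CONSTRUCTED for this example: the same request when DNAT does rewrite
# DST to 192.168.2.3 and the packet is forwarded to the LAN.
SAMPLE_LOG = """\
Apr  1 21:59:25 bhaal kernel: [963505.929180] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 21:59:25 bhaal kernel: [963505.929196] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 21:59:25 bhaal kernel: [963505.929217] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 21:59:25 bhaal kernel: [963505.929228] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 21:59:25 bhaal kernel: [963505.929253] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
# constructed: the same request when the DNAT rule matches
Apr  1 22:00:01 bhaal kernel: [963541.000001] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 22:00:01 bhaal kernel: [963541.000002] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 22:00:01 bhaal kernel: [963541.000003] Shorewall:mangle:FORWARD:IN=ppp0 OUT=eth1 MAC= SRC=89.15.239.61 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 22:00:01 bhaal kernel: [963541.000004] Shorewall:filter:FORWARD:IN=ppp0 OUT=eth1 MAC= SRC=89.15.239.61 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr  1 22:00:01 bhaal kernel: [963541.000005] Shorewall:net2loc:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=89.15.239.61 DST=192.168.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=10494 DF PROTO=TCP SPT=24452 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
"""

PREFIX_RE = re.compile(r'Shorewall:(?P<a>[^:\s]+):(?P<b>[^:\s]+):(?P<rest>IN=.*)$')
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_line(line):
    """Return (stage, fields) for one log record, or None for anything else.

    stage is "table:chain" for a builtin chain (mangle:PREROUTING) and
    "chain:disposition" for a logged rule (net2fw:DROP).  Bare flags such
    as DF and SYN carry no "=" and are ignored; empty values (OUT=, MAC=)
    come back as ''.
    """
    m = PREFIX_RE.search(line.rstrip())
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(m.group('rest')))
    return f"{m.group('a')}:{m.group('b')}", fields


def group_packets(log_text):
    """Group records by packet: source address, protocol, source port, IP ID.

    DST is deliberately not part of the key because DNAT changes it; the
    IP ID stays the same across all hooks a single packet traverses.
    """
    packets = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage, f = rec
        key = (f['SRC'], f['PROTO'], f.get('SPT', ''), f['ID'])
        packets[key].append((stage, f))
    return dict(packets)


def diagnose(hops):
    """Explain one packet's trace.

    A rewritten DST shows up in every record after nat:PREROUTING and the
    packet takes the FORWARD path.  A DST that is still the firewall's own
    address at filter:INPUT means no DNAT rule matched and the packet is
    being judged by the net->fw rules and policy instead.
    """
    stages = [s for s, _ in hops]
    first_dst = hops[0][1]['DST']
    last_stage, last = hops[-1]
    if last['DST'] != first_dst:
        return f"DNAT applied: DST {first_dst} -> {last['DST']}; final chain {last_stage}"
    if 'filter:INPUT' in stages:
        return (f"DNAT not applied: DST still {first_dst} at filter:INPUT, "
                f"packet delivered to the firewall itself; final chain {last_stage}")
    if 'filter:FORWARD' in stages:
        return f"forwarded without address change; final chain {last_stage}"
    return f"incomplete trace; last chain seen {last_stage}"


def diagnose_log(log_text):
    """Map each packet key to its verdict."""
    return {key: diagnose(hops) for key, hops in group_packets(log_text).items()}


if __name__ == '__main__':
    for key, verdict in diagnose_log(SAMPLE_LOG).items():
        print(f"{key[0]}:{key[2]} id={key[3]} -> {verdict}")
```

Run against the quoted trace it reports "DNAT not applied ... final chain net2fw:DROP"; that is the signature of a DNAT rule that is not matching at all (wrong interface, wrong zone, a rule earlier in the chain catching the packet, or a rules file that was not reloaded), as opposed to a forward that reaches the LAN host and gets no reply, which would show DST=192.168.2.3 on the FORWARD records.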

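
Tom answers #2 and #3 with CLAMPMSS=Yes and nothing more, so here is an added example, not from the post or from the Shorewall project, of why that one setting fits both symptoms (small exchanges work, anything larger hangs). It assumes a PPPoE link with a 1492-byte MTU on ppp0 (check the real value with `ip link show ppp0`; the number here is an assumption, not taken from the post) and LAN hosts advertising the usual 1460-byte MSS. The `clampmss_rule` text is a hand-written iptables equivalent of what the shorewall.conf CLAMPMSS values ask for; the chain it names is a valid placement for the TCPMSS target, not a claim about where Shorewall itself installs its rule.

```python
#!/usr/bin/env python3
"""Why CLAMPMSS=Yes helps when short messages work but bulk transfers hang.

Added example, not Shorewall code.  A PPPoE link carries at most 1492-byte
IP packets (1500 minus the 8-byte PPPoE/PPP overhead).  A LAN client that
negotiates the Ethernet MSS of 1460 sends 1500-byte segments with DF set;
the first one that has to leave via ppp0 is too big, and if the ICMP
"fragmentation needed" message never reaches the sender the connection
just stalls (a path-MTU black hole).  Clamping the MSS option in the SYN
keeps every later segment within the link MTU, so the problem never
starts.  The PPPoE MTU below is an ASSUMPTION; read the real one from
`ip link show ppp0`.
"""

IPV4_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
PPPOE_MTU = 1492                            # assumed; 1500 - 8
ETHERNET_MSS = 1500 - IPV4_HDR - TCP_HDR    # 1460, what LAN hosts advertise


def clamp_mss(advertised_mss, link_mtu, setting='Yes'):
    """What the TCPMSS target does to the MSS option of a forwarded SYN.

    'Yes'  -> --clamp-mss-to-pmtu: MSS becomes min(advertised, mtu - 40)
    '1452' -> --set-mss 1452
    'No'   -> MSS untouched
    The target only ever lowers an MSS; it never raises one.
    """
    if setting == 'No':
        return advertised_mss
    target = link_mtu - IPV4_HDR - TCP_HDR if setting == 'Yes' else int(setting)
    return min(advertised_mss, target)


def clampmss_rule(setting):
    """Hand-written iptables equivalent of a shorewall.conf CLAMPMSS value.

    Placement in the mangle FORWARD chain is one valid choice for the
    TCPMSS target; where Shorewall's generated ruleset puts it is not
    claimed here.
    """
    if setting == 'No':
        return None
    base = 'iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS'
    if setting == 'Yes':
        return f'{base} --clamp-mss-to-pmtu'
    return f'{base} --set-mss {int(setting)}'


def transfer_outcome(payload_bytes, advertised_mss, link_mtu, setting,
                     icmp_reaches_sender):
    """'ok' or 'hang' for one direction of a connection.

    A segment carries at most MSS bytes of payload.  One that does not fit
    the link together with its 40 bytes of headers is only recovered if
    the ICMP fragmentation-needed message gets back to the sender (PMTU
    discovery); otherwise the sender retransmits the same oversized
    segment forever, which is the frozen app the user sees.
    """
    mss = clamp_mss(advertised_mss, link_mtu, setting)
    segment = min(payload_bytes, mss)
    if segment + IPV4_HDR + TCP_HDR <= link_mtu:
        return 'ok'
    return 'ok' if icmp_reaches_sender else 'hang'


def max_df_ping_payload(link_mtu):
    """Largest `ping -M do -s <n>` payload that crosses the link unfragmented.

    On the firewall, `ping -M do -s 1464 <host>` should pass over a
    1492-byte ppp0 while `-s 1465` fails with a "message too long" error;
    that pins down the real link MTU before trusting any clamp value.
    """
    return link_mtu - IPV4_HDR - ICMP_HDR


if __name__ == '__main__':
    for setting in ('No', 'Yes', '1452'):
        mss = clamp_mss(ETHERNET_MSS, PPPOE_MTU, setting)
        short = transfer_outcome(100, ETHERNET_MSS, PPPOE_MTU, setting, False)
        bulk = transfer_outcome(200_000, ETHERNET_MSS, PPPOE_MTU, setting, False)
        print(f'CLAMPMSS={setting}: MSS {ETHERNET_MSS} -> {mss}, '
              f'short message {short}, picture upload {bulk}')
        print('   ', clampmss_rule(setting) or '(no TCPMSS rule)')
    print('DF ping payload limit on ppp0:', max_df_ping_payload(PPPOE_MTU))
```

With CLAMPMSS=No the model reproduces the report exactly: a 100-byte WhatsApp message goes through, a picture hangs, and a 1460-byte segment plus headers is 1500 bytes against a 1492-byte link. CLAMPMSS=Yes lowers the MSS in each SYN to 1452 and the same upload fits. A fixed value (CLAMPMSS=1452) only makes sense once the ppp0 MTU is known; clamp-to-PMTU follows the interface MTU automatically.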