Discussion:
[Shorewall-users] Shorewall (5.0.4) not starting at boot on Ubuntu 16.04 server
Wouter Deurholt
2016-04-01 11:32:23 UTC
Greetings,

I installed Shorewall (5.0.4) on my Ubuntu server 16.04 (currently beta).
It is functioning perfectly fine when started. There is, however, one
problem: it is not starting at boot time.
I even tried to add a wait_interface="eno1" and wait_interface="eno2" to
my /etc/default/shorewall.

/etc/default/shorewall
startup=1
[...]
#### ####

/etc/shorewall/shorewall.conf
STARTUP_ENABLED=Yes
[...]
#### ####

I can start it up perfectly fine without any errors with
sudo shorewall start

I found a solution/workaround somewhere by making a systemd startup script
and that works fine as follows:

/etc/systemd/system/shorewall.service
[Unit]
Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/default/shorewall
StandardOutput=syslog
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/sbin/shorewall $OPTIONS stop
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

[Install]
WantedBy=basic.target
#### ####

followed by a
sudo systemctl enable shorewall.service

But the big question is of course: Why is it not (default) starting at boot?

Thanks!

Wouter
Roberto C. Sánchez
2016-04-01 12:11:17 UTC
Wouter,

That is a problem that I discovered a few weeks after I uploaded 5.0.4.
I was actually surprised that (a) I overlooked it, and (b) nobody ever
reported it. The problem was corrected with the 5.0.7-1 upload to
Debian unstable last week.

Executing 'systemctl enable shorewall.service' is the appropriate
solution. It is effectively what the package does now after it is
installed. There would not be a need to update to the newer package
unless there was some other more pressing bug fix or new feature that
you required.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
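Wouter's unit file was present but the package never ran the equivalent of 'systemctl enable', so nothing pulled the service into the boot graph; Roberto's fix in 5.0.7-1 is exactly that enable step. The script below is an added example written for this thread (it is not Shorewall, Debian packaging or systemd code) that shows what "enabled" means mechanically: the [Install] section names the WantedBy= targets, and enabling creates a <target>.wants/<unit> symlink for each of them. It runs against a temporary directory standing in for /etc/systemd/system and deliberately simplifies systemctl's real logic (it ignores /lib/systemd/system, Alias=, Also= and drop-in directories); on a live host the equivalent check is `systemctl is-enabled shorewall.service`. A firewall that is installed but not enabled leaves the host unfiltered after every reboot, which is why this is worth verifying rather than assuming.

```python
import os
import tempfile

# The unit file from the first post, embedded here as constructed sample input.
UNIT_TEXT = """\
[Unit]
Description=Shorewall IPv4 firewall
Wants=network-online.target
After=network-online.target
Conflicts=iptables.service firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=-/etc/default/shorewall
StandardOutput=syslog
ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS
ExecStop=/sbin/shorewall $OPTIONS stop
ExecReload=/sbin/shorewall $OPTIONS reload $RELOADOPTIONS

[Install]
WantedBy=basic.target
"""


def wanted_by(unit_text):
    """Collect the WantedBy= targets from the [Install] section of a unit file."""
    section, targets = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Install" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "WantedBy":
                targets.extend(value.split())
    return targets


def is_enabled(sysd_dir, unit_name):
    """Simplified `systemctl is-enabled`: True only if every WantedBy= target has a
    <target>.wants/<unit> symlink that resolves to the unit file (assumption: a
    single unit directory, no Alias=/Also=/drop-ins)."""
    unit_path = os.path.join(sysd_dir, unit_name)
    with open(unit_path) as fh:
        targets = wanted_by(fh.read())
    if not targets:
        return False  # no [Install] hook at all: nothing pulls the unit in at boot
    for target in targets:
        link = os.path.join(sysd_dir, target + ".wants", unit_name)
        if not os.path.islink(link):
            return False
        if os.path.realpath(link) != os.path.realpath(unit_path):
            return False
    return True


def enable(sysd_dir, unit_name):
    """What `systemctl enable` does for a WantedBy= unit: create the .wants symlinks.
    Returns the symlink paths it created."""
    unit_path = os.path.join(sysd_dir, unit_name)
    with open(unit_path) as fh:
        targets = wanted_by(fh.read())
    created = []
    for target in targets:
        wants_dir = os.path.join(sysd_dir, target + ".wants")
        os.makedirs(wants_dir, exist_ok=True)
        link = os.path.join(wants_dir, unit_name)
        if not os.path.lexists(link):
            os.symlink(unit_path, link)
            created.append(link)
    return created


def demo():
    """Reproduce the thread: unit installed but not enabled, then enabled."""
    with tempfile.TemporaryDirectory() as root:
        sysd = os.path.join(root, "etc", "systemd", "system")
        os.makedirs(sysd)
        with open(os.path.join(sysd, "shorewall.service"), "w") as fh:
            fh.write(UNIT_TEXT)
        before = is_enabled(sysd, "shorewall.service")  # False: file only, no symlink
        enable(sysd, "shorewall.service")
        after = is_enabled(sysd, "shorewall.service")   # True: basic.target.wants link
        return before, after


if __name__ == "__main__":
    print("enabled before/after:", demo())
```

The `before` value is the state Wouter observed with 5.0.4: the unit exists and `shorewall start` works by hand, but basic.target has no reason to start it. Running `enable` changes nothing in the unit file itself, which is why Roberto could say the 5.0.7-1 package differs only in running the enable step on installation.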
Wouter Deurholt
2016-04-01 18:57:29 UTC
Aha!

I see now (I overlooked it before) that the
/etc/systemd/system/shorewall.service I made myself (first post) was not
necessary... and even pointless :).
If you just do a 'sudo systemctl enable shorewall.service' after you have
installed shorewall 5.0.4, all is well :).
I reckon this is the only change you made in the 5.0.7-1 version, am I right?

Good solution for anyone installing this version until it emerges in the
standard repositories.

Thanks and cheers Roberto!

Wouter
--
Wouter Y. Deurholt
phone: +31 (0) 6 46271448
email: ***@gmail.com
Roberto C. Sánchez
2016-04-01 19:07:12 UTC
Hi Wouter,

You are correct. The only packaging difference between 5.0.4-1 and
5.0.7-1 is that it now correctly enables the systemd service on
installation and disables it on removal.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Florian Piekert
2016-04-01 20:29:58 UTC
Dear Shorewall-Users, dear Tom,

For quite some time I have been using Shorewall on top of openSUSE. Over the years my shorewall.conf has been modified to incorporate the new stuff; my rules file has stayed largely the same most of the time.

I am experiencing multiple issues, and I hope you can help root out the cause and get it back to working the way I want it to...

I have Shorewall 4.6.13.4 running, taken from
baseurl=http://download.opensuse.org/repositories/security:/netfilter/openSUSE_13.2/
as a repository.

I run kernel 3.16.7-35 desktop.

My local network is 192.168.2.0/255, served by eth1.
My dial-up to the internet is via DSL over ppp0, bound to eth0.

My interfaces file is
loc eth1 detect
net ppp0 detect

My masq file is
ppp0 eth1

My zones file looks like
fw firewall
net
loc

rules, shorewall.conf are attached.

policy file is
loc all ACCEPT $LOG
fw all ACCEPT $LOG
net all DROP $LOG
net net NONE #ADD THIS
all all REJECT $LOG

Hope I provided all the relevant information.

Now to my problems.
#1) I have a service on a PC in the loc zone for which I set up a port redirection from the firewall/gateway machine to that machine via DNAT. What worked in the past has ceased to work (I don't know how many weeks or months back; I just noticed). I see in the firewall logs that the

Apr 1 21:59:25 bhaal kernel: [963505.929180] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929196] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929217] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929228] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929253] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0

It gets the packet request, but then drops it instead of forwarding it as per the DNAT lines
DNAT:$LOG net loc:192.168.2.3:7091 tcp 7091
DNAT:$LOG net loc:192.168.2.3:7091 udp 7091

(this port forwarding is just ONE example, I have multiple services that I can't reach anymore)

#2) On the loc LAN I have a D-Link wifi access point, providing (surprise!) wifi access to the LAN and the internet (via the firewall Linux machine). On the firewall I run squid as a proxy; the wifi devices can access web pages etc. nicely, with or without squid.
But what I can't do is, e.g., get the Samsung phones to connect to the Samsung update server, which is done via requests (maybe via HTTP/HTTPS, or using port 5223, I didn't really figure that out yet), unfortunately definitely NOT via squid.
These requests then simply fail, with a network or server error response from the update dialog. When not on wifi it connects to the servers without any issues.
Any ideas around that? I do see the requests in the firewall log, though:
Apr 1 22:12:36 bhaal kernel: [964296.870561] Shorewall:mangle:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870594] Shorewall:nat:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870623] Shorewall:mangle:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870640] Shorewall:filter:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870664] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870676] Shorewall:mangle:POSTROUTING:IN= OUT=ppp0 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870688] Shorewall:nat:POSTROUTING:IN= OUT=ppp0 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

#3) WhatsApp.
WhatsApp works on my wifi, most of the time, that is, as long as I don't send out OR receive e.g. pictures. Then it somehow freezes communication. I have to switch wifi off, get the picture sent or receive the stuff, then I can turn wifi on again. While in "freeze mode", I can't send out any message, no matter how short it is. I get the clock twiddling its counters...

For #2) and #3), I have checked the settings of the wifi access point: there is NO extra firewall, and there is no way of setting packet sizes. I have no issues transferring large files via wifi within the loc LAN zone. So for the time being I assume it's working fine on the wifi access point settings side...

Further, maybe #4): how can I set up Tom's Shorewall update sites as a repository? Has anybody done that?

I appreciate any kind of help you guys can provide; I have waited quite a long time to put my help request here, and hopefully some of you have a good idea how to fix things.

If the solution is to go to v5.0(.x), maybe you have a good suggestion for how to do that in the way that best avoids breaking the other stuff...

Thanks for your help and thanks to Tom for his great work over all the MANY years!

Florian

PS: If I forgot to include some config detail, lmk asap.
--
Florian Piekert ***@floppy.org

===========================================================================
Note: this message was sent by me *only* if the eMail message contains a
correct pgp signature corresponding to my address at ***@floppy.org. Do
you need my PGP public key? Check out http://www.floppy.org or send me an
email with the subject "send pgp public key" to this address of mine. Thx!
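The per-chain log lines Florian posted already contain the trace that the port-forwarding FAQ asks for: one packet (same SRC/SPT/ID) is logged in every table it passes through, so the sequence of chains tells you where the DNAT decision went wrong. The script below is an added example for this thread, not Shorewall's or the FAQ's own tooling: it parses the kernel log format shown above, groups the hits per packet, and classifies the path. Its reading of the 7091 flow follows from netfilter ordering: the packet passes nat:PREROUTING and then appears in mangle:INPUT and filter:INPUT with DST still 89.182.1.68, so no DNAT rewrite happened and the packet was handed to the local net2fw chain, whose policy is DROP; had the DNAT rule matched, the next hop would have been filter:FORWARD with DST=192.168.2.3. The finding labels and the flow key are the example's own conventions; the log lines are copied from the thread (the port-80 flow abridged to four of its seven hits).

```python
import re

# Constructed sample input: the two packet traces quoted in the thread. The 7091
# flow is verbatim; the port-80 flow is abridged to four of its seven chain hits.
LOG_LINES = """\
Apr 1 21:59:25 bhaal kernel: [963505.929180] Shorewall:mangle:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929196] Shorewall:nat:PREROUTING:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929217] Shorewall:mangle:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929228] Shorewall:filter:INPUT:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 21:59:25 bhaal kernel: [963505.929253] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=89.15.239.61 DST=89.182.1.68 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=10493 DF PROTO=TCP SPT=24451 DPT=7091 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870561] Shorewall:mangle:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870594] Shorewall:nat:PREROUTING:IN=eth1 OUT= MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870640] Shorewall:filter:FORWARD:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 1 22:12:36 bhaal kernel: [964296.870664] Shorewall:loc2net:ACCEPT:IN=eth1 OUT=ppp0 MAC=20:cf:30:75:a3:39:c0:bd:d1:85:a5:a5:08:00 SRC=192.168.2.33 DST=54.77.92.8 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=53682 DF PROTO=TCP SPT=53637 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# The prefix is either "Shorewall:<table>:<chain>:" (per-chain tracing) or
# "Shorewall:<chain>:<disposition>:" (a rule hit); both fit "left:right:".
PREFIX_RE = re.compile(r"Shorewall:([^:\s]+):([^:\s]*):(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")          # IN=ppp0, SRC=..., flags like DF/SYN are skipped
VERDICTS = {"ACCEPT", "DROP", "REJECT"}


def parse_line(line):
    """Split one kernel log line into its Shorewall prefix and key=value fields."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"left": m.group(1), "right": m.group(2)}
    rec.update(KV_RE.findall(m.group(3)))
    return rec


def trace_flows(log_text):
    """Group chain hits per packet. SRC/SPT/PROTO plus the IP ID stay constant while
    the packet walks the tables, even when DNAT rewrites DST on the way."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            key = (rec.get("SRC"), rec.get("SPT"), rec.get("PROTO"), rec.get("ID"))
            flows.setdefault(key, []).append(rec)
    return flows


def diagnose(records, dnat_ports):
    """Classify one packet's path. dnat_ports: destination ports a DNAT rule should
    catch. A packet for such a port that reaches filter:INPUT with DST unchanged
    was never rewritten, so the local net2fw policy decided its fate."""
    first, last = records[0], records[-1]
    path = [f"{r['left']}:{r['right']}" for r in records]
    verdict = last["right"] if last["right"] in VERDICTS else None
    dst_changed = any(r.get("DST") != first.get("DST") for r in records[1:])

    def hit(table, chain):
        return any(r["left"] == table and r["right"] == chain for r in records)

    if first.get("DPT") in dnat_ports and hit("filter", "INPUT") and not dst_changed:
        finding = "dnat_not_applied"
    elif hit("filter", "FORWARD"):
        finding = "forwarded"
    elif hit("filter", "INPUT"):
        finding = "delivered_locally"
    else:
        finding = "incomplete_trace"
    return {"path": path, "verdict": verdict, "finding": finding}


def analyze(log_text, dnat_ports):
    """Map each packet key to its diagnosis."""
    return {key: diagnose(recs, dnat_ports) for key, recs in trace_flows(log_text).items()}


if __name__ == "__main__":
    for key, diag in analyze(LOG_LINES, {"7091"}).items():
        print(key, diag["finding"], diag["verdict"], " -> ".join(diag["path"]))
```

`dnat_ports` is the set of ports the rules file DNATs (here {"7091"} from Florian's two DNAT lines). The same grouping works for `shorewall dump` style troubleshooting on any Shorewall host that logs per chain: a forwarded flow shows filter:FORWARD, a locally delivered one filter:INPUT, and a DNAT that did match shows the rewritten DST from the first post-nat:PREROUTING line onward.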
Tom Eastep
2016-04-01 22:17:03 UTC
Post by Florian Piekert
...
#1) I have a service on a PC in the loc zone for which I set up a port redirection from the firewall/gateway machine to that machine via DNAT. What worked in the past has ceased to work (I don't know how many weeks or months back; I just noticed). I see in the firewall logs that the
...
It gets the packet request, but then drops it instead of forwarding it as per the DNAT lines
DNAT:$LOG net loc:192.168.2.3:7091 tcp 7091
DNAT:$LOG net loc:192.168.2.3:7091 udp 7091
(this port forwarding is just ONE example, I have multiple services that I can't reach anymore)
Have you followed the port forwarding diagnostic steps detailed in
Shorewall FAQs 1a and 1b? If so, please forward the output of 'shorewall
dump' collected by following the instructions at
http://www.shorewall.net/support.htm#Guidelines.
Post by Florian Piekert
#2) On the loc LAN I have a D-Link wifi access point, providing (surprise!) wifi access to the LAN and the internet (via the firewall Linux machine). On the firewall I run squid as a proxy; the wifi devices can access web pages etc. nicely, with or without squid.
But what I can't do is, e.g., get the Samsung phones to connect to the Samsung update server, which is done via requests (maybe via HTTP/HTTPS, or using port 5223, I didn't really figure that out yet), unfortunately definitely NOT via squid.
These requests then simply fail, with a network or server error response from the update dialog. When not on wifi it connects to the servers without any issues.
Any ideas around that? I do see the requests in the firewall log, though:
...
Try setting CLAMPMSS=Yes in shorewall.conf.
Post by Florian Piekert
#3) WhatsApp.
Whatsapp works in my Wifi. Most of the time. If I don't send out OR
receive e.g. pictures. Then it somehow freezes communication. I have to
switch wifi off, get the picture send or receive the stuff, then I can
turn on wifi again. While in "freeze mode", I can't send out any
message, no matter how short it is. I get the clock twiddling its
counters...
For #2) and #3), I have checked settings of the Wifi access point,
there is NO extra firewall, there is no way of setting packet sizes. I
have no issues transferring large files via wifi within the loc LAN zone.
So I for the time being assume it's working on the wifi access point
setting side...
Again, see if CLAMPMSS=Yes doesn't help you...
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
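Tom's one-line answer deserves a worked illustration of why it fits problems #2 and #3. A PPPoE link such as ppp0 carries less than Ethernet's 1500 bytes per packet (1492 is the usual figure; that value is an assumption here, the thread does not state the link MTU), but LAN hosts behind the firewall negotiate TCP sessions as if 1500 applied, advertising an MSS of 1460. Small exchanges (a chat message, a simple page) fit anyway; bulky ones (a picture, an update download) produce full-size segments that cannot cross the narrower link, and when the ICMP "fragmentation needed" feedback does not make it back, the connection silently hangs, which is exactly the symptom of a WhatsApp picture freezing while short messages still go through. CLAMPMSS=Yes makes Shorewall rewrite the MSS option of forwarded SYNs down to what the outgoing link can carry (netfilter's TCPMSS target). The code below is an added example written for this thread, not Shorewall's or netfilter's implementation: it performs that rewrite on the TCP options bytes of a SYN so the mechanism is visible end to end.

```python
import struct

IPV4_HEADER = 20     # bytes, IPv4 header without options
TCP_HEADER = 20      # bytes, TCP header without options
MSS_KIND, MSS_LEN = 2, 4

# Constructed sample: options of a SYN sent by a LAN host that assumes a 1500-byte
# path: MSS 1460, NOP, window scale 7, NOP, NOP, timestamps (zeroed).
SYN_OPTS = bytes.fromhex("020405b4010303070101080a0000000000000000")


def max_mss_for_mtu(link_mtu):
    """Largest TCP payload that fits one unfragmented IPv4 packet on the link."""
    return link_mtu - IPV4_HEADER - TCP_HEADER


def full_segment_fits(advertised_mss, link_mtu):
    """False when a full-size segment for this MSS would exceed the link MTU,
    the situation in which uploads hang while small exchanges still work."""
    return advertised_mss <= max_mss_for_mtu(link_mtu)


def clamp_mss_option(options, link_mtu):
    """Walk the TCP options of a SYN; if the MSS option advertises more than the
    link can carry, lower it in place (this mirrors what the MSS clamping rule
    does to forwarded SYNs). Returns (rewritten options, advertised MSS or None)."""
    out = bytearray(options)
    limit = max_mss_for_mtu(link_mtu)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:                      # End-of-option-list
            break
        if kind == 1:                      # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("malformed TCP option length")
        if kind == MSS_KIND and length == MSS_LEN:
            (mss,) = struct.unpack_from("!H", out, i + 2)
            if mss > limit:
                struct.pack_into("!H", out, i + 2, limit)
            return bytes(out), mss
        i += length                        # skip any other option
    return bytes(out), None                # SYN carried no MSS option


if __name__ == "__main__":
    link_mtu = 1492                        # assumed PPPoE link MTU
    rewritten, advertised = clamp_mss_option(SYN_OPTS, link_mtu)
    print("advertised MSS:", advertised, "fits:", full_segment_fits(advertised, link_mtu))
    print("clamped options:", rewritten.hex())
```

With the sample SYN the advertised 1460 is lowered to 1452, and every segment the remote side sends back then fits the ppp0 link without relying on path-MTU discovery; a SYN whose MSS already fits is left untouched. Shorewall's setting also accepts a numeric MSS instead of Yes when a fixed value is preferred over deriving it from the route MTU.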
Florian Piekert
2016-04-02 19:54:47 UTC
On 02.04.2016 at 00:17, Tom Eastep wrote:

Dear Tom, dear users,
Post by Tom Eastep
Post by Florian Piekert
It gets the package request, but then drops it, instead of forwarding it as per DNAT line
DNAT:$LOG net loc:192.168.2.3:7091 tcp 7091
DNAT:$LOG net loc:192.168.2.3:7091 udp 7091
(this port forwarding is just ONE example, I have multiple services that I can't reach anymore)
Have you followed the port forwarding diagnostic steps detailed in
Shorewall FAQs 1a and 1b? If so, please forward the output of 'shorewall
dump' collected by following the instructions at
http://www.shorewall.net/support.htm#Guidelines.
Well, I was about to follow that with the trace, but the fix for #2 & #3 solved this as well!

Btw, the FAQ says to run
/sbin/shorewall trace start 2> /tmp/trace
which results in an empty file and a lot of output in my ssh window. Not sure if that is the expected result? Or should it rather be "...start 1> /tmp/trace 2>&1" for the full picture?
Post by Tom Eastep
Post by Florian Piekert
#2) I have on the loc LAN a DLINK Wifi Access Point, providing (surprise!) wifi access to the LAN and the internet (via the firewall linux machine). On the firewall I run squid as a proxy, the wifi devices can access web pages, etc. nicely, with or without squid.
...
Post by Tom Eastep
Try setting CLAMPMSS=Yes in shorewall.conf.
Gosh, such a simple fix to a bugging problem. That's awesome!
Post by Tom Eastep
Post by Florian Piekert
#3) WhatsApp.
...
Post by Tom Eastep
Again, see if CLAMPMSS=Yes doesn't help you...
It did!

Tom, thank you very much once again!

So the only thing that now remains is whether or not to go to V5 and how to include your devel archive as a repo? Did anybody do that yet?

Thanks a bunch, you really made my weekend a very sunny one!!

Florian
Tom Eastep
2016-04-03 19:06:31 UTC
Post by Florian Piekert
Well, I was about to follow that with the trace, but the fix for #2 & #3 solved this as well!
Btw, the faq shows to run
/sbin/shorewall trace start 2> /tmp/trace
which results in an empty file with a lot of output on my ssh window. Not sure if that is the expected result? Or should it be more "...start 1> /tmp/trace 2>&1" for the full picture?
Yes -- I've updated the support document. Thanks!

-Tom