Re: [Shorewall-users] Whitelisting and ipsets
Justin,

Thank you for your reply. Bad News followed by Good News!

Justin, thanks for the response. By chance I discovered that Gmail had stuffed your reply in Spam :(

>> Are you running a cronjob which is messing with it ?

I've checked the Cron jobs and I don't see anything that could be causing this issue. (It's an issue that started a few days ago, and I've not changed anything in Cron for a few months.)

>> When / how often are the ipsets being changed/added ?

This is almost happening on a constant basis. I clear all the ipsets, everything works OK, then in 5 to 15 minutes (searching, google.com, messenger (on Chromebook)) it all stops working and those two IP numbers are right back in the ipsets. And what makes things even more confusing is that Firefox will connect and work perfectly, even when Chrome will not! So I might be barking up the wrong tree. Going to have a look at "psacct" now.

*ADDED LATER* (had to rewrite as the original message had become too large)

This makes it stranger, but I seem to have become lucky. I did not understand how Firefox worked all OK, but Chrome did not. If ipsets were blocking incoming requests to Chrome, they should also have been blocking everything, including Firefox. So I downloaded and installed Opera to see if that would work. The issue has now magically gone away. So whatever was causing this issue seems to be related to Chrome and my PC that I work on.

Many Thanks, Stay Safe, Nigel.

On Sun, Nov 15, 2020 at 12:36 PM Nigel Aves wrote:
> Shorewall version 5.2.3.4
> Ubuntu Server 20.04.1
> Apache web server with mod_security
>
> I've run into an issue that no matter what I have tried, no success. This
> started a few days ago, my internal network keeps getting "cut off" from
> Google. Cannot search, open google.com, google messenger service ... I
> tracked it down to ipsets being created for Google IP addresses, what
> really surprised me was that I was also getting (occasionally) their DNS
> servers, 8.8.8.8 and 8.8.4.4 - I've spent a couple of days now trying to
> find the root cause.
>
> I needed a bandaid to stop the rest of the family complaining ( :) ) so
> this morning I looked at Shorewall Whitelisting using "blrules", and added
> this to the blrules file.
>
> WHITELIST net:172.217.0.0/16 all
> WHITELIST net:8.8.4.4 all
> WHITELIST net:8.8.8.8 all
>
> Ran a Shorewall restart but I am still seeing entries when I do "ipset
> list SW_DBL4"
>
> 172.217.3.206 timeout 597 packets 1 bytes 52
> 172.217.14.195 timeout 598 packets 1 bytes 52
>
> Any ideas as to what I might have done wrong?
>
> Kind Regards, Stay Safe, Nigel.

___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
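As an added example (not code from the thread or from Shorewall), here is a small Python check for the situation described above: it parses the WHITELIST entries of a blrules file and the members of an "ipset list SW_DBL4" listing, then reports every member that falls inside a whitelisted network, so the conflict between the whitelist and the dynamic blacklist set can be caught from a cron job rather than by eye. The ipset header lines and the 203.0.113.9 member are constructed sample data.

```python
import ipaddress
import re

# Constructed sample input: the blrules WHITELIST lines and the SW_DBL4 members quoted in
# the thread, plus one member (203.0.113.9) that no WHITELIST entry covers.
BLRULES = """\
WHITELIST net:172.217.0.0/16 all
WHITELIST net:8.8.4.4 all
WHITELIST net:8.8.8.8 all
"""
IPSET_LIST = """\
Name: SW_DBL4
Header: family inet hashsize 1024 maxelem 65536 timeout 600 counters
Members:
172.217.3.206 timeout 597 packets 1 bytes 52
172.217.14.195 timeout 598 packets 1 bytes 52
203.0.113.9 timeout 120 packets 3 bytes 180
"""
# One member line: address, remaining timeout, and the optional counters.
MEMBER_RE = re.compile(r"^(\S+)\s+timeout\s+(\d+)(?:\s+packets\s+(\d+)\s+bytes\s+(\d+))?")

def parse_whitelist(blrules_text):
    """Return the networks named in the SOURCE column of WHITELIST entries."""
    nets = []
    for line in blrules_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "WHITELIST":
            continue
        addr = fields[1].split(":", 1)[-1]  # drop the "zone:" prefix if present
        nets.append(ipaddress.ip_network(addr, strict=False))
    return nets

def parse_members(ipset_text):
    """Parse the Members: section of 'ipset list' into (ip, timeout, packets, bytes)."""
    body = ipset_text.split("Members:", 1)[1] if "Members:" in ipset_text else ""
    members = []
    for m in filter(None, map(MEMBER_RE.match, body.splitlines())):
        members.append((ipaddress.ip_address(m.group(1)), int(m.group(2)),
                        int(m.group(3) or 0), int(m.group(4) or 0)))
    return members

def whitelisted_members(blrules_text, ipset_text):
    """Members of the dynamic blacklist set that fall inside a WHITELIST network."""
    nets = parse_whitelist(blrules_text)
    hits = []
    for ip, timeout, _packets, _bytes in parse_members(ipset_text):
        net = next((n for n in nets if ip in n), None)  # "ip in net" is False across IP versions
        if net is not None:
            hits.append((str(ip), str(net), timeout))
    return hits
```

On a live box, feed it the real files with whitelisted_members(open("/etc/shorewall/blrules").read(), subprocess.check_output(["ipset", "list", "SW_DBL4"], text=True)); a non-empty result means the whitelist is not keeping those addresses out of the set.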
Re: [Shorewall-users] Whitelisting and ipsets
Are you running a cronjob which is messing with it ? Check sudo crontab -l and /etc/crontab and /etc/cron.d

When / how often are the ipsets being changed/added ?

Install "psacct" or acct package and enable accounting and see what's running when that happens. Or move ipset out of the way (or replace it with a shellscript to run sleep 999) and see what breaks.

On Sun, Nov 15, 2020 at 12:36:43PM -0700, Nigel Aves wrote:
> Shorewall version 5.2.3.4
> Ubuntu Server 20.04.1
> Apache web server with mod_security
>
> I've run into an issue that no matter what I have tried, no success. This
> started a few days ago, my internal network keeps getting "cut off" from
> Google. Cannot search, open google.com, google messenger service ... I
> tracked it down to ipsets being created for Google IP addresses, what
> really surprised me was that I was also getting (occasionally) their DNS
> servers, 8.8.8.8 and 8.8.4.4 - I've spent a couple of days now trying to
> find the root cause.
>
> I needed a bandaid to stop the rest of the family complaining ( :) ) so
> this morning I looked at Shorewall Whitelisting using "blrules", and added
> this to the blrules file.
>
> WHITELIST net:172.217.0.0/16 all
> WHITELIST net:8.8.4.4 all
> WHITELIST net:8.8.8.8 all
>
> Ran a Shorewall restart but I am still seeing entries when I do "ipset list
> SW_DBL4"
>
> 172.217.3.206 timeout 597 packets 1 bytes 52
> 172.217.14.195 timeout 598 packets 1 bytes 52
>
> Any ideas as to what I might have done wrong?
>
> Kind Regards, Stay Safe, Nigel.
> Shorewall 5.2.3.4 Dump at apache-web-server.twin-peaks-video.com - Sun Nov 15 12:31:31 MST 2020
Re: [Shorewall-users] shorewall restart / compile.pl speed...
On 11/16/2020 2:09 PM, Matt Darfeuille wrote:
> On 11/16/2020 12:03 PM, Marko Horn via Shorewall-users wrote:
>>
>> hello list,
>> i use shorewall with large blrules that get updated once a day.
>> on 'shorewall restart' it takes ages until optimizing the ruleset & co. is done.
>> i see 'compile.pl' uses just "1" core on the system.
>>
>> is it possible to make compile.pl use every core of the cpu?
>>
>
> Would you by any chance be able/willing to submit patches reflecting
> this on the devel list?
>

Do let me know if you do not agree with me asking for help on Shorewall's behalf.

--
Matt Darfeuille
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
Re: [Shorewall-users] filtering on lxd bridge
Hi Matt,

Many thanks for your reply.

> Are you using lxd firewall capabilities (1)?:
> - If yes, this is unlikely to work as Shorewall will probably modify what is created by lxd

Firewall in LXD has been disabled:

# lxc network show lxdbr0
config:
  ipv4.address: 10.0.0.1/24
  ipv4.firewall: "false"
  ipv4.nat: "false"
  ipv6.address: none
  ipv6.firewall: "false"

> - If no, have you looked at (2)
> 2) https://shorewall.org/bridge-Shorewall-perl.html

Yes, I've looked at it and - if my understanding is correct - the page talks about separating interfaces connected to the bridge by declaring more zones as bridge ports. In my scenario I am not sure it's feasible since veth interfaces get random names when containers are being started.

Anyway, the above can't explain why the lxd-lxd (lxd2lxd) policy is set to ACCEPT by default and why Shorewall removes the lxd-lxd chain right after creating it.

Best regards,
Łukasz Czerpak
Re: [Shorewall-users] shorewall restart / compile.pl speed...
On 11/16/2020 12:03 PM, Marko Horn via Shorewall-users wrote:
>
> hello list,
> i use shorewall with large blrules that get updated once a day.
> on 'shorewall restart' it takes ages until optimizing the ruleset & co. is done.
> i see 'compile.pl' uses just "1" core on the system.
>
> is it possible to make compile.pl use every core of the cpu?
>

Would you by any chance be able/willing to submit patches reflecting this on the devel list?

--
Matt Darfeuille
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
Re: [Shorewall-users] filtering on lxd bridge
On 11/16/2020 12:34 PM, Łukasz Czerpak wrote:
> Hi,
>
> I've been struggling to set up filtering on a bridge interface. When I
> added "routeback=0", shorewall started blocking communication on the
> bridge. Then I added rules to allow certain connections and Shorewall
> processes them when building the iptables script, but it still doesn't work
> (connections are blocked).
>
> Here is my setup:
>
> **interfaces:**
>
> net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
> lxd lxdbr0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,bridge,routeback=0
>
> **policy:**
>
> lxd net ACCEPT
> fw net ACCEPT
> fw lxd ACCEPT
> net all DROP $LOG_LEVEL
> all all REJECT $LOG_LEVEL
>
> **relevant fragment from rules:**
>
> # access to mysql database from containers
> ACCEPT lxd lxd:$DB_IP tcp mysql
>
> **some traces from Shorewall's execution:**
>
> # shorewall trace restart -c 2>&1 | grep mysql
> IN===> ACCEPT lxd lxd:10.0.0.11 tcp mysql
>
> # shorewall -vv restart -c | grep lxd-lxd
> Policy ACCEPT from lxd to lxd using chain lxd-lxd
> Chain lxd-lxd deleted
>
> **Sample log line:**
>
> kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a
> PHYSOUT=veth7e32a5a5 MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00
> SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30577 DF
> PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
>
> What I do not understand is the following:
> - why lxd-lxd policy is ACCEPT (I haven't defined it explicitly anywhere..)
> - why lxd-lxd chain is deleted (although I have a gut feeling it's a
> consequence of the above)
>
> When I add the iptables rule manually it all works fine. I have no idea why
> I can't get it working in Shorewall, it's a simple setup :(
>
> If anyone has any suggestion on how to troubleshoot further, or how to
> fix it, I would very much appreciate any such help.
>

Are you using lxd firewall capabilities (1)?:
- If yes, this is unlikely to work as Shorewall will probably modify what is created by lxd
- If no, have you looked at (2)

1) https://lxd.readthedocs.io/en/latest/networks/
2) https://shorewall.org/bridge-Shorewall-perl.html

--
Matt Darfeuille
Community: https://sourceforge.net/p/shorewall/mailman/message/37107049/
SPC: https://sourceforge.net/p/shorewall/mailman/message/36596609/
Homepage: https://shorewall.org
[Shorewall-users] filtering on lxd bridge
Hi,

I've been struggling to set up filtering on a bridge interface. When I added "routeback=0", shorewall started blocking communication on the bridge. Then I added rules to allow certain connections and Shorewall processes them when building the iptables script, but it still doesn't work (connections are blocked).

Here is my setup:

**interfaces:**

net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
lxd lxdbr0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,bridge,routeback=0

**policy:**

lxd net ACCEPT
fw net ACCEPT
fw lxd ACCEPT
net all DROP $LOG_LEVEL
all all REJECT $LOG_LEVEL

**relevant fragment from rules:**

# access to mysql database from containers
ACCEPT lxd lxd:$DB_IP tcp mysql

**some traces from Shorewall's execution:**

# shorewall trace restart -c 2>&1 | grep mysql
IN===> ACCEPT lxd lxd:10.0.0.11 tcp mysql

# shorewall -vv restart -c | grep lxd-lxd
Policy ACCEPT from lxd to lxd using chain lxd-lxd
Chain lxd-lxd deleted

**Sample log line:**

kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a PHYSOUT=veth7e32a5a5 MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00 SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=30577 DF PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0

What I do not understand is the following:
- why lxd-lxd policy is ACCEPT (I haven't defined it explicitly anywhere..)
- why lxd-lxd chain is deleted (although I have a gut feeling it's a consequence of the above)

When I add the iptables rule manually it all works fine. I have no idea why I can't get it working in Shorewall, it's a simple setup :(

If anyone has any suggestion on how to troubleshoot further, or how to fix it, I would very much appreciate any such help.

--
Best regards,
Łukasz Czerpak
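As an added example (not code from the post or from Shorewall), this Python snippet parses netfilter log lines like the one quoted above into their fields and picks out rejected packets whose IN and OUT are the same bridge with PHYSIN/PHYSOUT set, i.e. traffic between two ports of lxdbr0 that is being filtered in FORWARD, which is the case worth isolating when a bridge zone starts rejecting container-to-container connections. The second, routed log line and the two-word "FORWARD REJECT" prefix format are assumptions for the sample.

```python
import re

# Constructed sample log: the FORWARD REJECT line quoted in the post, plus one
# routed (bridge to eth0) rejection for contrast.
LOG_LINES = [
    "kernel: FORWARD REJECT IN=lxdbr0 OUT=lxdbr0 PHYSIN=veth17392b4a PHYSOUT=veth7e32a5a5 "
    "MAC=00:16:3e:24:31:30:00:16:3e:51:d6:59:08:00 SRC=10.0.0.13 DST=10.0.0.11 LEN=60 TOS=0x10 "
    "PREC=0x00 TTL=64 ID=30577 DF PROTO=TCP SPT=54706 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0",
    "kernel: FORWARD REJECT IN=lxdbr0 OUT=eth0 PHYSIN=veth17392b4a SRC=10.0.0.13 "
    "DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN URGP=0",
]
# Log prefix as it appears in the post: "<chain> <disposition>" right before IN=.
PREFIX_RE = re.compile(r"kernel:\s+(?P<chain>\S+)\s+(?P<disp>\S+)\s+IN=")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_log_line(line):
    """One netfilter log line -> dict with chain, disposition and every KEY=value field."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(KV_RE.findall(line))  # bare flags such as DF and SYN have no "=" and are skipped
    return rec

def is_bridge_internal(rec):
    """True when the packet entered and left through ports of the same bridge."""
    return rec.get("IN") == rec.get("OUT") and "PHYSIN" in rec and "PHYSOUT" in rec

def rejected_bridge_flows(lines):
    """Summarise rejected bridge-internal flows as (physin, physout, src, dst, proto, dport)."""
    flows = []
    for rec in map(parse_log_line, lines):
        if rec and rec["disposition"] == "REJECT" and is_bridge_internal(rec):
            flows.append((rec["PHYSIN"], rec["PHYSOUT"], rec["SRC"], rec["DST"],
                          rec.get("PROTO"), rec.get("DPT")))
    return flows
```

Run it over journalctl -k output to map each rejected container-to-container flow back to the veth pair and destination port, which tells you which bridge port pairs the missing rule must cover.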
[Shorewall-users] shorewall restart / compile.pl speed...
hello list,

i use shorewall with large blrules that get updated once a day.
on 'shorewall restart' it takes ages until optimizing the ruleset & co. is done.
i see 'compile.pl' uses just "1" core on the system.

is it possible to make compile.pl use every core of the cpu?

best regards
marko

--
Right in the middle instead of just a file!