On 01/09/2018 02:04 PM, Thomas wrote:
> Hi,
> 
> after enabling Shorewall I cannot update the OS of any server running in
> LOC and DMZ, means fetching packages from repository fail.
> 
> For example, this is the output of a server running in DMZ:
> vm102-haproxy:~# apk update
> fetch http://dl-cdn.alpinelinux.org/alpine/v3.6/main/x86_64/APKINDEX.tar.gz
> ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.6/main: network error
> (check Internet connection and firewall)
> fetch
> http://dl-cdn.alpinelinux.org/alpine/v3.6/community/x86_64/APKINDEX.tar.gz
> ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.6/community: network
> error (check Internet connection and firewall)
> fetch http://alpine.mirror.wearetriple.com/v3.6/main/x86_64/APKINDEX.tar.gz
> v3.6.2-227-g41e842fa63 [http://dl-cdn.alpinelinux.org/alpine/v3.6/main]
> v3.6.2-225-g9aec1deda8 [http://dl-cdn.alpinelinux.org/alpine/v3.6/community]
> v3.6.2-240-geb8d8205d9 [http://alpine.mirror.wearetriple.com/v3.6/main]
> 2 errors; 8526 distinct packages available
> 
> For debugging I started shorewall debug start.
> This output is shown; I think the relevant configuration parameter is
> not required anymore.
> Processing /etc/shorewall/shorewall.conf...
>    WARNING: Unknown configuration option (FORWARDING) ignored
> /etc/shorewall/shorewall.conf (line 178)

That should be IP_FORWARDING, not FORWARDING.

>    WARNING: Unknown configuration option (BALANCE_PROVIDERS) ignored
> /etc/shorewall/shorewall.conf (line 250)

BALANCE_PROVIDERS wasn't added until Shorewall 5.1.1 - you are running
5.0.16.6.

> 
> shorewall is starting w/o errors.
> shorewall status
> Shorewall-5.0.15.6 Status at pc4-svp - Di 9. Jan 22:41:17 CET 2018
> 
> Shorewall is running correctly.
> State:Started Di 9. Jan 22:39:23 CET 2018 from /etc/shorewall/
> (/var/lib/shorewall/firewall compiled Di 9. Jan 22:39:22 CET 2018 by
> Shorewall version 5.0.15.6)
> 
> After completing tests on server (Alpine 3.6.2) in DMZ (updating
> repositories with /apk update/) I stopped shorewall
> shorewall dump > /tmp/shorewall_dump.txt
> grep: /proc/net/nf_conntrack: Datei oder Verzeichnis nicht gefunden
> 
> For your reference I have attached the dump file.
> And this is the output of /ip addr show/ and /ip route show/:
> ip addr show
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
> group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
> 2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP group default qlen 1000
>     link/ether 74:d4:35:1a:f6:0f brd ff:ff:ff:ff:ff:ff
>     inet 78.94.230.158/30 brd 78.94.230.159 scope global eno1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::76d4:35ff:fe1a:f60f/64 scope link
>        valid_lft forever preferred_lft forever
> 3: enp1s0f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc
> pfifo_fast master bond0 state UP group default qlen 1000
>     link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
> 4: enp1s0f1: <NO-CARRIER,BROADCAST,MULTICAST,SLAVE,UP> mtu 1500 qdisc
> pfifo_fast master bond0 state DOWN group default qlen 1000
>     link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
> 5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master vmbr0 state UP group default qlen 1000
>     link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
> 6: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> UP group default qlen 1000
>     link/ether 00:15:17:91:9c:b8 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.14/24 brd 192.168.1.255 scope global vmbr0
>        valid_lft forever preferred_lft forever
>     inet6 fe80::215:17ff:fe91:9cb8/64 scope link
>        valid_lft forever preferred_lft forever
> 7: vmbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> UP group default qlen 1000
>     link/ether fe:e9:6b:ad:b6:2d brd ff:ff:ff:ff:ff:ff
>     inet 192.168.100.1/24 brd 192.168.100.255 scope global vmbr1
>        valid_lft forever preferred_lft forever
>     inet6 fe80::cc6a:68ff:fef0:483d/64 scope link
>        valid_lft forever preferred_lft forever
> 8: vmbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
> UP group default qlen 1000
>     link/ether fe:aa:20:0a:61:85 brd ff:ff:ff:ff:ff:ff
>     inet 10.0.0.1/24 brd 10.0.0.255 scope global vmbr2
>        valid_lft forever preferred_lft forever
>     inet6 fe80::58c9:8aff:fe1b:e2a5/64 scope link
>        valid_lft forever preferred_lft forever
> 10: veth102i0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master vmbr2 state UP group default qlen 1000
>     link/ether fe:aa:20:0a:61:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
> 12: veth109i0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master vmbr1 state UP group default qlen 1000
>     link/ether fe:e9:6b:ad:b6:2d brd ff:ff:ff:ff:ff:ff link-netnsid 1
> 14: veth103i0@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master vmbr2 state UP group default qlen 1000
>     link/ether fe:64:3e:2a:fd:a1 brd ff:ff:ff:ff:ff:ff link-netnsid 2
> 16: veth104i0@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master vmbr2 state UP group default qlen 1000
>     link/ether fe:bd:82:89:13:8b brd ff:ff:ff:ff:ff:ff link-netnsid 3
> 18: veth108i0@if17: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue master vmbr2 state UP group default qlen 1000
>     link/ether fe:19:a3:72:68:3d brd ff:ff:ff:ff:ff:ff link-netnsid 4
> 19: tap123i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
> pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
>     link/ether ba:92:ed:9d:de:96 brd ff:ff:ff:ff:ff:ff
> 
> 
> ip route show
> 10.0.0.0/24 dev vmbr2 proto kernel scope link src 10.0.0.1
> blackhole 10.0.0.0/8
> 78.94.230.156/30 dev eno1 proto kernel scope link src 78.94.230.158
> 78.94.230.157 dev eno1 scope link src 78.94.230.158
> blackhole 172.16.0.0/12
> blackhole 192.168.0.0/16
> 192.168.1.0/24 dev vmbr0 proto kernel scope link src 192.168.1.14
> 192.168.1.1 dev vmbr0 scope link src 192.168.1.14
> 192.168.100.0/24 dev vmbr1 proto kernel scope link src 192.168.100.1
> 
> 
> What is generating the lines "blackhole [...]" in route output?
> 

NULL_ROUTE_RFC1918=Yes.

I see that you attached a dump, but there is no explanation of what you
tried to do. The last step of the instructions that I pointed you to reads:

    Describe where you are trying to make the connection from (IP
    address) and what host (IP address) you are trying to connect to.

I can see DNS requests from both the DMZ and local LAN to the net zone.
Unfortunately, the conntrack table isn't being printed correctly for
some reason, so I can't see what the state of connections is. Possibly,
installing the 'conntrack' package will correct that.

Off-hand, I don't see anything in the dump that would result in no
traffic from LOC and DMZ. I do think, however, that you need to
masquerade traffic out of vmbr0 if it comes from the LAN or DMZ, as the
router in front of the Shorewall box probably doesn't know how to route
to those networks.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
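The two points in the reply above (the "blackhole" entries come from NULL_ROUTE_RFC1918, and traffic from LOC/DMZ leaving through vmbr0 needs masquerading because the upstream router has no route back to those subnets) can be checked mechanically. The script below is an added example, not Shorewall code and not from either poster: it parses the `ip route show` output quoted in the thread, does longest-prefix lookup the way the kernel does, and for a given source/destination pair reports whether the packet is dropped by a blackhole route, has no route at all, or is forwarded and whether SNAT is needed. The default route via 192.168.1.1 on vmbr0 and the destination 203.0.113.10 are assumptions (the quoted table shows no default route; 203.0.113.0/24 is a documentation range).

```python
"""Route lookup and masquerade check over an `ip route show` listing.

Added example for the thread above; not Shorewall's own code.  The
quoted route table is the one from the post, the default route and the
destination addresses in main() are constructed assumptions.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    dev: Optional[str]       # None for blackhole entries
    gateway: Optional[str]   # "via" address; None for connected routes
    blackhole: bool


# Sample input: the `ip route show` output quoted in the post.
QUOTED_ROUTES = """\
10.0.0.0/24 dev vmbr2 proto kernel scope link src 10.0.0.1
blackhole 10.0.0.0/8
78.94.230.156/30 dev eno1 proto kernel scope link src 78.94.230.158
78.94.230.157 dev eno1 scope link src 78.94.230.158
blackhole 172.16.0.0/12
blackhole 192.168.0.0/16
192.168.1.0/24 dev vmbr0 proto kernel scope link src 192.168.1.14
192.168.1.1 dev vmbr0 scope link src 192.168.1.14
192.168.100.0/24 dev vmbr1 proto kernel scope link src 192.168.100.1
"""

# Assumption: a default route via the LAN router (the quoted table has none).
ASSUMED_DEFAULT = "default via 192.168.1.1 dev vmbr0"

# Interfaces behind which a router sits that knows nothing about the
# LOC/DMZ subnets, so private sources leaving here must be masqueraded.
UPSTREAM_IFACES = {"vmbr0"}


def parse_routes(text: str) -> List[Route]:
    """Turn `ip route show` lines into Route records (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "blackhole":
            routes.append(Route(ipaddress.ip_network(fields[1]), None, None, True))
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        # A bare host address ("192.168.1.1") becomes a /32 network.
        routes.append(Route(ipaddress.ip_network(dest), dev, gw, False))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the kernel FIB does; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def classify_flow(routes: List[Route], src: str, dst: str) -> dict:
    """Say what happens to a packet src->dst and whether SNAT is required."""
    src_ip = ipaddress.ip_address(src)
    route = lookup(routes, dst)
    if route is None:
        return {"verdict": "no route", "dev": None, "masquerade": False}
    if route.blackhole:
        # NULL_ROUTE_RFC1918 installs these so unrouted private destinations
        # are dropped here instead of leaking out via the default route.
        return {"verdict": "blackhole", "dev": None, "masquerade": False}
    # The source is reachable by the next-hop router without NAT only if a
    # connected (no "via", non-blackhole) route on the egress device covers it.
    on_link = any(
        not r.blackhole and r.gateway is None and r.dev == route.dev and src_ip in r.prefix
        for r in routes
    )
    masq = src_ip.is_private and route.dev in UPSTREAM_IFACES and not on_link
    return {"verdict": "forward", "dev": route.dev, "masquerade": masq}


def main() -> None:
    quoted = parse_routes(QUOTED_ROUTES)
    full = parse_routes(QUOTED_ROUTES + ASSUMED_DEFAULT + "\n")
    flows = [
        ("10.0.0.102", "203.0.113.10"),     # DMZ guest to a public host
        ("192.168.100.9", "192.168.50.5"),  # LOC guest to an unrouted private net
        ("192.168.1.14", "203.0.113.10"),   # the firewall's own vmbr0 address
    ]
    for label, routes in (("quoted table", quoted), ("with assumed default", full)):
        print(f"--- {label}")
        for src, dst in flows:
            print(f"{src} -> {dst}: {classify_flow(routes, src, dst)}")


if __name__ == "__main__":
    main()
```

With only the quoted table, a DMZ guest reaching a public address has no route at all, which is worth ruling out before looking at the firewall rules; with the assumed default route added, the same flow egresses vmbr0 from a subnet the LAN router cannot see, which is the case for which the reply recommends masquerading.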

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
