I managed to get a multi-ISP firewall running with 4 zones:
- net (internet)
- loc
- dmz
- road (openvpn rwarrior)

Browsing from loc to the internet, vpn to dmz, and vpn to loc is working fine with
reasonable response times. However, loc to dmz traffic is having an issue.

I found that browsing from a workstation in the LAN (loc) zone to a web server
hosted in the DMZ zone takes a very long time.

I ran a packet analyzer (wireshark). I found that the data traffic from the
web server is being fragmented and eventually experiences out-of-order
fragmented packets. This results in slow speed, and the data from the web server
eventually is not delivered completely to the browser (e.g. only partial data).

Wireshark reports "TCP segment of a reassembled PDU" many times until the
"out-of-order segment" trace.

Googling around about fragmentation, the first thing to look at is the MTU. However,
when I move a LAN workstation to the dmz zone by just changing the IP address to
suit the dmz subnet (not playing with the MTU setup), I have no problem
browsing the web server. So that eliminates the MTU as the cause.

The firewall, workstation, and web server run on VMware, so no physical switch
is involved (yet). I doubt it is the virtual switch causing the problem because
when the workstation and web server are connected to the same virtual switch, it's
working fine.

When I do "shorewall dump", I can only tell that the traffic between loc and
dmz was, in fact, established.

tcp      6 431994 ESTABLISHED src=10.35.249.53 dst=192.168.168.11 sport=1295 dport=80 packets=3 bytes=132 src=192.168.168.11 dst=10.35.249.53 sport=80 dport=1295 packets=1 bytes=52 [ASSURED] mark=0 secmark=0 use=1

where 10.35.249.53 = LAN workstation and 192.168.168.11 = web server in the dmz.

I did, however, suspect the marking in tcrules might play a part in this problem
(however, not being an expert in traffic shaping, I can comment further).

As displayed in the dump (above), the mark is "0" for this packet, which should
be the default and processed normally in shorewall without packet mark redirection.

When I comment out all the tcrules, this problem still persists, so is it
because of the providers entries?

Any hints from anyone who has seen this issue would be appreciated. Thank
you.

/etc/shorewall/interfaces:

#ZONE           INTERFACE               OPTIONS
net             eth0            detect
net             eth1            detect
dmz             eth2            detect
loc             eth3            detect
road            tun+

/etc/shorewall/zones:

fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4
road    ipv4

/etc/shorewall/policy:

net     net     DROP            info

# traffic to internet
loc     net     ACCEPT
dmz     net     REJECT          info

# traffic to dmz
loc     dmz     ACCEPT

# traffic from roadwarrior
road    loc     ACCEPT
road    dmz     ACCEPT

# traffic to firewall
loc     $FW     REJECT          info

# traffic from firewall
$FW     all     ACCEPT

# traffic from internet
net     all     DROP            info

# catch all
all     all     DROP            info

/etc/shorewall/providers:

ISPIIN  1       1       main    eth1    218.206.228.101         track,balance=100       eth2,eth3,tun0
ISPAC3  2       2       main    eth0    218.202.139.222         track,balance=50        eth2,eth3

/etc/shorewall/tcrules:

# redirect service from LAN to (1) iinet or (2) ac3
1:P     10.35.249.0/24          0.0.0.0/0       tcp     80
2:P     10.35.249.0/24          0.0.0.0/0       tcp     3389

# redirect service from DMZ to (1) iinet or (2) ac3
1:P     192.168.168.0/24        0.0.0.0/0       tcp     80

1:P     192.168.168.0/24        0.0.0.0/0       tcp     443

1:P     192.168.168.0/24        0.0.0.0/0       tcp     53
1:P     192.168.168.0/24        0.0.0.0/0       udp     53

1:P     192.168.168.0/24        0.0.0.0/0       udp     123

1:P     192.168.168.0/24        0.0.0.0/0       icmp    8

1:P     192.168.168.0/24        0.0.0.0/0       tcp     21

#2:P    192.168.168.0/24        0.0.0.0/0       icmp    8

/etc/shorewall/rtrules:
#here not using USE_DEFAULT_RT
-                       172.16.1.0/24           main            1000

/etc/shorewall/tunnels:

openvpnserver:tcp:443   net     0.0.0.0/0

# Internet to ALL -- drop NewNotSyn packets
dropNotSyn      net             fw              tcp
dropNotSyn      net             loc             tcp
dropNotSyn      net             dmz             tcp

#---FROM LAN---
SSH(ACCEPT)     loc             $FW             -       -       -               -               s:1/min:3

#---FROM DMZ---
HTTP(ACCEPT)    dmz             net
HTTPS(ACCEPT)   dmz             net
DNS(ACCEPT)     dmz             net
NTP(ACCEPT)     dmz             net
Ping(ACCEPT)    dmz             net
FTP(ACCEPT)     dmz             net

#---DNAT Rules---
DNAT            net:eth1        dmz:192.168.168.10:80   tcp     8080    -       218.206.228.102
DNAT            net:eth1        loc:10.35.249.53:80     tcp     8081    -       218.206.228.102

#---Services within Firewall---
# openvpn - tcp 443
ACCEPT          net                     $FW             tcp     443     -       218.202.228.102

#---Temporary Rules---
ACCEPT          net:124.149.32.217      $FW             tcp     22      -       218.206.228.102

#Block stealth Auth port 113 (must be at the end)
Auth(DROP)      net             $FW

/etc/shorewall/shorewall.conf (diff from the original setting):
< STARTUP_ENABLED=Yes
< LOGLIMIT=s:5/sec
< STARTUP_LOG=/var/log/firewall/shorewall-init.log
< MARK_IN_FORWARD_CHAIN=Yes

/etc/shorewall/masq:
eth0                    192.168.168.15  218.202.139.210 tcp     80
eth1                    192.168.168.10  218.206.228.102 tcp     8080
eth1                    10.35.249.53    218.206.228.102 tcp     8081
eth0                    0.0.0.0/0       218.202.139.210
eth1                    0.0.0.0/0       218.206.228.102
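As an added example (not from the post and not Shorewall's own code), the Python below parses the conntrack entry from the "shorewall dump" output and checks the loc to dmz flow against the tcrules entries posted above; because the DEST column of those entries is 0.0.0.0/0, the LAN port-80 entry also matches traffic bound for the DMZ web server. The conntrack line and rule table are copied from the post; the function names are my own.

```python
import ipaddress
import re

# Constructed copy of the conntrack entry shown in the "shorewall dump" output above.
CONNTRACK_LINE = (
    "tcp      6 431994 ESTABLISHED src=10.35.249.53 dst=192.168.168.11 sport=1295 "
    "dport=80 packets=3 bytes=132 src=192.168.168.11 dst=10.35.249.53 sport=80 "
    "dport=1295 packets=1 bytes=52 [ASSURED] mark=0 secmark=0 use=1"
)

# Active tcrules entries from the post as (MARK, SOURCE, DEST, PROTO, DPORT);
# the remaining DMZ entries (443, 53, 123, icmp 8, 21) follow the same pattern.
TCRULES = [
    ("1:P", "10.35.249.0/24", "0.0.0.0/0", "tcp", 80),
    ("2:P", "10.35.249.0/24", "0.0.0.0/0", "tcp", 3389),
    ("1:P", "192.168.168.0/24", "0.0.0.0/0", "tcp", 80),
]

PER_DIRECTION = ("src", "dst", "sport", "dport", "packets", "bytes")

def parse_conntrack(line):
    """Split one conntrack entry into original direction, reply direction and mark."""
    # Each per-direction key appears twice: first for the original, then the reply.
    vals = {k: re.findall(rf"\b{k}=(\S+)", line) for k in PER_DIRECTION}
    orig = {k: vals[k][0] for k in PER_DIRECTION}
    reply = {k: vals[k][1] for k in PER_DIRECTION}
    # "mark=" is the connection mark; a plain ":P" tcrule sets only the packet mark,
    # so mark=0 does not on its own show that no tcrules entry was applied.
    mark = int(re.search(r"\bmark=(\d+)", line).group(1))
    proto, _, _, state = line.split()[:4]
    return {"proto": proto, "state": state, "orig": orig, "reply": reply, "mark": mark}

def first_matching_tcrule(rules, src, dst, proto, dport):
    """Return the MARK column of the first tcrules entry matching the packet, or None."""
    for mark, rsrc, rdst, rproto, rport in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(rsrc)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rdst)
                and proto == rproto and dport == rport):
            return mark
    return None

def flow_report(line, rules):
    """Summarise one conntrack entry and the tcrules entry its original direction hits."""
    ct = parse_conntrack(line)
    o = ct["orig"]
    rule = first_matching_tcrule(rules, o["src"], o["dst"], ct["proto"], int(o["dport"]))
    return {"state": ct["state"], "conn_mark": ct["mark"], "tcrule": rule,
            "orig_packets": int(o["packets"]), "reply_packets": int(ct["reply"]["packets"])}
print(flow_report(CONNTRACK_LINE, TCRULES))
```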

Attachment: dump.txt.gz
Description: GNU Zip compressed data

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users