Hi,

Well, I'm back...

This time, I tried replacing my old internal shorewall firewall with a new one 
(host name "inf-fw2" with IP addr. 10.215.144.91).

This router controls access to several zones, and most of the traffic was 
allowed as expected. However, traffic through the "wan" interface is failing or 
misbehaving.
The "wan" interface on "inf-fw2" is connected to a switch, and from there to a 
Shorewall gateway ("inf-gw1" -- the one that was described in my previous 
thread with a different host name).

This morning I took special care to make sure that there wouldn't be any ARP 
cache issues by connecting to every single switch, and making sure to set low 
timeouts.

First off, when I replaced the shorewall firewall I noticed that the "shorewall 
start" or "restart" commands would take much longer to run than on the old 
firewall. I admit there are a few more rules than on the old system, but it 
startled me when I noticed that the process took about 30 seconds to run on 
powerful hardware while it takes around 10-12 seconds on the older system.
Anyway, it's just an observation, and I'll need to dig into this.

Now for the detailed failing connections...

ICMP traffic is OK from 10.215.144.91 (inf-fw2) to any host's IP address in all 
zones, including "wan". However, even if the pings reply with low latency from 
10.215.144.92 in "wan" zone (inf-gw1), I had trouble connecting via SSH. It 
took way too long to log in.

inf-fw2 ~ # ssh 10.215.144.92
Password:
No logon servers
inf-gw1 ~ #

The connection finally succeeded. I suspect it took so long because inf-gw1's 
sshd also uses PAM with SAMBA-winbind configured with a PDC in inf-fw2's "lan" 
zone. If there are traffic issues between lan and wan then surely this could 
explain the long wait and the "No logon servers" message (even if I used a 
local root account).

So, in short, ping from 10.215.144.91 (inf-fw2) to all: OK.

ICMP traffic from a host in the "lan" zone with IP address 10.215.144.48 to:

- host with IP address 10.215.134.196 in "ibs" zone is OK

- host with IP address 10.215.9.172 in "caib" zone is OK

- $FW with IP address 10.215.144.91 (inf-fw2) is OK

- host with IP address 10.215.144.92 (inf-gw1) in "wan" zone is FAILING

- host with IP address 8.8.8.8 in "wan" zone and beyond inf-gw1 is FAILING

A tcpdump on inf-fw2's "lan" interface shows that the ICMP requests come in, so 
it doesn't seem to be an ARP cache issue. Besides, if it were, I suspect pings 
to IP addresses of hosts in the other zones would also fail.

For testing purposes I added this line right at the top of the rules file in 
inf-fw2:

ACCEPT          lan:10.215.144.48       $FW,wan,dmz     all

I'm attaching the shorewall dumps of both inf-gw1 and inf-fw2 while trying to 
ping from the host in "lan" zone with IP addr. 10.215.144.48 to 8.8.8.8 and 
10.215.144.92.
I'm attaching links instead of files due to ML limitations:
inf-fw2's dump - https://drive.google.com/open?id=0B-tpkY1LkI67ZkdDTGE3bkZwY2c
inf-gw1's dump - https://drive.google.com/open?id=0B-tpkY1LkI67X0ViTU9OU0FUejA

An ICMP tcpdump on inf-gw1's "loc" interface (connected to inf-fw2's "wan" 
interface) does not show requests coming from 10.215.144.48.
It did not occur to me to run a tcpdump on inf-fw2's wan interface.

I'm expecting inf-gw1 to reply to ICMP requests from 10.215.144.48 because of 
this rule (in inf-gw1):
Ping/ACCEPT     loc             $FW

I'm also expecting internet hosts such as the one with IP addr. 8.8.8.8 to 
reply to ICMP requests because of these rules:
ACCEPT  loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24     net1:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT  loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24     net2:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT  loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24     net3:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT  loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24     net4:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all

where OUT_COUNTRIES_1 contains "US".

# shorewall show capabilities | grep -i geo
Geo IP Match (GEOIP_MATCH): Available

I also forgot to re-enable info logging for loc-net* policies during the dumps. 
However, replacing the new inf-fw2 with the old system restores ICMP traffic as 
expected. So, I suspect the issue must be in inf-fw2.

The interfaces file in inf-fw2 contains:

lan     $IF_LAN         routeback
wan     $IF_WAN         routeback,arp_filter=1
caib    $IF_CAIB        arp_filter=1
ibs     $IF_IBS         arp_filter=1
dmz     $IF_DMZ         routeback,dhcp
-       lo              -

I hope you don't mind me sending you privately both /var/lib/shorewall/firewall 
and sh -x /var/lib/shorewall/firewall reload > trace 2>&1 (inf-fw2) as they 
might be of use as in my previous thread.

Thanks,

Vieri
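The post narrows the fault to inf-fw2 by swapping the old box back in. A cheaper first check, before swapping hardware, is to trace the failing packet through the filter rules the dump already contains and see whether the rules would accept it at all. The script below is an added example, not part of the post and not Shorewall's own code: it reads a ruleset in iptables-save form (what `iptables-save` prints on the firewall) and walks one packet from FORWARD, following jumps into Shorewall's per-zone-pair chains and falling back to the builtin policy. The ruleset, the chain names and the interface names (eth0 standing in for $IF_LAN, eth1 for $IF_WAN) are constructed for the example; only the addresses are the ones from the post.

```python
"""Trace a forwarded packet through an iptables-save(8) style filter table.

Added example, not Shorewall's code. It answers "which rule would this
packet hit?", so the rules can be ruled in or out as the cause of a drop.
Understood: -s/-d (CIDR), -i/-o, -p, --ctstate, --icmp-type. Any other
match (e.g. -m geoip) is reported and treated as a non-match, and negated
matches ("!") are not handled, so the verdict is only as good as that.
"""
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
SIMPLE = ("-s", "-d", "-i", "-o", "-p", "--ctstate", "--icmp-type")

# Constructed ruleset in the shape Shorewall emits (FORWARD dispatching to a
# per-zone-pair chain). eth0/eth1 and the chain names are assumptions.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
:lan-wan - [0:0]
:Reject - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j lan-wan
-A FORWARD -j Reject
-A lan-wan -s 10.215.144.48/32 -j ACCEPT
-A lan-wan -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A lan-wan -j Reject
-A Reject -j DROP
COMMIT
"""


def parse_rules(text):
    """Return (policies, chains): chain name -> [(matches, target), ...]."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                   # chain declaration
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":                      # builtin chain: keep policy
                policies[name] = policy
        elif line.startswith("-A "):               # rule appended to a chain
            toks = shlex.split(line)
            chain, matches, target, i = toks[1], {}, None, 2
            while i < len(toks):
                tok = toks[i]
                if tok == "-j":
                    target, i = toks[i + 1], i + 2
                elif tok == "-m":                  # module name; options follow
                    i += 2
                elif tok in SIMPLE:
                    matches[tok], i = toks[i + 1], i + 2
                else:                              # anything else: unsupported
                    matches.setdefault("_unsupported", []).append(tok)
                    i += 1
            chains[chain].append((matches, target))
    return policies, chains


def rule_matches(matches, pkt, warnings):
    """True if every understood match in the rule applies to pkt."""
    if "_unsupported" in matches:
        warnings.append("skipped rule, unsupported match: " + " ".join(matches["_unsupported"]))
        return False
    simple = {"-i": pkt.get("iif"), "-o": pkt.get("oif"),
              "-p": pkt.get("proto"), "--icmp-type": str(pkt.get("icmp_type"))}
    for key, want in matches.items():
        if key in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if key == "-s" else "dst"])
            if addr not in ipaddress.ip_network(want, strict=False):
                return False
        elif key == "--ctstate":                   # a new flow unless told
            if pkt.get("ctstate", "NEW") not in want.split(","):
                return False
        elif simple[key] != want:
            return False
    return True


def trace(rules_text, pkt, entry="FORWARD"):
    """Walk pkt from `entry`; return (verdict, path, warnings)."""
    policies, chains = parse_rules(rules_text)
    path, warnings = [], []

    def walk(chain):                               # None = fell off the end
        for n, (matches, target) in enumerate(chains[chain], 1):
            if not rule_matches(matches, pkt, warnings):
                continue
            path.append("%s#%d -> %s" % (chain, n, target))
            if target in TERMINAL:
                return target
            if target == "RETURN":
                return None
            if target in chains:                   # jump into a user chain
                verdict = walk(target)
                if verdict is not None:
                    return verdict
        return None

    verdict = walk(entry)
    if verdict is None:                            # builtin chain policy
        verdict = policies.get(entry, "RETURN")
        path.append("%s policy -> %s" % (entry, verdict))
    return verdict, path, warnings
```

For the ping in the post, `trace(SAMPLE_RULES, {"src": "10.215.144.48", "dst": "10.215.144.92", "iif": "eth0", "oif": "eth1", "proto": "icmp", "icmp_type": 8})` returns ACCEPT via `FORWARD#2 -> lan-wan`, `lan-wan#1 -> ACCEPT`, which is what the ACCEPT line added at the top of the rules file should produce. If the real ruleset traces to ACCEPT but `tcpdump -ni $IF_WAN icmp and host 10.215.144.48` on inf-fw2 shows no request leaving, the filter table is not where the packet is lost, and the next things to look at are the forwarding decision for that exact packet, `ip route get 10.215.144.92 from 10.215.144.48 iif $IF_LAN`, and the reverse-path and ARP sysctls on the wan interface. Rules using matches the script does not understand (the geoip matches on inf-gw1, for instance) are listed in the returned warnings rather than silently skipped.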

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users