Hi, Well, I'm back...

This time, I tried replacing my old internal shorewall firewall with a new one (host name "inf-fw2" with IP addr. 10.215.144.91). This router controls access to several zones, and most of the traffic was allowed as expected. However, traffic through the "wan" interface is failing or misbehaving. The "wan" interface on "inf-fw2" is connected to a switch, and from there to a Shorewall gateway ("inf-gw1" -- the one that was described in my previous thread with a different host name).

This morning I took special care to make sure that there wouldn't be any ARP cache issues by connecting to every single switch and making sure to set low timeouts.

First off, when I replaced the shorewall firewall I noticed that the "shorewall start" or "restart" commands would take much longer to run than on the old firewall. I admit there are a few more rules than on the old system, but it startled me when I noticed that the process took about 30 seconds to run on powerful hardware while it takes around 10-12 seconds on the older system. Anyway, it's just an observation, and I'll need to dig into this.

Now for the detailed failing connections...

ICMP traffic is OK from 10.215.144.91 (inf-fw2) to any host's IP address in all zones, including "wan". However, even if the pings reply with low latency from 10.215.144.92 in the "wan" zone (inf-gw1), I had trouble connecting via SSH. It took way too long to log in.

inf-fw2 ~ # ssh 10.215.144.92
Password:
No logon servers
inf-gw1 ~ #

The connection finally succeeded. I suspect it took so long because inf-gw1's sshd also uses PAM with SAMBA-winbind configured with a PDC in inf-fw2's "lan" zone. If there are traffic issues between lan and wan then surely this could explain the long wait and the "No logon servers" message (even if I used a local root account).

So, in short, ping from 10.215.144.91 (inf-fw2) to all: OK.

ICMP traffic from a host in the "lan" zone with IP address 10.215.144.48 to:
- host with IP address 10.215.134.196 in "ibs" zone is OK
- host with IP address 10.215.9.172 in "caib" zone is OK
- $FW with IP address 10.215.144.91 (inf-fw2) is OK
- host with IP address 10.215.144.92 (inf-gw1) in "wan" zone is FAILING
- host with IP address 8.8.8.8 in "wan" zone and beyond inf-gw1 is FAILING

A tcpdump on inf-fw2's "lan" interface shows that the ICMP requests come in, so it doesn't seem to be an ARP cache issue. Besides, if it were, I suspect pings to IP addresses of hosts in the other zones would also fail.

For testing purposes I added this line right at the top of the rules file in inf-fw2:

ACCEPT lan:10.215.144.48 $FW,wan,dmz all

I'm attaching the shorewall dumps of both inf-gw1 and inf-fw2 while trying to ping from the host in the "lan" zone with IP addr. 10.215.144.48 to 8.8.8.8 and 10.215.144.92. I'm attaching links instead of files due to ML limitations:

inf-fw2's dump - https://drive.google.com/open?id=0B-tpkY1LkI67ZkdDTGE3bkZwY2c
inf-gw1's dump - https://drive.google.com/open?id=0B-tpkY1LkI67X0ViTU9OU0FUejA

An ICMP tcpdump on inf-gw1's "loc" interface (connected to inf-fw2's "wan" interface) does not show requests coming from 10.215.144.48. It did not occur to me to run a tcpdump on inf-fw2's wan interface.

I'm expecting inf-gw1 to reply to ICMP requests from 10.215.144.48 because of this rule (in inf-gw1):

Ping/ACCEPT loc $FW

I'm also expecting internet hosts such as the one with IP addr. 8.8.8.8 to reply to ICMP requests because of these rules:

ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net1:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net2:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net3:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all
ACCEPT loc:10.215.144.0/22,10.215.246.0/23,10.215.248.0/24 net4:^[${OUT_COUNTRIES_1}],^[${OUT_COUNTRIES_2}],+OUT_WL,+OUT_MANUAL_WL all

where OUT_COUNTRIES_1 contains "US".

# shorewall show capabilities | grep -i geo
Geo IP Match (GEOIP_MATCH): Available

I also forgot to re-enable info logging for the loc-net* policies during the dumps.

However, replacing the new inf-fw2 with the old system restores ICMP traffic as expected. So, I suspect the issue must be in inf-fw2.

The interfaces file in inf-fw2 contains:

lan   $IF_LAN   routeback
wan   $IF_WAN   routeback,arp_filter=1
caib  $IF_CAIB  arp_filter=1
ibs   $IF_IBS   arp_filter=1
dmz   $IF_DMZ   routeback,dhcp
-     lo        -

I hope you don't mind me sending you privately both /var/lib/shorewall/firewall and "sh -x /var/lib/shorewall/firewall reload > trace 2>&1" (inf-fw2) as they might be of use as in my previous thread.

Thanks,
Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
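The post establishes that the echo requests from 10.215.144.48 arrive on inf-fw2's lan interface and never show up on inf-gw1, but not where inf-fw2 loses them. The usual next step is to snapshot the filter counters on inf-fw2, send a handful of test pings, snapshot again, and follow the rules whose counters moved from FORWARD down to the verdict. The script below does that diffing and walking; it is an added example, not code from Vieri's post or from the Shorewall project. The two snapshots it parses are constructed sample `iptables -t filter -nvxL` output, the interface names eth0/eth1 and the chain names lan_frwd and lan2wan are assumptions in the Shorewall 4.x naming style (real names come from your own `shorewall dump`), and the counter values are made up.

```python
"""Find where a test flow stops in the iptables filter table of a Shorewall box.

Added example, not code from the original post or from Shorewall. Snapshot
`iptables -t filter -nvxL`, run the test pings, snapshot again, diff the
counters and follow the jumps from FORWARD: the first rule whose counter
moved in each chain is the one the test packets took.
"""
import re
from collections import namedtuple

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# One parsed rule line; `extra` is the match column, e.g. "ctstate RELATED,ESTABLISHED".
Rule = namedtuple("Rule", "pkts nbytes target proto opt in_if out_if src dst extra")
Chain = namedtuple("Chain", "name policy rules")  # policy is None for user chains


def parse_iptables(text):
    """Parse `iptables -nvxL` output into {chain_name: Chain}."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            cur = chains[m.group(1)] = Chain(m.group(1), m.group(2), [])
            continue
        cols = line.split(None, 9)
        if cur is None or len(cols) < 9 or not cols[0].isdigit():
            continue  # blank line or the "pkts bytes target ..." header row
        cur.rules.append(Rule(int(cols[0]), int(cols[1]), *cols[2:9],
                              cols[9].strip() if len(cols) > 9 else ""))
    return chains


def delta(before, after):
    """Per-rule counter difference between two snapshots (rules matched by position)."""
    out = {}
    for name, ch in after.items():
        old = before[name].rules if name in before else []
        out[name] = Chain(name, ch.policy, [
            r._replace(pkts=r.pkts - (old[i].pkts if i < len(old) else 0),
                       nbytes=r.nbytes - (old[i].nbytes if i < len(old) else 0))
            for i, r in enumerate(ch.rules)])
    return out


def trace(chains, name, seen=None):
    """Follow the rules whose delta counters moved, starting at chain `name`.

    Returns (verdict, steps). verdict is the terminal target reached, or None
    when the walk falls off the end of `name`; a user chain that yields no
    verdict hands control back to the next rule of its caller, like RETURN.
    """
    seen = set() if seen is None else seen
    if name in seen:
        return None, []
    seen.add(name)
    steps = []
    for r in chains[name].rules:
        if r.pkts <= 0:
            continue
        steps.append((name, r))
        if r.target in TERMINAL:
            return r.target, steps
        if r.target in chains:
            verdict, sub = trace(chains, r.target, seen)
            steps.extend(sub)
            if verdict:
                return verdict, steps
    return None, steps


def diagnose(before_txt, after_txt, start="FORWARD"):
    """Return (verdict, steps) for the flow that moved counters between the snapshots."""
    d = delta(parse_iptables(before_txt), parse_iptables(after_txt))
    verdict, steps = trace(d, start)
    return verdict or d[start].policy, steps


# Constructed sample snapshots, not real output from inf-fw2. Chain names
# imitate the lan_frwd / lan2wan style of Shorewall 4.x; other releases name
# them differently, so take the real names from your own `shorewall dump`.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   40213   3011044 lan_frwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain lan_frwd (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   40213   3011044 lan2wan    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain lan2wan (1 references)
    pkts      bytes target     prot opt in     out     source               destination
   38100   2901300 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2113    109744 ACCEPT     all  --  *      *       10.215.144.48        0.0.0.0/0
       0         0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Five 84-byte echo requests from 10.215.144.48 were forwarded in between.
AFTER = (BEFORE.replace("   40213   3011044", "   40218   3011464")
               .replace("    2113    109744", "    2118    110164"))

if __name__ == "__main__":
    verdict, steps = diagnose(BEFORE, AFTER)
    for chain, r in steps:
        print(f"{chain:<9} +{r.pkts:<3} {r.target:<9} {r.src:>15} -> {r.dst:<10} {r.extra}")
    print("filter verdict:", verdict)
    if verdict == "ACCEPT":
        print("filter accepted the flow; if it still never shows on the egress "
              "interface, look past the filter table: routing, nat/mangle, rp_filter")
```

On a live box, replace BEFORE and AFTER with the output of `iptables -t filter -nvxL` taken just before and just after `ping -c 5 8.8.8.8` from the lan host. Two outcomes matter: if the walk ends in DROP or REJECT, the printed path names the rule (or the policy) to fix; if it ends in ACCEPT while a simultaneous tcpdump on inf-fw2's wan interface shows nothing, the filter rules are not the culprit and the remaining suspects are the routing table, the nat/mangle tables and the per-interface sysctl settings (rp_filter, arp_filter). Because the counters of shared chains aggregate every flow that passes through them, keep the firewall as quiet as you can during the test, or narrow the test with a rule that matches only the test source, as the post already does.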