* [gentoo-user] shorewall configuration
From: Aleksey V. Kunitskiy @ 2007-07-24 13:23 UTC
To: gentoo-user
Hi,
I'm trying to configure SNAT with Shorewall. I read the whole manual on the official
site plus some Gentoo Wiki topics. I made a test configuration, but `shorewall
start` didn't start and I can't understand where the problem is.
Thank you for any suggestions.
# shorewall show capabilities:
Shorewall-3.2.9 Chains capabilities at enigma - Tue Jul 24 16:12:35 EEST 2007
iptables: No chain/target/match by that name
# shorewall start log:
Compiling...
Determining Zones...
IPv4 Zones: net loc
Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
net Zone: ppp0:0.0.0.0/0
loc Zone: eth1:192.168.3.0/24
Pre-processing Actions...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Compiling Accounting...
Creating Interface Chains...
Compiling Proxy ARP
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Adding Anti-smurf Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
WARNING: NAT disabled; masq rule ignored
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 529: 9682 Terminated ${VARDIR}/.start $debugging start
--
best regards,
Aleksey V. Kunitskiy
my public GPG/PGP key: http://www.alexey-kv.org.ua/pubkey.asc
* Re: [gentoo-user] shorewall configuration
From: Uwe Thiem @ 2007-07-24 14:01 UTC
To: gentoo-user
On 24 July 2007, Aleksey V. Kunitskiy wrote:
> Hi,
>
> I'm trying to configure SNAT with Shorewall. I read the whole manual on the
> official site plus some Gentoo Wiki topics. I made a test configuration, but
> `shorewall start` didn't start and I can't understand where the problem is.
>
> Thank you for any suggestions.
>
> # shorewall show capabilities:
> Shorewall-3.2.9 Chains capabilities at enigma - Tue Jul 24 16:12:35 EEST 2007
> iptables: No chain/target/match by that name
>
> #shorewall start log:
[ snip ]
> Compiling /etc/shorewall/policy...
> WARNING: NAT disabled; masq rule ignored
[snip ]
I think your trouble starts here. Did you try to put any NAT rule into policy?
That would be wrong. It belongs to "nat". Would you show us your policy file
(only the rules in there, *not* all the comments)?
Uwe
--
Jethro Tull: Maybe, I am not done yet!
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] shorewall configuration
From: Aleksey V. Kunitskiy @ 2007-07-24 14:21 UTC
To: gentoo-user
On Tuesday 24 July 2007 17:01, Uwe Thiem wrote:
> I think your trouble starts here. Did you try to put any NAT rule into
> policy? That would be wrong. It belongs to "nat". Would you show us your
> policy file (only the rules in there, *not* all the comments)?
>
> Uwe
I've found where the problem is.
Note the following error:
iptables: No chain/target/match by that name
ERROR: Command "/sbin/iptables -A FORWARD -m state --state
ESTABLISHED,RELATED -j ACCEPT" Failed
In 99% of cases it's because one of the features is missing from the kernel
configuration. I've turned on 2 modules in the kernel and it works.
Anyway, thanks!
--
best regards,
Aleksey V. Kunitskiy
my public GPG/PGP key: http://www.alexey-kv.org.ua/pubkey.asc
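The fix Aleksey found is the usual one for `iptables: No chain/target/match by that name` on a `-m state` rule: the kernel is missing the netfilter pieces that iptables is asking for, and `shorewall show capabilities` fails for the same reason, which is why the "NAT disabled; masq rule ignored" warning appears even though the masq rule itself is fine. The thread does not say which two options he enabled. The script below is an added example, not from the thread: a POSIX shell check that reads a kernel config file and lists the options a Shorewall host with one masq rule needs. The mapping of the two log messages to config symbols (CONFIG_NF_CONNTRACK and CONFIG_NETFILTER_XT_MATCH_STATE for the state match, CONFIG_NF_NAT and CONFIG_IP_NF_TARGET_MASQUERADE for masquerading) is my own, and the sample config it runs against is constructed to reproduce the symptom.

```shell
#!/bin/sh
# Added example, not from the thread: check a kernel config for the netfilter
# options behind the two messages in the log above. The mapping is mine:
#   "-m state ... Failed"              -> CONFIG_NF_CONNTRACK, CONFIG_NETFILTER_XT_MATCH_STATE
#   "NAT disabled; masq rule ignored"  -> CONFIG_NF_NAT, CONFIG_IP_NF_TARGET_MASQUERADE
# On a running box feed it /usr/src/linux/.config, or zcat /proc/config.gz
# into a file first.

# check_nf_config CONFIG_FILE OPTION...: print each option that is neither
# =y nor =m; return 0 only when every option is built in or as a module.
check_nf_config() {
    cfg=$1; shift
    status=0
    for opt in "$@"; do
        if ! grep -Eq "^${opt}=[ym]$" "$cfg"; then
            printf 'MISSING: %s\n' "$opt"
            status=1
        fi
    done
    return $status
}

# Options a Shorewall host with basic filtering plus one masq rule needs
# (assumed list, see the comment at the top).
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NF_NAT CONFIG_IP_NF_TARGET_MASQUERADE"

# Constructed sample config reproducing the symptom: filtering and conntrack
# are built, but the state match and NAT were left out.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
# CONFIG_NF_NAT is not set
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF

# Real use: check_nf_config /usr/src/linux/.config $REQUIRED_OPTS
if check_nf_config "$SAMPLE_CONFIG" $REQUIRED_OPTS; then
    echo "kernel config has everything Shorewall needs"
else
    echo "rebuild the kernel with the options above, then run 'shorewall restart'"
fi
```

Run against the constructed sample it reports the three missing symbols and exits non-zero; the unquoted `$REQUIRED_OPTS` is deliberate so the list splits into separate arguments. Checking the config directly is more reliable than reading `shorewall show capabilities`, since that command itself depends on a working iptables.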
* [gentoo-user] Shorewall configuration
From: Peter Humphrey @ 2022-03-01 12:35 UTC
To: gentoo-user
Hello list,
I use net-firewall/shorewall to protect my machines; it's served me well for
many years. My ISP gave me a FritzBox modem-router recently, in the hope of
better media streaming, but it's spamming my LAN server with HTTP requests
(port 80). The other machines are left alone; just this one is affected.
The many log entries are not a serious problem, just a nuisance, but I'd
rather not have to put up with them.
AVM, the modem's maker, says I should set shorewall up on this machine to
accept either port-80 requests or unsolicited packets of type 0x88e1. That
type is HomePlug Management, apparently, and the FritzBox is looking for any
such devices on the LAN. I don't know why it's picked on this one machine to
query, unless it's because it has the lowest IP address.
Questions:
1. Will I be opening myself to external HTTP attacks if I open that port to
the modem-router? I assume I will, though no such service is running - at the
moment.
2. As far as I can see, shorewall filters only on ports, not packet types. If
so, how can I specify a packet type to it?
3. Does anyone here know how to specify HomePlug in shorewall?
Google hasn't helped much, nor has the Shorewall website, so I hope someone
here has experience of this.
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall configuration
From: Michael @ 2022-03-01 14:54 UTC
To: gentoo-user
On Tuesday, 1 March 2022 12:35:17 GMT Peter Humphrey wrote:
> Hello list,
>
> I use net-firewall/shorewall to protect my machines; it's served me well for
> many years. My ISP gave me a FritzBox modem-router recently, in the hope of
> better media streaming, but it's spamming my LAN server with HTTP requests
> (port 80). The other machines are left alone; just this one is affected.
>
> The many log entries are not a serious problem, just a nuisance, but I'd
> rather not have to put up with them.
>
> AVM, the modem's maker, says I should set shorewall up on this machine to
> accept either port-80 requests or unsolicited packets of type 0x88e1. That
> type is HomePlug Management, apparently, and the FritzBox is looking for any
> such devices on the LAN. I don't know why it's picked on this one machine
> to query, unless it's because it has the lowest IP address.
>
> Questions:
> 1. Will I be opening myself to external HTTP attacks if I open that port to
> the modem-router? I assume I will, though no such service is running - at
> the moment.
> 2. As far as I can see, shorewall filters only on ports, not packet types.
> If so, how can I specify a packet type to it?
> 3. Does anyone here know how to specify HomePlug in shorewall?
>
> Google hasn't helped much, nor has the Shorewall website, so I hope someone
> here has experience of this.
Have you seen this regarding the specific ethertypes:
https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box
Sadly I don't know anything about Shorewall, but you can look at configuring
netfilter with some additional hand-crafted rules to drop the above ethertypes
without logging them.
However, what I would prefer to do in your circumstances is find if your router
is supported by OpenWRT firmware and configure SQM with FQ-Codel in it to manage
bufferbloat. I expect this should improve your streaming better than whatever
AVM have configured in the box.
* Re: [gentoo-user] Shorewall configuration
From: Peter Humphrey @ 2022-03-01 16:40 UTC
To: gentoo-user
On Tuesday, 1 March 2022 14:54:24 GMT Michael wrote:
> Have you seen this regarding the specific ethertypes:
>
> https://superuser.com/questions/1574757/unknown-ethertypes-0x88e1-and-0x8912-from-my-fritz-box
Yes, it's from that site and friends that I've learned what little I have
about Home Plug.
> Sadly I don't know anything about Shorewall, but you can look at configuring
> netfilter with some additional hand-crafted rules to drop the above
> ethertypes without logging them.
Hm. Shorewall seems to be a complete subsystem to accept broad intentions and
craft iptables rules accordingly. I'll see if it's possible to slip something
in upstream of it.
> However, what I would prefer to do in your circumstances is find if your
> router is supported by OpenWRT firmware and configure SQM with FQ-Codel in
> it to manage bufferbloat. I expect this should improve your streaming
> better than whatever AVM have configured in the box.
That route's unlikely to be open to me, though I'll check.
I hope I'm not facing a complete rehash of firewall config. If so, I may return
the old modem-router to service instead.
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall configuration
From: Michael @ 2022-03-01 16:55 UTC
To: gentoo-user
On Tuesday, 1 March 2022 16:40:30 GMT Peter Humphrey wrote:
> I hope I'm not facing a complete rehash of firewall config. If so, I may
> return the old modem-router to service instead.
This page suggests it is simple to achieve, by adding it to your
/etc/nftables.conf file, assuming one is available. Alternatively, it should be a
case of finding the right place to add something appropriate in Shorewall's
configuration or script file, so that Shorewall itself creates the required
ethertype filter.
https://serverfault.com/questions/1015896/linux-server-dropping-rx-packets-in-netif-receive-skb-core/1016113#1016113
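Michael's pointer is the right layer. Ethertype 0x88e1 is not IP, so iptables, and therefore every entry in a Shorewall rules file, never sees those frames at all; the tcp/80 probes are ordinary IP packets and are presumably what the loc-to-firewall policy is logging. So Peter's three questions have two separate answers: a rules-file DROP with no log level, scoped to the router's LAN address, silences the HTTP noise without opening anything (it matches only that source, so traffic the router forwards from the internet with an external source address is unaffected, and with no listener on port 80 the kernel would only answer RST anyway), while the HomePlug frames can only be dropped below iptables, at the nftables netdev ingress hook. The script below is an added example, not from the thread and not part of Shorewall: it renders, and with `--apply` loads, such an nftables ruleset, and is meant to be called from a Shorewall extension script such as /etc/shorewall/started (the log in the 2007 thread shows Shorewall running /etc/shorewall/init and friends). The interface name eth0, the FritzBox address 192.168.178.1, the zone name loc, and the inclusion of 0x8912 alongside 0x88e1 (the second ethertype named in the superuser thread Michael linked) are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread: silence the FritzBox noise on a
# Shorewall host. Two mechanisms, because the two kinds of traffic are seen
# by different layers.
#
# 1. The HTTP probes to tcp/80 are IP. A rule placed before the policy that
#    drops them without a log level stops the log lines and opens nothing.
#    Assumed router address 192.168.178.1 and zone name "loc". Line for
#    /etc/shorewall/rules:
#
#      #ACTION  SOURCE              DEST   PROTO  DPORT
#      DROP     loc:192.168.178.1   $FW    tcp    80
#
# 2. HomePlug frames (ethertype 0x88e1; 0x8912 is the other one the linked
#    superuser thread names) are not IP, so iptables never sees them. They
#    have to be dropped at the nftables netdev ingress hook, which runs before
#    protocol demux and therefore sees every frame. Shorewall has no knob for
#    this, so install it from an extension script such as
#    /etc/shorewall/started, e.g.:  sh /etc/shorewall/homeplug.sh --apply

IFACE=eth0                  # assumed LAN interface
ETHERTYPES="0x88e1 0x8912"  # assumed list of ethertypes to drop

# render_homeplug_ruleset IFACE ETHERTYPE...: print an nftables ruleset with a
# netdev ingress chain on IFACE that counts and drops each ethertype.
render_homeplug_ruleset() {
    iface=$1; shift
    printf 'table netdev homeplug {\n'
    printf '    chain ingress {\n'
    printf '        type filter hook ingress device %s priority 0; policy accept;\n' "$iface"
    for etype in "$@"; do
        printf '        ether type %s counter drop\n' "$etype"
    done
    printf '    }\n'
    printf '}\n'
}

# apply_homeplug_ruleset IFACE ETHERTYPE...: load the ruleset, deleting any
# previous copy first so that re-running the script stays idempotent.
apply_homeplug_ruleset() {
    iface=$1; shift
    nft delete table netdev homeplug 2>/dev/null || true
    render_homeplug_ruleset "$iface" "$@" | nft -f -
}

# Without --apply just print the ruleset, so the script is safe to run
# unprivileged for review.
case "${1:-}" in
    --apply) apply_homeplug_ruleset "$IFACE" $ETHERTYPES ;;
    *)       render_homeplug_ruleset "$IFACE" $ETHERTYPES ;;
esac
```

After `--apply`, `nft list table netdev homeplug` shows the per-ethertype counters climbing, which is a quick way to confirm the FritzBox's HomePlug probes are what is arriving on that interface. Because the drop happens at ingress, nothing reaches the IP stack, Shorewall's chains, or any userland listener, and nothing is logged; the tcp/80 line in the rules file is still needed separately, since those probes never were ethertype 0x88e1.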