* [gentoo-user] Shorewall config problem
From: Peter Humphrey @ 2015-05-06 15:20 UTC
To: gentoo-user
Hello list,
I've recently installed a new ADSL modem, and now I'm trying to get it to log
to my LAN server. The modem seems to be sending log messages but Shorewall is
dropping them at the server.
I have the following:
# grep Syslog /etc/shorewall/rules
Syslog(ACCEPT) net:192.168.1.1 $FW
192.168.1.1 is the ADSL modem, the syslog-ng client.
# cat /usr/share/shorewall/macro.Syslog
?FORMAT 2
PARAM - - udp 514
PARAM - - tcp 514
<snipped comments>
And yet:
# shorewall show log
Shorewall 4.6.6.2 Log (/var/log/messages) at serv - Wed 6 May 15:52:43 BST 2015
Counters reset Wed 6 May 14:39:52 BST 2015
May 6 15:34:52 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=37
May 6 15:35:37 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=121 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=101
May 6 15:36:57 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=37
May 6 15:38:10 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
May 6 15:38:11 net-fw:DROP:IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
<snipped more similar entries>
Serv is the name of the syslog-ng server.
# grep Shorewall /var/log/messages
--->8
May 6 15:38:11 serv kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.1 DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32964 DPT=514 LEN=63
--->8
Ifconfig shows 70:71:bc:94:ee:71 as the MAC address of the server's one
Ethernet interface.
/etc/shorewall/rules has several more rules, all of which do their jobs, e.g.:
Squid(ACCEPT) net:192.168.1.3 $FW
Squid(ACCEPT) net:192.168.1.6 $FW
SSH(ACCEPT) net:192.168.1.3 $FW
SSH(ACCEPT) net:192.168.1.6 $FW
Where's the inconsistency? If the Squid and SSH rules work, why doesn't the
Syslog rule?
Or are the extra 8 bytes in the MAC address the problem? Of course I can't
change the format of the modem's output, so in that case I'll need to tell
Shorewall to ignore them - is that possible?
Can someone shed some light on this, please?
--
Rgds
Peter
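An added example (not from the post and not Shorewall's own code) that parses the netfilter lines above and decodes the MAC= field, which is the raw Ethernet header rather than one address: destination MAC, source MAC and EtherType. The sample log lines are constructed in the same layout as the post's, and the rule they are checked against is the udp/tcp 514 pair from macro.Syslog.

```python
import re
from typing import Optional

# Constructed sample in the /var/log/messages layout quoted above: the
# modem's dropped syslog datagram, plus an ACCEPT from another host.
SAMPLE_LOG = (
    "May  6 15:38:11 serv kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= "
    "MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.1 "
    "DST=192.168.1.2 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=32964 DPT=514 LEN=63\n"
    "May  6 15:38:12 serv kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= "
    "MAC=70:71:bc:94:ee:71:bc:ee:7b:61:8b:60:08:00 SRC=192.168.1.3 "
    "DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=40000 DPT=22\n"
)

# Shorewall tags each line "<chain>:<verdict>:"; "shorewall show log" output
# omits the leading "Shorewall:" tag, so it is optional here.
CHAIN_RE = re.compile(r"(?:Shorewall:)?(?P<chain>[\w-]+):(?P<verdict>[A-Z]+):IN=")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
SYSLOG_MACRO = {("UDP", 514), ("TCP", 514)}  # what macro.Syslog expands to

def decode_mac_field(mac: str) -> dict:
    """Split MAC= into what netfilter logs there: the raw 14-byte Ethernet
    header, i.e. destination MAC (6), source MAC (6) and EtherType (2; 08:00
    is IPv4). The "extra 8 bytes" are the sender's MAC plus the EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError(f"expected 14 octets in MAC= field, got {len(octets)}")
    return {"dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}

def parse_line(line: str) -> Optional[dict]:
    """Return chain, verdict and key=value fields, or None for other lines."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    # LEN= appears twice (IP total length, then UDP length); the later wins.
    entry = {"chain": m["chain"], "verdict": m["verdict"],
             **dict(FIELD_RE.findall(line))}
    if "DPT" in entry:
        entry["DPT"] = int(entry["DPT"])
    return entry

def drops_a_rule_should_accept(log_text: str, src: str, macro=SYSLOG_MACRO) -> list:
    """DROP entries from `src` whose proto/port a macro-based ACCEPT rule covers."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if (e and e["verdict"] == "DROP" and e.get("SRC") == src
                and (e.get("PROTO"), e.get("DPT")) in macro):
            hits.append(e)
    return hits
```

The rule in the post matches on IP source and port, not on this link-layer header, so a 14-octet MAC= field is the normal netfilter format and not by itself a reason for the drop.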
* Re: [gentoo-user] Shorewall config problem [SOLVED]
From: Peter Humphrey @ 2015-05-10 9:17 UTC
To: gentoo-user
On Wednesday 06 May 2015 16:20:19 I wrote:
> I've recently installed a new ADSL modem, and now I'm trying to get it to
> log to my LAN server. The modem seems to be sending log messages but
> Shorewall is dropping them at the server.
--->8
It seems I had missed something in the kernel configuration. I can't say what
exactly because I added several options (life's too short to go through all
the network options one at a time).
So now, Shorewall is not dropping syslog packets, and syslog-ng is logging
correctly. This is my /etc/syslog-ng/syslog-ng.conf:
----------------
@version: 3.6
@include "scl.conf"
options {
threaded(yes);
chain_hostnames(no);
stats_freq(43200);
mark_freq(0);
};
source src { system(); internal(); };
source s_remote { udp (ip(192.168.1.2) port(514) ); };
filter f_cron { facility (cron); };
filter f_ncron { not facility (cron); };
destination d_remote { file("/var/log/remote"); };
destination d_cron { file("/var/log/cron"); };
destination messages { file("/var/log/messages"); };
destination console_all { file("/dev/tty12"); };
log { source(src); filter(f_cron); destination(d_cron); };
log { source(src); filter(f_ncron); destination(messages); };
log { source(src); filter(f_ncron); destination(console_all); };
log { source(s_remote); destination(d_remote); };
----------------
I hope that will be useful to someone.
--
Rgds
Peter
* [gentoo-user] Shorewall config problem
From: Peter Humphrey @ 2018-11-12 10:11 UTC
To: gentoo-user
Morning all,
When emerging shorewall-5.2.1.1 I get an error from the kernel settings check:
CONFIG_NF_CONNTRACK_IPV4: is not set when it should be.
This is with gentoo-sources-4.19.1. And indeed there is no such kernel
parameter:
$ grep CONFIG_NF_CONNTRACK /usr/src/linux/.config
CONFIG_NF_CONNTRACK=m <<< Note
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_SECMARK=y
# CONFIG_NF_CONNTRACK_ZONES is not set
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_LABELS is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
CONFIG_NF_CONNTRACK_FTP=m
# CONFIG_NF_CONNTRACK_H323 is not set
CONFIG_NF_CONNTRACK_IRC=m
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_SNMP is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
CONFIG_NF_CONNTRACK_SIP=m
# CONFIG_NF_CONNTRACK_TFTP is not set
On another box with gentoo sources 4.14.78 I get this:
$ grep CONFIG_NF_CONNTRACK_IP /usr/src/linux/.config
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_IPV6=y
So far I've been ignoring the error, assuming that the entry I've noted above
now combines IPV4 and IPV6.
Does the panel think this is worth a bug report against shorewall?
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall config problem
From: J. Roeleveld @ 2018-11-12 10:19 UTC
To: gentoo-user
On Monday, November 12, 2018 11:11:52 AM CET Peter Humphrey wrote:
> Morning all,
>
> When emerging shorewall-5.2.1.1 I get an error from the kernel settings
> check:
>
> CONFIG_NF_CONNTRACK_IPV4: is not set when it should be.
>
> This is with gentoo-sources-4.19.1. And indeed there is no such kernel
> parameter:
>
> $ grep CONFIG_NF_CONNTRACK /usr/src/linux/.config
> CONFIG_NF_CONNTRACK=m <<< Note
> # CONFIG_NF_CONNTRACK_MARK is not set
> CONFIG_NF_CONNTRACK_SECMARK=y
> # CONFIG_NF_CONNTRACK_ZONES is not set
> CONFIG_NF_CONNTRACK_PROCFS=y
> # CONFIG_NF_CONNTRACK_EVENTS is not set
> # CONFIG_NF_CONNTRACK_TIMEOUT is not set
> # CONFIG_NF_CONNTRACK_TIMESTAMP is not set
> # CONFIG_NF_CONNTRACK_LABELS is not set
> # CONFIG_NF_CONNTRACK_AMANDA is not set
> CONFIG_NF_CONNTRACK_FTP=m
> # CONFIG_NF_CONNTRACK_H323 is not set
> CONFIG_NF_CONNTRACK_IRC=m
> # CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
> # CONFIG_NF_CONNTRACK_SNMP is not set
> # CONFIG_NF_CONNTRACK_PPTP is not set
> # CONFIG_NF_CONNTRACK_SANE is not set
> CONFIG_NF_CONNTRACK_SIP=m
> # CONFIG_NF_CONNTRACK_TFTP is not set
>
> On another box with gentoo sources 4.14.78 I get this:
>
> $ grep CONFIG_NF_CONNTRACK_IP /usr/src/linux/.config
> CONFIG_NF_CONNTRACK_IPV4=y
> CONFIG_NF_CONNTRACK_IPV6=y
>
> So far I've been ignoring the error, assuming that the entry I've noted
> above now combines IPV4 and IPV6.
>
> Does the panel think this is worth a bug report against shorewall?
Does it show up when you search for that config-item from within "make menuconfig"?
Not all config-items end up in the config-file, especially if pre-requisites are disabled themselves.
--
Joost
* Re: [gentoo-user] Shorewall config problem
From: Peter Humphrey @ 2018-11-12 10:54 UTC
To: gentoo-user
On Monday, 12 November 2018 10:19:24 GMT J. Roeleveld wrote:
> On Monday, November 12, 2018 11:11:52 AM CET Peter Humphrey wrote:
> > Morning all,
> >
> > When emerging shorewall-5.2.1.1 I get an error from the kernel settings
> > check:
> >
> > CONFIG_NF_CONNTRACK_IPV4: is not set when it should be.
> >
> > This is with gentoo-sources-4.19.1. And indeed there is no such kernel
> > parameter:
> >
> > $ grep CONFIG_NF_CONNTRACK /usr/src/linux/.config
> > CONFIG_NF_CONNTRACK=m <<< Note
> > # CONFIG_NF_CONNTRACK_MARK is not set
> > CONFIG_NF_CONNTRACK_SECMARK=y
> > # CONFIG_NF_CONNTRACK_ZONES is not set
> > CONFIG_NF_CONNTRACK_PROCFS=y
> > # CONFIG_NF_CONNTRACK_EVENTS is not set
> > # CONFIG_NF_CONNTRACK_TIMEOUT is not set
> > # CONFIG_NF_CONNTRACK_TIMESTAMP is not set
> > # CONFIG_NF_CONNTRACK_LABELS is not set
> > # CONFIG_NF_CONNTRACK_AMANDA is not set
> > CONFIG_NF_CONNTRACK_FTP=m
> > # CONFIG_NF_CONNTRACK_H323 is not set
> > CONFIG_NF_CONNTRACK_IRC=m
> > # CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
> > # CONFIG_NF_CONNTRACK_SNMP is not set
> > # CONFIG_NF_CONNTRACK_PPTP is not set
> > # CONFIG_NF_CONNTRACK_SANE is not set
> > CONFIG_NF_CONNTRACK_SIP=m
> > # CONFIG_NF_CONNTRACK_TFTP is not set
> >
> > On another box with gentoo sources 4.14.78 I get this:
> >
> > $ grep CONFIG_NF_CONNTRACK_IP /usr/src/linux/.config
> > CONFIG_NF_CONNTRACK_IPV4=y
> > CONFIG_NF_CONNTRACK_IPV6=y
> >
> > So far I've been ignoring the error, assuming that the entry I've noted
> > above now combines IPV4 and IPV6.
> >
> > Does the panel think this is worth a bug report against shorewall?
>
> Does it show up when you search for that config-item from within "make
> menuconfig"?
> Not all config-items end up in the config-file, especially if pre-requisites
> are disabled themselves.
Nope.
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall config problem
From: Adam Carter @ 2018-11-13 4:09 UTC
To: gentoo-user
On Mon, Nov 12, 2018 at 9:11 PM Peter Humphrey <peter@prh.myzen.co.uk> wrote:
> Morning all,
>
> When emerging shorewall-5.2.1.1 I get an error from the kernel settings
> check:
>
> CONFIG_NF_CONNTRACK_IPV4: is not set when it should be.
>
> This is with gentoo-sources-4.19.1. And indeed there is no such kernel
> parameter:
>
Yep, grepped my .config archive and it's gone in 4.19, so the shorewall
ebuild (at least) will need an update. Checked bugzilla?
* Re: [gentoo-user] Shorewall config problem
From: Bill Kenworthy @ 2018-11-13 6:02 UTC
To: gentoo-user
On 13/11/18 12:09 pm, Adam Carter wrote:
> On Mon, Nov 12, 2018 at 9:11 PM Peter Humphrey <peter@prh.myzen.co.uk> wrote:
>
> Morning all,
>
> When emerging shorewall-5.2.1.1 I get an error from the kernel
> settings check:
>
> CONFIG_NF_CONNTRACK_IPV4: is not set when it should be.
>
> This is with gentoo-sources-4.19.1. And indeed there is no such
> kernel
> parameter:
>
>
> Yep, grepped my .config archive and its gone in 4.19 so the shorewall
> ebuild (at least) will need an update. Checked bugzilla?
Grepping .config will only work sometimes - if it's enabled it will be
there, if not it "may or may not be".
The only sure way that I am aware of is to use the search function "\" from
within make menuconfig.
Bill K.
* Re: [gentoo-user] Shorewall config problem
From: Adam Carter @ 2018-11-13 8:06 UTC
To: gentoo-user
>
> > Yep, grepped my .config archive and its gone in 4.19 so the shorewall
> > ebuild (at least) will need an update. Checked bugzilla?
>
>
> Grepping .config will only work sometimes - If its enabled it will be
> there, if not it "may or may not be"
>
My .config hasn't changed, other than from setting the new options via make oldconfig:
/usr/src/configs # grep CONFIG_NF_CONNTRACK_IP config-2018-10-29
config-2018-11-13
config-2018-10-29:CONFIG_NF_CONNTRACK_IPV4=y
config-2018-10-29:CONFIG_NF_CONNTRACK_IPV6=y
/usr/src/configs # head -n3 config-2018-10-29 config-2018-11-13
==> config-2018-10-29 <==
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.18.16-gentoo Kernel Configuration
==> config-2018-11-13 <==
#
# Automatically generated file; DO NOT EDIT.
# Linux/x86 4.19.0-gentoo Kernel Configuration
/usr/src/configs #
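An added example (not the shorewall ebuild's or linux-info.eclass's own check) that makes the distinction Bill and Adam are drawing explicit: it parses a .config into set / not set / absent, classifies a required-symbol list the way the emerge-time check does, and lists the symbols that vanished between two configs. The two sample configs are constructed cut-downs of the config-2018-10-29 and config-2018-11-13 fragments quoted above.

```python
import re

# Constructed cut-down stand-ins for the two configs grepped above:
# config-2018-10-29 (4.18.16) carries the IPV4/IPV6 symbols, while
# config-2018-11-13 (4.19.0) mentions them in neither form.
CONFIG_4_18 = """\
# Linux/x86 4.18.16-gentoo Kernel Configuration
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_IPV6=y
# CONFIG_NF_CONNTRACK_MARK is not set
"""
CONFIG_4_19 = """\
# Linux/x86 4.19.0-gentoo Kernel Configuration
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_MARK is not set
CONFIG_NF_CONNTRACK_SECMARK=y
"""

SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text: str) -> dict:
    """Map CONFIG_* to 'y', 'm' or a string value, or None for 'is not set'.
    Symbols this kernel's Kconfig does not know, or that unmet dependencies
    hide, are written in neither form and are simply absent from the map."""
    symbols = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SET_RE.match(line):
            symbols[m[1]] = m[2].strip('"')
        elif m := UNSET_RE.match(line):
            symbols[m[1]] = None
    return symbols

def check_required(symbols: dict, required: list) -> dict:
    """Classify each required symbol. 'absent' is the case a plain grep cannot
    tell from 'not set': the symbol was removed or renamed in this kernel,
    or a prerequisite is disabled, so it never reached .config."""
    report = {}
    for name in required:
        key = name if name.startswith("CONFIG_") else "CONFIG_" + name
        if key not in symbols:
            report[key] = "absent"
        elif symbols[key] is None:
            report[key] = "not set"
        else:
            report[key] = {"y": "built-in", "m": "module"}.get(
                symbols[key], "value=" + symbols[key])
    return report

def vanished_symbols(old: dict, new: dict) -> list:
    """Symbols present in the old .config (set or not) but absent from the new."""
    return sorted(set(old) - set(new))
```

On a real box, an "absent" result is the cue to search for the symbol with "/" inside make menuconfig, which is the only way to tell a removed symbol from one hidden by a disabled prerequisite.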
* Re: [gentoo-user] Shorewall config problem
From: Peter Humphrey @ 2018-11-14 15:33 UTC
To: gentoo-user
On Tuesday, 13 November 2018 08:06:03 GMT Adam Carter wrote:
> My .config hasnt changed, other than from setting the new options via make
> oldconfig;
>
> /usr/src/configs # grep CONFIG_NF_CONNTRACK_IP config-2018-10-29
> config-2018-11-13
> config-2018-10-29:CONFIG_NF_CONNTRACK_IPV4=y
> config-2018-10-29:CONFIG_NF_CONNTRACK_IPV6=y
>
> /usr/src/configs # head -n3 config-2018-10-29 config-2018-11-13
> ==> config-2018-10-29 <==
> #
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86 4.18.16-gentoo Kernel Configuration
>
> ==> config-2018-11-13 <==
> #
> # Automatically generated file; DO NOT EDIT.
> # Linux/x86 4.19.0-gentoo Kernel Configuration
> /usr/src/configs #
That is odd. I tried inserting the IPV[4,6] .config entries by hand, but
oldconfig removed them again.
The help text in kernel 4.14.78 says:
Defined at net/ipv4/netfilter/Kconfig:12
Depends on: NET [=y] && INET [=y] && NETFILTER [=y] && NF_CONNTRACK [=y]
Selects: NF_DEFRAG_IPV4 [=y]
None of those dependencies look likely to hide the IPV[4,6] options.
I also tried copying in the old config file from 4.14.78 and running it
through oldconfig again, this time including all the new netfilter options.
Again there was no sign of the IPV[4,6] options.
--
Regards,
Peter.
* Re: [gentoo-user] Shorewall config problem
From: Adam Carter @ 2018-11-14 22:03 UTC
To: gentoo-user
>
> That is odd. I tried inserting the IPV[4,6] .config entries by hand, but
> oldconfig removed them again.
>
I'd say those entries are deprecated and that shorewall will just need an
update to make it compatible with 4.19.
* Re: [gentoo-user] Shorewall config problem
From: Peter Humphrey @ 2018-11-15 9:38 UTC
To: gentoo-user
On Wednesday, 14 November 2018 22:03:36 GMT Adam Carter wrote:
> > That is odd. I tried inserting the IPV[4,6] .config entries by hand, but
> > oldconfig removed them again.
>
> I'd say those entries are deprecated and that shorewall will just need an
> update to make it compatible with 4.19.
https://bugs.gentoo.org/671176 submitted.
--
Regards,
Peter.