Following is my environment. Attached is the output from the shorewall dump
OS: Ubuntu 15.10 64bit Desktop on Laptop
Shorewall version: 4.6.4.3

llist@LeosGameLaptop:~$ sudo ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 80:fa:5b:13:29:be brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 80:19:34:b8:c8:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.208/24 brd 192.168.1.255 scope global dynamic wlan0
       valid_lft 2782sec preferred_lft 2782sec
    inet6 fe80::8219:34ff:feb8:c8e2/64 scope link
       valid_lft forever preferred_lft forever
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 52:54:00:68:a4:11 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN group default qlen 500
    link/ether 52:54:00:68:a4:11 brd ff:ff:ff:ff:ff:ff
20: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 172.20.17.184/22 brd 172.20.19.255 scope global tun0
       valid_lft forever preferred_lft forever

llist@LeosGameLaptop:~$ sudo ip route show
default via 172.20.16.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto static metric 600
169.254.0.0/16 dev virbr0 scope link metric 1000
172.20.16.0/22 dev tun0 proto kernel scope link src 172.20.17.184 metric 50
173.245.209.129 via 192.168.1.1 dev wlan0 proto static metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.208 metric 600
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

I've been running shorewall for a few years now, but have run into the following problem recently. My shorewall files were created from the single interface example and are:

---------zones ----------------
###############################################################################
#ZONE   TYPE      OPTIONS         IN              OUT
#                                 OPTIONS         OPTIONS
fw      firewall
net     ipv4
ovpn    ipv4
--------------------------------

----------- interfaces ----------------
###############################################################################
?FORMAT 2
###############################################################################
#ZONE   INTERFACE   OPTIONS
net     eth0        dhcp,optional,tcpflags,logmartians,nosmurfs,sourceroute=0
net     wlan0       dhcp,optional,tcpflags,logmartians,nosmurfs,sourceroute=0
ovpn    tun0        dhcp,optional
---------------------------------------------

----------- policy -----------------------------------------------
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
fw        net    ACCEPT
ovpn      net    ACCEPT
net       all    DROP     info
ovpn      all    DROP     info
# The FOLLOWING POLICY MUST BE LAST
all       all    REJECT   info
------------------------------------------------------------------

------------ rules ---------------------------
#ACTION        SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                                   PORT     PORT(S)  DEST      LIMIT  GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW

# Drop packets in the INVALID state
Invalid(DROP)  net     fw    tcp

# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)     net     fw

# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT         fw      net   icmp

# Permit openvpn
ACCEPT:info    ovpn    fw    udp    -        1194
ACCEPT:info    fw      ovpn  udp    1194
--------------------------------------------------------------------------------------

I've set up a new laptop and found that when using the Openvpn client, shorewall rejects packets for destination port 53.

================================================================================
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270388] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=198.18.0.2 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270396] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.194.49 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=42653 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270405] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 SRC=172.20.17.184 DST=61.9.195.193 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=47650 DF PROTO=UDP SPT=13415 DPT=53 LEN=57
================================================================================

Openvpn is listening on 1194, so I'm not sure where port 53 gets involved. Suspected the Ubuntu dnsmasq, but after disabling this, the problem remains. Have posted this question on the Ubuntu network forum, but found no takers.

netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1194          0.0.0.0:*               LISTEN      15776/openvpn
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1759/dnsmasq
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1452/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      6607/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2247/master
tcp6       0      0 ::1:631                 :::*                    LISTEN      6607/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2247/master
udp        0      0 0.0.0.0:59475           0.0.0.0:*                           1093/avahi-daemon:
udp        0      0 0.0.0.0:44297           0.0.0.0:*                           15776/openvpn
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1093/avahi-daemon:
udp        0      0 0.0.0.0:24280           0.0.0.0:*                           7767/dhclient
udp        0      0 127.0.1.1:53            0.0.0.0:*                           1759/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1452/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1452/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           7767/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1224/cups-browsed
udp6       0      0 :::2277                 :::*                                7767/dhclient
udp6       0      0 :::5353                 :::*                                1093/avahi-daemon:
udp6       0      0 :::58274                :::*                                1093/avahi-daemon:

Thanks
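Added example, not code from the poster or from the Shorewall project: a small Python model of the policy and rules files quoted in the post, which parses one of the posted log lines and reports which entry Shorewall's first-match evaluation reaches for locally generated traffic leaving via tun0. The interface-to-zone table, the rule list and the log regex are assumptions reconstructed from the post's files, not Shorewall's own parser.

```python
import re

# Policy file from the post, in file order (Shorewall applies the first match).
POLICY = [
    ("fw",   "net", "ACCEPT"),
    ("ovpn", "net", "ACCEPT"),
    ("net",  "all", "DROP"),
    ("ovpn", "all", "DROP"),
    ("all",  "all", "REJECT"),
]
# The two explicit openvpn rules from the post: (action, src, dst, proto, dport, sport).
RULES = [
    ("ACCEPT", "ovpn", "fw",   "udp", None,   "1194"),
    ("ACCEPT", "fw",   "ovpn", "udp", "1194", None),
]
# Interface-to-zone mapping from the interfaces file (assumed; "fw" is the host itself).
IFACE_ZONE = {"eth0": "net", "wlan0": "net", "tun0": "ovpn"}

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def zone_of(iface):
    """Map a logged interface to its zone; an empty IN= means the packet came from fw."""
    return IFACE_ZONE.get(iface, "fw") if iface else "fw"

def first_match(src_zone, dst_zone, proto, dport, sport):
    """Return the rule or policy entry that decides the packet: rules first, then policy."""
    for action, s, d, p, dp, sp in RULES:
        if (s, d, p) == (src_zone, dst_zone, proto) and dp in (None, dport) and sp in (None, sport):
            return ("rule", action)
    for s, d, action in POLICY:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return ("policy", action)
    return None

def explain(line):
    """Parse one Shorewall kernel log line and say which entry produced its disposition."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src_zone, dst_zone = zone_of(m["in"]), zone_of(m["out"])
    proto = m["proto"].lower()
    return {"chain": m["chain"], "logged": m["disp"], "src_zone": src_zone, "dst_zone": dst_zone,
            "proto": proto, "dpt": m["dpt"],
            "decided_by": first_match(src_zone, dst_zone, proto, m["dpt"], m["spt"])}

# One of the log lines from the post.
SAMPLE = ("Feb 20 13:32:54 LeosGameLaptop kernel: [11141.270388] Shorewall:fw-ovpn:REJECT:IN= OUT=tun0 "
          "SRC=172.20.17.184 DST=198.18.0.2 LEN=77 TOS=0x00 PREC=0x00 TTL=64 ID=1421 DF "
          "PROTO=UDP SPT=13415 DPT=53 LEN=57")

if __name__ == "__main__":
    print(explain(SAMPLE))
```

The same function shows that the one fw-to-ovpn rule only covers UDP destination port 1194, so any other locally generated packet routed out tun0 (here DNS on port 53, following the tun0 default route) is decided by the catch-all policy.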
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users