2002-08-13 22:45:21 +02:00
|
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<meta http-equiv="Content-Type"
|
|
|
|
|
content="text/html; charset=windows-1252">
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<title>Shorewall Troubleshooting</title>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
2002-11-09 19:06:34 +01:00
|
|
|
|
</head>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<body>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
|
|
|
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
2003-07-16 20:59:33 +02:00
|
|
|
|
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
|
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="100%">
|
2002-12-28 16:38:03 +01:00
|
|
|
|
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
|
|
|
|
|
src="images/obrasinf.gif" alt="Beating head on table" width="90"
|
|
|
|
|
height="90" align="middle">
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</font></h1>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
|
|
|
|
|
</tbody>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
</table>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<h3 align="left">Check the Errata</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
|
|
|
|
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
|
|
|
|
|
sure that there isn't an update that you are missing for your version
|
|
|
|
|
of the firewall.</p>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<h3 align="left">Check the FAQs</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
|
|
|
|
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
|
|
|
|
|
problems.</p>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<h3 align="left">If the firewall fails to start</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
If you receive an error message when starting or restarting
|
|
|
|
|
the firewall and you can't determine the cause, then do the following:
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>Make a note of the error message that you see.<br>
|
|
|
|
|
</li>
|
|
|
|
|
<li>shorewall debug start 2> /tmp/trace</li>
|
|
|
|
|
<li>Look at the /tmp/trace file and see if that helps you
|
|
|
|
|
determine what the problem is. Be sure you find the place in the log
|
|
|
|
|
where the error message you saw is generated -- If you are using Shorewall
|
2003-05-15 21:39:23 +02:00
|
|
|
|
1.4.0 or later, you should find the message near the end of the log.</li>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>If you still can't determine what's wrong then see the
|
|
|
|
|
<a href="support.htm">support page</a>.</li>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
</ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
Here's an example. During startup, a user sees the following:<br>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
A search through the trace for "No chain/target/match by that name"
|
|
|
|
|
turned up the following:<3A>
|
|
|
|
|
<blockquote>
|
2002-12-28 16:38:03 +01:00
|
|
|
|
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
|
|
|
|
|
tcp-reset". In this case, the user had compiled his own kernel and had
|
|
|
|
|
forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
|
|
|
|
|
|
2003-02-21 23:22:19 +01:00
|
|
|
|
<h3>Your network environment</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
|
|
|
|
<p>Many times when people have problems with Shorewall, the problem is actually
|
2003-05-15 21:39:23 +02:00
|
|
|
|
an ill-conceived network setup. Here are several popular snafus: </p>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>Port Forwarding where client and server are
|
2003-05-15 21:39:23 +02:00
|
|
|
|
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>Changing the IP address of a local system to be in the
|
|
|
|
|
external subnet, thinking that Shorewall will suddenly believe
|
|
|
|
|
that the system is in the 'net' zone.</li>
|
|
|
|
|
<li>Multiple interfaces connected to the same HUB or Switch.
|
|
|
|
|
Given the way that the Linux kernel respond to ARP "who-has" requests,
|
|
|
|
|
this type of setup does NOT work the way that you expect it to.</li>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
</ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2003-02-21 23:22:19 +01:00
|
|
|
|
<h3 align="left">If you are having connection problems:</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
|
|
|
|
<p align="left">If the appropriate policy for the connection that you are
|
|
|
|
|
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
|
|
|
|
|
TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
|
|
|
|
|
they add clutter to your rule set and they represent a big security hole
|
|
|
|
|
in the event that you forget to remove them later.</p>
|
|
|
|
|
|
|
|
|
|
<p align="left">I also recommend against setting all of your policies to
|
|
|
|
|
ACCEPT in an effort to make something work. That robs you of one of
|
|
|
|
|
your best diagnostic tools - the "Shorewall" messages that Netfilter
|
|
|
|
|
will generate when you try to connect in a way that isn't permitted
|
|
|
|
|
by your rule set.</p>
|
|
|
|
|
|
|
|
|
|
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
|
|
|
|
|
see Shorewall messages, then your problem is probably NOT a Shorewall
|
|
|
|
|
problem. If you DO see packet messages, it may be an indication that
|
|
|
|
|
you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
|
|
|
|
|
|
|
|
|
<p align="left">While you are troubleshooting, it is a good idea to clear
|
|
|
|
|
two variables in /etc/shorewall/shorewall.conf:</p>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p align="left">LOGRATE=""<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
LOGBURST=""</p>
|
|
|
|
|
|
|
|
|
|
<p align="left">This way, you will see all of the log messages being generated
|
2003-05-15 21:39:23 +02:00
|
|
|
|
(be sure to restart shorewall after clearing these variables).</p>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p align="left">Example:</p>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<font face="Century Gothic, Arial, Helvetica">
|
|
|
|
|
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
|
|
|
|
|
OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63
|
2003-05-15 21:39:23 +02:00
|
|
|
|
ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</font>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p align="left">Let's look at the important parts of this message:</p>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>all2all:REJECT - This packet was REJECTed out of the
|
|
|
|
|
all2all chain -- the packet was rejected under the "all"->"all"
|
|
|
|
|
REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
|
|
|
|
<li>IN=eth2 - the packet entered the firewall via eth2</li>
|
|
|
|
|
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
|
|
|
|
|
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
|
|
|
|
|
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
|
|
|
|
|
<li>PROTO=UDP - UDP Protocol</li>
|
|
|
|
|
<li>DPT=53 - DNS</li>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
</ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
|
|
|
|
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
|
|
|
|
|
is in the "loc" zone. I was missing the rule:</p>
|
|
|
|
|
|
2002-11-24 21:08:19 +01:00
|
|
|
|
<p align="left">ACCEPT<EFBFBD><EFBFBD><EFBFBD> dmz<6D><7A><EFBFBD> loc<6F><63><EFBFBD> udp<64><70><EFBFBD> 53<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
|
|
|
|
|
about how to interpret the chain name appearing in a Shorewall log message.<br>
|
|
|
|
|
</p>
|
|
|
|
|
|
2003-01-14 18:18:42 +01:00
|
|
|
|
<h3 align="left">'Ping' Problems?</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
Either can't ping when you think you should be able to or are able to
|
2003-05-15 21:39:23 +02:00
|
|
|
|
ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
|
2003-01-14 18:18:42 +01:00
|
|
|
|
href="ping.html"> is described here</a>.<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<h3 align="left">Other Gotchas</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>Seeing rejected/dropped packets logged out of the INPUT
|
|
|
|
|
or FORWARD chains? This means that:
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<ol>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>your zone definitions are screwed up and the host that
|
|
|
|
|
is sending the packets or the destination host isn't in any zone
|
|
|
|
|
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
|
|
|
|
|
file are you?); or</li>
|
|
|
|
|
<li>the source and destination hosts are both connected
|
|
|
|
|
to the same interface and you don't have a policy or rule for the
|
|
|
|
|
source zone to or from the destination zone.</li>
|
|
|
|
|
|
2002-09-16 19:13:10 +02:00
|
|
|
|
</ol>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</li>
|
|
|
|
|
<li>Remember that Shorewall doesn't automatically allow ICMP
|
|
|
|
|
type 8 ("ping") requests to be sent between zones. If you want pings
|
2003-05-15 21:39:23 +02:00
|
|
|
|
to be allowed between zones, you need a rule of the form:<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<br>
|
|
|
|
|
<20><><EFBFBD> ACCEPT<50><54><EFBFBD> <source zone><EFBFBD><EFBFBD><EFBFBD> <destination
|
2003-05-15 21:39:23 +02:00
|
|
|
|
zone><EFBFBD><EFBFBD><EFBFBD> icmp<6D><70><EFBFBD> echo-request<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<br>
|
|
|
|
|
The ramifications of this can be subtle. For example, if
|
2003-05-15 21:39:23 +02:00
|
|
|
|
you have the following in /etc/shorewall/nat:<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<br>
|
|
|
|
|
<20><><EFBFBD> 10.1.1.2<EFBFBD><EFBFBD><EFBFBD> eth0<68><30><EFBFBD> 130.252.100.18<br>
|
|
|
|
|
<br>
|
|
|
|
|
and you ping 130.252.100.18, unless you have allowed icmp
|
|
|
|
|
type 8 between the zone containing the system you are pinging from
|
|
|
|
|
and the zone containing 10.1.1.2, the ping requests will be dropped.<2E></li>
|
|
|
|
|
<li>If you specify "routefilter" for an interface, that
|
|
|
|
|
interface must be up prior to starting the firewall.</li>
|
|
|
|
|
<li>Is your routing correct? For example, internal systems
|
|
|
|
|
usually need to be configured with their default gateway set to
|
|
|
|
|
the IP address of their nearest firewall interface. One often overlooked
|
|
|
|
|
aspect of routing is that in order for two hosts to communicate,
|
|
|
|
|
the routing between them must be set up <u>in both directions.</u>
|
|
|
|
|
So when setting up routing between <b>A</b> and<b> B</b>, be sure
|
|
|
|
|
to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
|
|
|
|
|
<li>Some versions of LRP (EigerStein2Beta for example) have
|
|
|
|
|
a shell with broken variable expansion. <a
|
|
|
|
|
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
|
|
|
|
|
shell from the Shorewall Errata download site.</a> </li>
|
|
|
|
|
<li>Do you have your kernel properly configured? <a
|
2002-11-09 19:06:34 +01:00
|
|
|
|
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
<li>Shorewall requires the "ip" program. That program
|
|
|
|
|
is generally included in the "iproute" package which should be included
|
|
|
|
|
with your distribution (though many distributions don't install iproute
|
|
|
|
|
by default). You may also download the latest source tarball from
|
|
|
|
|
<a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
|
|
|
|
|
.</li>
|
|
|
|
|
<li>Problems with NAT? Be sure that you let
|
|
|
|
|
Shorewall add all external addresses to be use with NAT unless you
|
|
|
|
|
have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
|
|
|
|
|
in /etc/shorewall/shorewall.conf.</li>
|
|
|
|
|
|
2002-11-24 21:08:19 +01:00
|
|
|
|
</ul>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<h3>Still Having Problems?</h3>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
2003-01-14 18:18:42 +01:00
|
|
|
|
<p>See the<a href="support.htm"> support page.<br>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</a></p>
|
|
|
|
|
<font face="Century Gothic, Arial, Helvetica">
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<blockquote> </blockquote>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
</font>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
<p><font size="2">Last updated 4/29/2003 - Tom Eastep</font> </p>
|
2003-07-16 20:59:33 +02:00
|
|
|
|
|
|
|
|
|
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
|
|
|
|
<20> <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
|
|
|
|
</p>
|
|
|
|
|
<br>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
</body>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
</html>
|