Shoreline Firewall (Shorewall)

On Thursday 23 February 2006 13:39, Richard Houston wrote:
> Hi all
>
> Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3
> Ethernet cards. One connects to a high speed radio service(8 mbit eth0)
> the second to a broadband cable provider (1.5 mbit eth2) and the other
> into our dmz (eth1) I have the two external lines balanced , both set at
> default weight.
>
> The issue I run into is the the cable providers ip addresses have been
> added to several RLB on the net so if the mail server, situated in the
> dmz, tries to send mail to gov addresses the mail gets bounce.
>
> What I would like to do is send all traffic for port 25 out on the 8 mbit
> eth0 line only. If it helps we can send all the traffic for a specific
> machine out via the 8 mbit eth0 interface, that works for me.
>
> Thanks all and appreciate your help.

The example in the Shorewall multiISP documentaiton describes *exactly* how to 
do this (it even uses tcp port 25 as the example application!!!)

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

>
> The example in the Shorewall multiISP documentaiton describes *exactly*
> how to do this (it even uses tcp port 25 as the example application!!!)
>
> -Tom
Thanks Tom,

I have been working from that document and still having issues. Here is
what I have:
IN TCRULES:
2:P             10.10.10.0      0.0.0.0         tcp
1:P             10.10.10.11     0.0.0.0         tcp     25

Now I still see port 25 traffic going out eth2 or P:2 in this case. 1:P is
the eth1 line which I want to see it go out.

This is the content of my PROVIDERS file:
tgo     1       1       main            eth0            64.201.181.177    
     track,balance           eth1
shw     2       2       main            eth2            24.79.4.1         
     track,balance           eth1

And here is the result of my shorewall restart:

Setting up Traffic Control Rules...
   TC Rule "2:P 10.10.10.0 0.0.0.0 tcp    " added
   TC Rule "1:P 10.10.10.11 0.0.0.0 tcp 25   " added

Note: 10.10.10.10 is a proxy server so I want all of it's traffic to go
out via the slower eth2 line. We want the eth0 line to be free for inbound
connections.

TC_ENABLED is set to TC_ENABLED=
If I set it to yes it bombs with a "no tcstart found" Is this my issue?
What should be in the tcstart file.

Thanks again for your help.


+------------------------------------+
Best regards,
-Richard Houston
-R.L.H.  Consulting
-E-Mail  rhouston@...
-WWW     http://www.rlhc.net
-Blog    http://www.rlhc.net/blog/

Richard Houston wrote:
> ...
> I have been working from that document and still having issues. Here is
> what I have:
> ...
> 
> TC_ENABLED is set to TC_ENABLED=
> If I set it to yes it bombs with a "no tcstart found" Is this my issue?
> What should be in the tcstart file.

If you're using Shorewall's built-in TC, it should be set to "Internal".

Paul

Thanks for that. That is what it was set to be for but it did not work
correctly. The mail and web traffic is balanced between the 2 Internet
connected connection.




+------------------------------------+
Best regards,
-Richard Houston
-R.L.H.  Consulting
-E-Mail  rhouston@...
-WWW     http://www.rlhc.net
-Blog    http://www.rlhc.net/blog/


> Richard Houston wrote:
>
>> ...
>> I have been working from that document and still having issues. Here is
>> what I have: ...
>>
>>
>> TC_ENABLED is set to TC_ENABLED=
>> If I set it to yes it bombs with a "no tcstart found" Is this my issue?
>> What should be in the tcstart file.
>>
>
> If you're using Shorewall's built-in TC, it should be set to "Internal".
>
>
> Paul
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language that extends applications into web and mobile media. Attend the
> live webcast and join the prime developer group breaking into this new
> coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

Richard Houston wrote:
> Thanks for that. That is what it was set to be for but it did not work
> correctly. The mail and web traffic is balanced between the 2 Internet
> connected connection.
> 
> 
How is the masq file setup?
Jerry

Richard Houston wrote:
> Thanks for that. That is what it was set to be for but it did not work
> correctly. The mail and web traffic is balanced between the 2 Internet
> connected connection.

Well your problem is elsewhere, then.  :-)

Paul

On Thursday 23 February 2006 16:45, Richard Houston wrote:
> Thanks for that. That is what it was set to be for but it did not work
> correctly. The mail and web traffic is balanced between the 2 Internet
> connected connection.

We have very specific instructions for reporting problems so that we can so=
lve=20
them easily (see http://www.shorwall.net/support.htm). We need the=20
information described in those instructions.

=2DTom
=2D-=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

> Richard Houston wrote:
>
>> Thanks for that. That is what it was set to be for but it did not work
>> correctly. The mail and web traffic is balanced between the 2 Internet
>> connected connection.
>>
>>
> How is the masq file setup?
> Jerry

Here it is:

#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
eth0    eth1
eth2    eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language that extends applications into web and mobile media. Attend the
> live webcast and join the prime developer group breaking into this new
> coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

Richard Houston wrote:
> Hi all
>
> Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3
> Ethernet cards. One connects to a high speed radio service(8 mbit eth0)
> the second to a broadband cable provider (1.5 mbit eth2) and the other
> into our dmz (eth1) I have the two external lines balanced , both set at
> default weight.
>
> The issue I run into is the the cable providers ip addresses have been
> added to several RLB on the net so if the mail server, situated in the
> dmz, tries to send mail to gov addresses the mail gets bounce.
>
> What I would like to do is send all traffic for port 25 out on the 8 mbit
> eth0 line only. If it helps we can send all the traffic for a specific
> machine out via the 8 mbit eth0 interface, that works for me.
>
> Thanks all and appreciate your help.
>   

    Richard,

    I'm a pretty heavy duty sendmail admin who manages several large 
volume servers.

    My comments are unrelated to Shorewall (sorry).

    While putting a protocol through a specific interface might work, 
it's a really messy way of avoiding an RBL listing. The best way of 
handling it would be to find out what RBLs are involved, and get 
whitelisted.

    There are *several problems* and *RFC transgressions* that can 
happen under the config you are proposing, and while you might be able 
to avoid them through being meticulous, the best route really is to get 
off the RBLs.

    I would be suprised if the .gov servers you are referring to are 
using the really aggressive RBLs. If they are it will be more reliable 
long term to contact the administrators of the RBLs and go through the 
clearing process, and/or contact the postmasters of those servers for 
whitelisting.

    I've had to "cleanup" IP ranges a bunch of times as clients have 
come and gone and my servers have moved around the country. It pays in 
spades to do the RBL work up front.

    And in your case, if the second connection gets blacklisted, you'll 
have to de-pollute the IP range anyway. And that process, depending on 
how bad things are (ISP/Number of listings), and whether your servers 
are configured correctly, can take weeks.  

    Don't be without e-mail for weeks- deal with the RBL problem.

--
Michael Cozzi
cozzi@...

> On Thursday 23 February 2006 16:45, Richard Houston wrote:
>
>> Thanks for that. That is what it was set to be for but it did not work
>> correctly. The mail and web traffic is balanced between the 2 Internet
>> connected connection.
>
> We have very specific instructions for reporting problems so that we can
> solve them easily (see http://www.shorwall.net/support.htm). We need the
> information described in those instructions.
>
> -Tom

Will do.

Thanks!

> Richard Houston wrote:
>
>> Thanks for that. That is what it was set to be for but it did not work
>> correctly. The mail and web traffic is balanced between the 2 Internet
>> connected connection.
>
> Well your problem is elsewhere, then.  :-)
>
>
> Paul

K, any ideas where I can look for the issue?

>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by xPML, a groundbreaking scripting
> language that extends applications into web and mobile media. Attend the
> live webcast and join the prime developer group breaking into this new
> coding territory!
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
>

Richard Houston wrote:
> 
> 
>>Richard Houston wrote:
>>
>>
>>>Thanks for that. That is what it was set to be for but it did not work
>>>correctly. The mail and web traffic is balanced between the 2 Internet
>>>connected connection.
>>>
>>>
>>
>>How is the masq file setup?
>>Jerry
> 
> 
> Here it is:
> 
> #INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
> eth0    eth1
> eth2    eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

You really should be doing SNAT here, that is done by using the third 
column, like in the examples on http://www.shorewall.net/MultiISP.html.
The short story is that iproute and the masq code don't play nice 
together. From experence, you should not give it a chance to guess what 
source address to use for the outbound masq'd connections.

Jerry

Hello Michael.

I like your approach. Going head on the problem, not working around it.
But as for getting the cable connection white listed is a difficult process.
Many RBL have a listing on dynamic IP ranges. (I would suspect that this is
the case of Richard's cable connection) and they will not remove these
listings.

I would expect the 8Mbit connection to have a more "permanent" status and
therefore a recommended solution. Make it possible to get of the blacklists
should that occur.

I would recommend on getting a permanent IP/range registered to your
organization on a non "dynamic CABLE/xDSL IP pool" for a critical mail
system. (If this isn't already the case on the 8Mbit connection.) It's also
recommended to get the proper reverse IP lookup on that mail server to match
the hostname. Some servers may check to se if the mail servers reported
hostname is equal to the official reverse lookup of the IP. Some have had
this as a requirement, but has later removed this for the amount of "good"
servers being rejected.


best regards,
Kristian.


-----Original Message-----
From: shorewall-users-admin@...
[mailto:shorewall-users-admin@...] On Behalf Of Michael
Cozzi
Sent: 24. februar 2006 04:10
To: shorewall-users@...
Subject: Re: [Shorewall-users] forcing specific protocols through specific
interface

Richard Houston wrote:
> Hi all
>
> Questions for the experts here. I have a Shorewall 3.0.5 firewall with 3
> Ethernet cards. One connects to a high speed radio service(8 mbit eth0)
> the second to a broadband cable provider (1.5 mbit eth2) and the other
> into our dmz (eth1) I have the two external lines balanced , both set at
> default weight.
>
> The issue I run into is the the cable providers ip addresses have been
> added to several RLB on the net so if the mail server, situated in the
> dmz, tries to send mail to gov addresses the mail gets bounce.
>
> What I would like to do is send all traffic for port 25 out on the 8 mbit
> eth0 line only. If it helps we can send all the traffic for a specific
> machine out via the 8 mbit eth0 interface, that works for me.
>
> Thanks all and appreciate your help.
>   

    Richard,

    I'm a pretty heavy duty sendmail admin who manages several large 
volume servers.

    My comments are unrelated to Shorewall (sorry).

    While putting a protocol through a specific interface might work, 
it's a really messy way of avoiding an RBL listing. The best way of 
handling it would be to find out what RBLs are involved, and get 
whitelisted.

    There are *several problems* and *RFC transgressions* that can 
happen under the config you are proposing, and while you might be able 
to avoid them through being meticulous, the best route really is to get 
off the RBLs.

    I would be suprised if the .gov servers you are referring to are 
using the really aggressive RBLs. If they are it will be more reliable 
long term to contact the administrators of the RBLs and go through the 
clearing process, and/or contact the postmasters of those servers for 
whitelisting.

    I've had to "cleanup" IP ranges a bunch of times as clients have 
come and gone and my servers have moved around the country. It pays in 
spades to do the RBL work up front.

    And in your case, if the second connection gets blacklisted, you'll 
have to de-pollute the IP range anyway. And that process, depending on 
how bad things are (ISP/Number of listings), and whether your servers 
are configured correctly, can take weeks.  

    Don't be without e-mail for weeks- deal with the RBL problem.

--
Michael Cozzi
cozzi@...

   


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
_______________________________________________
Shorewall-users mailing list
Shorewall-users@...
https://lists.sourceforge.net/lists/listinfo/shorewall-users

K wrote:
> Hello Michael.
>
> I like your approach. Going head on the problem, not working around it.
> But as for getting the cable connection white listed is a difficult process.
> Many RBL have a listing on dynamic IP ranges. (I would suspect that this is
> the case of Richard's cable connection) and they will not remove these
> listings.
>   

    K,

    Yes is might be a challenge, but it seems easier than moving a mail 
server in production to a new IP range. If you work with the ISP, the 
RBL, and the problem servers you can fix it permanently.

    Some RBLs have become more sensitive to the dynamic IP listing since 
many Cable/Low tier providers are now handing out IP ranges and hosting 
servers.

    It's worth a try anyway. I've always been successful in these 
situations.

--
Michael Cozzi
cozzi@...