occasional restart of firewall needed, pls help

 
 
Cameron Kerr
      03-04-2004, 04:54 PM
Phisherman <(E-Mail Removed)> wrote:
> I am using Jay's firewall and Squid, running pppd. The Linux box
> prime purpose is to provide dialup internet connections to my Windows
> machines connected through an ethernet hub. Everything works great,
> email, IE, newsgroups, streaming audio, and Kazaa. But, periodically,
> the connection drops. (IE shows a DNS error.)


See if your IP address changes before and after the fault. If it does,
make sure Jay's Firewall is set to use MASQUERADE instead of SNAT. To
test, use the following.

iptables -t NAT -L POSTROUTING

If you see lines that mention SNAT, you need to edit your configuration
for Jay's firewall, assuming it allows you to change such things.

> Jay's Firewall says the following:
>
> Open ports for ppp0: 1214, 110, 25, 119, 53


You don't need to open 110, 25, 119, unless you want POP3, SMTP, and
NNTP connections to come INTO your network from the internet. Normally,
connections would go the other way.

> I'm willing to provide more details and/or try something else other
> than Jay's Firewall or Squid, but it must be text-based and run on
> Redhat Fedora.


I've had good results in the past with gShield.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
 
 
 
Phisherman
      03-04-2004, 05:19 PM
I am using Jay's firewall and Squid, running pppd. The Linux box
prime purpose is to provide dialup internet connections to my Windows
machines connected through an ethernet hub. Everything works great,
email, IE, newsgroups, streaming audio, and Kazaa. But, periodically,
the connection drops. (IE shows a DNS error.) I issue the command

/etc/init.d/fw-jay restart

then everything works again. Neither the modem, Squid nor pppd needs to be
restarted. But after 10-100 minutes the firewall needs restarting
again. I tried looking at tcpdump outputs, but that only made me
dizzy. Any clues? The "occasional" event makes this difficult to
troubleshoot, and I'm not a network guru.

Jay's Firewall says the following:

Open ports for ppp0: 1214, 110, 25, 119, 53
Open ports for UDP: none
TCP Forwarded Ports: eth0 > 80 > 192.168.0.3:3128
Masquerading/NAT selected, no DHCP Server
ISP Config, DNS 204.127.xxx.x 204.127.xxx.x 204.127.xxx.x
DHCP Server (nothing)

I'm willing to provide more details and/or try something else other
than Jay's Firewall or Squid, but it must be text-based and run on
Redhat Fedora.

Thanks!

 
 
sebmil
      03-04-2004, 08:19 PM
Hello,

> I am using Jay's firewall and Squid, running pppd. The Linux box
> prime purpose is to provide dialup internet connections to my Windows
> machines connected through an ethernet hub. Everything works great,
> email, IE, newsgroups, streaming audio, and Kazaa. But, periodically,
> the connection drops. (IE shows a DNS error.) I issue the command
>
> /etc/init.d/fw-jay restart
>
> then everything works again. Neither the modem, Squid nor pppd needs to be
> restarted. But after 10-100 minutes the firewall needs restarting
> again.


I don't know Jay's firewall, but since you are using a P2P software, maybe
you are simply filling up your IP conntrack table.

If this is the case, you should have some errors talking about that in
your syslog's message file.

When the problem shows up, try connecting to your routing box and do

# wc -l /proc/net/ip_conntrack

to show how many connection trackers you are using, and then do

# cat /proc/sys/net/ipv4/ip_conntrack_max

to know how many connection trackers you have.

If the table is full, no more connection can be routed.
If the table fills too fast, you can manually increase the number of
conntracks by doing:

# echo 1024 > /proc/sys/net/ipv4/ip_conntrack_max

It may slow down your router a bit, but your conntrack table will not be
full anymore.

1024 should be sufficient for the worst P2P apps, as many are limited to
500 connections, but it's up to you to tune this number, depending on your
needs.

hope this helps, bye.
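The two checks above, wrapped into a small script so they can be run from cron or by hand before the next drop-out. This is an added example, not part of sebmil's post; the "table full" syslog wording and the sample data are constructed for the demonstration, and the file paths are parameters so the functions can be run on constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: check conntrack table usage the way
# sebmil describes, and count kernel "table full" messages in a syslog file.
# File paths are parameters so the functions can be run on constructed data.

# Print "used max percent"; exit status 1 when usage is 90% or more.
conntrack_status() {
    table="${1:-/proc/net/ip_conntrack}"
    maxfile="${2:-/proc/sys/net/ipv4/ip_conntrack_max}"
    used=$(wc -l < "$table" | tr -d ' ')
    max=$(cat "$maxfile")
    pct=$((used * 100 / max))
    echo "$used $max $pct"
    [ "$pct" -lt 90 ]
}

# Count syslog lines reporting a full conntrack table (2.4/2.6 kernel wording).
count_table_full() {
    grep -c 'ip_conntrack: table full' "$1" || true
}

# Write constructed sample data into directory $1: 950 fake tracker entries
# (Kazaa-style port 1214 connections), a max of 1024, and a syslog excerpt.
make_sample() {
    i=0
    : > "$1/ip_conntrack"
    while [ "$i" -lt 950 ]; do
        echo "tcp 6 431999 ESTABLISHED src=192.168.0.1 dst=10.0.0.$((i % 250 + 1)) sport=$((1024 + i)) dport=1214 use=1" >> "$1/ip_conntrack"
        i=$((i + 1))
    done
    echo 1024 > "$1/ip_conntrack_max"
    cat > "$1/messages" <<'EOF'
Mar  4 20:10:01 Blue kernel: ip_conntrack: table full, dropping packet.
Mar  4 20:10:02 Blue kernel: ip_conntrack: table full, dropping packet.
Mar  4 20:10:05 Blue pppd[1234]: local  IP address 192.0.2.10
EOF
}

# Stand-alone run on the constructed sample.
sample=$(mktemp -d)
make_sample "$sample"
conntrack_status "$sample/ip_conntrack" "$sample/ip_conntrack_max" \
    || echo "warning: conntrack table nearly full"
echo "table-full messages: $(count_table_full "$sample/messages")"
```

On the real box, call `conntrack_status` with no arguments to read the live /proc files, and point `count_table_full` at /var/log/messages.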

 
 
Cameron Kerr
      03-04-2004, 10:22 PM
Phisherman <(E-Mail Removed)> wrote:
> On 5 Mar 2004 06:54:48 +1300, Cameron Kerr


>>iptables -t NAT -L POSTROUTING
>>

> I issued the above command with the following (strange) output...
>
> iptables v1.2.8: can't initialize iptables table 'NAT': Table does not
> exist (do you mead to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.


Sorry, that should be 'nat', not 'NAT'

> There's no mention of SNAT. I thought this was used only for those
> customers with static IPs (right?).


Correct. When you use SNAT and your address changes, the firewall will
break in the way mentioned.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
Phisherman
      03-04-2004, 11:18 PM
On 5 Mar 2004 06:54:48 +1300, Cameron Kerr
<(E-Mail Removed)> wrote:

>Phisherman <(E-Mail Removed)> wrote:
>> I am using Jay's firewall and Squid, running pppd. The Linux box
>> prime purpose is to provide dialup internet connections to my Windows
>> machines connected through an ethernet hub. Everything works great,
>> email, IE, newsgroups, streaming audio, and Kazaa. But, periodically,
>> the connection drops. (IE shows a DNS error.)

>
>See if your IP address changes before and after the fault. If it does,
>make sure Jay's Firewall is set to use MASQUERADE instead of SNAT. To
>test, use the following.
>
>iptables -t NAT -L POSTROUTING
>

I issued the above command with the following (strange) output...

iptables v1.2.8: can't initialize iptables table 'NAT': Table does not
exist (do you mead to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

There's no mention of SNAT. I thought this was used only for those
customers with static IPs (right?). I use AT&T dialup and ppp0
connects to get a new IP address every time the modem completes a
call.

>If you see lines that mention SNAT, you need to edit your configuration
>for Jay's firewall, assuming it allows you to change such things.
>
>> Jay's Firewall says the following:
>>
>> Open ports for ppp0: 1214, 110, 25, 119, 53

>
>You don't need to open 110, 25, 119, unless you want POP3, SMTP, and
>NNTP connections to come INTO your network from the internet. Normally,
>connections would go the other way.
>

Although this did not solve my problem, I removed 110, 25, and 119 as
you suggested and this had no effect on the needed services.
Actually, I added port 53 today after surfing w/Google and reading
responses to "firewall restart issues," thinking this might solve the
problem of my periodic connectivity loss--but this did not work. :-(

>> I'm willing to provide more details and/or try something else other
>> than Jay's Firewall or Squid, but it must be text-based and run on
>> Redhat Fedora.

>
>I've had good results in the past with gShield


Thanks Cameron. I'll keep gShield in the back of my mind in case I
get all tweaked out from Jay's Firewall.
 
 
Cameron Kerr
      03-05-2004, 02:36 AM
Phisherman <(E-Mail Removed)> wrote:
> I am using Jay's firewall and Squid, running pppd. The Linux box
> prime purpose is to provide dialup internet connections to my Windows
> machines connected though an ethernet hub. Everything works great,
> email, IE, newsgroups, streaming audio, and Kazaa. But, periodically,
> the connection drops. (IE shows a DNS error.) I issue the command
>
> /etc/init.d/fw-jay restart


You should probably call this from a script in /etc/ppp/ip-up.d/.

This may be different on Fedora however.
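One way to do what Cameron suggests, combined with his earlier request to see whether the ppp0 address changes between drop-outs. This is an added example, not Cameron's script or part of Jay's Firewall; the install path, the state file location and the `FW_RESTART` command are assumptions (Fedora may run /etc/ppp/ip-up.local instead of an ip-up.d/ directory).

```shell
#!/bin/sh
# Added example, not from the thread: a pppd ip-up hook that records the
# address ppp0 received, reports whether it changed since the last call
# (Cameron's earlier question), and restarts Jay's firewall each time the
# link comes up. pppd passes: interface, tty, speed, local IP, remote IP,
# ipparam. The install path is an assumption; Fedora may use
# /etc/ppp/ip-up.local rather than an ip-up.d/ directory.

STATE_DIR="${STATE_DIR:-/var/run}"
FW_RESTART="${FW_RESTART:-/etc/init.d/fw-jay restart}"

# Append "date time iface ip" to the state file and print "changed" or
# "same" depending on the previously recorded address for that interface.
record_address() {
    iface="$1"; newip="$2"; state="$3"
    oldip=""
    if [ -r "$state" ]; then
        oldip=$(grep " $iface " "$state" | tail -n 1 | awk '{print $NF}')
    fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') $iface $newip" >> "$state"
    if [ "$newip" = "$oldip" ]; then
        echo same
    else
        echo changed
    fi
}

# Hook body: act only on ppp0, log the decision, then restart the firewall.
ip_up_hook() {
    iface="$1"; localip="$4"
    [ "$iface" = "ppp0" ] || return 0
    change=$(record_address "$iface" "$localip" "$STATE_DIR/ppp-addr.log")
    logger -t ip-up "$iface up with $localip (address $change), restarting firewall"
    sh -c "$FW_RESTART"
}

# Run the hook only when invoked by pppd with its argument list.
if [ $# -ge 5 ]; then
    ip_up_hook "$@"
fi
```

After a few dial-ups, the state file gives the before/after address history Cameron asked for, and the syslog entries show whether the firewall restart coincided with a new address.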

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
Phisherman
      03-05-2004, 02:54 AM
On 5 Mar 2004 12:22:11 +1300, Cameron Kerr
<(E-Mail Removed)> wrote:

>Phisherman <(E-Mail Removed)> wrote:
>> On 5 Mar 2004 06:54:48 +1300, Cameron Kerr

>
>>>iptables -t NAT -L POSTROUTING
>>>

>> I issued the above command with the following (strange) output...
>>
>> iptables v1.2.8: can't initialize iptables table 'NAT': Table does not
>> exist (do you mead to insmod?)
>> Perhaps iptables or your kernel needs to be upgraded.

>
>Sorry, that should be 'nat', not 'NAT'


[root@Blue root]# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/24 anywhere

The 192.168.0.1 and 192.168.0.2 are windows clients. The proxy host
(the linux box) is 192.168.0.3
>
>> There's no mention of SNAT. I thought this was used only for those
>> customers with static IPs (right?).

>
>Correct. When you use SNAT and your address changes, the firewall will
>break in the way mentioned.


 
 
 
 