Comment 1 for bug 275121

Gavin McCullagh (gmccullagh) wrote :

On my home desktop I've managed to reproduce some garbled messages which should make for easier reproduction by others.

Instructions to reproduce this bug for demonstration purposes:

1. Take a common or garden Ubuntu Hardy desktop install with a single network interface, on a subnet with another (ideally Linux) machine.
2. sudo apt-get -y install shorewall nmap
3. sudo cp /usr/share/doc/shorewall-common/examples/one-interface/{rules,interfaces,policy,zones} /etc/shorewall/
4. edit /etc/default/shorewall and set startup=1
5. edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes
6. Edit /etc/shorewall/policy and change _all_ lines to have policy "REJECT" with log level "info"
7. Edit /etc/shorewall/rules changing the Ping/REJECT to Ping/ACCEPT and add these lines
   ACCEPT $FW net tcp 22
   ACCEPT $FW net tcp 22
   ACCEPT net $FW tcp 22
   ACCEPT net $FW tcp 22
8. sudo /etc/init.d/shorewall restart
9. sudo ifconfig eth0:1 192.168.2.1 netmask 255.255.255.0
10. On the other Linux machine run
      sudo ifconfig eth0:1 192.168.2.2 netmask 255.255.255.0
11. nmap 192.168.2.2
12. On the other Linux machine run
      nmap 192.168.2.1
13. Look in /var/log/syslog and see do you get any garbled entries.

I have just done this and got garbled messages from the port scans in both directions (fw2net and net2fw):

Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:fw2net:REJECT:IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:50:02 balti kernel: [ 957.260304] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9528 DF PROTO=TCP SPT=58089 DPT=727 WINDOW=5840 RES=0x00 SYN URGP=0

Sep 27 12:53:18 balti kernel: [ 1151.778943] Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS
=0x00 PREC=0x00 TTL=64 ID=4404 DF PROTO=TCP SPT=54174 DPT=813 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:53:18 balti kernel: [ 1151.780464]= MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2 MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2:2e:00:16:6f:7= MAC=00:30:1b: MAC=00:30:1b:a= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20990 DF PROTOMAC=00:30:1b:ae:a2AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DSTC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:0C=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:0AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.AC=00:30:1b:ae:a2:2e:0AC=00:30:1b:ae:a2:2eMAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25 MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08 MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 = MAC=00:30:1b:ae:a2:2e:
Sep 27 12:53:18 balti kernel: 0:16:6f:7c:25:8a:08:00 SRCT= MAC=00:30:1T= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=6= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DT= MAC=00:30:1b:ae:aT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=T= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:T= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2UT= MAC=00:30:1b:aOUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:70 OUT= MAC=00:h0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.16th0 OUT= MAC=00:30:1b:ae:a2:2e:00:16th0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=19eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:2N=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64
Sep 27 12:53:18 balti kernel: N=eth0 OUT= MAC=00:3CT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08JECT:IN=eth0 OUT= MAECT:IN=eth0 OUT= MAECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00EJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2eECT:IN=eth0 OUT= MACJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2ECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:ECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64JECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=JECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:0EJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:EJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00REJECT:IN=eth0 OUT= MAC=00:30:1b:aew:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:0w:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:w:REJECT:IN=eth0 fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6fet2fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2eet2fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:t2fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:at2fw:REJECT:INt2fw:REJECT:IN=eth0 OUT= M

I'm attaching a file which contains the syslog entries relevant to both port scans. You can see small garbage in the outgoing nmap but much larger garbage on the incoming portscan.

For some reason, this doesn't appear to happen when a DROP policy is in action; I only see it for REJECTs.

The above of course is just proof of concept and may seem a strange config. I'm seeing it on more sensibly configured machines too though.

Gavin
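
Added example (not part of the original comment or of Shorewall): a small Python checker that flags garbled Shorewall/netfilter entries in syslog, so that corrupted firewall records are noticed before they reach a log parser or SIEM. The field order is taken from the intact entries above; the function names are hypothetical, and the third and fourth sample lines are constructed to resemble the corruption shown.

```python
import ipaddress
import re

# Fields an intact entry on this page carries for an IPv4 packet, in output order.
REQUIRED = ["IN", "OUT", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID", "PROTO"]
PREFIX = re.compile(r"kernel: \[\s*\d+\.\d+\] Shorewall:(\w+):(\w+):(.*)$")
FIELD = re.compile(r"(?<!\S)([A-Z]+)=(\S*)")  # KEY=value tokens; bare flags (DF, SYN) are skipped

def check_line(line):
    """Return a list of reasons the line looks garbled (empty list = well formed)."""
    m = PREFIX.search(line)
    if not m:
        return ["missing '[timestamp] Shorewall:chain:disposition:' prefix"]
    fields = FIELD.findall(m.group(3))
    keys = [k for k, _ in fields]
    reasons = []
    dupes = sorted({k for k in keys if keys.count(k) > 1})
    if dupes:
        reasons.append("repeated fields: " + ",".join(dupes))
    missing = [k for k in REQUIRED if k not in keys]
    if missing:
        reasons.append("missing fields: " + ",".join(missing))
    elif not dupes and [k for k in keys if k in REQUIRED] != REQUIRED:
        reasons.append("fields out of order")
    for key, value in fields:
        if key in ("SRC", "DST"):
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                reasons.append(f"bad {key} address: {value!r}")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every line that fails check_line."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := check_line(line))]

SAMPLE = [
    # First two lines are copied from the report above.
    "Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:fw2net:REJECT:IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Constructed: repeated MAC= fragment inside an otherwise complete entry.
    "Sep 27 12:53:18 balti kernel: [ 1151.780464] Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20990 DF PROTO=TCP SPT=54174 DPT=813",
    # Constructed: continuation line that lost its timestamp and prefix.
    "Sep 27 12:53:18 balti kernel: 0:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60",
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE):
        print(n, "; ".join(reasons))
```

To check a real log, pass the lines of /var/log/syslog that contain "Shorewall:" or that immediately follow such a line to scan().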