Cannot remove shorewall modules

Interesting, none of them seems to be working on my system. I wonder what the difference is. I know that the system is up to date as of two days ago in terms of application updates.

[root@neth ~]# cat /etc/shorewall/shorewall.conf |grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip
[root@neth ~]# cat /etc/e-smith/templates/etc/shorewall/shorewall.conf/60options|grep DONT
DONT_LOAD=nf_nat_sip,nf_conntrack_sip
[root@neth ~]# cat /etc/shorewall/capabilities |grep SIP
SIP0_HELPER=
SIP_HELPER=
[root@neth ~]# cat /etc/shorewall/conntrack |grep SIP
#?if __SIP_HELPER // Here all three lines are commented, I don't know how to grep them all
[root@neth ~]# cat /etc/modprobe.d/blacklist.conf 
blacklist nf_nat_sip,nf_conntrack_sip  // Keeping just nf_conntrack_sip is not helping, too

IIRC you need a separate blacklist line for each module like

blacklist module1
blacklist module2

I wonder if you also need to remove the aliases of the kernel modules nf_conntrack_sip and nf_nat_sip:
alias: ip_conntrack_sip
alias: ip_nat_sip

[root@ns7loc15 ~]# modinfo nf_conntrack_sip
filename:       /lib/modules/3.10.0-1127.18.2.el7.x86_64/kernel/net/netfilter/nf_conntrack_sip.ko.xz
alias:          nfct-helper-sip
alias:          ip_conntrack_sip
description:    SIP connection tracking helper
author:         Christian Hentschel <chentschel@arnet.com.ar>
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     55190A00B759A250C9631DB
depends:        nf_conntrack
intree:         Y
vermagic:       3.10.0-1127.18.2.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        C6:5D:F3:F8:0C:5C:C3:53:A7:25:6E:1F:8E:44:52:89:1E:D8:9C:FE
sig_hashalgo:   sha256
parm:           ports:port numbers of SIP servers (array of ushort)
parm:           sip_timeout:timeout for the master SIP session (uint)
parm:           sip_direct_signalling:expect incoming calls from registrar only (default 1) (int)
parm:           sip_direct_media:Expect Media streams between signalling endpoints only (default 1) (int)

[root@ns7loc15 ~]# modinfo nf_nat_sip
filename:       /lib/modules/3.10.0-1127.18.2.el7.x86_64/kernel/net/netfilter/nf_nat_sip.ko.xz
alias:          ip_nat_sip
description:    SIP NAT helper
author:         Christian Hentschel <chentschel@arnet.com.ar>
license:        GPL
retpoline:      Y
rhelversion:    7.8
srcversion:     42E5288B3BB05DA394CEC7A
depends:        nf_conntrack,nf_conntrack_sip,nf_nat
intree:         Y
vermagic:       3.10.0-1127.18.2.el7.x86_64 SMP mod_unload modversions 
signer:         CentOS Linux kernel signing key
sig_key:        C6:5D:F3:F8:0C:5C:C3:53:A7:25:6E:1F:8E:44:52:89:1E:D8:9C:FE
sig_hashalgo:   sha256
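
One reason the single blacklist line above does nothing: modprobe treats "nf_nat_sip,nf_conntrack_sip" as one module name. The following script is an added example, not from this thread or from NethServer; it takes a constructed copy of that blacklist.conf content, counts comma-joined entries, and rewrites them one module per line, adding an "install <mod> /bin/false" line per module because "blacklist" only suppresses alias-based autoloading (the nfct-helper-sip and ip_conntrack_sip aliases shown by modinfo) while "install" also refuses an explicit modprobe or a dependency load.

```shell
#!/bin/sh
# Added example, not from the thread. The thread's blacklist.conf line
# "blacklist nf_nat_sip,nf_conntrack_sip" is read by modprobe as ONE module
# named "nf_nat_sip,nf_conntrack_sip", so neither real module is blacklisted.
# This script counts such lines and rewrites them one module per line. It also
# emits an "install <mod> /bin/false" line per module: "blacklist" only stops
# alias-based autoloading (e.g. via nfct-helper-sip), while "install" also
# refuses an explicit "modprobe <mod>" and loading as a dependency.

# Constructed sample mirroring the thread's file, plus a comment line and
# one correctly written entry.
SAMPLE_CONF='blacklist nf_nat_sip,nf_conntrack_sip
# blacklist nf_conntrack_h323
blacklist pcspkr'

# Number of uncommented "blacklist" lines that carry a comma-joined list.
count_bad_blacklist_lines() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -c '^[[:space:]]*blacklist[[:space:]].*,' || true
}

# Rewrite: one "blacklist" line and one "install ... /bin/false" line per
# module; comments and other lines pass through unchanged.
fix_blacklist() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            blacklist\ *)
                for m in $(printf '%s' "${line#blacklist }" | tr ',' ' '); do
                    printf 'blacklist %s\n' "$m"
                    printf 'install %s /bin/false\n' "$m"
                done
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Example run: report the problem, then print the corrected file content.
echo "comma-joined blacklist lines: $(count_bad_blacklist_lines "$SAMPLE_CONF")"
fix_blacklist "$SAMPLE_CONF"
```

Write the corrected output to a file under /etc/modprobe.d/ and check with lsmod after the next boot; a module already loaded is not unloaded by either directive.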

We have a feature related to this in development.


How can I do that? I will not be able to test it soon, but I am going to as soon as possible.

Is there an estimated date to expect it as an option in the web GUI? :slight_smile:

We need tests, so no ETA, but you can install the last two rpms of the GH pull request, then go to the settings page of the firewall application.

Which file I need to modify to do that?

We have two rpms in nethserver-testing.

You need to take care to remove your customizations, then go to the settings page of the firewall.

I am still a newbie to NethServer.
I am not sure how I can switch to the testing branch or how to download and install the relevant package.

There are several port forwarding rules and that's all about it. If that is a customization then I can do them again.

About customization, I meant how you removed the nf_conntrack_sip kernel module, not the TCP or service rules.

Either wait some time (we are in the QA stage) or

yum install nethserver-firewall-base nethserver-firewall-base-ui --enablerepo=nethserver-testing

I upgraded NethServer last Friday (I wish I hadn't).
Now 3CX cannot connect to the SIP trunk.
I am sure that the SIP modules are not loaded in the kernel, yet the problem remains.

I would like to give it a go to see if it will be of any help.

lsmod | grep sip
lsmod | grep H323

I am not familiar with H.323. Can it be a problem?
Or, can conntrack be a problem?

[root@neth ~]# lsmod|grep sip
[root@neth ~]# lsmod|grep h323
nf_nat_h323            17720  0 
nf_conntrack_h323      73895  5 nf_nat_h323
nf_nat                 26583  10 nf_nat_ftp,nf_nat_irc,nf_nat_amanda,nf_nat_proto_gre,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack          139264  27 nf_nat_ftp,nf_nat_irc,nf_nat_amanda,xt_CT,nf_nat_snmp_basic,nf_conntrack_netbios_ns,nf_conntrack_proto_gre,nf_nat,xt_state,nf_nat_h323,nf_nat_ipv4,nf_nat_pptp,nf_nat_tftp,xt_conntrack,nf_conntrack_amanda,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_broadcast,xt_connmark,nf_conntrack_ftp,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_ipv4,nf_conntrack_pptp,nf_conntrack_sane,nf_conntrack_snmp,nf_conntrack_tftp
[root@neth ~]#

BTW, I cannot remove it to test, as it is used by nf_nat.

[root@neth ~]# rmmod nf_conntrack
rmmod: ERROR: Module nf_conntrack is in use by: nf_nat_ftp nf_nat_irc nf_nat_amanda xt_CT nf_nat_snmp_basic nf_conntrack_netbios_ns nf_conntrack_proto_gre nf_nat xt_state nf_nat_h323 nf_nat_ipv4 nf_nat_pptp nf_nat_tftp xt_conntrack nf_conntrack_amanda nf_nat_masquerade_ipv4 nf_conntrack_netlink nf_conntrack_broadcast xt_connmark nf_conntrack_ftp nf_conntrack_irc nf_conntrack_h323 nf_conntrack_ipv4 nf_conntrack_pptp nf_conntrack_sane nf_conntrack_snmp nf_conntrack_tftp
[root@neth ~]#

Only if you still use H.323 instead of SIP.

It seems that your Shorewall does not load the conntrack SIP module, which could block SIP in one way.

Is there a way to get notified when the version that includes this feature is released?


Everything is under control, please relax and take a breath :smiley:

Quite interesting. I checked the latest updates to see if anything was related to the firewall. Nothing related until an update one month earlier. The problem is very new.

Now I cannot understand why our server cannot reach the other side, as I can ping and traceroute and everything works nicely. Just the SIP trunk is not getting registered.

The error I read is:
Destination (sip:188.132.208.13:5060;lr) is not reachable, DNS error resolving FQDN, or service is not available.

The service provider claims our packets are not arriving at their servers.

Not a firewall guy, but you should open a new thread and gather information:

Reboot the firewall
Check the sip rule port exists in iptables
Check the firewall.log

The problem turned out not to be related to an update, a setup parameter, or the firewall.

It turned out some router along the way to our SIP service provider's IP was not routing SIP packets.

Our provider sent us a new IP number and everything started to work again.

Yet, I will be making snapshots of the VM NethServer is running on before applying updates in the future :slight_smile:
