Firewall blocks Nagios

Hi guys,

I have installed the Monitoring Pack and the Firewall Pack via the Software Center.
I have four green interfaces (one subnet on each interface) and one red interface.

My problem is that Nagios does not seem to be able to communicate with my network because the traffic is blocked. The log shows this entry:

Mar 28 12:15:33 gw kernel: Shorewall:fw2knet:REJECT:IN= OUT=eth2 SRC=10.1.0.1 DST=10.1.0.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=36373 SEQ=1 

I have a Hostgroup, that contains each IP-Address the Nethserver has on each Subnet.
I created the following rules, but no rule seems to allow the traffic:

  1. Hostgroup with all Nethserver IPs (“gateway”) to the Zone (10.1.0.0/24) (“knet”) to monitor
  2. Hostgroup with all Nethserver IPs (“gateway”) to all green interfaces
  3. Hostgroup with all Nethserver IPs (“gateway”) to the IP-Range (10.1.0.0-10.1.255.255) (“k-network”) to monitor
  4. IP of Nethserver in the Subnet (“kgateway”) to the Zone (“knet”) to monitor
  5. IP of Nethserver in the Subnet (“kgateway”) to the IP-Range (10.1.0.0-10.1.255.255) (“k-network”) to monitor

Every rule is configured to allow all services, and the general setting “Allow traffic to internet” is enabled.

What can I do so that Nagios is allowed to monitor my network?

Hi, please create the Nagios service or make a firewall rule. Please search the forum :)

I think the second rule does not go well. "Gateway to green… but which green?"
Delete it.
The other rules below will be able to trigger…

TCP or UDP? Nagios pings, but I cannot select ICMP… And my assumption is that “all” contains “all” and not just “some”. Searching for “nagios firewall” doesn’t turn up any resolutions.

My assumption was “all green”. I removed the rule. No change.

You need this rule inside a custom template:

   $FW    knet    ACCEPT

I can’t figure out why right now; maybe I will ask you for more info in the next days :slight_smile:

OK, I’ll wait for you :slight_smile:
I need to explain some of this stuff to “real user”-customers. So anything that cannot be done via GUI is something they can’t do.

I just looked again to your configuration and probably I have the solution.

Introduction

In Shorewall all firewall IPs are already contained inside a special zone named “$FW”.
If you want to open a port (53 tcp) on the firewall from the red interface, you must create a rule like:

ACCEPT  net     $FW     tcp     53

But in NS the $FW object is not exposed inside the firewall rules page.
If you want to open a service hosted on the firewall itself, you must create a network service inside the Network Services page.
You have nethserver-adagios installed, which takes care of opening all needed ports in the firewall, so you can safely skip this part.
(See: http://docs.nethserver.org/projects/nethserver-devel/en/latest/services.html#access-network-service)

Also, when you create a Zone in Shorewall you must specify a rule for each traffic direction. In your scenario, if you want to use a zone, you should create at least 12 rules! :open_mouth:
(See: http://shorewall.net/manpages/shorewall-zones.html)

Solution

Remove all rules, and the system should work out of the box.
If you need to specify some custom rules, use CIDR objects and not zones.
(See: http://docs.nethserver.org/en/latest/firewall.html#firewall-objects )

I removed all rules now (even the rules, that I need for other stuff) but it is still not working. Yes, the shorewall-service had a restart.

I tried to analyze why it is not working. There are more things that are not working but should, for example DNS. I figured out the following:
After a restart or a disconnect/reconnect of my virtual client machine, DNS works for a short time. Absolutely no idea why. After some seconds, it is blocked again by the firewall.
This is my firewall config (I masked the port-forwarding stuff):

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l. 
# http://www.nethesis.it - support@nethesis.it
# 
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#SECTION ALL
#
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED


#
# SECTION RELATED
#
?SECTION RELATED


#
# SECTION NEW
#
?SECTION NEW

#
# Drop Ping from the "bad" net zone.
#
Ping/DROP     net             $FW

#
#  Make ping work bi-directionally between the dmz, net, Firewall and local zone
#  (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc            $FW

#
#       Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT      $FW             net
#
#	Service: dnsmasq Access: private
#
?COMMENT dnsmasq
ACCEPT	loc	$FW	tcp	53
ACCEPT	loc	$FW	udp	53
ACCEPT	loc	$FW	udp	67
ACCEPT	loc	$FW	udp	69
#
#	Service: httpd Access: public
#
?COMMENT httpd
ACCEPT	loc	$FW	tcp	80
ACCEPT	net	$FW	tcp	80
?COMMENT httpd
ACCEPT	loc	$FW	tcp	443
ACCEPT	net	$FW	tcp	443
#
#	Service: httpd-admin Access: public
#
?COMMENT httpd-admin
ACCEPT	loc	$FW	tcp	980
ACCEPT	net	$FW	tcp	980
#
#	Service: mysqld Access: private
#
?COMMENT mysqld
ACCEPT	loc	$FW	tcp	3306
#
#	Service: nagios Access: private
#
?COMMENT nagios
ACCEPT	loc	$FW	tcp	6557
#
#	Service: nmb Access: private
#
ACCEPT	loc	$FW	udp	137
ACCEPT	loc	$FW	udp	138
#
#	Service: nrpe Access: private
#
?COMMENT nrpe
ACCEPT	loc	$FW	tcp	5666
#
#	Service: ntpd Access: private
#
ACCEPT	loc	$FW	udp	123
#
#	Service: openvpn Access: public
#
ACCEPT	loc	$FW	udp	1194
ACCEPT	net	$FW	udp	1194
#
#	Service: slapd Access: private
#
?COMMENT slapd
ACCEPT	loc	$FW	tcp	389
#
#	Service: smb Access: private
#
?COMMENT smb
ACCEPT	loc	$FW	tcp	139
?COMMENT smb
ACCEPT	loc	$FW	tcp	445
#
#	Service: sshd Access: private
#
?COMMENT sshd
ACCEPT	loc	$FW	tcp	222

#
# 40l2tp -- accept L2TP nego from ivpn zone
#
?COMMENT l2tp
ACCEPT  ivpn	$FW	udp	1701



#
# 50pf -- PORT FORWARDING
#

#
# PF 	&eth0:*x*x*x* -> *x*x*x*  
#
?COMMENT  from net
DNAT	net	knet:*x*x*x*	tcp	*x*x*x*	-	&eth0
#
# PF 	&eth0:*x*x*x* -> *x*x*x*  
#
?COMMENT  from net
DNAT	net	knet:*x*x*x*	tcp	*x*x*x*	-	&eth0


#
# 60rules
#

#
# RULE#1 iprange;k-network -> host-group;gateway 
#
?COMMENT RULE#1 
ACCEPT:none	knet:10.1.0.0-10.1.255.255	hnet:10.0.0.1,10.1.0.1	tcp	222



#
# 90dns_blue 
#

The Firewall Log shows all the time:

Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.1.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=6605 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.0.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=5619 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.1.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=6606 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.0.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=5620 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.1.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=6607 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.0.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=5621 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.1.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=6608 PROTO=UDP SPT=59879 DPT=53 LEN=50 
Mar 29 21:42:29 gw kernel: Shorewall:fw2knet:REJECT:IN= OUT=eth2 SRC=10.1.0.1 DST=10.1.0.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63025 SEQ=1 
Mar 29 21:42:29 gw kernel: Shorewall:fw2knet:REJECT:IN= OUT=eth2 SRC=10.1.0.1 DST=10.1.0.101 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63281 SEQ=1 

First seven rows: 10.1.0.1 and 10.0.0.1 are the primary and secondary DNS servers on the client (10.1.0.101).
Last two rows: these are the Nagios pings to two of my clients.
All rows are rejected. Why?
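
As an added illustration (not code from the thread or from NethServer), here is a small Python script that parses Shorewall REJECT lines like the ones above: the chain name `knet2fw` encodes the source and destination zone (`fw` being the firewall's own `$FW` zone described earlier), and the script tallies which zone pair, protocol and port are being refused and prints the rules-file line that would describe each flow. The sample lines are constructed after the entries quoted above.

```python
import re
from collections import Counter

# Constructed sample modelled on the REJECT entries quoted above (not a real capture).
SAMPLE_LOG = """\
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.1.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=6605 PROTO=UDP SPT=59879 DPT=53 LEN=50
Mar 29 21:42:27 gw kernel: Shorewall:knet2fw:REJECT:IN=eth2 OUT= MAC=00:15:5d:15:07:10:00:15:5d:15:07:0b:08:00 SRC=10.1.0.101 DST=10.0.0.1 LEN=70 TOS=0x00 PREC=0x00 TTL=128 ID=5619 PROTO=UDP SPT=59879 DPT=53 LEN=50
Mar 29 21:42:29 gw kernel: Shorewall:fw2knet:REJECT:IN= OUT=eth2 SRC=10.1.0.1 DST=10.1.0.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=63025 SEQ=1
"""
# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=value fields.
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
CHAIN_RE = re.compile(r"^(?P<src>\w+?)2(?P<dst>\w+)$")  # <src>2<dst>; "fw" is the $FW zone

def parse_line(line):
    """Return a dict for one Shorewall log entry, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))  # later duplicates (LEN, ID) win
    zones = CHAIN_RE.match(m.group("chain"))
    proto = fields.get("PROTO", "?").lower()
    # ICMP entries carry TYPE= instead of a destination port (8 = echo request).
    service = "type" + fields.get("TYPE", "?") if proto == "icmp" else fields.get("DPT", "?")
    return {"action": m.group("action"), "proto": proto, "service": service,
            "src_zone": zones.group("src") if zones else m.group("chain"),
            "dst_zone": zones.group("dst") if zones else "",
            "src": fields.get("SRC"), "dst": fields.get("DST")}

def summarize(log_text):
    """Count REJECTed flows per (source zone, destination zone, protocol, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "REJECT":
            counts[(entry["src_zone"], entry["dst_zone"], entry["proto"], entry["service"])] += 1
    return counts

def explain(counts):
    """Render each rejected flow next to the rules-file line that describes it."""
    out = []
    for (sz, dz, proto, svc), n in sorted(counts.items()):
        src, dst = ("$FW" if z == "fw" else z for z in (sz, dz))
        # Shorewall's Ping macro covers echo requests; other flows are plain ACCEPT lines.
        rule = f"Ping/ACCEPT {src} {dst}" if proto == "icmp" else f"ACCEPT {src} {dst} {proto} {svc}"
        out.append(f"{n}x {sz}->{dz} {proto}/{svc}: {rule}")
    return out

print("\n".join(explain(summarize(SAMPLE_LOG))))
```

Feed it `journalctl -k` or `/var/log/firewall.log` output instead of the sample to see which zone pairs a NethServer box is actually refusing.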

bump
Does anybody have an idea? Otherwise I assume it is a bug somewhere in Nethserver and I will try to reinstall everything again tomorrow; I have to get the network configuration done (subnets, firewall, VPN, HTTP (reverse) proxy, Let’s Encrypt).

Sorry, but I don’t have much time to look at this, so I will try a blind shot:
go to the Network Services page and add all your CIDRs inside the “Allow hosts” field of the nagios service.

No, still not working. Same issue.

I reinstalled Nethserver from scratch and the problem is gone. Don’t know what the problem was.

That’s a pity. BTW, I’m happy things went well.