I have installed the Monitoring Pack and the Firewall Pack via the Software Center.
I have four green interfaces (one subnet on each interface) and one red interface.
My problem is that Nagios seems not to be able to communicate with my network because the traffic is blocked. The log shows this entry:
I have a host group that contains each IP address the NethServer has on each subnet.
I created the following rules, but none of them seems to allow the traffic:
Host group with all NethServer IPs (“gateway”) to the zone (10.1.0.0/24) (“knet”) to monitor
Host group with all NethServer IPs (“gateway”) to all green interfaces
Host group with all NethServer IPs (“gateway”) to the IP range (10.1.0.0-10.1.255.255) (“k-network”) to monitor
IP of the NethServer in the subnet (“kgateway”) to the zone (“knet”) to monitor
IP of the NethServer in the subnet (“kgateway”) to the IP range (10.1.0.0-10.1.255.255) (“k-network”) to monitor
Every rule is configured to allow all services, and the general setting “Allow traffic to internet” is enabled.
What can I do so that Nagios is allowed to monitor my network?
TCP or UDP? Nagios pings, but I cannot select ICMP… And my assumption is that “all” means “all” and not just “some”. Searching for “nagios firewall” doesn’t turn up any solutions.
My assumption was “all green”. I removed the rule. No change.
OK, I’ll wait for you.
I need to explain some of this stuff to “real user” customers. So anything that cannot be done via the GUI is something they can’t do.
I just looked at your configuration again, and I probably have the solution.
Introduction
In Shorewall, all firewall IPs are already contained in a special zone named “$FW”.
If you want to open a port (53 tcp) on the firewall from the red interface, you must create a rule like:
ACCEPT net $FW tcp 53
But in NS the $FW object is not exposed in the firewall rules page.
If you want to open a service hosted on the firewall itself, you must create a network service in the Network Services page.
You have nethserver-adagios installed, which takes care of opening all needed ports in the firewall, so you can safely skip this part.
(See: http://docs.nethserver.org/projects/nethserver-devel/en/latest/services.html#access-network-service)
Also, when you create a zone in Shorewall you must specify a rule for each traffic direction; in your scenario, if you want to use a zone, you should create at least 12 rules!
(See: http://shorewall.net/manpages/shorewall-zones.html)
I tried to analyze why it is not working. There are more things that are not working but should, for example DNS. I figured out the following:
After a restart or a disconnect/reconnect of my virtual client machine, DNS works, but only for a short time. Absolutely no idea why. After some seconds, it is blocked again by the firewall.
This is my firewall config (I masked the port forwarding stuff):
# ================= DO NOT MODIFY THIS FILE =================
#
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED
#
# SECTION RELATED
#
?SECTION RELATED
#
# SECTION NEW
#
?SECTION NEW
#
# Drop Ping from the "bad" net zone.
#
Ping/DROP net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
#
# Service: dnsmasq Access: private
#
?COMMENT dnsmasq
ACCEPT loc $FW tcp 53
ACCEPT loc $FW udp 53
ACCEPT loc $FW udp 67
ACCEPT loc $FW udp 69
#
# Service: httpd Access: public
#
?COMMENT httpd
ACCEPT loc $FW tcp 80
ACCEPT net $FW tcp 80
?COMMENT httpd
ACCEPT loc $FW tcp 443
ACCEPT net $FW tcp 443
#
# Service: httpd-admin Access: public
#
?COMMENT httpd-admin
ACCEPT loc $FW tcp 980
ACCEPT net $FW tcp 980
#
# Service: mysqld Access: private
#
?COMMENT mysqld
ACCEPT loc $FW tcp 3306
#
# Service: nagios Access: private
#
?COMMENT nagios
ACCEPT loc $FW tcp 6557
#
# Service: nmb Access: private
#
ACCEPT loc $FW udp 137
ACCEPT loc $FW udp 138
#
# Service: nrpe Access: private
#
?COMMENT nrpe
ACCEPT loc $FW tcp 5666
#
# Service: ntpd Access: private
#
ACCEPT loc $FW udp 123
#
# Service: openvpn Access: public
#
ACCEPT loc $FW udp 1194
ACCEPT net $FW udp 1194
#
# Service: slapd Access: private
#
?COMMENT slapd
ACCEPT loc $FW tcp 389
#
# Service: smb Access: private
#
?COMMENT smb
ACCEPT loc $FW tcp 139
?COMMENT smb
ACCEPT loc $FW tcp 445
#
# Service: sshd Access: private
#
?COMMENT sshd
ACCEPT loc $FW tcp 222
#
# 40l2tp -- accept L2TP nego from ivpn zone
#
?COMMENT l2tp
ACCEPT ivpn $FW udp 1701
#
# 50pf -- PORT FORWARDING
#
#
# PF &eth0:*x*x*x* -> *x*x*x*
#
?COMMENT from net
DNAT net knet:*x*x*x* tcp *x*x*x* - &eth0
#
# PF &eth0:*x*x*x* -> *x*x*x*
#
?COMMENT from net
DNAT net knet:*x*x*x* tcp *x*x*x* - &eth0
#
# 60rules
#
#
# RULE#1 iprange;k-network -> host-group;gateway
#
?COMMENT RULE#1
ACCEPT:none knet:10.1.0.0-10.1.255.255 hnet:10.0.0.1,10.1.0.1 tcp 222
#
# 90dns_blue
#
First seven rows: 10.1.0.1 and 10.0.0.1 are the primary and secondary DNS servers on the client (10.1.0.101).
Last two rows: these are the Nagios pings to two of my clients.
All rows are rejected. Why?
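As an added illustration (not code from the thread or from NethServer), a small Python matcher over a constructed excerpt of the rules file above shows which line, if any, a given flow hits: the Nagios echo-request from $FW into knet and the client's DNS query from knet to $FW match nothing, because every ACCEPT line names loc or net rather than the custom zone. It assumes Shorewall's first-match semantics and expands the Ping and DNS macros to ICMP echo-request and tcp/udp 53; the policy file is not quoted in the thread, so a result of None only means the zone policy decides.

```python
import ipaddress
# Constructed excerpt of the generated rules file quoted above (macros, dnsmasq, custom rule).
RULES = """
Ping/DROP net $FW
Ping/ACCEPT loc $FW
DNS/ACCEPT $FW net
ACCEPT loc $FW udp 53
ACCEPT:none knet:10.1.0.0-10.1.255.255 hnet:10.0.0.1,10.1.0.1 tcp 222
"""
# Macros used above, expanded to (proto, dest port); Ping is ICMP echo-request (type 8).
MACROS = {"Ping": [("icmp", "8")], "DNS": [("tcp", "53"), ("udp", "53")]}

def host_matches(spec, ip):
    # Host part of a ZONE:hosts column: comma list of addresses, CIDRs or lo-hi ranges.
    ip = ipaddress.ip_address(ip)
    for item in spec.split(","):
        if "-" in item:
            lo, hi = (ipaddress.ip_address(x) for x in item.split("-"))
            if lo <= ip <= hi: return True
        elif ip in ipaddress.ip_network(item, strict=False):
            return True
    return False

def endpoint_matches(col, zone, ip):
    z, _, hosts = col.partition(":")  # "$FW" carries no host part and matches any IP
    return z == zone and (not hosts or host_matches(hosts, ip))

def parse(text):
    # Returns (verdict, source, dest, proto, dport) tuples; comments and ?-directives skipped.
    rules = []
    for f in (line.split() for line in text.splitlines()):
        if not f or f[0][0] in "#?":
            continue
        action = f[0].split(":")[0]                 # drop a log level such as ACCEPT:none
        macro, _, verdict = action.rpartition("/")  # Ping/DROP -> macro Ping, verdict DROP
        if macro:
            rules += [(verdict, f[1], f[2], p, port) for p, port in MACROS[macro]]
        else:
            proto = f[3] if len(f) > 3 else "all"
            dport = f[4] if len(f) > 4 else "-"
            rules.append((action, f[1], f[2], proto, dport))
    return rules

def first_match(rules, src_zone, src_ip, dst_zone, dst_ip, proto, port):
    # Shorewall applies the first matching rule; None means the zone policy decides instead.
    for verdict, s, d, p, dport in rules:
        if (endpoint_matches(s, src_zone, src_ip) and endpoint_matches(d, dst_zone, dst_ip)
                and p in ("all", proto) and dport in ("-", str(port))):
            return verdict
    return None
```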
bump
Does anybody have an idea? Otherwise I assume it is a bug somewhere in NethServer, and I will try to reinstall everything again tomorrow. I have to get the network configuration done (subnets, firewall, VPN, HTTP (reverse) proxy, Let’s Encrypt).
Sorry, but I don’t have much time to look at this, so I will try a blind shot:
Go to the Network Services page and add all your CIDRs to the “Allow hosts” field of the nagios service.