Firewall is not running on Gateway/Proxy


(Juan Carlos Fernandez) #1

NethServer Version: 7.5.1804 (final)
Module: firewall

Today I discovered that my gateway/proxy firewall is not working. Web UI shows:

  • [Block HTTP and HTTPS ports] on [Web Proxy] as enable
  • [Mode for green zones and trusted networks] on [Web Proxy] as Manual
  • [Mode for blue zones] on [Web Proxy] as Manual
  • [Traffic to Internet (red interface)] on [Firewall Rules] as Blocked

However anyone can access the Internet, either having proxy configured or without it.

Please I need help ASAP


(Markus Neuberger) #2

Are there any errors in /var/log/messages? You may restart the relevant services to reproduce the error.

Check if the services are running:

systemctl status shorewall
systemctl status squid
systemctl status ufdb

To see more details use the -l switch:

systemctl status squid -l

EDIT:

Another thing to check: Do the clients use Nethserver as gateway?


(Juan Carlos Fernandez) #3

My brand new Manjaro KDE (which is giving me a hard time to configure) and my Nexus 6P are currently connected to this Gateway (my entire network is using DHCP). I just restored my Gateway and the problem persists. I haven’t configured proxy settings on my PC, and there are also other terminals browsing the Internet which shouldn’t be allowed to (I’m using NTOPNG on the Gateway to see this).

# systemctl status shorewall.service -l
● shorewall.service - Shorewall IPv4 firewall
   Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
  Drop-In: /usr/lib/systemd/system/shorewall.service.d
           └─nethserver-firewall-base.conf
   Active: active (exited) since Wed 2018-08-01 22:59:22 CDT; 3h 54min left
  Process: 1136 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 1136 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/shorewall.service

Aug 01 22:59:21 heimdall.dcserver.local shorewall[1136]: 25 TC commands executed
Aug 01 22:59:21 heimdall.dcserver.local shorewall[1136]: All Done! Enjoy...
Aug 01 22:59:21 heimdall.dcserver.local shorewall[1136]: bye...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Preparing iptables-restore input...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Running /sbin/iptables-restore --wait 60...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: IPv4 Forwarding Enabled
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Processing /etc/shorewall/start ...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Processing /etc/shorewall/started ...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: done.
Aug 01 22:59:22 heimdall.dcserver.local systemd[1]: Started Shorewall IPv4 firewall.

# systemctl status squid -l
● squid.service - Squid caching proxy
   Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-08-01 22:59:18 CDT; 3h 50min left
  Process: 1373 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
  Process: 1365 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
 Main PID: 1452 (squid)
   CGroup: /system.slice/squid.service
           ├─1452 /usr/sbin/squid -f /etc/squid/squid.conf
           ├─1455 (squid-1) -f /etc/squid/squid.conf
           ├─1456 (ufdbgclient) -l /var/log/squid
           ├─1457 (ufdbgclient) -l /var/log/squid
           ├─1458 (ufdbgclient) -l /var/log/squid
           ├─1459 (ufdbgclient) -l /var/log/squid
           ├─1460 (ufdbgclient) -l /var/log/squid
           ├─1461 (logfile-daemon) /var/log/squid/access.log
           ├─1973 (ufdbgclient) -l /var/log/squid
           ├─1974 (ufdbgclient) -l /var/log/squid
           ├─1975 (ufdbgclient) -l /var/log/squid
           ├─1976 (ufdbgclient) -l /var/log/squid
           └─1977 (ufdbgclient) -l /var/log/squid

Aug 01 22:59:17 heimdall.dcserver.local systemd[1]: Starting Squid caching proxy...
Aug 01 22:59:18 heimdall.dcserver.local squid[1373]: 2018/08/01 22:59:18| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Aug 01 22:59:18 heimdall.dcserver.local squid[1452]: Squid Parent: will start 1 kids
Aug 01 22:59:18 heimdall.dcserver.local squid[1452]: Squid Parent: (squid-1) process 1455 started
Aug 01 22:59:18 heimdall.dcserver.local systemd[1]: Started Squid caching proxy.

# systemctl status ufdb -l
● ufdb.service - LSB: ufdbguardd daemons from URLfilterDB
   Loaded: loaded (/etc/rc.d/init.d/ufdb; bad; vendor preset: disabled)
   Active: active (running) since Wed 2018-08-01 22:59:16 CDT; 3h 49min left
     Docs: man:systemd-sysv-generator(8)
  Process: 1137 ExecStart=/etc/rc.d/init.d/ufdb start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/ufdb.service
           └─1208 /usr/sbin/ufdbguardd -U ufdb -c /etc/ufdbguard/ufdbGuard.conf

Aug 01 22:59:15 heimdall.dcserver.local systemd[1]: Starting LSB: ufdbguardd daemons from URLfilterDB...
Aug 01 22:59:16 heimdall.dcserver.local ufdb[1137]: Starting ufdbguardd daemon OK
Aug 01 22:59:16 heimdall.dcserver.local systemd[1]: Started LSB: ufdbguardd daemons from URLfilterDB.


(Juan Carlos Fernandez) #4

@mrmarkuz what about reinstalling firewall, web filter and web proxy modules?


(Markus Neuberger) #5

Did you set up proxy bypass? Maybe you excluded your clients from using the proxy?

http://docs.nethserver.org/en/v7/web_proxy.html#bypass


(Juan Carlos Fernandez) #6

No, I did not.

Ok, this is what I did to solve the problem:

  • I removed all custom rules from the [Firewall Rules]
  • Uninstalled [Web Proxy] [Web Content] and [Basic Firewall]
  • Did a yum autoremove to remove dependency packages
  • Installed again [Web Proxy] [Web Content] and [Basic Firewall]

I’m sure that just removing the custom rules would have solved the problem, but it was late and at that moment I thought it could be a package conflict. Anyway, thanks for the help @mrmarkuz; should you ever come to Cuba I promise to buy you a big beer.

One more thing: sometimes we need to upload big files to the cloud. Due to only having an upload bandwidth of 512kbps, to speed up the upload I have to ensure that only 1 PC has access to the gateway. How can I achieve this? I know that I have to create some custom rules, but it seems that the ones I created did the trick. Could you aid me with this? I already created a [Host Group] which will have the PC for this situation.


(Joel Clendineng) #7

So firewall rules order matters, top rules will override rules further down as far as I know? Maybe that had something to do with it.


(Juan Carlos Fernandez) #8

Yeah, but shouldn’t rules like these two:

  • [Block HTTP and HTTPS ports] on [Web Proxy]
  • [Traffic to Internet (red interface)] on [Firewall Rules] as Blocked

be on top of those custom rules we define on [Firewall Rules]?

I still have my custom rules (I disabled them). Maybe I should put them here and explain what I was trying to accomplish, so that I can get some feedback. What do you guys think?


(Markus Neuberger) #9

Did you try to create a class with high min upload and map it to a firewall rule with the “upload” hostgroup as source?

Yes, that’s a good idea.


(Juan Carlos Fernandez) #10

Ok, so this is currently my Firewall Setup:

[Screenshot: Firewall Rules / Traffic shaping]

As you can see, right now I don’t have any custom rules and only 3 rules for [Traffic shaping].

What I want to do is to make a set of rules to disallow access to the Internet except for a group of PCs (a [Host Group] on [Firewall Objects] named “it-pc”). These rules would be disabled, so when we need to use our full bandwidth for a quick download/upload we will just activate this rule set, do the operation and then go back again to the normal configuration.


(Markus Neuberger) #11

I couldn’t find a way to get a high download rate for the IT-PCs except blocking the squid port for the other clients to just allow the IT-PC group.

I tried web proxy rules, which should be used for HTTP(S) when using the proxy, and also traffic shaping, without success.


[Screenshots: Web proxy rules and Traffic Shaping]


(Juan Carlos Fernandez) #12

How about making a set of rules like this one:

  • Allow any access from IT-PC to Role red
  • Allow any access from Role red to IT-PC
  • Reject any access from Role green to Role red
  • Reject any access from Role red to Role green

When enabled, this should stop all traffic through the gateway/proxy except for the group object IT-PC.
Right?


(Markus Neuberger) #13

I rejected access to the squid proxy service directly. Maybe green to red doesn’t work if you use a proxy.


(Juan Carlos Fernandez) #14

Ok, so I would also add that. By the way, in case I create a set of rules that blocks me from accessing the web UI, how can I disable all custom rules?


(Markus Neuberger) #15

To output the firewall rules:

db fwrules show

To disable rule 1:

db fwrules setprop 1 status disabled

Apply the configuration with:

signal-event firewall-adjust

http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-firewall-base.html#rules
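As an added example (not code from this thread or from the NethServer project): a small POSIX shell script that takes the `db fwrules show` output, picks every rule whose `status` is `enabled`, and disables it with the `setprop` command above, so a rule set that locks you out of the web UI can be undone from an SSH session in one go. It assumes the e-smith `db ... show` layout (a `key=type` line followed by indented `prop=value` lines); the sample output embedded below is constructed, and the property values in it are illustrative.

```shell
#!/bin/sh
# Bulk-disable all enabled rules in the NethServer 'fwrules' database and
# re-apply the firewall. Real commands used: db fwrules show / setprop and
# signal-event firewall-adjust (all shown in the thread above).
# Defaults to a dry run (DRY_RUN=1) that only prints the commands.

# Constructed sample of "db fwrules show" output, used for the demo below.
# Keys are the rule numbers; the prop values are illustrative only.
SAMPLE_SHOW='1=rule
    Action=accept
    Src=host-group;it-pc
    Dst=role;red
    status=enabled
2=rule
    Action=reject
    Src=role;green
    Dst=role;red
    status=disabled
3=rule
    Action=reject
    Src=role;red
    Dst=role;green
    status=enabled'

# Read "db fwrules show" output on stdin; print the key of every rule
# whose status property is "enabled". An unindented line starts a record.
enabled_rule_keys() {
    awk -F= '
        /^[^ \t]/ { key = $1; next }
        $1 ~ /^[ \t]+status$/ && $2 == "enabled" { print key }
    '
}

# Read keys on stdin and disable each one (or print the command in dry run).
disable_rules() {
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "db fwrules setprop $key status disabled"
        else
            db fwrules setprop "$key" status disabled
        fi
    done
}

# Offline demo on the constructed sample: prints the commands that would run.
demo() { printf '%s\n' "$SAMPLE_SHOW" | enabled_rule_keys | disable_rules; }

# Live run on the box: "sh disable-fwrules.sh run" (dry run) or
# "DRY_RUN=0 sh disable-fwrules.sh run" to disable rules and apply.
main() {
    db fwrules show | enabled_rule_keys | disable_rules
    [ "${DRY_RUN:-1}" = 1 ] || signal-event firewall-adjust
}
if [ "${1:-}" = "run" ]; then main; fi
```

Disabled rules stay in the database, so once the web UI is reachable again each one can be re-enabled from [Firewall Rules] or with the same setprop command and `status enabled`.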


(Juan Carlos Fernandez) #16

So when do web proxy rules apply?
I mean, I thought these rules:

would make [it-pc group] to have a high download rate


(Markus Neuberger) #17

I think only proxy requests are prioritized, it does not affect download rates.

Just an idea, I didn’t test:
What about using gateway instead of proxy for the IT PCs and use traffic shaping firewall rules and map “green to squid” (proxy users) to low priority and “IT PCs to red” to high priority?


(Juan Carlos Fernandez) #18

That will not work. I’m obliged to control and report all traffic to the Internet; AFAIK that’s achieved by passing traffic through a proxy and then using Lightsquid to generate reports.