NethServer Version: 7.5.1804 (final)
Module: firewall
Today I discovered that my gateway/proxy firewall is not woking, Web UI shows:
However anyone can access the Internet, either having proxy configured or without it.
Please I need help ASAP
Are there any errors in /var/log/messages? You may restart the relevant services to reproduce the error.
Check if the services are running:
systemctl status shorewall
systemctl status squid
systemctl status ufdb
To see more details use the -l switch:
systemctl status squid -l
EDIT:
Another thing to check: Do the clients use Nethserver as gateway?
My brand new Manjaro KDE (Which is giving me a hard time to configure) and my Nexus 6P are currently connected to this Gateway (My entire network is using DHCP). I just restore my Gateway and the problem persist. I haven’t configured proxy setting on my PC and there is also other terminals browsing the Internet which souldn’t be allowed to (I’m using NTOPNG on the Gateway to see this)
# systemctl status shorewall.service -l
● shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; vendor preset: disabled)
Drop-In: /usr/lib/systemd/system/shorewall.service.d
└─nethserver-firewall-base.conf
Active: active (exited) since Wed 2018-08-01 22:59:22 CDT; 3h 54min left
Process: 1136 ExecStart=/usr/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1136 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/shorewall.service
Aug 01 22:59:21 heimdall.dcserver.local shorewall[1136]: 25 TC commands executed
Aug 01 22:59:21 heimdall.dcserver.local shorewall[1136]: All Done! Enjoy...
Aug 01 22:59:21 heimdall.dcserver.local shorewall[1136]: bye...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Preparing iptables-restore input...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Running /sbin/iptables-restore --wait 60...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: IPv4 Forwarding Enabled
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Processing /etc/shorewall/start ...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: Processing /etc/shorewall/started ...
Aug 01 22:59:22 heimdall.dcserver.local shorewall[1136]: done.
Aug 01 22:59:22 heimdall.dcserver.local systemd[1]: Started Shorewall IPv4 firewall.
# systemctl status squid -l
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-08-01 22:59:18 CDT; 3h 50min left
Process: 1373 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 1365 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 1452 (squid)
CGroup: /system.slice/squid.service
├─1452 /usr/sbin/squid -f /etc/squid/squid.conf
├─1455 (squid-1) -f /etc/squid/squid.conf
├─1456 (ufdbgclient) -l /var/log/squid
├─1457 (ufdbgclient) -l /var/log/squid
├─1458 (ufdbgclient) -l /var/log/squid
├─1459 (ufdbgclient) -l /var/log/squid
├─1460 (ufdbgclient) -l /var/log/squid
├─1461 (logfile-daemon) /var/log/squid/access.log
├─1973 (ufdbgclient) -l /var/log/squid
├─1974 (ufdbgclient) -l /var/log/squid
├─1975 (ufdbgclient) -l /var/log/squid
├─1976 (ufdbgclient) -l /var/log/squid
└─1977 (ufdbgclient) -l /var/log/squid
Aug 01 22:59:17 heimdall.dcserver.local systemd[1]: Starting Squid caching proxy...
Aug 01 22:59:18 heimdall.dcserver.local squid[1373]: 2018/08/01 22:59:18| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Aug 01 22:59:18 heimdall.dcserver.local squid[1452]: Squid Parent: will start 1 kids
Aug 01 22:59:18 heimdall.dcserver.local squid[1452]: Squid Parent: (squid-1) process 1455 started
Aug 01 22:59:18 heimdall.dcserver.local systemd[1]: Started Squid caching proxy.
# systemctl status ufdb -l
● ufdb.service - LSB: ufdbguardd daemons from URLfilterDB
Loaded: loaded (/etc/rc.d/init.d/ufdb; bad; vendor preset: disabled)
Active: active (running) since Wed 2018-08-01 22:59:16 CDT; 3h 49min left
Docs: man:systemd-sysv-generator(8)
Process: 1137 ExecStart=/etc/rc.d/init.d/ufdb start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/ufdb.service
└─1208 /usr/sbin/ufdbguardd -U ufdb -c /etc/ufdbguard/ufdbGuard.conf
Aug 01 22:59:15 heimdall.dcserver.local systemd[1]: Starting LSB: ufdbguardd daemons from URLfilterDB...
Aug 01 22:59:16 heimdall.dcserver.local ufdb[1137]: Starting ufdbguardd daemon OK
Aug 01 22:59:16 heimdall.dcserver.local systemd[1]: Started LSB: ufdbguardd daemons from URLfilterDB.
Did you setup proxy bypass? Maybe you excluded your clients from using proxy?
No, I did not
Ok, this is what I did to solve the problem:
yum autoremove to remove dependencies packagesI’m sure that doing just removing the custom rules would solved the problem but it was late and at that moment I thought it could be a package conflict. Anyway thanks for the help @mrmarkuz, should you ever come to Cuba I promise to buy you a big beer.
One more thing, sometimes we need to upload big files to the cloud, due to only having an upload bandwidth of 512kbps, to speed up the upload I have to ensure that only 1 PC has access to the gateway, how can I archive this? I know that I have to create some custom rules but it seems that the ones I created did the trick. Could you aid me with this? I already created a [Host Group] which will have the PC for this situation.
So firewall rules order matters, top rules will override rules further down as far as I know? Maybe that had something to do with it.
Yeah but shouldn’t rules like this two:
Be on top of those custom rules we define on [Firewall Rules]?
I still have my custom rules (I disabled) , maybe I should put them here and explain what I was trying to accomplish, that what I can get some feedback, what do you guys think?
Did you try to create a class with high min upload and map it to a firewall rule with the “upload” hostgroup as source?
Yes, that’s a good idea.
Ok so this is currently my Firewall Setup:
As you can see right now I don’t have any custom rules and only 3 rules for [Traffic shaping]
What I want to do is to make a set of rules to disallow access to the Internet except for a group of PC (A [Host Group] on [Firewall Objects] named “it-pc”), this rules would be disabled so when we need to use our full bandwidth for a quick download/upload we will just activate this rule set, do the operation and then go back again to normal configuration.
I couldn’t find a way to get a high download rate for the IT-PCs except of blocking the squid port for the other clients to just allow the IT-PC group.
I tried web proxy rules which should be used for HTTP(S) when using proxy and also traffic shaping without success.
How about making a set of rules like this one:
Allow any access from IT-PC to Role red
Allow any access from Role red to IT-PC
Reject any access from Role green to Role red
Reject any access from Role red to Role green
When enabled this should stop all traffic through the gateway/proxy and except for group object IT-PC
Right?
I rejected access to the squid proxy service directly. Maybe green to red doesn’t work if you use a proxy.
Ok so I would also add that, by the way in case I might create a set of rules that block me from accessing the web UI, how can a disable all custom rules?
To output the firewall rules:
db fwrules show
To disable rule 1:
db fwrules setprop 1 status disabled
Apply the configuration with:
signal-event firewall-adjust
http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-firewall-base.html#rules
So when web proxy rules applies?
I mean, I thought this rules:
would make [it-pc group] to have a high download rate
I think only proxy requests are prioritized, it does not affect download rates.
Just an idea, I didn’t test:
What about using gateway instead of proxy for the IT PCs and use traffic shaping firewall rules and map “green to squid” (proxy users) to low priority and “IT PCs to red” to high priority?
That will not work, I’m obliged to control and report all traffic on Internet, AFAIK that’s achieved by passing traffic through a proxy and then using Lightsquid to generate reports
