Shorewall - Error (6010) in the line 20

Rodrigo_Vieira_da_Co · July 21, 2017, 11:54am

Hi!

In my servers, shorewall present the error:

When the line 20 is removed, and service shorewall is restarted, this service run.

What is it?
Thanks!!

bwdjames · July 21, 2017, 12:47pm

What is on line 20 in the /etc/shorewall/stoppedrules file?

Rodrigo_Vieira_da_Co · July 21, 2017, 1:01pm

bwdjames · July 21, 2017, 1:08pm

Having the number 6010 there on its own does not look correct.

If you removed that line 20, I assume the shorewall reload works fine?

Rodrigo_Vieira_da_Co · July 21, 2017, 1:10pm

yes! works fine! but only in server with the web proxy is configured… in other services, like only vm server, the service is run perfectly

bwdjames · July 21, 2017, 1:48pm

Not sure what it putting that value in there to be honest, haven’t seen that occur before.

Rodrigo_Vieira_da_Co · July 21, 2017, 1:50pm

Okay, I just saw it happen recently in 03 servers that I installed … I’m also seeing the relationship with shorewall … I do not have anything configured as a 6010 port, I’m still researching a solution. Thank you!

dnutan · July 21, 2017, 2:05pm

Does this command returns anything:

netstat -tunap |grep 6010

Do you use X11 forwarding with ssh?

Rodrigo_Vieira_da_Co · July 21, 2017, 2:07pm

Yes, the X11 is actived

dnutan · July 21, 2017, 2:11pm

What’s the outcome of:

ss -nlp4t | grep sshd

Rodrigo_Vieira_da_Co · July 21, 2017, 2:12pm

dnutan · July 21, 2017, 2:18pm

cc/ @davidep @giacomo
The bug is in this script:

github.com

NethServer/nethserver-firewall-base/blob/master/root/etc/e-smith/templates/etc/shorewall/stoppedrules/20running_sshd

{
    my $ssh_port = `ss -nlp4t | grep sshd |  grep -v -F "127.0.0.1" | awk '{print \$4}' | cut -d':' -f 2` || return '';
    $ssh_port =~ s/^\s+//;
    $ssh_port =~ s/\s+$//;
    if ($sshd{'TCPPort'} ne $ssh_port) {
        $OUT .= "\n# Make sure running sshd port is open\n";
        foreach (split("\n", $ssh_port)) { # handle multiple SSH server instances
            $OUT .= "ACCEPT  -  \$FW  tcp  $_\n";
        }
    }
}

Rodrigo_Vieira_da_Co · July 21, 2017, 2:22pm

wow!!! great, man!!

How do we fix the bug and send the patch to the developers of nethserver?

dnutan · July 21, 2017, 2:38pm

Mmm… Good question. I don’t know the answer so I ask the same.

Do you want X11 forwarding available when the firewall is stopped/restarting?

stoppedrules — The Shorewall file that governs what traffic flows through the firewall while it is in the ‘stopped’ state.

What’s the outcome of:

echo `ss -nlp4t | grep sshd  | awk '{print \$4}' | cut -d':' -f 2`

P.S. Sorry, I don’t have x11 forwarding set up for testing

Rodrigo_Vieira_da_Co · July 21, 2017, 2:42pm

dnutan · July 21, 2017, 2:48pm

I don’t know much Perl but seems an easy fix is possible.
Maybe set ssh_port to an array and wrap the if statement within a (foreach) loop.
Do you have some experience with?

Rodrigo_Vieira_da_Co · July 21, 2017, 2:54pm

I Go Try modify the script…

filippo_carletti · July 21, 2017, 4:13pm

Great finding, a really nasty bug.
I’d change the code like:

ss -nlp4t | grep sshd | grep -v 127\.0\.0\.1 | awk '{print $4}' | cut -d':' -f 2

to filter out sshd listening on localhost from X forwarding.

filippo_carletti · July 21, 2017, 4:22pm

I did a test, replicated the problem and verified the fix.
Expect an update next week. Mean while you can keep your file modified as I suggested.

Rodrigo_Vieira_da_Co · July 21, 2017, 6:13pm

thanks, Filippo!! Great Help, Man!!!
Nethserver is a wonderful Linux Solution! Powerfull!!!