Shorewall random lock ports 53 dns

france · September 19, 2019, 4:22pm

Neth server 7.6 1810
shorewall

Hi everyone, I use nethserver with only one network interface and with the AD configuration having the br0 bridge interface. Upstream of the server there is a firewall that forwards to the server neth the domain area to have the resolution of the host names.
I noticed that neth’s firewall blocks firewall queries regarding dns resolution.
The block concerns only the domain area eg. internal2.lan, but if I make a reverse query, it is solved correctly and quickly.
I attach log:
neth7 kernel: Shorewall: loc2fw: REJECT: IN = br0 OUT = MAC = 08: 00: 27: 11: cc: 38: 08: 00: 27: 95: 64: c3: 08: 00 SRC = 192.168.3.2 DST = 192.168.3.83 LEN = 85 TOS = 0x00 PREC = 0x00 TTL = 64 ID = 52076 PROTO = UDP SPT = 53 DPT = 42153 LEN = 65

alefattorini · September 24, 2019, 2:36pm

Sorry for the late response man.

I’d like to mention people like @dnutan @filippo_carletti @bwdjames

filippo_carletti · September 24, 2019, 2:55pm

You could trace the packet to see which firewall rule is rejecting it. Or try to guess looking at the output of shorewall show. I bet on a wrong firewall rule you added.

france · September 24, 2019, 5:08pm

Hi Filippo Thanks information As soon as possible I will verify the firewall rules. today I can’t understand the fact that the physical interface is only one and there is a bridge that is a virtual interface since the server downstream of the firewall cannot understand why the firewall that has the same network address is blocked . however as soon as I check in I will keep you informed.

EddieA · September 24, 2019, 11:01pm

The request is being sent to port 42153. Have you opened the firewall for that port and what is listening.

Cheers.

france · October 1, 2019, 6:52am

Hi, I performed a show of the rules and looked at what can refer to the blocking of the dns port. I looked carefully at the chains, but found it difficult to interpret the various blocks. Here’s how:
Shorewall 5.1.10.2 filter Table at neth7.internal2.lan - Tue Oct 1 07:20:55 CEST 2019

Counters reset Mon Sep 30 18:37:37 CEST 2019

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6757K 742M br0_in all – br0 * 0.0.0.0/0 0.0.0.0/0
701K 715M ACCEPT all – lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:INPUT:REJECT:”
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 br0_fwd all – br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ppp+_fwd all – ppp+ * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:FORWARD:REJECT:”
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
698K 18G ACCEPT all – * br0 0.0.0.0/0 0.0.0.0/0
701K 715M ACCEPT all – * lo 0.0.0.0/0 0.0.0.0/0
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:OUTPUT:REJECT:”
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain br0_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp – * br0 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – * br0 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all – * br0 192.168.17.0/24 0.0.0.0/0
0 0 ACCEPT all – * br0 192.168.19.0/24 0.0.0.0/0
0 0 ACCEPT all – * br0 192.168.3.0/24 0.0.0.0/0
0 0 ACCEPT all – * br0 192.168.5.0/24 0.0.0.0/0
0 0 net2loc all – * br0 0.0.0.0/0 127.0.0.1
0 0 net2loc all – * br0 0.0.0.0/0 192.168.17.0/24
0 0 net2loc all – * br0 0.0.0.0/0 192.168.19.0/24
0 0 net2loc all – * br0 0.0.0.0/0 192.168.3.0/24
0 0 net2loc all – * br0 0.0.0.0/0 192.168.5.0/24
0 0 ACCEPT all – * br0 0.0.0.0/0 0.0.0.0/0

Chain br0_in (1 references)
pkts bytes target prot opt in out source destination
6757K 742M dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
14497 2339K smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
110 38763 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
6729K 737M tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2fw all – * * 127.0.0.1 0.0.0.0/0
0 0 loc2fw all – * * 192.168.17.0/24 0.0.0.0/0
0 0 loc2fw all – * * 192.168.19.0/24 0.0.0.0/0
6706K 674M loc2fw all – * * 192.168.3.0/24 0.0.0.0/0
0 0 loc2fw all – * * 192.168.5.0/24 0.0.0.0/0
50868 69M ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,143,4190,993,995,80,443,980,25,465,587,2222 / dovecot, httpd, httpd-admin, postfix, sshd */
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
6 1195 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:net2fw:DROP:”
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain dynamic (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * * 66.249.64.106 0.0.0.0/0

Chain loc2fw (5 references)
pkts bytes target prot opt in out source destination
6692K 671M ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping /
8197 1826K ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 5353,123 / avahi-daemon, chronyd /
6 360 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 / cups /
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpt:631 / cups /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 / dnsmasq /
2265 178K ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 53,67,69 / dnsmasq /
1262 80768 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 110,143,4190,993,995,80,443,980,19999 / dovecot, httpd, httpd-admin, netdata /
476 74584 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 137,138 / nmb /
21 1304 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 multiport dports 25,465,587,139,445,2222 / postfix, smb, sshd */
2089 133K DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
65 5636 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:loc2fw:REJECT:”
65 5636 reject all – * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:logdrop:DROP:”
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:logreject:REJECT:”
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (5 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type ANYCAST
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:net2loc:DROP:”
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain ppp+_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 sfilter all – * ppp+ 0.0.0.0/0 0.0.0.0/0 [goto]
0 0 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0

Chain reject (5 references)
pkts bytes target prot opt in out source destination
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all – * * 224.0.0.0/4 0.0.0.0/0
0 0 DROP 2 – * * 0.0.0.0/0 0.0.0.0/0
1 40 REJECT tcp – * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
64 5596 REJECT udp – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT icmp – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-unreachable
0 0 REJECT all – * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain sfilter (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 limit: up to 1/sec burst 10 mode srcip LOG flags 0 level 6 prefix “Shorewall:sfilter:DROP:”
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain sha-lh-216b87e5116e9bc7d3cb (0 references)
pkts bytes target prot opt in out source destination

Chain sha-rh-3f4117dcfe01d5a72b83 (0 references)
pkts bytes target prot opt in out source destination

Chain shorewall (0 references)
pkts bytes target prot opt in out source destination
0 0 all – * * 0.0.0.0/0 0.0.0.0/0 recent: SET name: %CURRENTTIME side: source mask: 255.255.255.255

Chain smurfs (2 references)
pkts bytes target prot opt in out source destination
61 22258 RETURN all – * * 0.0.0.0 0.0.0.0/0
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type BROADCAST
0 0 DROP all – * * 224.0.0.0/4 0.0.0.0/0

Chain tcpflags (3 references)
pkts bytes target prot opt in out source destination
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x19/0x09
0 0 DROP tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp spt:0 flags:0x17/0x02

filippo_carletti · October 1, 2019, 8:27am

You may have a loop in dns resolution.
It’s hard to tell more without more details about network configuration.

france · October 1, 2019, 9:26am

I think you’re right because in the network configuration I think there’s a dns lookup. I do some tests to see where the error occurs. thanks

france · October 2, 2019, 6:13am

Thanks Filippo, I found the loop you suspected

Hitesh_Dubey · January 22, 2021, 2:42pm

Hi, please go trough with attached log link.
shorewall-log
Same i am facing this issue. Please let me know solution for the same.

filippo_carletti · January 22, 2021, 7:08pm

I hope @france can give you more details about finding the loop in the dns lookups.
Think about the DNS servers you are using in your network.