Shorewall sfilter dropping connections

I’m having a slight issue with the firewall, dropping connections with the sfilter.

My scenario: I have multiple LAN clients connecting through the NS box. I have 2 NICs in the NS box: one NIC is on the RED zone and the other on the GREEN zone.
For the most part, everything is working; LAN clients can pick up their mail and browse the internet.
In the morning when clients power up their PCs, they have no internet connection. I see entries in the firewall.log with the sfilter, as below. I've removed the MACs.

Feb 19 07:41:15 mailway kernel: Shorewall:sfilter:DROP:IN=ens33 OUT=ens33 MAC=xxxxxxxxxxxxxxxxx SRC=192.168.254.205 DST=216.58.201.3 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=6132 DF PROTO=UDP SPT=56546 DPT=443 LEN=1358

Now, if I ping the client IP from the NS box, it all starts working.
Restarting the firewall has no effect. Once the firewall restarts, entries start in the firewall.log again.
Also, on the client end, if I try to ping a website on the internet, I get DNS name resolution, but all packets are dropped, and ICMP is blocked again by the sfilter in the firewall.
If on the client end I ping the NS server, then it all starts working.
If on the client end I disable the NIC, then restart it, it starts working.

The NS server is always on. Only the LAN clients get shut down at the end of the day.

Any help would be appreciated
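As an added example (not code from the thread or from NethServer/Shorewall), a small Python parser for Shorewall kernel log lines like the one posted above. It groups sfilter drops by source address and lists the entries whose IN and OUT interfaces are identical, which is what the posted line shows (IN=ens33 OUT=ens33). The sample log text is constructed, modelled on the posted line, with MACs redacted.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the one in the post; addresses and MACs are placeholders.
SAMPLE_LOG = """\
Feb 19 07:41:15 mailway kernel: Shorewall:sfilter:DROP:IN=ens33 OUT=ens33 MAC=xx SRC=192.168.254.205 DST=216.58.201.3 LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=6132 DF PROTO=UDP SPT=56546 DPT=443 LEN=1358
Feb 19 07:41:16 mailway kernel: Shorewall:sfilter:DROP:IN=ens33 OUT=ens33 MAC=xx SRC=192.168.254.205 DST=216.58.201.3 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6133 DF PROTO=TCP SPT=50222 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 19 07:42:01 mailway kernel: Shorewall:sfilter:DROP:IN=ens33 OUT=ens33 MAC=xx SRC=192.168.254.210 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7001 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb 19 07:42:05 mailway kernel: Shorewall:net-fw:DROP:IN=ens34 OUT= MAC=xx SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb 19 07:42:09 mailway systemd[1]: Started Session 12 of user root.
"""

# Syslog prefix, then the "Shorewall:<chain>:<action>:" tag, then the netfilter key=value fields.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF or SYN are skipped


def parse_line(line):
    """Return a dict for one Shorewall log line, or None for unrelated lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "chain": m.group("chain"), "action": m.group("action")}
    for key, val in KV_RE.findall(m.group("rest")):
        rec.setdefault(key, val)  # keep the first LEN/ID (IP header), not the later L4 copy
    return rec


def triage(log_text):
    """Count sfilter drops per SRC and list drops where the IN and OUT interface match."""
    per_src = Counter()
    same_iface = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chain"] != "sfilter":
            continue
        per_src[rec["SRC"]] += 1
        if rec.get("IN") and rec["IN"] == rec.get("OUT"):
            same_iface.append((rec["ts"], rec["SRC"], rec["DST"], rec.get("PROTO"), rec.get("DPT")))
    return per_src, same_iface


if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print("sfilter drops per source:", dict(counts))
    for entry in flagged:
        print("same-interface drop:", entry)
```

Point it at /var/log/firewall.log instead of SAMPLE_LOG to see which clients are being dropped and whether every drop has the same IN/OUT pattern as the posted line.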

Could you post shorewall rules if you have set them?
And also the shorewall version output.

State:Started Tue Feb 19 16:29:37 GMT 2019 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Tue Feb 19 16:29:36 GMT 2019 by Shorewall version 5.1.10.2)

Ok. Shorewall is up to date. Can you post your rules if you have?

Clients are receiving ip addresses from NethServer as DHCP Server?

No, all clients have static IPs.

Thanks.
Are there any reservations for these static IP addresses into DHCP Server?
Are these hosts objects or part of firewall groups?

No, DHCP is disabled. All are host objects and have DNS entries.

Thanks for answering my questions.
@federico.ballarini asked

Try these things:

  • disable all rules and check if something changes. Try also the commands shorewall stop and shorewall start and see if there is any error
  • try to ping from a pc with a static address
  • try to ping from a pc with a dhcp address if it is possible
  • post output of command shorewall status
  • check if shorewall trace check -r returns any error
  • check and post output of /var/log/firewall.log and /var/log/messages.log

Use ping www.google.com as the command: you can be sure that it will answer.
Refer also to http://shorewall.org/troubleshoot.htm to troubleshoot the problem.