Shorewall sfilter dropping connections

I’m having a slight issue with the firewall, dropping connections with the sfilter.

My scenario, I have multiple LAN clients connecting through the NS box. I have 2 NIC’s in the NS box. 1 NIC is on the RED , and the other on the GREEN zones.
For the most part, everything is working, LAN clients can pickup their mail and browse the internet.
In the morning when clients power up their PC, they have no internet connection. I see entries in the firewall.log , with the sfilter as below. I’ve removed the MAC’s

Feb 19 07:41:15 mailway kernel: Shorewall:sfilter:DROP:IN=ens33 OUT=ens33 MAC=xxxxxxxxxxxxxxxxx SRC= DST= LEN=1378 TOS=0x00 PREC=0x00 TTL=127 ID=6132 DF PROTO=UDP SPT=56546 DPT=443 LEN=1358

Now, if I ping the client IP from the NS box , its all starts working.
Restarting the firewall has no affect. Once the firewall restarts, entries start in the firewall.log again.
Also, on the client end, if I try and ping a website on the internet, I get a DNS name resolution, but all dropped packets, and ICMP is blocked again by the sfilter in the firewall.
If on the client end I ping the NS server, then it all starts working.
If on the client end I disable the NIC, then restart it, it starts working.

The NS server is aways on. Only the LAN clients get shutdown at the end of the day.

Any help would be appreciated

Could you post shorewall rules if you have set them?
And also shorewall version output

State:Started Tue Feb 19 16:29:37 GMT 2019 from /etc/shorewall/ (/var/lib/shorewall/firewall compiled Tue Feb 19 16:29:36 GMT 2019 by Shorewall version

Ok. Shorewall is up to date. Can you post your rules if you have?

Clients are receiving ip addresses from NethServer as DHCP Server?

No, all clients have static IP’s

Are there any reservations for these static IP addresses into DHCP Server?
Are these hosts objects or part of firewall groups?

No, DHCP is disabled. All are host objects , and have DNS entries

Thanks for answering to my questions.
@federico.ballarini asked

Try these things:

  • disable all rules and check if something changes. Try also command shorewall stop and shorewall start and see if there is any error
  • try to ping from a pc with a static address
  • try to ping from a pc with a dhcp address if it is possible
  • post output of command shorewall status
  • check if shorewall trace check -r returns any error
  • check and post output of /var/log/firewall.log and /var/log/messages.log

Use ping as command: you’re sure that it will answer.
Refer also to to troubleshoot the problem.

1 Like