I have an Ubuntu 8.04 server with shorewall 4.0.6 installed. When I try to upload files using FTP, SCP, or cURL the file upload stalls almost immediately and eventually times out. If I turn off shorewall then the uploads work fine. I don't have any rules that specifically allow FTP and I'm not too concerned with it, but I do need to be able to upload via 22 (SCP) and 80 & 443 (cURL).

This is what my rules look like:

```
COMMENT Allow Server to respond to any web (80) and SSL (443) requests
ACCEPT          net             $FW             tcp     80
ACCEPT          $FW             net             tcp     80
ACCEPT          net             $FW             tcp     443
ACCEPT          $FW             net             tcp     443

COMMENT Allow Server to respond to SNMPD (161) requests
ACCEPT          net             $FW             udp     161

COMMENT Allow Server to respond to MySQL (3306) requests (for MySQL Graphing)
ACCEPT          net             $FW             tcp     3306

COMMENT Allow Server to respond to any SSH connection attempts, and to SSH out.
SSH/ACCEPT      net             $FW
SSH/ACCEPT      $FW             net

COMMENT Allow Server to make DNS Requests out.
DNS/ACCEPT      $FW             net

COMMENT Default "close" anything else.
Ping/REJECT     net             $FW
ACCEPT          $FW             net             icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

I expected the top four ACCEPT lines to allow inbound and outbound traffic over 80 and 443 and I expected the two SSH/ACCEPT lines to allow inbound and outbound traffic over 22, including SCP.

Any help is greatly appreciated.

/etc/shorewall/policy contains the following (all lines above are commented out):

```
#
# Allow all connection requests from the firewall to the internet
#
$FW             net             ACCEPT

#
# Policies for traffic originating from the Internet zone (net)
# Drop (ignore) all connection requests from the Internet to the firewall
#
net             all             DROP            info

# THE FOLLOWING POLICY MUST BE LAST
# Reject all other connection requests
all             all             REJECT          info

#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```
JamesArmes

2 Answers

FTP is not going to work with these rules until you allow it explicitly (unless you have a permitting policy instead, which would make these rules pointless).

Your rules seem to allow SSH, HTTP and HTTPS though, but you can check your log files or capture traffic to verify this.

By the symptom you mention (starts and then stalls) I think your TCP MSS might be misconfigured. See your shorewall.conf and check the CLAMPMSS parameter. You might want to try clamping it low and see if the problem goes away.

Edit: I see in your policy file that you allow all outgoing traffic, so Shorewall shouldn't be the cause of your problem. Does the problem persist if you clear Shorewall? (shorewall clear).

joechip
  • I checked /etc/shorewall/shorewall.conf and CLAMPMSS is set to "No" – JamesArmes Jun 28 '11 at 23:32
  • Well, try setting to, say, 800 and restart shorewall. If the problem persists, it's probably something else. – joechip Jun 29 '11 at 00:18
  • I set it to 800 and restarted shorewall, still getting the same result. – JamesArmes Jun 29 '11 at 01:02
  • Does the problem persist if you deactivate Shorewall by running "shorewall clear"? – joechip Jun 29 '11 at 03:45
  • I am able to successfully upload files after running "shorewall clear" – JamesArmes Jun 29 '11 at 13:03
  • Well, maybe your shorewall installation is somehow hosed or incompatible with your Ubuntu's traffic classification, and you might want to update it to the latest version (the one you have is currently unsupported too). If in doubt, see the [Shorewall homepage](http://shorewall.net/). – joechip Jun 29 '11 at 22:46
  • Thanks @joechip. We're currently working on pushing a systems update to our customers which would update the currently installed version of shorewall. What I find odd is that this same setup works for a number of other customers. Same exact software and configuration (they all came from the same OVF file). – JamesArmes Jun 30 '11 at 13:13
Please make sure that there is no traffic shaper running (maybe shorewall starts one). You could check this by running `tc qdisc show dev eth0`. If there is no shaper active, it may help to have an output of

```
# -L takes an optional chain name as an attached argument, so "-Lnv" is read
# as "list chain nv"; put -n and -v first.
iptables -nvL
iptables -nvL -t mangle
```
Thomas Berger
  • The results of `tc qdisc show dev eth0` was "qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1". I get the same result when shorewall is on that I do when it is off. – JamesArmes Jun 28 '11 at 23:39
  • ok, there is a traffic shaper active, shorewall is just the "trigger" maybe. You could delete eth0 from the shaper this way: `tc qdisc del dev eth0 root`. But this may be only a temp. solution. Have a look at the documentation/wiki/board/here... of your distribution to get some hints where it comes from. @JamesArmes – Thomas Berger Jun 28 '11 at 23:47
  • **UPDATE** Follow up should be started at [askubuntu](http://askubuntu.com/) – Thomas Berger Jun 28 '11 at 23:54
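The two answers above ask for the same four pieces of evidence: the CLAMPMSS setting in shorewall.conf, whether an MSS clamp rule actually landed in the mangle table, what queueing discipline sits on eth0, and which firewall rule is counting dropped packets. The script below is an added example, not code from the thread or from Shorewall; it parses captured output of those commands so it can be run offline and without root. All sample files it writes are constructed to mimic real `shorewall.conf`, `iptables -nvL` and `tc qdisc show` output and are not the original poster's data. One caveat it encodes: `pfifo_fast` (like `mq` and `noqueue`) is the kernel's default queueing discipline, so seeing it on an interface is not by itself evidence of a shaper.

```shell
#!/bin/sh
# Added example (not from the original thread): offline checks for the
# things the answers ask about, run against captured command output.
# The sample files at the bottom are constructed, not real captures.

# CLAMPMSS value from a shorewall.conf-style file: skips comments and blank
# lines, strips quotes, prints "unset" if the key never appears.
clampmss_setting() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 ~ /^[ \t]*CLAMPMSS[ \t]*$/ {
            found = 1; v = $2
            gsub(/^[ \t"]+|[ \t"]+$/, "", v); val = v
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# TCPMSS rules in "iptables -t mangle -nvL" output, one line per rule as
# "CHAIN: clamp to PMTU" or "CHAIN: set 800". No output means no clamping
# reached the kernel, whatever shorewall.conf says.
mss_clamp_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $3 == "TCPMSS" { sub(/.*TCPMSS /, ""); print chain ": " $0 }
    ' "$1"
}

# Classify "tc qdisc show dev ethN" output. pfifo_fast, mq and noqueue are
# the kernel defaults, not shapers; anything else (htb, tbf, hfsc, prio,
# sfq, ...) means something configured shaping on the device.
shaper_on_dev() {
    awk '
        $1 == "qdisc" && $2 !~ /^(pfifo_fast|mq|noqueue)$/ { found = 1 }
        END { print (found ? "shaper" : "default") }
    ' "$1"
}

# Rules in "iptables -nvL" output whose target is a terminal DROP/REJECT and
# whose packet counter is non-zero: the rules actually eating traffic.
# Use -x on the live command so counters print exactly instead of as "12K".
dropping_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" && $3 ~ /^(DROP|REJECT)$/ {
            print chain ": " $1 " pkts -> " $3
        }
    ' "$1"
}

# --- constructed sample captures (hypothetical values) ----------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/shorewall.conf" <<'EOF'
# a comment mentioning CLAMPMSS=Yes must be ignored
STARTUP_ENABLED=Yes
CLAMPMSS=800
EOF

cat >"$tmp/mangle.txt" <<'EOF'
Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS set 800
EOF

cat >"$tmp/tc.txt" <<'EOF'
qdisc pfifo_fast 0: root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
EOF

cat >"$tmp/tc_htb.txt" <<'EOF'
qdisc htb 1: root refcnt 2 r2q 10 default 0 direct_packets_stat 0
EOF

cat >"$tmp/filter.txt" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  412 31190 net2fw     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
  380 28800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
   17  1120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
   17  1120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF

echo "CLAMPMSS:    $(clampmss_setting "$tmp/shorewall.conf")"
echo "MSS rules:   $(mss_clamp_rules "$tmp/mangle.txt")"
echo "eth0 qdisc:  $(shaper_on_dev "$tmp/tc.txt")"
echo "eth0 (htb):  $(shaper_on_dev "$tmp/tc_htb.txt")"
echo "dropping:    $(dropping_rules "$tmp/filter.txt")"
```

On a live box, replace the sample files with `iptables -nvxL`, `iptables -nvxL -t mangle` and `tc qdisc show dev eth0` redirected to files, and compare `dropping_rules` output taken during a stalled upload against a run with `shorewall clear`: if the counters on a DROP or REJECT rule climb only while Shorewall is loaded, that rule is the one to look at, and `mss_clamp_rules` tells you whether the CLAMPMSS experiment from the first answer actually produced a rule.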