Shorewall issues on Debian Squeeze

Fred Lappert · 02-15-2012, 11:40 AM

We recently moved to a new server running Debian Squeeze.

A few weeks after putting the server into production, I did a routine apt-get dist-upgrade. Usually there are no surprises.

But we noticed all of a sudden we could not access mail via pop3, and we could not log in to Webmin.

After a bit of research on system logs, I discovered the issue related to Shorewall. Up until that point, I had never even heard of Shorewall (obviously I'm not s security expert).

As a temporary fix I can issues a "shorewall clear" to gain access to mail, and later issue a "shorewall restart" to block it again.

But I have some questions:

- if this was installed or enabled by the dist-upgrade, then what did it replace? Is it really needed or necessary? (or better, what value does it have?)

- and where and how would I change the Shorewall configuration so it doesn't block mail or webmin? If Shorewall is worth using, then there has to be a way to allow access to mail and Webmin.

Thank you.

AlucardZero · 02-15-2012, 12:06 PM

Including the relevant error messages in your request for help is a big part of getting helped.

Shorewall is a firewall. I can't imagine it is a dependency of anything, so you must have installed it at some point. Next time you should pay more attention to what dist-upgrade does. The choice of having a firewall or not is your decision as the admin.

Shorewall has wonderful documentation. Browse it at http://shorewall.net/ . The basic config files are in /etc/shorewall. You should read them/the docs to figure out what to edit. There are also example configs for various setups at - iirc - /usr/share/doc/shorewall/examples. Of course there is a way to allow the services you want.

Fred Lappert · 02-15-2012, 12:44 PM

Thanks for the reply. We just installed the new machine in mid-January. I did not install Shorewall... didn't even know it existed. Maybe it was there to begin with. But something happened when I did the dist-upgrade on January 28th. That's when I couldn't access pop3 mail or Webmin.

From Syslog, trying to connect with webmin

Quote:

Jan 28 13:18:25 shaw kernel: [14750395.928866] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:62:88:6e:00:19:2f:e8:fa:00:08:00 SRC=nnn.nnn.nnn.nnn DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=24815 DF PROTO=TCP SPT=55224 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 13:18:28 shaw kernel: [14750398.680029] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:62:88:6e:00:19:2f:e8:fa:00:08:00 SRC=nnn.nnn.nnn.nnn DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=24817 DF PROTO=TCP SPT=55223 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0

and trying to access pop3 mail:

Quote:

Jan 28 13:19:33 shaw kernel: [14750463.864621] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:62:88:6e:00:19:2f:e8:fa:00:08:00 SRC=nnn.nnn.nnn.nnn DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=24845 DF PROTO=TCP SPT=55225 DPT=110 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 28 13:19:33 shaw kernel: [14750463.906600] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:30:48:62:88:6e:00:19:2f:e8:fa:00:08:00 SRC=nnn.nnn.nnn.nnn DST=zzz.zzz.zzz.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=116 ID=24847 DF PROTO=TCP SPT=55226 DPT=110 WINDOW=8192 RES=0x00 SYN URGP=0