# Shorewall suddenly stopped working [solved]

## NotExcessive

I have a problem that I hope someone can help me with. I'm currently running a server with 3 NICs in it as a firewall, using shorewall. eth0 connects to the ADSL modem, eth1 connects to a DMZ machine, and eth2 connects to the trusted LAN. Everything was working fine until about a week ago, when the LAN machines couldn't surf the web any more. There have been no hardware changes or faults, and there have been no software mods or upgrades to the system, nor any configuration changes.

Problem is, the firewall machine can surf the net, but that's it. The outside world can see the websites on the DMZ machine, and the LAN machines can go through eth2, through the firewall, out eth1, and into the DMZ to see the websites, do ftp, and anything else "internal" as it is, but no more. Skype to the LAN works, instant messengers like MSN and ICQ etc. are sporadic at best.

Before I post any config files, can anyone tell me what might be the cause of the brain damage considering nothing's been changed on the system? I've already reinstalled iptables, and shorewall, and checked the shorewall configuration files (which don't seem to have changed as far as I can tell), and come up with zero. Nothing's wrong, and yet it doesn't work, if you know what I mean.

Last edited by NotExcessive on Tue May 06, 2008 5:44 pm; edited 1 time in total

----------

## Vieri

Are you saying that the LAN machines can't connect to port 80 on the Internet?

What about other ports?

Do SMTP, HTTPS, FTP work?

Did you double-check routing on the LAN machines? (gw, etc)

Did you by any chance install/configure an HTTP proxy during the past week?

Did you try a tcpdump on eth0 and eth2 to see if packets get to the shorewall box and if they go out on the right interface?

----------

## NotExcessive

*Vieri wrote:*

> Are you saying that the LAN machines can't connect to port 80 on the Internet?

That's the thing. When it first started to fail, you could go to a handful of sites only. For example google.com was OK but google.com.au was not. dlink.com was OK but neatorama.com was not. And when you could reach sites, they came in at full speed. Now, there's nothing at all. Mind you, surfing from the firewall server itself is 100%.

*Vieri wrote:*

> What about other ports?

It's odd. Skype is fine. MSN is erratic. ICQ and Jabber are no-go. On the other hand, the world can see my web sites on the DMZ just fine, and they load quickly.

*Vieri wrote:*

> Do SMTP, HTTPS, FTP work?

Mail used to go through, but now it's ground to a halt. I have an IMAP mail server on the trusted LAN. Clients can still ftp into the server on the DMZ. I can ftp from the LAN into the DMZ.

*Vieri wrote:*

> Did you double-check routing on the LAN machines? (gw, etc)

Yes, just in case something stupid happened. All OK. And everybody can ping everybody else across all NICs.

*Vieri wrote:*

> Did you by any chance install/configure an HTTP proxy during the past week?

Nope. Nada. I emerge --sync every midnight but auto updates are disabled. Besides, it wouldn't prevent all other ports from working properly, only 80.

*Vieri wrote:*

> Did you try a tcpdump on eth0 and eth2 to see if packets get to the shorewall box and if they go out on the right interface?

When it does go through, from what I can tell, the packets seem to be going where they should; it's just that bugger all seems to be coming out. Something broke but I don't have a clue as to what. As I said, no changes have been made to the system; it just ground to a halt over about a day.

----------

## Vieri

*Quote:*

> When it does go through, from what I can tell, the packets seem to be going where they should

What about when it doesn't seem to work?

Try to reproduce the problem and dump all the info you can get when it happens. Just a thought: I suggest you pick a target such as a static public IP address (resolve a host name and stick to it) and try connecting via port 80.

Test 1: from LAN host to Internet. While trying to make connections multiple times to remote port 80, tcpdump both eth0 and eth2 to a file. Also run a shorewall dump as specified on the Shorewall support web site.

Test 2: from the shorewall box do the same and dump again.

You could then subscribe to the shorewall mailing list where you will definitely find excellent support.

By the way, are you sure the switches are fine? And the eth2 hardware? I've had issues with some switches going unstable.

I would try replacing the switch and maybe even replacing eth2's ethernet card before going any further.

[EDIT]

*Quote:*

> I can ftp from the LAN into the DMZ

Well, it seems that your switch is fine, I guess...

Maybe you could just test another NIC for eth2.

[EDIT2]

Sorry, I must be tired and giving dumb suggestions. In Test 2 there is no need to dump if the connections are fine, of course, unless you want to compare.

----------

## NotExcessive

*Vieri wrote:*

> Well, it seems that your switch is fine, I guess...
>
> Maybe you could just test another NIC for eth2.
> ...

Well, I swapped eth0 and eth2 around, the idea being that if the original eth2 card was stuffed, it would now stop the modem connection working on eth0, and so even surfing from the firewall wouldn't work any more. Unfortunately, the connection still went like a rocket, so that wasn't it. All I can think of is that the ipmasq from ppp0 on eth0 to eth1 and eth2 has somehow gone brain dead, because I just can't see anything wrong with Shorewall.

----------

## NotExcessive

Well, I finally solved it. After much screaming at the machine and nearly nailing the cat to the power supply, it turns out that there was nothing really wrong with it. What happened was that the bloody DSLAM had been altered to accept a lower MSS value, and that value happened to be less than what we'd been running unchanged for the past two years. So the system dropped off the radar.

----------
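The symptom pattern in this thread (pings and small exchanges fine, some sites load and others hang, mail stalls) is what a TCP MSS larger than the upstream link can carry looks like. As an added illustration that is not code from the thread, the following Python reads the MSS option out of a captured TCP SYN (here a constructed sample segment, not a real capture) and flags it when it exceeds what a given link MTU allows; the 1492-byte PPPoE MTU used in the test is an assumption, not a value from the posts.

```python
import struct

# Constructed sample: a minimal IPv4 + TCP SYN carrying one MSS option.
# 1460 is what a LAN host on plain 1500-byte Ethernet normally advertises.
def build_syn(mss):
    # IPv4 header (20 bytes): version 4 / IHL 5, total length 44, TTL 64,
    # protocol 6 (TCP); checksum left at zero since this is an offline sample.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    # TCP header: data offset 6 words (24 bytes incl. one 4-byte option),
    # flags 0x02 = SYN, window 65535, checksum and urgent pointer zero.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    opt = struct.pack("!BBH", 2, 4, mss)  # option kind 2 = MSS, length 4
    return ip + tcp + opt

def tcp_mss(packet):
    """Return the MSS advertised in a TCP SYN, or None if absent or not a SYN."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4         # TCP header length in bytes
    if not tcp[13] & 0x02:                # SYN flag not set
        return None
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP padding, single byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None

def exceeds_link_mss(packet, link_mtu):
    """True when the SYN's MSS is larger than link MTU minus 40 bytes of IPv4+TCP headers."""
    mss = tcp_mss(packet)
    return mss is not None and mss > link_mtu - 40

if __name__ == "__main__":
    syn = build_syn(1460)
    print("MSS advertised:", tcp_mss(syn))
    print("too large for a 1492-byte PPPoE link:", exceeds_link_mss(syn, 1492))
```

When the check is true for SYNs crossing the firewall, the usual remedy on the Shorewall box is CLAMPMSS in shorewall.conf, which installs the equivalent of an iptables TCPMSS --clamp-mss-to-pmtu rule so that LAN hosts never advertise more than the upstream link accepts.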

