Firewall stops forwarding packets after roughly a week

From: Bas Rijniersce
Date: Fri Mar 02 2007 - 12:59:54 EST


Hello,

Basic info:

Distro = centos-release-4-4.2
Kernel = 2.6.9-42.0.3.EL
OpenSwan = Linux Openswan 2.CVSHEAD (klips)

The firewall has two interfaces, one LAN side (192.168.70.1) and one WAN
side (y.y.y.y).
The firewall runs OpenSwan to build a tunnel with a Cisco VPN Concentrator
3500 on the other end. The private IP of the machine we reach on the other
end is 172.16.7.13.

The firewall rules are managed with Vuurmuur
(http://vuurmuur.sourceforge.net/)

The whole setup runs perfectly fine for roughly a week, but then the
clients can no longer connect to 172.16.7.13. Only a reboot gets
everything going again.

I excluded the remote end and IPSEC tunnel since I see their ping reply
coming back on the ipsec0 interface. But it never makes it out on the
eth0 interface.

Using iptables I added some logging rules to see what is going on in the
firewall part (vrmr are default Vuurmuur log rules, BAS-IN|OUT are my
additional rules first in the ruleset):
----
BAS-FWD IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48
TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23
WINDOW=65535 RES=0x00 SYN URGP=0

vrmr: ACCEPT IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13
LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23
WINDOW=65535 RES=0x00 SYN URGP=0

vrmr: MASQ IN= OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48
TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23
WINDOW=65535 RES=0x00 SYN URGP=0

BAS-OUT IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00
PREC=0xC0 TTL=64 ID=21829 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1
DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP
SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0

BAS-IN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=192.168.70.1 DST=192.168.70.29 LEN=76 TOS=0x00 PREC=0xC0 TTL=64
ID=21829 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.29 DST=172.16.7.13
LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23
WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0

BAS-FWD IN=ipsec0 OUT=eth0 SRC=172.16.7.13 DST=192.168.70.29 LEN=44
TOS=0x00 PREC=0x00 TTL=125 ID=11649 DF PROTO=TCP SPT=23 DPT=3990
WINDOW=8192 RES=0x00 ACK SYN URGP=0

BAS-FWD IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48
TOS=0x00 PREC=0x00 TTL=127 ID=38026 DF PROTO=TCP SPT=3990 DPT=23
WINDOW=65535 RES=0x00 SYN URGP=0

BAS-OUT IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00
PREC=0xC0 TTL=64 ID=21830 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1
DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=38026 DF PROTO=TCP
SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0

BAS-IN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00
SRC=192.168.70.1 DST=192.168.70.29 LEN=76 TOS=0x00 PREC=0xC0 TTL=64
ID=21830 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.29 DST=172.16.7.13
LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=38026 DF PROTO=TCP SPT=3990 DPT=23
WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0

BAS-FWD IN=ipsec0 OUT=eth0 SRC=172.16.7.13 DST=192.168.70.29 LEN=44
TOS=0x00 PREC=0x00 TTL=125 ID=11662 DF PROTO=TCP SPT=23 DPT=3990
WINDOW=8192 RES=0x00 ACK SYN URGP=0
----

The first three lines are my test telnet session going out. The masq rule is a
bit strange, but since it works for a week, this can't be a problem.

The fourth line is the reason I mail to this list: this is apparently a
local packet (iface = lo) with an ICMP message of Type 3, Code 4
(3 = Destination Unreachable, 4 = Fragmentation Needed and Don't Fragment
was Set). Within the square brackets is the original packet this relates
to. The original packets all have the DF flag set.

What reasons could there be for this suddenly being a problem?

The next few packets might actually be a problem with the firewall
rules, since the firewall tries to forward me the SYN/ACK from
172.16.7.13, but it never reaches the proper forwarding rule (it would
have shown a vrmr log entry).

Any insights are very welcome.

Bas Rijniersce

----
Bas Rijniersce
IT Specialist @ Seaspan Ship Management
E: brijniersce@xxxxxxxxxxxxx
P: +1 604 638 2620
M: +1 604 616 4969
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
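As an added example (not part of Bas's mail or of Vuurmuur/Openswan), the following Python script parses iptables LOG lines in the format shown above and pulls out exactly the pattern he describes: a locally generated ICMP Type 3 / Code 4 ("fragmentation needed") that leaves on lo and comes back on lo, quoting an original packet that had DF set, and carrying a next-hop MTU of 0 (a zero next-hop MTU gives the sender nothing to clamp its MSS or path MTU to). The script correlates the quoted packet with the forwarded packet it came from by IP ID and destination, since the source address is rewritten by the MASQ rule between the BAS-FWD line and the BAS-OUT line. The sample lines are re-joined copies of the log excerpt in the mail; the prefix names, the `find_pmtu_failures` function and the report fields are this example's own.

```python
"""Parse iptables LOG output and flag local ICMP 'fragmentation needed' replies.

Added example: not code from the mail, Vuurmuur or Openswan. The sample log
lines are the ones quoted in the mail, each re-joined onto a single line.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = [  # constructed from the excerpt in the mail
    "BAS-FWD IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 "
    "TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "vrmr: ACCEPT IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 "
    "TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "vrmr: MASQ IN= OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 "
    "TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "BAS-OUT IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=21829 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1 DST=172.16.7.13 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0",
    "BAS-IN IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.70.1 "
    "DST=192.168.70.29 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=21829 PROTO=ICMP TYPE=3 CODE=4 "
    "[SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=37947 DF PROTO=TCP "
    "SPT=3990 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0 ] MTU=0",
    "BAS-FWD IN=ipsec0 OUT=eth0 SRC=172.16.7.13 DST=192.168.70.29 LEN=44 TOS=0x00 PREC=0x00 "
    "TTL=125 ID=11649 DF PROTO=TCP SPT=23 DPT=3990 WINDOW=8192 RES=0x00 ACK SYN URGP=0",
]


@dataclass
class LogEntry:
    prefix: str                 # text before IN=, e.g. "BAS-OUT" or "vrmr: ACCEPT"
    fields: dict                # KEY=VALUE tokens of the outer packet
    flags: set                  # bare tokens such as DF, SYN, ACK
    inner_fields: dict = field(default_factory=dict)  # packet quoted in [ ... ]
    inner_flags: set = field(default_factory=set)


def _parse_tokens(text):
    fields, flags = {}, set()
    for tok in text.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v           # "IN=" yields an empty value, as in the log
        else:
            flags.add(tok)
    return fields, flags


def parse_log_line(line):
    idx = line.find("IN=")
    if idx < 0:
        raise ValueError("not an iptables LOG line: %r" % line)
    prefix, body = line[:idx].strip(), line[idx:]
    inner_fields, inner_flags = {}, set()
    m = re.search(r"\[(.*?)\]", body)   # ICMP errors quote the offending packet
    if m:
        inner_fields, inner_flags = _parse_tokens(m.group(1))
        body = body[:m.start()] + body[m.end():]
    fields, flags = _parse_tokens(body)
    return LogEntry(prefix, fields, flags, inner_fields, inner_flags)


def is_local_frag_needed(entry):
    """ICMP type 3 code 4 that travelled over lo, i.e. generated by this host."""
    f = entry.fields
    return (f.get("PROTO") == "ICMP" and f.get("TYPE") == "3" and f.get("CODE") == "4"
            and "lo" in (f.get("IN"), f.get("OUT")))


def find_pmtu_failures(lines):
    """Return one report dict per local 'fragmentation needed' entry, linked
    to the forwarded packet it quotes (matched on IP ID + DST, because NAT
    rewrites SRC between the FORWARD and the POSTROUTING log points)."""
    entries = [parse_log_line(l) for l in lines]
    forwarded = {}
    for e in entries:
        f = e.fields
        if f.get("PROTO") != "ICMP":
            forwarded.setdefault((f.get("ID"), f.get("DST")), e)
    reports = []
    for e in entries:
        if not is_local_frag_needed(e):
            continue
        inner = e.inner_fields
        orig = forwarded.get((inner.get("ID"), inner.get("DST")))
        reports.append({
            "prefix": e.prefix,
            "iface": e.fields.get("IN") or e.fields.get("OUT"),
            "mtu": int(e.fields.get("MTU", "0")),
            "orig_id": inner.get("ID"),
            "orig_df": "DF" in e.inner_flags,
            "orig_seen_on": (orig.fields.get("IN"), orig.fields.get("OUT")) if orig else None,
        })
    return reports


if __name__ == "__main__":
    for r in find_pmtu_failures(SAMPLE_LOG):
        print("%-8s via %-3s frag-needed MTU=%d for ID=%s DF=%s, first forwarded %s"
              % (r["prefix"], r["iface"], r["mtu"], r["orig_id"], r["orig_df"], r["orig_seen_on"]))
```

Run against the excerpt it reports both loopback ICMP entries, each pointing back at the SYN that was first logged as `IN=eth0 OUT=ipsec0` and each with `MTU=0`; a non-zero MTU in that field, or the message arriving on a real interface rather than lo, would point at a remote hop instead of the firewall itself.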