pseudo
Jul 31, 2022, 4:00:03 PM
Package: shorewall
Version: 5.2.3.4-1
Severity: minor
Tags: upstream
Dear Debian Maintainer,
* What led up to the situation?
I installed shorewall, everything worked fine.
Since I filled /etc/shorewall/blrules with ~4000 lines, shorewall takes a huge amount of time to start.
* What exactly did you do (or not do) that was effective (or ineffective)?
* What was the outcome of this action?
* What outcome did you expect instead?
Packet Filter takes 0.3 sec to start with the same blacklist.
* What are the relevant logs?
Here is /var/log/shorewall-init.log
[...]
Jul 31 21:04:43 Conntrack rule "CT:helper:pptp:PO - - tcp 1723" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:sane:PO - - tcp 6566" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:sip:PO - - udp 5060" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:snmp:PO - - udp 161" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jul 31 21:04:43 Conntrack rule "CT:helper:tftp:PO - - udp 69" Compiled
Jul 31 21:04:43 Compiling MAC Filtration -- Phase 2...
Jul 31 21:04:43 Applying Policies...
Jul 31 21:04:43 Policy ACCEPT from fw to net using chain fw-net
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" Compiled
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Multicast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43 Policy DROP from net to fw using chain net-fw
Jul 31 21:04:43 Policy ACCEPT from net to net using chain net-net
Jul 31 21:04:43 Generating Rule Matrix...
Jul 31 21:04:43 Handling complex zones...
Jul 31 21:04:43 Entering main matrix-generation loop...
Jul 31 21:04:43 Finishing matrix...
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" Compiled
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Multicast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" Compiled
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Multicast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Broadcast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type BROADCAST" Compiled
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type ANYCAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Broadcast
Jul 31 21:04:43 ..Expanding inline action /usr/share/shorewall/action.Multicast...
Jul 31 21:04:43 Rule " DROP - - - ;; -m addrtype --dst-type MULTICAST" Compiled
Jul 31 21:04:43 ..End inline action /usr/share/shorewall/action.Multicast
Jul 31 21:04:43 Chain NET_IF_iop deleted
Jul 31 21:04:43 Chain A_DROP deleted
Jul 31 21:04:43 Chain NET_IF_oop deleted
Jul 31 21:04:43 Chain NET_IF_fop deleted
Jul 31 21:04:43 Chain net-net deleted
Jul 31 21:04:43 Optimizing Ruleset...
Jul 31 21:04:43
Table raw pass 1, 2 referenced chains, level 4a...
Jul 31 21:04:43
Table raw pass 2, 2 referenced chains, level 4b...
Jul 31 21:04:43
Table raw pass 2, 2 referenced user chains, level 16...
Jul 31 21:04:43
Table raw pass , 0 referenced user chains, level 8...
Jul 31 21:04:43 Table raw Optimized -- Passes = 1
Jul 31 21:04:43
Jul 31 21:04:43
Table nat pass 1, 4 referenced chains, level 4a...
Jul 31 21:04:43
Table nat pass 2, 4 referenced chains, level 4b...
Jul 31 21:04:43
Table nat pass 2, 4 referenced user chains, level 16...
Jul 31 21:04:43
Table nat pass , 0 referenced user chains, level 8...
Jul 31 21:04:43 Table nat Optimized -- Passes = 1
Jul 31 21:04:43
Jul 31 21:04:43
Table mangle pass 1, 10 referenced chains, level 4a...
Jul 31 21:04:43 Chain tcin deleted
Jul 31 21:04:43 Chain tcout deleted
Jul 31 21:04:43 Chain tcpost deleted
Jul 31 21:04:43 Chain tcpre deleted
Jul 31 21:04:43 Empty chain tcfor deleted
Jul 31 21:04:43
Table mangle pass 2, 5 referenced chains, level 4a...
Jul 31 21:04:43
Table mangle pass 3, 5 referenced chains, level 4b...
Jul 31 21:04:43
Table mangle pass 3, 5 referenced user chains, level 16...
Jul 31 21:04:43
Table mangle pass , 0 referenced user chains, level 8...
Jul 31 21:04:43 Table mangle Optimized -- Passes = 1
Jul 31 21:04:43
Jul 31 21:04:43
Table filter pass 1, 14 referenced chains, level 4a...
Jul 31 21:04:43 3 ACCEPT rules deleted from chain fw-net
Jul 31 21:04:43 3 DROP rules deleted from chain net-fw
Jul 31 21:04:43
Table filter pass 2, 14 referenced chains, level 4a...
Jul 31 21:04:43 1 references to chain fw-net replaced
Jul 31 21:04:43 Chain fw-net deleted
Jul 31 21:04:43
Table filter pass 3, 13 referenced chains, level 4a...
Jul 31 21:04:43
Table filter pass 4, 13 referenced chains, level 4b...
Jul 31 21:04:43
Table filter pass 5, 2 short chains, level 4c...
Jul 31 21:04:43
Table filter pass 5, 13 referenced user chains, level 16...
Jul 31 21:11:44
Table filter pass , 10 referenced user chains, level 8...
Jul 31 21:11:44 Table filter Optimized -- Passes = 1
Jul 31 21:11:44
Jul 31 21:11:44 Creating iptables-restore input...
Jul 31 21:11:45 Shorewall configuration compiled to /var/lib/shorewall/.start
Jul 31 21:11:45 Starting Shorewall....
Jul 31 21:11:45 Initializing...
Jul 31 21:11:45 Setting up Route Filtering...
Jul 31 21:11:45 Setting up Martian Logging...
Jul 31 21:11:45 Setting up Accept Source Routing...
Jul 31 21:11:45 Disabling Kernel Automatic Helper Association
Jul 31 21:11:45 Preparing iptables-restore input...
Jul 31 21:11:45 Running /sbin/iptables-restore --wait 60...
Jul 31 21:11:45 done.
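The log above shows the whole seven-minute stall between two adjacent entries (the "level 16" optimizer pass for the filter table logged at 21:04:43, and the next line at 21:11:44). The following script, added here as an illustration and not part of Shorewall or of this bug report, parses a shorewall-init.log excerpt and ranks the gaps between consecutive timestamps so that the slow phase can be located without reading the file by eye. It assumes the format seen above, including the optimizer's habit of printing a bare timestamp with the "Table ... pass ..." message on the following line. The embedded excerpt is constructed from the log in the report, not copied verbatim.

```python
"""Locate the slow phase in a Shorewall startup log by timestamp gaps.

Added example for this bug report; not Shorewall's own code.
Assumes the /var/log/shorewall-init.log format shown in the report:
entries start with 'Mon DD HH:MM:SS', and some entries (the optimizer's
'Table ... pass ...' messages) put the message on the line after the stamp.
"""
import re
from datetime import datetime

# Constructed excerpt modelled on the log in the report (not verbatim).
SAMPLE_LOG = """\
Jul 31 21:04:43 Optimizing Ruleset...
Jul 31 21:04:43
Table raw pass 1, 2 referenced chains, level 4a...
Jul 31 21:04:43 Table raw Optimized -- Passes = 1
Jul 31 21:04:43
Table filter pass 5, 13 referenced user chains, level 16...
Jul 31 21:11:44
Table filter pass , 10 referenced user chains, level 8...
Jul 31 21:11:44 Table filter Optimized -- Passes = 1
Jul 31 21:11:44 Creating iptables-restore input...
Jul 31 21:11:45 Shorewall configuration compiled to /var/lib/shorewall/.start
Jul 31 21:11:45 done.
"""

# Syslog-style stamp (no year) followed by an optional message on the same line.
STAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s*(?P<msg>.*)$")


def parse_entries(text, year=2022):
    """Return a list of (datetime, message) pairs.

    A line without a timestamp is joined to the preceding entry: if that
    entry has no message yet (bare stamp), the line becomes its message,
    otherwise it is appended as a continuation.  `year` is assumed; the
    log format carries none and only the differences between stamps matter.
    """
    entries = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            entries.append([ts, m.group("msg").strip()])
        elif entries and not entries[-1][1]:
            entries[-1][1] = line.strip()          # message printed after a bare stamp
        elif entries:
            entries[-1][1] += " " + line.strip()   # wrapped continuation line
    return [(ts, msg) for ts, msg in entries]


def slowest_steps(text, top=3):
    """Return the `top` largest gaps as (seconds, message_before, message_after).

    The clock advances while the phase named by `message_before` is running,
    so that message identifies the slow step.
    """
    entries = parse_entries(text)
    gaps = [((t1 - t0).total_seconds(), m0, m1)
            for (t0, m0), (t1, m1) in zip(entries, entries[1:])]
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps[:top]


def total_compile_seconds(text):
    """Wall-clock seconds between the first and last entry of the excerpt."""
    entries = parse_entries(text)
    return (entries[-1][0] - entries[0][0]).total_seconds()


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/shorewall-init.log").read() on a real host.
    print(f"total: {total_compile_seconds(SAMPLE_LOG):.0f}s")
    for secs, before, after in slowest_steps(SAMPLE_LOG):
        print(f"{secs:7.0f}s  {before!r}  ->  {after!r}")
```

On the excerpt the largest gap is 421 seconds, attributed to the "Table filter pass 5, 13 referenced user chains, level 16..." entry, which matches the stall visible in the report. Running the script over the real log file (see the comment in the `__main__` block) gives the same ranking for a full startup, which is the first thing to attach when reporting or triaging a slow compile: it tells the maintainer which optimizer pass, and therefore which OPTIMIZE level in shorewall.conf, is worth looking at.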
-- System Information:
Debian Release: 11.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-16-amd64 (SMP w/4 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shorewall depends on:
ii bc 1.07.1-2+b2
ii debconf [debconf-2.0] 1.5.77
ii iproute2 5.10.0-4
ii iptables 1.8.7-1
ii lsb-base 11.1.0
ii perl 5.32.1-4+deb11u2
ii shorewall-core 5.2.3.4-1
Versions of packages shorewall recommends:
ii libnetfilter-cthelper0 1.0.0-3
Versions of packages shorewall suggests:
ii make 4.3-4.1
ii shorewall-doc 5.2.3-1.1
-- Configuration Files:
/etc/shorewall/params changed:
/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
PAGER=
FIREWALL=
LOG_LEVEL="debug"
BLACKLIST_LOG_LEVEL=
INVALID_LOG_LEVEL=
LOG_BACKEND=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOG_ZONE=Both
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="%s %s "
LOGTAGONLY=No
LOGLIMIT="s:1/sec:10"
MACLIST_LOG_LEVEL="$LOG_LEVEL"
RELATED_LOG_LEVEL=
RPFILTER_LOG_LEVEL="$LOG_LEVEL"
SFILTER_LOG_LEVEL="$LOG_LEVEL"
SMURF_LOG_LEVEL="$LOG_LEVEL"
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
UNTRACKED_LOG_LEVEL=
ARPTABLES=
CONFIG_PATH=":${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
NFACCT=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT="none"
BLACKLIST_DEFAULT="Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=Yes
AUTOCOMMENT=Yes
AUTOHELPERS=Yes
AUTOMAKE=Yes
BALANCE_PROVIDERS=No
BASIC_FILTERS=No
BLACKLIST="NEW,INVALID,UNTRACKED"
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DEFER_DNS_RESOLUTION=Yes
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DOCKER=No
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
HELPERS=
IGNOREUNKNOWNVARIABLES=No
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MARK_IN_FORWARD_CHAIN=No
MINIUPNPD=No
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No
PERL_HASH_SEED=0
REJECT_ACTION=
RENAME_COMBINED=Yes
REQUIRE_INTERFACE=No
RESTART=restart
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_ARPTABLES=No
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=Yes
TRACK_RULES=No
USE_DEFAULT_RT=Yes
USE_NFLOG_SIZE=No
USE_PHYSICAL_NAMES=No
USE_RT_NAMES=No
VERBOSE_MESSAGES=Yes
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
BLACKLIST_DISPOSITION=DROP
INVALID_DISPOSITION=CONTINUE
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
RPFILTER_DISPOSITION=DROP
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
UNTRACKED_DISPOSITION=CONTINUE
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
-- debconf information:
shorewall/invalid_config:
shorewall/dont_restart:
shorewall/major_release: