On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> > 
> > I believe your problem comes from:
> > 
> >  # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> > 
> > Build this module and try again.
> > 
> This option isn't even available in my config.  Should I add it?  Will
> it work with the kernel I'm running (2.6.22-hardened-r8)?

  I'm beginning to long for the good ole days of ipchains.  Is it still
maintained?  iptables has been scattered all over hell's-half-acre, and
you need to run around enabling things all over the place to make it
work.  Here are some things enabled in my setup via "make menuconfig".
Note that this is just for filtering out the bad guys.  I do not do any
masq/nat/mangling/etc with iptables.  *IMPORTANT NOTE* you *MUST* enable
the item...  "IPv4 connection tracking support (required for NAT)" in
order for state matching to work.  I found this out "the hard way".

Networking  --->
[*] Networking support
      Networking options  --->
      [*] Network packet filtering framework (Netfilter)  --->
            Core Netfilter Configuration  --->
            <*> Netfilter connection tracking support
            --- Netfilter Xtables support (required for ip_tables)
                <*>   "CLASSIFY" target support
                <*>   "MARK" target support
                <*>   "NFQUEUE" target Support
                < >   "NFLOG" target support
                < >   "TCPMSS" target support
                <*>   "comment" match support
                < >   "connbytes" per-connection counter match support
                < >   "connmark" connection mark match support
                < >   "conntrack" connection tracking match support
                <*>   "DCCP" protocol match support
                < >   "DSCP" match support
                < >   "ESP" match support
                < >   "helper" match support
                <*>   "length" match support
                <*>   "limit" match support
                <*>   "mac" address match support
                <*>   "mark" match support
                <*>   Multiple port match support
                <*>   "pkttype" packet type match support
                < >   "quota" match support
                <*>   "realm" match support
                <*>   "sctp" protocol match support (EXPERIMENTAL)
                <*>   "state" match support
                < >   "statistic" match support
                <*>   "string" match support

            IP: Netfilter Configuration  --->
                <*> IPv4 connection tracking support (required for NAT)
                [*]   proc/sysctl compatibility with old connection tracking
                < > IP Userspace queueing via NETLINK (OBSOLETE)
                <*> IP tables support (required for filtering/masq/NAT)
                <*>   IP range match support
                <*>   TOS match support
                <*>   recent match support
                < >   ECN match support
                < >   AH match support
                <*>   TTL match support
                <*>   Owner match support
                <*>   address type match support
                <*>   Packet filtering
                <*>     REJECT target support
                <*>   LOG target support
                < >   ULOG target support
                < >   Full NAT
                < >   Packet mangling
                < >   raw table support (required for NOTRACK/TRACE)
                < > ARP tables support
-- 
Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
Q. Mr. Gandhi, what do you think of Microsoft security?
A. I think it would be a good idea.
-- 
[EMAIL PROTECTED] mailing list
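As an added example (not code from any poster on this thread), here is a small POSIX shell script that does the check Walter learned "the hard way": it reads a kernel .config, reports which of the options a stateful iptables filter depends on are neither built in nor modules, and prints a minimal accept-established / log-and-reject INPUT ruleset once everything needed is present. The CONFIG_* symbol names are my own mapping of the menu entries quoted above (CONFIG_NF_CONNTRACK for "Netfilter connection tracking support", CONFIG_NF_CONNTRACK_IPV4 for "IPv4 connection tracking support", CONFIG_NETFILTER_XT_MATCH_STATE for "state match support"); confirm them in your own tree's menuconfig help text. The sample .config fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Checks a kernel .config for
# the options a stateful ("-m state") iptables filter depends on, reports what is
# missing, and prints a minimal stateful INPUT ruleset.
# Assumption: these CONFIG_* symbols correspond to the menuconfig entries quoted
# in the thread (CONFIG_NF_CONNTRACK = "Netfilter connection tracking support",
# CONFIG_NF_CONNTRACK_IPV4 = "IPv4 connection tracking support",
# CONFIG_NETFILTER_XT_MATCH_STATE = "state match support"). Verify in your tree.

REQUIRED_OPTIONS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER \
CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG"

# missing_options FILE: print, one per line, every required option that is not
# set to y (built in) or m (module) in FILE. Prints nothing when all are present.
missing_options() {
    cfg="$1"
    for opt in $REQUIRED_OPTIONS; do
        grep -q "^${opt}=[ym]\$" "$cfg" || printf '%s\n' "$opt"
    done
}

# stateful_ruleset: print (do not run) the commands for a minimal stateful input
# filter: accept loopback and replies to our own connections, drop packets the
# tracker calls INVALID, log (rate limited) and reject everything else. The
# policy is set last so an existing session is not cut while rules are loading.
stateful_ruleset() {
    cat <<'EOF'
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# add NEW connections you want to accept here, e.g. for ssh:
# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT reject: "
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -P INPUT DROP
EOF
}

# write_sample_config FILE MODE: write a small constructed .config fragment to
# FILE. MODE "ok" enables everything; MODE "noconntrack" mirrors the thread's
# failure, with connection tracking left unset so "-m state" cannot work.
write_sample_config() {
    {
        printf 'CONFIG_NETFILTER=y\n'
        if [ "$2" = ok ]; then
            printf 'CONFIG_NF_CONNTRACK=m\nCONFIG_NF_CONNTRACK_IPV4=m\n'
        else
            printf '# CONFIG_NF_CONNTRACK is not set\n'
            printf '# CONFIG_NF_CONNTRACK_IPV4 is not set\n'
        fi
        printf 'CONFIG_NETFILTER_XT_MATCH_STATE=m\nCONFIG_IP_NF_IPTABLES=y\n'
        printf 'CONFIG_IP_NF_FILTER=y\nCONFIG_IP_NF_TARGET_REJECT=y\n'
        printf 'CONFIG_IP_NF_TARGET_LOG=y\n'
    } > "$1"
}

# Demonstration on the two constructed configs.
tmpdir=$(mktemp -d)
write_sample_config "$tmpdir/ok.config" ok
write_sample_config "$tmpdir/broken.config" noconntrack
for f in ok broken; do
    echo "== $f.config =="
    m=$(missing_options "$tmpdir/$f.config")
    if [ -z "$m" ]; then
        echo "all required options enabled; ruleset would be:"
        stateful_ruleset
    else
        echo "enable these before using -m state:"
        echo "$m"
    fi
done
rm -rf "$tmpdir"
```

To check the running kernel rather than a source tree, feed it `/proc/config.gz` (available when CONFIG_IKCONFIG_PROC is enabled) with `zcat /proc/config.gz > /tmp/running.config` and run `missing_options /tmp/running.config`; once it prints nothing, review the output of `stateful_ruleset` and pipe it to `sh` as root.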
