Re: [Partial Solution] Re: Can't run shorewall with kernel 2.6.20.2
On Mon, 12 Mar 2007 18:59:29 -0400 Roberto C. Sanchez [EMAIL PROTECTED] wrote:

> On Mon, Mar 12, 2007 at 09:00:06AM +0200, Micha Feigin wrote:
>> That helped a bit. It appears that shorewall requires IPv4 connection tracking enabled. Now shorewall comes up and seems to work except that DNS requests from the firewall fail when it is enabled. (I can ping out by address but not by name)
>
> What are the contents of /etc/shorewall/policy?

$FW    all    ACCEPT    -
net    $FW    DROP      info
all    all    DROP      info

I then add specific incoming ports in /etc/shorewall/rules
Re: [Partial Solution] Re: Can't run shorewall with kernel 2.6.20.2
On Tue, Mar 13, 2007 at 10:28:04AM +0200, Micha Feigin wrote:
> On Mon, 12 Mar 2007 18:59:29 -0400 Roberto C. Sanchez [EMAIL PROTECTED] wrote:
>> On Mon, Mar 12, 2007 at 09:00:06AM +0200, Micha Feigin wrote:
>>> That helped a bit. It appears that shorewall requires IPv4 connection tracking enabled. Now shorewall comes up and seems to work except that DNS requests from the firewall fail when it is enabled. (I can ping out by address but not by name)
>>
>> What are the contents of /etc/shorewall/policy?
>
> $FW    all    ACCEPT    -
> net    $FW    DROP      info
> all    all    DROP      info
>
> I then add specific incoming ports in /etc/shorewall/rules

And when you say DNS requests from the firewall you mean for actual applications running on the firewall box itself? Not something else behind the firewall?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: [Partial Solution] Re: Can't run shorewall with kernel 2.6.20.2
On Thu, 15 Mar 2007 08:51:07 -0400 Roberto C. Sanchez [EMAIL PROTECTED] wrote:
> On Tue, Mar 13, 2007 at 10:28:04AM +0200, Micha Feigin wrote:
>> On Mon, 12 Mar 2007 18:59:29 -0400 Roberto C. Sanchez [EMAIL PROTECTED] wrote:
>>> On Mon, Mar 12, 2007 at 09:00:06AM +0200, Micha Feigin wrote:
>>>> That helped a bit. It appears that shorewall requires IPv4 connection tracking enabled. Now shorewall comes up and seems to work except that DNS requests from the firewall fail when it is enabled. (I can ping out by address but not by name)
>>>
>>> What are the contents of /etc/shorewall/policy?
>>
>> $FW    all    ACCEPT    -
>> net    $FW    DROP      info
>> all    all    DROP      info
>>
>> I then add specific incoming ports in /etc/shorewall/rules
>
> And when you say DNS requests from the firewall you mean for actual applications running on the firewall box itself? Not something else behind the firewall?

The firewall is running on a laptop connecting to a local gateway. There was a problem pinging from the laptop to the gateway when the firewall was up. I tried several reboots which didn't solve the problem, but it seems to have begun working now without me noticing, so I think I will accept the situation and not try to fix what's not broken.

Thanks for the help
[Partial Solution] Re: Can't run shorewall with kernel 2.6.20.2
On Sat, 10 Mar 2007 18:05:00 -0500 Roberto C. Sanchez [EMAIL PROTECTED] wrote:

> On Sun, Mar 11, 2007 at 12:21:09AM +0200, Micha Feigin wrote:
>>> distribution of Debian
>> Debian unstable
>>> version of shorewall
>> 3.2.9-1
>>> version of iptables
>> 1.3.6.0debian1-5
>>> method by which kernel was built
>> Vanilla kernel + software suspend + dsdt fixes (debian doesn't have 2.6.20.2 yet)
>
> I would start by checking the recent messages on the shorewall-users list. I seem to recall Tom Eastep mentioning some issues with 2.6.20 in relation to another user's mail. If it is not in the archives, then try following the directions here:
>
> http://shorewall.net/support.htm

That helped a bit. It appears that shorewall requires IPv4 connection tracking enabled. Now shorewall comes up and seems to work except that DNS requests from the firewall fail when it is enabled. (I can ping out by address but not by name)
Re: [Partial Solution] Re: Can't run shorewall with kernel 2.6.20.2
On Mon, Mar 12, 2007 at 09:00:06AM +0200, Micha Feigin wrote:
> That helped a bit. It appears that shorewall requires IPv4 connection tracking enabled. Now shorewall comes up and seems to work except that DNS requests from the firewall fail when it is enabled. (I can ping out by address but not by name)

What are the contents of /etc/shorewall/policy?

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Can't run shorewall with kernel 2.6.20.2
Seems to be a compilation error. Have you all the iptables modules? Check if you have all the modules. The problem isn't shorewall, it is the iptables.

2007/3/10, Roberto C. Sanchez [EMAIL PROTECTED]:
> On Sat, Mar 10, 2007 at 05:00:34AM +0200, Micha Feigin wrote:
>> I tried upgrading to kernel 2.6.20 and 2.6.20.2 but shorewall refuses to start. The only error I get is: (from /var/log/shorewall-init.log)
>>
>> [...]
>> Shorewall configuration compiled to /var/lib/shorewall/.start
>> Starting Shorewall
>> Initializing...
>> Clearing Traffic Control/QOS
>> Deleting user chains...
>> iptables: No chain/target/match by that name
>> ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
>> iptables: No chain/target/match by that name
>> iptables: No chain/target/match by that name
>> /sbin/shorewall: line 531:  1991 Terminated  ${VARDIR}/.start $debugging start
>
> Please provide the following:
>
> distribution of Debian
> version of shorewall
> version of iptables
> method by which kernel was built
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sanchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
Re: Can't run shorewall with kernel 2.6.20.2
On Sat, Mar 10, 2007 at 02:53:37PM +0100 Adrián Ebay wrote:
> Seems to be a compilation error. Have you all the iptables modules? Check if you have all the modules. The problem isn't shorewall, it is the iptables.

Indeed, that was the problem I had in upgrading my kernel here - iptables has been moved into another subdirectory of the kernel tree and needs to be activated during kernel configuration.

Regards,
Dave
Re: Can't run shorewall with kernel 2.6.20.2
On Fri, 9 Mar 2007 22:46:30 -0500 Roberto C. Sanchez [EMAIL PROTECTED] wrote:

> On Sat, Mar 10, 2007 at 05:00:34AM +0200, Micha Feigin wrote:
>> I tried upgrading to kernel 2.6.20 and 2.6.20.2 but shorewall refuses to start. The only error I get is: (from /var/log/shorewall-init.log)
>>
>> [...]
>> Shorewall configuration compiled to /var/lib/shorewall/.start
>> Starting Shorewall
>> Initializing...
>> Clearing Traffic Control/QOS
>> Deleting user chains...
>> iptables: No chain/target/match by that name
>> ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
>> iptables: No chain/target/match by that name
>> iptables: No chain/target/match by that name
>> /sbin/shorewall: line 531:  1991 Terminated  ${VARDIR}/.start $debugging start
>
> Please provide the following:
>
> distribution of Debian

Debian unstable

> version of shorewall

3.2.9-1

> version of iptables

1.3.6.0debian1-5

> method by which kernel was built

Vanilla kernel + software suspend + dsdt fixes (debian doesn't have 2.6.20.2 yet)

The sections I believe are relevant to the firewall from the config:

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NF_CONNTRACK_ENABLED is not set
CONFIG_NETFILTER_XTABLES=m
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_MULTIPORT is not set
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set

#
# IP: Netfilter Configuration
#
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_IPRANGE=m
# CONFIG_IP_NF_MATCH_TOS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
# CONFIG_IP_NF_MATCH_ECN is not set
# CONFIG_IP_NF_MATCH_AH is not set
# CONFIG_IP_NF_MATCH_TTL is not set
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_TARGET_TOS is not set
# CONFIG_IP_NF_TARGET_ECN is not set
# CONFIG_IP_NF_TARGET_TTL is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
Re: Can't run shorewall with kernel 2.6.20.2
On Sat, 10 Mar 2007 14:53:37 +0100 Adrián Ebay [EMAIL PROTECTED] wrote:
> Seems to be a compilation error. Have you all the iptables modules? Check if you have all the modules. The problem isn't shorewall, it is the iptables.

That is my guess, but kernel 2.6.20 split the iptable modules in a way that I'm not sure what to add. I tried adding anything I found but it didn't work.

> 2007/3/10, Roberto C. Sanchez [EMAIL PROTECTED]:
>> On Sat, Mar 10, 2007 at 05:00:34AM +0200, Micha Feigin wrote:
>>> I tried upgrading to kernel 2.6.20 and 2.6.20.2 but shorewall refuses to start. The only error I get is: (from /var/log/shorewall-init.log)
>>>
>>> [...]
>>> Shorewall configuration compiled to /var/lib/shorewall/.start
>>> Starting Shorewall
>>> Initializing...
>>> Clearing Traffic Control/QOS
>>> Deleting user chains...
>>> iptables: No chain/target/match by that name
>>> ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
>>> iptables: No chain/target/match by that name
>>> iptables: No chain/target/match by that name
>>> /sbin/shorewall: line 531:  1991 Terminated  ${VARDIR}/.start $debugging start
>>
>> Please provide the following:
>>
>> distribution of Debian
>> version of shorewall
>> version of iptables
>> method by which kernel was built
>>
>> Regards,
>>
>> -Roberto
>>
>> --
>> Roberto C. Sanchez
>> http://people.connexer.com/~roberto
>> http://www.connexer.com
Re: Can't run shorewall with kernel 2.6.20.2
On Sun, Mar 11, 2007 at 12:21:09AM +0200, Micha Feigin wrote:
>> distribution of Debian
> Debian unstable
>> version of shorewall
> 3.2.9-1
>> version of iptables
> 1.3.6.0debian1-5
>> method by which kernel was built
> Vanilla kernel + software suspend + dsdt fixes (debian doesn't have 2.6.20.2 yet)

I would start by checking the recent messages on the shorewall-users list. I seem to recall Tom Eastep mentioning some issues with 2.6.20 in relation to another user's mail. If it is not in the archives, then try following the directions here:

http://shorewall.net/support.htm

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
Re: Can't run shorewall with kernel 2.6.20.2
On Sat, 10 Mar 2007 14:53:37 +0100 Adrián Ebay [EMAIL PROTECTED] wrote:
> Seems to be a compilation error. Have you all the iptables modules? Check if you have all the modules. The problem isn't shorewall, it is the iptables.

It seems that the command that is failing at the moment is:

/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

If I try to run it by itself (with the -v option) I get the error:

ACCEPT  0 opt -- in * out *  0.0.0.0/0  - 0.0.0.0/0  state RELATED,ESTABLISHED
iptables: Invalid argument

Running just /sbin/iptables -A FORWARD -j ACCEPT works, so it's something with the -m state option. Any idea what module is needed? I tried compiling xt_state, xt_conntrack and nf_conntrack which seemed related but they didn't help. Nothing else that seems to fit from previous kernels.

The only modules that seem to be missing from this version of the kernel and I can't find options to compile them are:

ipt_hashlimit.ko
ip_conntrack_ftp.ko
ip_conntrack.ko

Thanks

> 2007/3/10, Roberto C. Sanchez [EMAIL PROTECTED]:
>> On Sat, Mar 10, 2007 at 05:00:34AM +0200, Micha Feigin wrote:
>>> I tried upgrading to kernel 2.6.20 and 2.6.20.2 but shorewall refuses to start. The only error I get is: (from /var/log/shorewall-init.log)
>>>
>>> [...]
>>> Shorewall configuration compiled to /var/lib/shorewall/.start
>>> Starting Shorewall
>>> Initializing...
>>> Clearing Traffic Control/QOS
>>> Deleting user chains...
>>> iptables: No chain/target/match by that name
>>> ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
>>> iptables: No chain/target/match by that name
>>> iptables: No chain/target/match by that name
>>> /sbin/shorewall: line 531:  1991 Terminated  ${VARDIR}/.start $debugging start
>>
>> Please provide the following:
>>
>> distribution of Debian
>> version of shorewall
>> version of iptables
>> method by which kernel was built
>>
>> Regards,
>>
>> -Roberto
>>
>> --
>> Roberto C. Sanchez
>> http://people.connexer.com/~roberto
>> http://www.connexer.com
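A defender-side pre-flight check for the failure Micha describes above (the `-m state` match rejected because the kernel was built with `CONFIG_NF_CONNTRACK_ENABLED` unset), added here as an example that is not part of the thread: it parses a kernel .config for the options a stateful filter rule depends on, and checks a saved `/proc/net/ip_tables_matches` listing for a registered `state` match. The option names not quoted in the thread (CONFIG_NF_CONNTRACK, CONFIG_NF_CONNTRACK_IPV4, CONFIG_IP_NF_CONNTRACK, CONFIG_NETFILTER_XT_MATCH_STATE, CONFIG_IP_NF_MATCH_STATE) are real Kconfig symbols of that kernel generation; the sample files are constructed from the lines posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Options a rule such as
#   iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# depends on. A "|" separates alternatives: the 2.6.20 nf_conntrack
# symbols versus the older ip_conntrack ones. Symbols not quoted in the
# thread are real Kconfig names of that kernel generation.
REQUIRED_OPTS="CONFIG_NETFILTER_XTABLES \
CONFIG_NF_CONNTRACK_ENABLED \
CONFIG_NF_CONNTRACK|CONFIG_IP_NF_CONNTRACK \
CONFIG_NF_CONNTRACK_IPV4|CONFIG_IP_NF_CONNTRACK \
CONFIG_NETFILTER_XT_MATCH_STATE|CONFIG_IP_NF_MATCH_STATE \
CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_FILTER"

# Print every option group with no member set to y or m in .config $1
# ("# CONFIG_X is not set" lines never match). Returns 1 if anything is
# missing, 0 when the config can support stateful filtering.
missing_netfilter_opts() {
    config="$1"; rc=0
    for group in $REQUIRED_OPTS; do
        if ! grep -Eq "^(${group})=(y|m)$" "$config"; then
            echo "$group"; rc=1
        fi
    done
    return $rc
}

# Runtime counterpart: /proc/net/ip_tables_matches lists one registered
# match name per line, and "state" is only there once xt_state (or the
# older ipt_state) is loaded. $1 lets the check run against a saved copy.
state_match_available() {
    grep -qx 'state' "${1:-/proc/net/ip_tables_matches}"
}

# Constructed sample: the relevant lines from the .config Micha posted.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# CONFIG_NETFILTER_NETLINK is not set
# CONFIG_NF_CONNTRACK_ENABLED is not set
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
EOF

# Constructed sample of /proc/net/ip_tables_matches on that kernel.
SAMPLE_MATCHES="$(mktemp)"
printf 'pkttype\nstring\niprange\nowner\naddrtype\n' > "$SAMPLE_MATCHES"

missing_netfilter_opts "$SAMPLE_CONFIG" \
    || echo "stateful rules will fail until the options above are enabled"
state_match_available "$SAMPLE_MATCHES" || echo "no 'state' match registered"
```

Run against the real `/proc/config.gz` (after `zcat` to a file) or the build tree's `.config` before rebooting into a new kernel; an empty result from the first check and a registered `state` match at runtime are what shorewall's ESTABLISHED,RELATED rule needs.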
Can't run shorewall with kernel 2.6.20.2
I tried upgrading to kernel 2.6.20 and 2.6.20.2 but shorewall refuses to start. The only error I get is: (from /var/log/shorewall-init.log)

[...]
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall
Initializing...
Clearing Traffic Control/QOS
Deleting user chains...
iptables: No chain/target/match by that name
ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
/sbin/shorewall: line 531:  1991 Terminated  ${VARDIR}/.start $debugging start

I can't figure out which chain/target/match is missing and whether it is a module I'm not compiling in or an incompatibility with the latest kernel. I'll be glad for any suggestions.

Thanks
Re: Can't run shorewall with kernel 2.6.20.2
On Sat, Mar 10, 2007 at 05:00:34AM +0200, Micha Feigin wrote:
> I tried upgrading to kernel 2.6.20 and 2.6.20.2 but shorewall refuses to start. The only error I get is: (from /var/log/shorewall-init.log)
>
> [...]
> Shorewall configuration compiled to /var/lib/shorewall/.start
> Starting Shorewall
> Initializing...
> Clearing Traffic Control/QOS
> Deleting user chains...
> iptables: No chain/target/match by that name
> ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> /sbin/shorewall: line 531:  1991 Terminated  ${VARDIR}/.start $debugging start

Please provide the following:

distribution of Debian
version of shorewall
version of iptables
method by which kernel was built

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com