Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Wed, 14 Nov 2007 00:49:37 -0800 "Bryan Whitehead" <[EMAIL PROTECTED]> wrote:
> if it is from the gentoo guys, I find it less annoying than the
> default editor being nano instead of vi... :)

yeah, no kidding.

--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
I'm pretty sure those changes are from the kernel devs - you would need
to ask the lkml people. If it is from the gentoo guys, I find it less
annoying than the default editor being nano instead of vi... :)

On Nov 13, 2007 11:21 PM, Walter Dnes <[EMAIL PROTECTED]> wrote:
> I've been running Gentoo for a few years, and I remember earlier
> versions of iptables, where everything was on one page. Why do we have
> to activate the same feature on two separate pages now?
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Mon, Nov 12, 2007 at 10:55:54PM -0800, Bryan Whitehead wrote
> I don't see what the big deal is - you are choosing to do everything
> manually by running gentoo and compiling your own kernel. If you don't
> like having to learn things like this why not use Ubuntu or Fedora?

I've been running Gentoo for a few years, and I remember earlier
versions of iptables, where everything was on one page. Why do we have
to activate the same feature on two separate pages now?

--
Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
Q. Mr. Ghandi, what do you think of Microsoft security?
A. I think it would be a good idea.
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Mon, 2007-11-12 at 23:35 -0500, Walter Dnes wrote:
> On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> > On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> > >
> > > I believe your problem comes from:
> > >
> > > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> > >
> > > Build this module and try again.
> >
> > This option isn't even available in my config. Should I add it? Will
> > it work with the kernel I'm running (2.6.22-hardened-r8)
>
> I'm beginning to long for the good ole days of ipchains. Is it still
> maintained? iptables has been scattered all over hell's-half-acre, and
> you need to run around enabling things all over the place to make it
> work. Here are some things enabled in my setup via "make menuconfig".
> Note that this is just for filtering out the bad guys. I do not do any
> masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable
> the item... "IPv4 connection tracking support (required for NAT)" in
> order for state matching to work. I found this out "the hard way".
>
> Networking --->
>   [*] Networking support
>   Networking options --->
>     [*] Network packet filtering framework (Netfilter) --->
>       Core Netfilter Configuration --->
>         <*> Netfilter connection tracking support
>         --- Netfilter Xtables support (required for ip_tables)
>         <*> "CLASSIFY" target support
>         <*> "MARK" target support
>         <*> "NFQUEUE" target Support
>         < > "NFLOG" target support
>         < > "TCPMSS" target support
>         <*> "comment" match support
>         < > "connbytes" per-connection counter match support
>         < > "connmark" connection mark match support
>         < > "conntrack" connection tracking match support
>         <*> "DCCP" protocol match support
>         < > "DSCP" match support
>         < > "ESP" match support
>         < > "helper" match support
>         <*> "length" match support
>         <*> "limit" match support
>         <*> "mac" address match support
>         <*> "mark" match support
>         <*> Multiple port match support
>         <*> "pkttype" packet type match support
>         < > "quota" match support
>         <*> "realm" match support
>         <*> "sctp" protocol match support (EXPERIMENTAL)
>         <*> "state" match support
>         < > "statistic" match support
>         <*> "string" match support
>
>       IP: Netfilter Configuration --->
>         <*> IPv4 connection tracking support (required for NAT)
>         [*]   proc/sysctl compatibility with old connection tracking
>         < > IP Userspace queueing via NETLINK (OBSOLETE)
>         <*> IP tables support (required for filtering/masq/NAT)
>         <*>   IP range match support
>         <*>   TOS match support
>         <*>   recent match support
>         < >   ECN match support
>         < >   AH match support
>         <*>   TTL match support
>         <*>   Owner match support
>         <*>   address type match support
>         <*>   Packet filtering
>         <*>     REJECT target support
>         <*>   LOG target support
>         < >   ULOG target support
>         < >   Full NAT
>         < >   Packet mangling
>         < >   raw table support (required for NOTRACK/TRACE)
>         < > ARP tables support
>
> --
> Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
> Q. Mr. Ghandi, what do you think of Microsoft security?
> A. I think it would be a good idea.

I agree, though ipchains was obsolete by the time I started using Linux.
Couldn't we have some package in portage that builds the necessary
modules for iptables, similar to the way I have to emerge ivtv every
time I boot with a new kernel so that my TV card will work?
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
I don't see what the big deal is - you are choosing to do everything
manually by running gentoo and compiling your own kernel. If you don't
like having to learn things like this why not use Ubuntu or Fedora?

On Nov 12, 2007 8:35 PM, Walter Dnes <[EMAIL PROTECTED]> wrote:
> On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> > On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> > >
> > > I believe your problem comes from:
> > >
> > > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> > >
> > > Build this module and try again.
> >
> > This option isn't even available in my config. Should I add it? Will
> > it work with the kernel I'm running (2.6.22-hardened-r8)
>
> I'm beginning to long for the good ole days of ipchains. Is it still
> maintained? iptables has been scattered all over hell's-half-acre, and
> you need to run around enabling things all over the place to make it
> work. Here are some things enabled in my setup via "make menuconfig".
> Note that this is just for filtering out the bad guys. I do not do any
> masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable
> the item... "IPv4 connection tracking support (required for NAT)" in
> order for state matching to work. I found this out "the hard way".
>
> Networking --->
>   [*] Networking support
>   Networking options --->
>     [*] Network packet filtering framework (Netfilter) --->
>       Core Netfilter Configuration --->
>         <*> Netfilter connection tracking support
>         --- Netfilter Xtables support (required for ip_tables)
>         <*> "CLASSIFY" target support
>         <*> "MARK" target support
>         <*> "NFQUEUE" target Support
>         < > "NFLOG" target support
>         < > "TCPMSS" target support
>         <*> "comment" match support
>         < > "connbytes" per-connection counter match support
>         < > "connmark" connection mark match support
>         < > "conntrack" connection tracking match support
>         <*> "DCCP" protocol match support
>         < > "DSCP" match support
>         < > "ESP" match support
>         < > "helper" match support
>         <*> "length" match support
>         <*> "limit" match support
>         <*> "mac" address match support
>         <*> "mark" match support
>         <*> Multiple port match support
>         <*> "pkttype" packet type match support
>         < > "quota" match support
>         <*> "realm" match support
>         <*> "sctp" protocol match support (EXPERIMENTAL)
>         <*> "state" match support
>         < > "statistic" match support
>         <*> "string" match support
>
>       IP: Netfilter Configuration --->
>         <*> IPv4 connection tracking support (required for NAT)
>         [*]   proc/sysctl compatibility with old connection tracking
>         < > IP Userspace queueing via NETLINK (OBSOLETE)
>         <*> IP tables support (required for filtering/masq/NAT)
>         <*>   IP range match support
>         <*>   TOS match support
>         <*>   recent match support
>         < >   ECN match support
>         < >   AH match support
>         <*>   TTL match support
>         <*>   Owner match support
>         <*>   address type match support
>         <*>   Packet filtering
>         <*>     REJECT target support
>         <*>   LOG target support
>         < >   ULOG target support
>         < >   Full NAT
>         < >   Packet mangling
>         < >   raw table support (required for NOTRACK/TRACE)
>         < > ARP tables support
>
> --
> Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
> Q. Mr. Ghandi, what do you think of Microsoft security?
> A. I think it would be a good idea.
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Sat, Nov 10, 2007 at 10:53:52AM -0600, Michael Sullivan wrote
> On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> >
> > I believe your problem comes from:
> >
> > # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
> >
> > Build this module and try again.
>
> This option isn't even available in my config. Should I add it? Will
> it work with the kernel I'm running (2.6.22-hardened-r8)

I'm beginning to long for the good ole days of ipchains. Is it still
maintained? iptables has been scattered all over hell's-half-acre, and
you need to run around enabling things all over the place to make it
work. Here are some things enabled in my setup via "make menuconfig".
Note that this is just for filtering out the bad guys. I do not do any
masq/nat/mangling/etc with iptables. *IMPORTANT NOTE* you *MUST* enable
the item... "IPv4 connection tracking support (required for NAT)" in
order for state matching to work. I found this out "the hard way".

Networking --->
  [*] Networking support
  Networking options --->
    [*] Network packet filtering framework (Netfilter) --->
      Core Netfilter Configuration --->
        <*> Netfilter connection tracking support
        --- Netfilter Xtables support (required for ip_tables)
        <*> "CLASSIFY" target support
        <*> "MARK" target support
        <*> "NFQUEUE" target Support
        < > "NFLOG" target support
        < > "TCPMSS" target support
        <*> "comment" match support
        < > "connbytes" per-connection counter match support
        < > "connmark" connection mark match support
        < > "conntrack" connection tracking match support
        <*> "DCCP" protocol match support
        < > "DSCP" match support
        < > "ESP" match support
        < > "helper" match support
        <*> "length" match support
        <*> "limit" match support
        <*> "mac" address match support
        <*> "mark" match support
        <*> Multiple port match support
        <*> "pkttype" packet type match support
        < > "quota" match support
        <*> "realm" match support
        <*> "sctp" protocol match support (EXPERIMENTAL)
        <*> "state" match support
        < > "statistic" match support
        <*> "string" match support

      IP: Netfilter Configuration --->
        <*> IPv4 connection tracking support (required for NAT)
        [*]   proc/sysctl compatibility with old connection tracking
        < > IP Userspace queueing via NETLINK (OBSOLETE)
        <*> IP tables support (required for filtering/masq/NAT)
        <*>   IP range match support
        <*>   TOS match support
        <*>   recent match support
        < >   ECN match support
        < >   AH match support
        <*>   TTL match support
        <*>   Owner match support
        <*>   address type match support
        <*>   Packet filtering
        <*>     REJECT target support
        <*>   LOG target support
        < >   ULOG target support
        < >   Full NAT
        < >   Packet mangling
        < >   raw table support (required for NOTRACK/TRACE)
        < > ARP tables support

--
Walter Dnes <[EMAIL PROTECTED]> In linux /sbin/init is Job #1
Q. Mr. Ghandi, what do you think of Microsoft security?
A. I think it would be a good idea.
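The menu items Walter lists correspond to Kconfig symbols, and the symbols can be checked mechanically against a saved .config or, on a kernel built with CONFIG_IKCONFIG_PROC=y as Michael's is, against /proc/config.gz of the kernel that is actually running. The script below is an added example written for this page; it is not part of the thread, of ipkungfu, or of the kernel tree. The symbol list is my mapping of the menu entries the thread says stateful filtering depends on (the Netfilter framework, Xtables, connection tracking and its IPv4 part, the "state" match, ip_tables with the filter table, and the REJECT and LOG targets); the sample config it checks is constructed to reproduce the "kernel lacks stateful matching" situation. Options built as modules (=m) are reported separately, since they are present in the config but still have to be loaded before a firewall script can use them.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a kernel config carries
# the netfilter symbols stateful iptables filtering needs.
# Input may be a plain .config or a gzip-compressed one such as /proc/config.gz.

# Kconfig symbols behind the menuconfig items quoted in the thread (my mapping).
REQUIRED_SYMBOLS="CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NF_CONNTRACK \
CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_IP_NF_IPTABLES \
CONFIG_IP_NF_FILTER CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG"

# read_config FILE: print the config text, decompressing *.gz input.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# symbol_state CONFIG_TEXT SYMBOL: print y (built in), m (module) or n (absent
# or "is not set").  Anchored match, so CONFIG_NETFILTER does not match
# CONFIG_NETFILTER_XTABLES.
symbol_state() {
    _val=$(printf '%s\n' "$1" | sed -n "s/^$2=\([ym]\)\$/\1/p")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf 'n\n'; fi
}

# check_netfilter_config FILE: one report line per symbol; exit status 0 only
# when every symbol is built in or modular.
check_netfilter_config() {
    _cfg=$(read_config "$1")
    _missing=0
    for _sym in $REQUIRED_SYMBOLS; do
        case "$(symbol_state "$_cfg" "$_sym")" in
            y) printf '%-34s built-in\n' "$_sym" ;;
            m) printf '%-34s module (load it before the firewall starts)\n' "$_sym" ;;
            n) printf '%-34s MISSING\n' "$_sym"; _missing=1 ;;
        esac
    done
    return $_missing
}

# missing_symbols FILE: print only the symbols that are neither =y nor =m.
missing_symbols() {
    _cfg=$(read_config "$1")
    for _sym in $REQUIRED_SYMBOLS; do
        [ "$(symbol_state "$_cfg" "$_sym")" = n ] && printf '%s\n' "$_sym"
    done
    return 0
}

# Constructed sample config: conntrack and ip_tables are modules, but the IPv4
# conntrack part and the state match are off, which is the thread's symptom.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/netfilter-sample.config"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_IPV4 is not set
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
EOF

if check_netfilter_config "$SAMPLE_CONFIG"; then
    echo "all required netfilter options are present"
else
    echo "stateful matching will not work with this config"
fi
```

Run it against /proc/config.gz rather than the .config in the source tree when a rebuilt kernel still seems to lack an option: the two differ whenever the image the boot loader loads is not the one just built, and /proc/config.gz describes the kernel that is running.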
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
Dan Farrell <[EMAIL PROTECTED]> writes:
> Does anybody actually _use_ ipv6 ?

Yes!
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Sat, 10 Nov 2007 14:50:56 +0100 Benno Schulenberg <[EMAIL PROTECTED]> wrote:
> And if you use IPv6, then this one too. But if you don't absolutely
> need IPv6, better switch all support for it off, just because it is
> less confusing that way.

Does anybody actually _use_ ipv6 ?
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Sat, 2007-11-10 at 15:40 +0200, Daniel Iliev wrote:
> On Sat, 10 Nov 2007 06:53:42 -0600
> Michael Sullivan <[EMAIL PROTECTED]> wrote:
>
> > I have a big problem. I've asked this question here in the past, and
> > have never gotten a straight answer. I use ipkungfu as my firewall
> > software. I noticed yesterday when I had to reboot my server box that
> > ipkungfu wasn't starting.
> >
> > baby ~ # /etc/init.d/ipkungfu restart
> >  * Starting ipkungfu ...
> > Your kernel lacks stateful matching, this would break this script.
> > Aborting.
> >  * Failed to start ipkungfu
> > [ !! ]
> >
>
> I believe your problem comes from:
>
> # CONFIG_IP_NF_CONNTRACK_SUPPORT is not set
>
> Build this module and try again.

This option isn't even available in my config. Should I add it? Will it
work with the kernel I'm running (2.6.22-hardened-r8)

> --
> Best regards,
> Daniel
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
Michael Sullivan wrote:
> # CONFIG_NF_CONNTRACK_IPV4 is not set

This should be switched on.

> # CONFIG_NF_CONNTRACK_IPV6 is not set

And if you use IPv6, then this one too. But if you don't absolutely
need IPv6, better switch all support for it off, just because it is
less confusing that way.

Benno
Re: [gentoo-user] OT - Need help enabling iptables support in kernel
On Sat, 10 Nov 2007 06:53:42 -0600
Michael Sullivan <[EMAIL PROTECTED]> wrote:

> I have a big problem. I've asked this question here in the past, and
> have never gotten a straight answer. I use ipkungfu as my firewall
> software. I noticed yesterday when I had to reboot my server box that
> ipkungfu wasn't starting.
>
> baby ~ # /etc/init.d/ipkungfu restart
>  * Starting ipkungfu ...
> Your kernel lacks stateful matching, this would break this script.
> Aborting.
>  * Failed to start ipkungfu
> [ !! ]
>

I believe your problem comes from:

# CONFIG_IP_NF_CONNTRACK_SUPPORT is not set

Build this module and try again.

--
Best regards,
Daniel
[gentoo-user] OT - Need help enabling iptables support in kernel
I have a big problem. I've asked this question here in the past, and
have never gotten a straight answer. I use ipkungfu as my firewall
software. I noticed yesterday when I had to reboot my server box that
ipkungfu wasn't starting.

baby ~ # /etc/init.d/ipkungfu restart
 * Starting ipkungfu ...
Your kernel lacks stateful matching, this would break this script.
Aborting.
 * Failed to start ipkungfu
[ !! ]

I rebuilt my kernel (2.6.20-hardened-r6) five or six times yesterday and
this morning, enabling literally every single option under netfilter in
the kernel config. I reboot each time only to find that the options have
not in fact been enabled. Doing a google search for this only returns
references to my previous emails. I'm panicking right now. What should I
do? I just want my firewall back. Up until the reboot of a couple of
days ago it worked, and I'm not sure what's changed. Please help.

My kernel config is:

#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.20-hardened-r6
# Mon Oct 1 18:04:10 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_SEMAPHORE_SLEEPERS=y
CONFIG_X86=y
CONFIG_MMU=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_IOMAP=y
CONFIG_GENERIC_BUG=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
CONFIG_DMI=y
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y
CONFIG_LOCK_KERNEL=y
CONFIG_INIT_ENV_ARG_LIMIT=32

#
# General setup
#
CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
# CONFIG_IPC_NS is not set
# CONFIG_POSIX_MQUEUE is not set
# CONFIG_BSD_PROCESS_ACCT is not set
# CONFIG_TASKSTATS is not set
# CONFIG_UTS_NS is not set
# CONFIG_AUDIT is not set
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
# CONFIG_CPUSETS is not set
CONFIG_SYSFS_DEPRECATED=y
# CONFIG_RELAY is not set
CONFIG_INITRAMFS_SOURCE=""
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_SYSCTL=y
CONFIG_EMBEDDED=y
# CONFIG_UID16 is not set
CONFIG_SYSCTL_SYSCALL=y
# CONFIG_KALLSYMS is not set
CONFIG_HOTPLUG=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_EPOLL=y
CONFIG_SHMEM=y
CONFIG_SLAB=y
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_RT_MUTEXES=y
# CONFIG_TINY_SHMEM is not set
CONFIG_BASE_SMALL=0
# CONFIG_SLOB is not set

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_KMOD=y
CONFIG_STOP_MACHINE=y

#
# Block layer
#
CONFIG_BLOCK=y
CONFIG_LBD=y
# CONFIG_BLK_DEV_IO_TRACE is not set
# CONFIG_LSF is not set

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
# CONFIG_IOSCHED_AS is not set
CONFIG_IOSCHED_DEADLINE=y
# CONFIG_IOSCHED_CFQ is not set
# CONFIG_DEFAULT_AS is not set
CONFIG_DEFAULT_DEADLINE=y
# CONFIG_DEFAULT_CFQ is not set
# CONFIG_DEFAULT_NOOP is not set
CONFIG_DEFAULT_IOSCHED="deadline"

#
# Processor type and features
#
CONFIG_SMP=y
CONFIG_X86_PC=y
# CONFIG_X86_ELAN is not set
# CONFIG_X86_VOYAGER is not set
# CONFIG_X86_NUMAQ is not set
# CONFIG_X86_SUMMIT is not set
# CONFIG_X86_BIGSMP is not set
# CONFIG_X86_VISWS is not set
# CONFIG_X86_GENERICARCH is not set
# CONFIG_X86_ES7000 is not set
# CONFIG_PARAVIRT is not set
# CONFIG_M386 is not set
CONFIG_M486=y
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
# CONFIG_MPENTIUMII is not set
# CONFIG_MPENTIUMIII is not set
# CONFIG_MPENTIUMM is not set
# CONFIG_MCORE2 is not set
# CONFIG_MPENTIUM4 is not set
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MK8 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MEFFICEON is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MGEODEGX1 is not set
# CONFIG_MGEODE_LX is not set
# CONFIG_MCYRIXIII is not set
# CONFIG_MVIAC3_2 is not set
CONFIG_X86_GENERIC=y
CONFIG_X86_CMPXCHG=y
CONFIG_X86_XADD=y
CONFIG_X86_L1_CACHE_SHIFT=7
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
# CONFIG_ARCH_HAS_ILOG2_U32 is not set
# CONFIG_ARCH_HAS_ILOG2_U64 is not set
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_X86_PPRO_FENCE=y
CONFIG_X86_F00F_BUG=y
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
CONFIG_X86_ALIGNMENT_16=y
CONFIG_X86_INTEL_USERCOPY=y
# CONFIG_HPET_TIMER is not set
CONFIG_NR_CPUS=8
CONFIG_SCHED_SMT=y
CONFIG_SCHED_MC=y
CONFIG_PREEMPT_NONE=y
# CONFIG_PREEMPT_VOLUNTARY is not set
# CONFIG_PREEMPT is not set
# CONFIG_PREEMPT_BKL is not set
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
# CONFIG_X86_MCE is not set
# CONFIG_VM86 is not set
CONFIG_TOSHIBA=m
# CONFIG_I8K is not set
CONFIG_X86_REBOOTFIXUPS=y
# CONFIG_MICROCODE is not set
# CONFIG_X86_MSR is not set
# CONFIG_X86_CPUID is not set

#
# Firmware Drivers
#
# CONFIG_EDD is not set
CONFIG_EFI_VARS=y
# CONFIG_DELL_RBU is not set
# CONFIG_DCDBAS is not set
# CONFIG_NOHIGHMEM is not set
CONFIG_HIGHMEM