Re: [gentoo-user] no shorewall

2007-08-28 Thread Jorge Almeida
On Tue, 28 Aug 2007, William Kenworthy wrote:

 Checking the obvious: you have gone through and manually checked that
 the modules are still being built?
 
Yes.
 There has been some renaming going on within netfilter that just using
 oldconfig misses a few (leaves them unselected, but didn't ask if I
I don't trust oldconfig. I use it to see what's new, but then I use
menuconfig on the previously saved config file (see original post).
 wanted them built).  Not sure which kernel versions were involved but
 it's recent, and caught me out - I was using the monmotha script at the
 time and the error messages were a good pointer.  Is dmesg showing
 anything after applying shorewall?
Didn't check that. Too late now.

Jorge
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-27 Thread Jorge Almeida
On Mon, 27 Aug 2007, W.Kenworthy wrote:

 No problems on multiple systems built using oldconfig and not rebuilding
 iptables.
OK, that means it's not some problem related to gentoo-sources
patches.
 
 In the kernel I turn everything on by default and build it modular -
 this might be the cause for you?
 
I don't think so. I have everything as module. Some modules (very few,
related to hw I don't have) I didn't select, but they were never needed
with former kernel versions...

Thanks.

Jorge
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-27 Thread Jorge Almeida
On Sun, 26 Aug 2007, David Snider wrote:

 Anybody managed to get shorewall working with gentoo-sources
 2.6.22-r5?
 I upgraded from 2.6.20, and there went the firewall. I used oldconfig
   
 I recently updated to 2.6.22-r5.  Shorewall seems to be working great.  No
 errors on startup.   I can post my .config file if you would like.
OK, thanks. My firewall is for a stand-alone workstation.

Jorge
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-27 Thread David Snider

Jorge Almeida wrote:

On Sun, 26 Aug 2007, David Snider wrote:

  

Anybody managed to get shorewall working with gentoo-sources
2.6.22-r5?
I upgraded from 2.6.20, and there went the firewall. I used oldconfig
  


I recently updated to 2.6.22-r5.  Shorewall seems to be working great.  No
errors on startup.   I can post my .config file if you would like.


OK, thanks. My firewall is for a stand-alone workstation.

Jorge
  

Here's my .config


#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.22-gentoo-r5
# Sun Aug 26 20:36:52 2007
#
CONFIG_X86_32=y
CONFIG_GENERIC_TIME=y
CONFIG_CLOCKSOURCE_WATCHDOG=y
CONFIG_GENERIC_CLOCKEVENTS=y
CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_SEMAPHORE_SLEEPERS=y
CONFIG_X86=y
CONFIG_MMU=y
CONFIG_ZONE_DMA=y
CONFIG_QUICKLIST=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_IOMAP=y
CONFIG_GENERIC_BUG=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
CONFIG_DMI=y
CONFIG_DEFCONFIG_LIST=/lib/modules/$UNAME_RELEASE/.config

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y
CONFIG_BROKEN_ON_SMP=y
CONFIG_INIT_ENV_ARG_LIMIT=32

#
# General setup
#
CONFIG_LOCALVERSION=
CONFIG_LOCALVERSION_AUTO=y
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
# CONFIG_IPC_NS is not set
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
# CONFIG_BSD_PROCESS_ACCT is not set
# CONFIG_TASKSTATS is not set
# CONFIG_UTS_NS is not set
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_LOG_BUF_SHIFT=14
# CONFIG_SYSFS_DEPRECATED is not set
# CONFIG_RELAY is not set
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set
CONFIG_SYSCTL=y
# CONFIG_EMBEDDED is not set
CONFIG_UID16=y
CONFIG_SYSCTL_SYSCALL=y
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_EXTRA_PASS is not set
CONFIG_HOTPLUG=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_ANON_INODES=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_SLAB=y
# CONFIG_SLUB is not set
# CONFIG_SLOB is not set
CONFIG_RT_MUTEXES=y
# CONFIG_TINY_SHMEM is not set
CONFIG_BASE_SMALL=0

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_KMOD=y

#
# Block layer
#
CONFIG_BLOCK=y
CONFIG_LBD=y
# CONFIG_BLK_DEV_IO_TRACE is not set
# CONFIG_LSF is not set

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_AS=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
CONFIG_DEFAULT_AS=y
# CONFIG_DEFAULT_DEADLINE is not set
# CONFIG_DEFAULT_CFQ is not set
# CONFIG_DEFAULT_NOOP is not set
CONFIG_DEFAULT_IOSCHED=anticipatory

#
# Processor type and features
#
CONFIG_TICK_ONESHOT=y
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
# CONFIG_SMP is not set
CONFIG_X86_PC=y
# CONFIG_X86_ELAN is not set
# CONFIG_X86_VOYAGER is not set
# CONFIG_X86_NUMAQ is not set
# CONFIG_X86_SUMMIT is not set
# CONFIG_X86_BIGSMP is not set
# CONFIG_X86_VISWS is not set
# CONFIG_X86_GENERICARCH is not set
# CONFIG_X86_ES7000 is not set
# CONFIG_PARAVIRT is not set
# CONFIG_M386 is not set
# CONFIG_M486 is not set
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
# CONFIG_MPENTIUMII is not set
# CONFIG_MPENTIUMIII is not set
# CONFIG_MPENTIUMM is not set
# CONFIG_MCORE2 is not set
CONFIG_MPENTIUM4=y
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MK8 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MEFFICEON is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP2 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MGEODEGX1 is not set
# CONFIG_MGEODE_LX is not set
# CONFIG_MCYRIXIII is not set
# CONFIG_MVIAC3_2 is not set
# CONFIG_MVIAC7 is not set
# CONFIG_X86_GENERIC is not set
CONFIG_X86_CMPXCHG=y
CONFIG_X86_L1_CACHE_SHIFT=7
CONFIG_X86_XADD=y
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
# CONFIG_ARCH_HAS_ILOG2_U32 is not set
# CONFIG_ARCH_HAS_ILOG2_U64 is not set
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
CONFIG_X86_GOOD_APIC=y
CONFIG_X86_INTEL_USERCOPY=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
CONFIG_X86_TSC=y
CONFIG_X86_CMOV=y
CONFIG_X86_MINIMUM_CPU_MODEL=4
CONFIG_HPET_TIMER=y
CONFIG_HPET_EMULATE_RTC=y
CONFIG_PREEMPT_NONE=y
# CONFIG_PREEMPT_VOLUNTARY is not set
# CONFIG_PREEMPT is not set
CONFIG_X86_UP_APIC=y
CONFIG_X86_UP_IOAPIC=y
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
CONFIG_X86_MCE=y
CONFIG_X86_MCE_NONFATAL=y
CONFIG_X86_MCE_P4THERMAL=y
CONFIG_VM86=y
# CONFIG_TOSHIBA is not set
# CONFIG_I8K is not set
# CONFIG_X86_REBOOTFIXUPS is not set
# CONFIG_MICROCODE is not set
# CONFIG_X86_MSR is not set
# CONFIG_X86_CPUID is not set

#
# Firmware Drivers
#
# CONFIG_EDD is not set
# CONFIG_DELL_RBU is not set
CONFIG_DCDBAS=m
CONFIG_NOHIGHMEM=y
# CONFIG_HIGHMEM4G is not set
# CONFIG_HIGHMEM64G is not set

Re: [gentoo-user] no shorewall

2007-08-27 Thread Jorge Almeida
On Mon, 27 Aug 2007, David Snider wrote:


 Here's my .config
 
Thanks, David. Your configuration works for me. Meanwhile, I ended up
selecting all modules in my former config, even those that are plainly
irrelevant (according to the help in menuconfig) and shorewall now
starts OK. I just wish I were any wiser, which I'm not.

Cheers,

Jorge
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-27 Thread Benno Schulenberg
Jorge Almeida wrote:
 Meanwhile, I ended up selecting all modules in my former
 config, even those that are plainly irrelevant (according to the
 help in menuconfig) and shorewall now starts OK. I just wish I
 were any wiser, which I'm not.

Sure you are.  You've learned that shorewall sets up rules that are 
plainly irrelevant.  :)

Benno
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-27 Thread William Kenworthy
Checking the obvious: you have gone through and manually checked that
the modules are still being built?

There has been some renaming going on within netfilter that just using
oldconfig misses a few (leaves them unselected, but didn't ask if I
wanted them built).  Not sure which kernel versions were involved but
it's recent, and caught me out - I was using the monmotha script at the
time and the error messages were a good pointer.  Is dmesg showing
anything after applying shorewall?

BillK

On Mon, 2007-08-27 at 08:43 +0100, Jorge Almeida wrote:
 On Mon, 27 Aug 2007, W.Kenworthy wrote:
 
  No problems on multiple systems built using oldconfig and not rebuilding
  iptables.
 OK, that means it's not some problem related to gentoo-sources
 patches.
  
  In the kernel I turn everything on by default and build it modular -
  this might be the cause for you?
  
 I don't think so. I have everything as module. Some modules (very few,
 related to hw I don't have) I didn't select, but they were never needed
 with former kernel versions...
 
 Thanks.
 
 Jorge
-- 
William Kenworthy [EMAIL PROTECTED]
Home in Perth!
-- 
[EMAIL PROTECTED] mailing list
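The renamed-option problem BillK describes can be checked mechanically instead of by eye: take the netfilter symbols that were =y or =m in the saved .config and list every one that is now "not set" or no longer exists at all in the new config (the latter is exactly the case "make oldconfig" never prompts about). The script below is an added example, not code from this thread or from shorewall. The two configs it reads are constructed samples standing in for an old and a new .config; they do not claim what actually changed between 2.6.20 and 2.6.22, and the REQUIRED list is an assumed set of symbols for illustration.

```python
import re

# Kconfig symbol prefixes that matter for iptables-based firewalls such as
# shorewall.  Assumption for illustration; extend it for your own setup.
NETFILTER_PREFIXES = ("CONFIG_NETFILTER", "CONFIG_NF_", "CONFIG_IP_NF_",
                      "CONFIG_IP6_NF_", "CONFIG_BRIDGE_NF")

_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text):
    """Map every symbol mentioned in a .config to its value.

    'CONFIG_FOO=m' -> 'm'; '# CONFIG_FOO is not set' -> None.
    Other comments and blank lines are ignored."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = None
    return symbols


def enabled(value):
    """Built-in (y) or module (m) both provide the feature."""
    return value in ("y", "m")


def netfilter_regressions(old_text, new_text):
    """Netfilter symbols enabled in old_text but disabled or absent in new_text.

    Returns sorted (symbol, old_value, new_state) tuples.  new_state is
    'not set' when the symbol still exists but is disabled, or 'absent' when
    the new tree no longer has it at all (renamed or moved), which is the
    case 'make oldconfig' never prompts about."""
    old = parse_config(old_text)
    new = parse_config(new_text)
    regressions = []
    for symbol, value in old.items():
        if not (symbol.startswith(NETFILTER_PREFIXES) and enabled(value)):
            continue
        if symbol not in new:
            regressions.append((symbol, value, "absent"))
        elif not enabled(new[symbol]):
            regressions.append((symbol, value, "not set"))
    return sorted(regressions)


def missing_required(config_text, required):
    """Symbols from `required` that are neither =y nor =m in config_text."""
    config = parse_config(config_text)
    return [s for s in required if not enabled(config.get(s))]


# Constructed sample configs for the demonstration.  They are NOT the real
# 2.6.20 and 2.6.22 files and do not claim what actually changed between
# those kernels; the point is the shape of the output.
OLD_CONFIG = """\
# Old, known-good config
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_NF_CONNTRACK_EVENTS is not set
"""

NEW_CONFIG = """\
# New config produced by oldconfig from the old one
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_ACCT is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_IP_NF_TARGET_LOG is not set
CONFIG_IP_NF_TARGET_ULOG=m
"""

# Assumed list of symbols the firewall script on this box needs.
REQUIRED = ["CONFIG_NETFILTER", "CONFIG_NF_CONNTRACK", "CONFIG_NF_CT_ACCT"]

if __name__ == "__main__":
    for symbol, old_value, state in netfilter_regressions(OLD_CONFIG, NEW_CONFIG):
        print(f"{symbol}: was ={old_value}, now {state}")
    for symbol in missing_required(NEW_CONFIG, REQUIRED):
        print(f"required but not enabled: {symbol}")
```

On a real box, read the two files with open() instead of the embedded strings (the running kernel's config is at /proc/config.gz when CONFIG_IKCONFIG_PROC is set, as it is in David's config above). An "absent" result is the one to chase in menuconfig's search (the "/" key), since the feature usually still exists under a new name.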



Re: [gentoo-user] no shorewall

2007-08-26 Thread Jorge Almeida
On Sun, 26 Aug 2007, Norman Rieß wrote:

 Jorge Almeida schrieb:
  Anybody managed to get shorewall working with gentoo-sources 2.6.22-r5?
  I upgraded from 2.6.20, and there went the firewall. I used oldconfig

 I had similar problems. I solved them with the kernelsettings here:
 http://www.shorewall.net/3.0/kernel.htm#v2.6.20
 which is pretty much activating everything :-). So I don't really know
Well, I already had almost everything activated. When you say similar,
are you talking about kernel 2.6.22? My setup worked (and is working
now) with 2.6.20 (I never tried 2.6.21). The shorewall output suggests
the problem is with accounting, and in kernel 2.6.20 I had an entry
with that name selected. But with 2.6.22 that entry is no longer
selectable (it has --), so I assume its functionality went somewhere
else...
I suppose I'll have to stay with 2.6.20...
Thanks.

Jorge

Re: [gentoo-user] no shorewall

2007-08-26 Thread Norberto Bensa

Quoting Jorge Almeida [EMAIL PROTECTED]:


the problem is with accounting, and in kernel 2.6.20 I had an entry
with that name selected. But with 2.6.22 that entry is no longer
selectable (it has --), so I assume its functionality went somewhere
else...


-- means you can't deselect (because it's pulled by something else...)


Have you recompiled iptables?

Try selecting everything (netfilter I mean) as modules.

Regards,
Norberto



This message was sent using IMP, the Internet Messaging Program.


--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-26 Thread Jorge Almeida
On Sun, 26 Aug 2007, Norberto Bensa wrote:

 -- means you can't deselect (because it's pulled by something else...)
Yes. But it was not so before, with 2.6.20.
 
 
 Have you recompiled iptables?
I recompiled iptables once after emerging 2.6.22. Should I do it every
time I make some changes to the kernel configuration, or when I make
modules?
 

Jorge
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-26 Thread Norberto Bensa

Quoting Jorge Almeida [EMAIL PROTECTED]:


Have you recompiled iptables?

I recompiled iptables once after emerging 2.6.22. Should I do it every
time I make some changes to the kernel configuration, or when I make
modules?


Usually it isn't needed but it won't hurt. Actually, I was out of  
ideas. I run shorewall, but it's a Debian box (kernel  
2.6.18-something...)


Try every netfilter option as module. If the problem continues,  
perhaps you'll like to ask on shorewall's mailing lists if there are  
known issues with 2.6.22.


BTW: a quick Googling shows netfilter is somewhat buggy on 2.6.22:

http://www.mail-archive.com/shorewall-users%40lists.sourceforge.net/msg02999.html
http://bugzilla.kernel.org/show_bug.cgi?id=8789

Perhaps you're just hitting a bug :-/

Regards,
Norberto




--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-26 Thread Jorge Almeida
On Sun, 26 Aug 2007, Norberto Bensa wrote:

 Try every netfilter option as module. If the problem continues, perhaps you'll
Everything is already as module...
 like to ask on shorewall's mailing lists if there are known issues with 2.6.22.
Will do.
 
 BTW: a quick Googling shows netfilter is somewhat buggy on 2.6.22:
 
 http://www.mail-archive.com/shorewall-users%40lists.sourceforge.net/msg02999.html
 http://bugzilla.kernel.org/show_bug.cgi?id=8789
 
I already had found these before posting. I also had the "Error
inserting ipt_LOG" problem, but I just unselected the corresponding
entry in the config, because I use ULOG anyway. I don't understand what
they mean by recompiling iptables against kernel 2.6.??. After all,
the kernel is not a library, and even the headers don't really belong to
the current kernel. Besides, the firewall works when I revert to 2.6.20,
even if I didn't recompile iptables a second time.
 Perhaps you're just hitting a bug :-/
Yes, or maybe the kernel masters just changed something and the info
still didn't make its way to user's level...

I'll try the shorewall list, and if needed I'll just skip one more
kernel version.

Thanks,

Jorge
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-26 Thread W.Kenworthy
No problems on multiple systems built using oldconfig and not rebuilding
iptables.

In the kernel I turn everything on by default and build it modular -
this might be the cause for you?

Billk

On Sun, 2007-08-26 at 08:09 +0100, Jorge Almeida wrote:
 On Sun, 26 Aug 2007, Norman Rieß wrote:
 
  Jorge Almeida schrieb:
   Anybody managed to get shorewall working with gentoo-sources 2.6.22-r5?
   I upgraded from 2.6.20, and there went the firewall. I used oldconfig
 
 
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] no shorewall

2007-08-26 Thread David Snider

W.Kenworthy wrote:

No problems on multiple systems built using oldconfig and not rebuilding
iptables.

In the kernel I turn everything on by default and build it modular -
this might be the cause for you?

Billk

On Sun, 2007-08-26 at 08:09 +0100, Jorge Almeida wrote:
  

On Sun, 26 Aug 2007, Norman Rieß wrote:



Jorge Almeida schrieb:
  

Anybody managed to get shorewall working with gentoo-sources 2.6.22-r5?
I upgraded from 2.6.20, and there went the firewall. I used oldconfig
  

I recently updated to 2.6.22-r5.  Shorewall seems to be working great.  
No errors on startup.   I can post my .config file if you would like.

--
[EMAIL PROTECTED] mailing list



[gentoo-user] no shorewall

2007-08-25 Thread Jorge Almeida
Anybody managed to get shorewall working with gentoo-sources 2.6.22-r5?
I upgraded from 2.6.20, and there went the firewall. I used oldconfig
just to see what's new, then make clean, then make menuconfig (starting
with the saved config file from kernel 2.6.20). Shorewall is version
3.2.9. I already changed a few things in case some module would be
missing due to name change. I'm out of ideas. In case someone can
provide some suggestion, here comes the output of shorewall start and
the relevant part of .config.

Thanks.

$ shorewall start
Compiling...
Determining Zones...
   IPv4 Zones: net
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
   net Zone: eth0:0.0.0.0/0
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
   Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Compiling Accounting...
Creating Interface Chains...
Compiling Proxy ARP
Compiling NAT...
Compiling NETMAP...
Compiling Common Rules
Adding rules for DHCP
Enabling RFC1918 Filtering
Compiling Kernel Route Filtering...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling /etc/shorewall/tunnels...
Compiling Actions...
Compiling /usr/share/shorewall/action.Drop for Chain Drop...
Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Masquerading/SNAT
Compiling /etc/shorewall/tos...
Compiling /etc/shorewall/ecn...
Compiling Traffic Control Rules...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Compiling Rule Activation...
Compiling Refresh of Black List...
Compiling Refresh of /etc/shorewall/ecn...
Validating /etc/shorewall/tcdevices...
Validating /etc/shorewall/tcclasses...
Shorewall configuration compiled to /var/lib/shorewall/.start
Processing /etc/shorewall/params ...
Starting Shorewall
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
Processing /etc/shorewall/continue ...
Enabling Loopback and DNS Lookups
Setting up Accounting...
iptables: No chain/target/match by that name
Processing /etc/shorewall/stop ...
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
/sbin/shorewall: line 529: 10855 Terminated  ${VARDIR}/.start $debugging start
$


#
# Networking
#
CONFIG_NET=y

#
# Networking options
#
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_MULTIPATH_CACHED=y
CONFIG_IP_ROUTE_MULTIPATH_RR=m
CONFIG_IP_ROUTE_MULTIPATH_RANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_WRANDOM=m
CONFIG_IP_ROUTE_MULTIPATH_DRR=m
CONFIG_IP_ROUTE_VERBOSE=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=y
CONFIG_NET_IPGRE=y
# CONFIG_NET_IPGRE_BROADCAST is not set
CONFIG_IP_MROUTE=y
# CONFIG_IP_PIMSM_V1 is not set
# CONFIG_IP_PIMSM_V2 is not set
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_DIAG=y
CONFIG_INET_TCP_DIAG=y
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BIC=y
CONFIG_TCP_CONG_CUBIC=m
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
# CONFIG_TCP_CONG_HSTCP is not set
# CONFIG_TCP_CONG_HYBLA is not set
# CONFIG_TCP_CONG_VEGAS is not set
# CONFIG_TCP_CONG_SCALABLE is not set
# CONFIG_TCP_CONG_LP is not set
# CONFIG_TCP_CONG_VENO is not set
# CONFIG_TCP_CONG_YEAH is not set
# CONFIG_TCP_CONG_ILLINOIS is not set
CONFIG_DEFAULT_BIC=y
# CONFIG_DEFAULT_CUBIC is not set
# CONFIG_DEFAULT_HTCP is not set
# CONFIG_DEFAULT_VEGAS is not set
# CONFIG_DEFAULT_WESTWOOD is not set
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_TCP_CONG=bic
# CONFIG_TCP_MD5SIG is not set
# CONFIG_IP_VS is not set
# CONFIG_IPV6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
# CONFIG_NETWORK_SECMARK is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK_ENABLED=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_ACCT=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_EVENTS is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# 

Re: [gentoo-user] no shorewall

2007-08-25 Thread Norman Rieß
Jorge Almeida schrieb:
 Anybody managed to get shorewall working with gentoo-sources 2.6.22-r5?
 I upgraded from 2.6.20, and there went the firewall. I used oldconfig
 just to see what's new, then make clean, then make menuconfig (starting
 with the saved config file from kernel 2.6.20). Shorewall is version
 3.2.9. I already changed a few things in case some module would be
 missing due to name change. I'm out of ideas. In case someone can
 provide some suggestion, here comes the output of shorewall start and
 the relevant part of .config.


   
I had similar problems. I solved them with the kernelsettings here:
http://www.shorewall.net/3.0/kernel.htm#v2.6.20
which is pretty much activating everything :-). So I don't really know
what did the trick.
But I did not compile this as modules. Perhaps this is a little
wasteful, but it worked.

Norman
-- 
[EMAIL PROTECTED] mailing list



[gentoo-user] {OT} Shorewall config check

2007-02-09 Thread Grant

Hello,

I set up shorewall on my Gentoo firewall/router for the first time
yesterday.  I had been using the iptables commands specified in the
Gentoo Home Router Guide before.  I used this:

http://www.shorewall.net/two-interface.htm

and ran into some trouble as the two-interface example files installed
with the package didn't match the ones described in the above
document.  I ended up with the following and I was hoping someone
could have a quick look and tell me if it's secure enough and not
overly redundant.

Wireless ath0 is on the local subnet.  eth0 is attached to a DSL modem
which (unfortunately) also happens to be a router with IP address
192.168.1.1.  I configured that modem/router to do static NAT and
forward all ports to the Gentoo firewall/router and I disabled
everything on it I could (DNS, DHCP, etc.).  The Gentoo
firewall/router provides DNS via dnsmasq and all the machines on the
network configure IPs manually so there is no DHCP anywhere.

/etc/shorewall/zones:

fw firewall
net ipv4
loc ipv4

/etc/shorewall/interfaces:

# I removed norfc1918 from the net OPTIONS because eth0
# has IP 192.168.1.2 from the modem/router.  Bad idea?
net eth0 detect tcpflags,routefilter,nosmurfs,logmartians
loc ath0 detect tcpflags,detectnets,nosmurfs

/etc/shorewall/policy:

loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info

/etc/shorewall/rules:

DNS/ACCEPT $FW net
Ping/REJECT net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
# Bittorrent
DNAT net loc:192.168.0.3 tcp 6881:6999
DNAT net loc:192.168.0.3 udp 6881:6999

/etc/shorewall/masq:

eth0 ath0

/etc/shorewall/routestopped:

ath0 -

Should I be using an ipp2p PROTO designation with my Bittorrent rules?

Would you bother to run a firewall on the machines connected to the
Gentoo firewall/router?

- Grant
--
gentoo-user@gentoo.org mailing list
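A point worth checking in a policy file like the one above: shorewall-policy(5) processes the file in order for each source/destination pair and uses the first matching entry, with "all" matching any zone, so an entry placed after a broader one is dead configuration. The script below is an added example, not code from the post or from shorewall: it parses a policy file, answers "which policy applies to this pair", and reports entries that an earlier entry already decides. The policy text is a constructed sample based on the one posted, with one shadowed line appended at the end to show what the report looks like; $FW is kept as a literal token rather than expanded to the firewall zone name the way shorewall does.

```python
# Shorewall policy files: SOURCE DEST POLICY [LOGLEVEL ...], '#' comments.
# shorewall-policy(5): for each source/destination pair the file is processed
# in order and the first matching entry is used; 'all' matches any zone.

POLICY_TEXT = """\
# Constructed sample: the policy posted above, plus one line appended at the
# end that can never match because 'loc net ACCEPT' already decides that pair.
loc net ACCEPT
loc $FW ACCEPT
loc all REJECT info
$FW net REJECT info
$FW loc REJECT info
$FW all REJECT info
net $FW DROP info
net loc DROP info
net all DROP info
all all REJECT info
loc net DROP info
"""


def parse_policy(text):
    """Return (lineno, source, dest, policy, loglevel) for each entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected SOURCE DEST POLICY")
        loglevel = fields[3] if len(fields) > 3 else None
        entries.append((lineno, fields[0], fields[1], fields[2], loglevel))
    return entries


def _matches(entry, src, dst):
    """True if `entry` applies to a src->dst connection ('all' is a wildcard)."""
    return entry[1] in ("all", src) and entry[2] in ("all", dst)


def effective_policy(text, src, dst):
    """Policy shorewall would apply to a new src->dst connection that no
    rule matched: the first entry in file order that covers the pair."""
    for entry in parse_policy(text):
        if _matches(entry, src, dst):
            return entry[3]
    return None


def shadowed_entries(text):
    """(shadowed_lineno, shadowing_lineno) for every entry that an earlier
    entry already decides for every pair it could match.  Such entries are
    dead configuration: the policy they name is never applied."""
    entries = parse_policy(text)
    shadowed = []
    for i, entry in enumerate(entries):
        for earlier in entries[:i]:
            # `earlier` covers every pair `entry` could match when each of
            # its zones is either 'all' or identical to the later entry's.
            if _matches(earlier, entry[1], entry[2]):
                shadowed.append((entry[0], earlier[0]))
                break
    return shadowed


if __name__ == "__main__":
    for pair in (("loc", "net"), ("net", "loc"), ("dmz", "net")):
        print(pair, "->", effective_policy(POLICY_TEXT, *pair))
    for dead, by in shadowed_entries(POLICY_TEXT):
        print(f"line {dead} is shadowed by line {by}")
```

Running it on the sample reports the appended "loc net DROP" as shadowed by the first line and shows net->loc resolving to DROP and an unknown zone pair falling through to the final "all all REJECT". Remember that policies only decide connections no entry in /etc/shorewall/rules matched first, so the DNAT and ACCEPT rules in the post are evaluated before any of this.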