Tom Eastep wrote:
> David Mathog wrote:
> > The support folks for the machine in question kindly sent me a
> > 2.6.16.60 kernel with
> >
> > CONFIG_NETFILTER_XT_MATCH_STATE=m
> >
> > Sadly, shorewall won't start on that either.
<SNIP>
>
> CONFIG_IP_NF_TARGET_LOG
>
> Without that option, your firewall can do no logging.

The config file shows that that one is set:

CONFIG_IP_NF_TARGET_LOG=m

Here are all the CONFIG_IP_NF_* entries:

CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m

and all of the CONFIG_NETFILTER*

CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_STATE=m

Here are all the modules in:

/lib/modules/2.6.16.60-c1/kernel/net/ipv4/netfilter

ip_conntrack.ko
ip_conntrack_amanda.ko
ip_conntrack_ftp.ko
ip_conntrack_irc.ko
ip_conntrack_proto_sctp.ko
ip_conntrack_tftp.ko
ip_queue.ko
ip_tables.ko
ipt_LOG.ko
ipt_REJECT.ko
iptable_filter.ko

Is something obvious (to you, clearly it isn't to me) missing which in
turn is effectively disabling CONFIG_IP_NF_TARGET_LOG? Our other Linux
systems have many more modules in this directory, but for the system in
question all we need to do is to restrict access to certain port/address
ranges on the public interface. No forwarding, nat, masquerade, etc. are
needed.

Thanks,

David Mathog
Manager, Sequence Analysis Facility, Biology Division, Caltech
