This is a production machine today. I'll need to switch it out to do
much more than a quick install.
--john

John R. Hill
Director Of Technologies
812-314-8920 option #3


-----Original Message-----
From: Tom Eastep [mailto:[email protected]] 
Sent: Tuesday, August 24, 2010 4:05 PM
To: [email protected]
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue

On 8/24/10 12:51 PM, Tom Eastep wrote:
> On 8/24/10 12:03 PM, Hill, John wrote:
>> I have been on the side now for a long, long time. After all of these
>> years, last month I rebuilt my firewall. Today I hit a snag.
>>
>> I have 2 ipset lists Blacklistnets and Blacklisthosts. I have a
>> portmap, BLOCKPORTS from 1 to 1024. I have port 25, 110 and 143 added
>> to BLOCKPORTS and bound to both lists.
>>
>> All works in 4.4.11.2.  I was just trying to keep the versions up.
>>
>> Now when I install 4.4.12 and start it, it says that ipset match
>> and iprange must be in the kernel and iptables. Version 4.4.11.2
>> works fine.
>>
>> I found the instructions for creating a capabilities file, I have
>> never purposefully done that before?  I did just create one with
>> 4.4.11.2 and it lists both of these requirements as yes.
> 
> And 4.4.12 does not?
> 
>>
>> Do I need to create this in 4.4.12 before I run it? If so is the
>> /etc/shorewall directory ok?
>>
>> Debian lenny Kernel 2.6.26-2amd64 Iptables 1.4.2 ipset 2.3.3.  Ipset
>> for Debian kernel was hard to come by, and it is old.
> 
> I run ipsets fine with shorewall 4.4.12 and the 2.6.26 Debian kernel 
> (although I use xtables-addons-1.24 to install ipsets and the 
> netfilter module that goes with it).
> 
> Please try the following from a root shell prompt:
> 
> iptables -N foo
> iptables -A foo -m set --set Blacklistnets src -j ACCEPT
> iptables -A foo -m set --match-set Blacklistnets src -j ACCEPT
> 
> What is the result?

I just noticed something in the 4.4.12 code; please try the attached
patch:

        patch /usr/share/shorewall/Shorewall/Config.pm < ipset.diff

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
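Tom's diagnostic above tries the two spellings of the ipset match that differ between ipset generations: the older `-m set --set NAME src` and the newer `-m set --match-set NAME src`. The POSIX shell probe below is an added example, not code from this thread or from Shorewall itself; it automates that check inside a throw-away chain so no live rule is ever touched, reports which syntax the installed iptables accepts, and removes the chain again. It assumes `iptables` is on PATH and run as root, and that a set with the given name already exists (the names `probe_ipset_match` and `shorewall_probe_*` are this example's own). The `IPTABLES` variable exists only so the probe can be pointed at a different binary.

```shell
#!/bin/sh
# Probe which ipset match syntax the installed iptables accepts.
# Constructed example in the spirit of a capability check; not Shorewall's code.
# Usage: probe_ipset_match SETNAME  -> prints "match-set", "set" or "none"
#        exit status 0 when a working syntax was found, 1 otherwise.

IPTABLES="${IPTABLES:-iptables}"    # assumption: iptables on PATH; override to redirect
PROBE_CHAIN="shorewall_probe_$$"     # scratch chain name, unique per shell PID

probe_ipset_match() {
    set_name="$1"
    result="none"

    if ! command -v "$IPTABLES" >/dev/null 2>&1; then
        echo "none"
        return 1
    fi

    # Work in a fresh user chain so the probe rule can never match real traffic.
    if ! "$IPTABLES" -N "$PROBE_CHAIN" 2>/dev/null; then
        echo "none"
        return 1
    fi

    # Newer ipset / xtables-addons spelling first ...
    if "$IPTABLES" -A "$PROBE_CHAIN" -m set --match-set "$set_name" src -j RETURN 2>/dev/null; then
        result="match-set"
    # ... then the ipset 2.x spelling that older Shorewall releases generated.
    elif "$IPTABLES" -A "$PROBE_CHAIN" -m set --set "$set_name" src -j RETURN 2>/dev/null; then
        result="set"
    fi

    # Always clean up the scratch chain, whatever the outcome.
    "$IPTABLES" -F "$PROBE_CHAIN" 2>/dev/null || true
    "$IPTABLES" -X "$PROBE_CHAIN" 2>/dev/null || true

    echo "$result"
    [ "$result" != "none" ]
}

# When executed directly with a set name, run the probe once.
if [ $# -gt 0 ]; then
    probe_ipset_match "$1"
fi
```

Run it as `sh probe.sh Blacklistnets` on the box that fails. A result of `none` with both syntaxes also occurs when the named set has not been created yet or when the `xt_set`/`ipt_set` module is missing from the kernel, so create the set with `ipset` first and check `dmesg` and `lsmod` before concluding that iptables itself lacks the match.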
