I got my Shorewall installation (defending a school network from a
Raspberry Pi farm, with a 3rd unfiltered Internet connection) working at
home on an equivalent network though with different network addresses,
and transferred the config files to school. After correcting a couple of
really stoopid misteaks in resetting network and host addresses to
school values it sort of works, but for some reason, Shorewall no longer
starts on boot.
After boot, shorewall status says it's stopped, and gives the time it
was last started, prior to the most recent reboot. No clues in
/var/log/messages.
I've checked that STARTUP_ENABLED=Yes is still in my shorewall.conf, and
though I'm not familiar with systemd, I've checked that
shorewall.service in /lib/systemd/system is the same between home and
school setups. However, at school I also seem to have a
shorewall-init.service, not present at home (where Shorewall starts as
it should).
I suppose I could just preserve the config files and then reinstall
Shorewall, but not knowing what's gone wrong and why, I wouldn't know
whether it might go wrong again at an inconvenient time. I'm not sure
where to go from here. For what it's worth, I'll append the output from
an apparently successful shorewall start - much more verbose than it
used to be - maybe I turned logging up a bit.
Regards - Philip
PiWall ~ # shorewall start
Compiling using Shorewall 5.0.4...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Interface "schl eno1 tcpflags,nosmurfs,logmartians,sourceroute=0" Validated
Interface "pinet enp2s0 tcpflags,nosmurfs,routefilter,logmartians" Validated
Interface "inet ppp0 tcpflags,nosmurfs,logmartians,sourceroute=0,optional" Validated
Determining Hosts in Zones...
fw (firewall)
schl (ipv4)
eno1:0.0.0.0/0
pinet (ipv4)
enp2s0:0.0.0.0/0
inet (ipv4)
ppp0:0.0.0.0/0
Locating Action Files...
Compiling /etc/shorewall/policy...
Policy for pinet to schl is DROP using chain pinet-schl
Policy for pinet to inet is DROP using chain pinet-inet
Policy for schl to fw is DROP using chain schl-all
Policy for schl to pinet is DROP using chain schl-all
Policy for schl to inet is DROP using chain schl-all
Policy for inet to fw is DROP using chain inet-all
Policy for inet to schl is DROP using chain inet-all
Policy for inet to pinet is DROP using chain inet-all
Policy for fw to schl is REJECT using chain all-all
Policy for fw to pinet is REJECT using chain all-all
Policy for fw to inet is REJECT using chain all-all
Policy for schl to fw is REJECT using chain all-all
Policy for schl to pinet is REJECT using chain all-all
Policy for schl to inet is REJECT using chain all-all
Policy for pinet to fw is REJECT using chain all-all
Policy for pinet to schl is REJECT using chain all-all
Policy for pinet to inet is REJECT using chain all-all
Policy for inet to fw is REJECT using chain all-all
Policy for inet to schl is REJECT using chain all-all
Policy for inet to pinet is REJECT using chain all-all
Adding Anti-smurf Rules
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling Accept Source Routing...
Compiling /etc/shorewall/providers...
Provider "raw 1 1 - ppp0 - fallback" Compiled
Provider "school 2 - - eno1 172.16.135.254 primary" Compiled
Compiling /etc/shorewall/rtrules...
Routing rule "enp2s0 - raw 11000 1" Compiled
Routing rule "lo - raw 11000 1" Compiled
Compiling /etc/shorewall/mangle...
Mangle Rule "MARK(1) enp2s0 - udp 33434:33523 - - -" 0
Mangle Rule "MARK(1) enp2s0 - 253 - - - -" 0
Mangle Rule "MARK(1) fw - udp 33434:33523 - - -" 0
Mangle Rule "MARK(1) fw - 253 - - - -" 0
Compiling /etc/shorewall/masq...
Masq record "eno1 192.168.1.0/24 172.16.135.160" 0
Masq record "ppp0 192.168.1.0/24 detect" 0
Compiling MAC Filtration -- Phase 1...
Chain eno1_iop deleted
Chain eno1_fop deleted
Chain enp2s0_iop deleted
Chain enp2s0_fop deleted
Chain ppp0_iop deleted
Chain ppp0_fop deleted
Compiling /etc/shorewall/rules...
..Expanding Macro /usr/share/shorewall/macro.Web...
Rule "PARAM - - tcp 80" 0
Rule "PARAM - - tcp 443" 0
..End Macro /usr/share/shorewall/macro.Web
Rule "Web(ACCEPT) pinet schl" 0
Rule "ACCEPT pinet schl udp ntp" 0
Rule "DNAT pinet schl:172.16.133.248 udp 53 - 192.168.1.254" 0
Rule "DNAT pinet schl:172.16.133.248 tcp 53 - 192.168.1.254" 0
..Expanding Macro /usr/share/shorewall/macro.SMBBI...
Rule "PARAM - - udp 135,445" 0
Rule " PARAM - - udp 137:139" 0
Rule "PARAM - - udp 1024: 137" 0
Rule "PARAM - - tcp 135,139,445" 0
Rule "PARAM DEST SOURCE udp 135,445" 0
Rule " PARAM DEST SOURCE udp 137:139" 0
Rule "PARAM DEST SOURCE udp 1024: 137" 0
Rule "PARAM DEST SOURCE tcp 135,139,445" 0
..End Macro /usr/share/shorewall/macro.SMBBI
Rule "SMBBI(ACCEPT) pinet fw" 0
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "PARAM - - icmp 8" 0
..End Macro /usr/share/shorewall/macro.Ping
Rule "Ping(ACCEPT) pinet fw" 0
Rule "ACCEPT pinet inet udp 33434:33523" 0
Rule "ACCEPT pinet inet 253" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.1 - - - 172.16.135.129" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.2 - - - 172.16.135.130" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.3 - - - 172.16.135.131" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.4 - - - 172.16.135.132" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.5 - - - 172.16.135.133" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.6 - - - 172.16.135.134" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.7 - - - 172.16.135.135" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.8 - - - 172.16.135.136" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.9 - - - 172.16.135.137" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.10 - - - 172.16.135.138" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.11 - - - 172.16.135.139" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.12 - - - 172.16.135.140" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.13 - - - 172.16.135.141" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.14 - - - 172.16.135.142" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.15 - - - 172.16.135.143" 0
..Expanding Macro /etc/shorewall/macro.Pi...
Rule "PARAM - - tcp 5900:5909 - -" 0
Rule "PARAM - - tcp ssh - -" 0
Rule "PARAM - - tcp http - -" 0
Rule "PARAM - - tcp 8080:8081 - -" 0
..End Macro /etc/shorewall/macro.Pi
Rule "Pi(DNAT) schl pinet:192.168.1.16 - - - 172.16.135.144" 0
Rule "ACCEPT schl fw tcp ssh" 0
Rule "ACCEPT schl fw tcp http" 0
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "PARAM - - icmp 8" 0
..End Macro /usr/share/shorewall/macro.Ping
Rule "Ping(ACCEPT) schl fw" 0
..Expanding Macro /usr/share/shorewall/macro.Web...
Rule "PARAM - - tcp 80" 0
Rule "PARAM - - tcp 443" 0
..End Macro /usr/share/shorewall/macro.Web
Rule "Web(ACCEPT) fw schl" 0
Rule "ACCEPT fw schl udp domain" 0
Rule "ACCEPT fw schl tcp domain" 0
Rule "ACCEPT fw schl udp ntp" 0
..Expanding Macro /usr/share/shorewall/macro.Ping...
Rule "PARAM - - icmp 8" 0
..End Macro /usr/share/shorewall/macro.Ping
Rule "Ping(ACCEPT) fw schl" 0
Rule "ACCEPT fw pinet" 0
Rule "ACCEPT fw inet udp 33434:33523" 0
Rule "ACCEPT fw inet 253" 0
Compiling /etc/shorewall/conntrack...
Conntrack rule "CT:helper:amanda:PO - - udp 10080" 0
Conntrack rule "CT:helper:amanda:PO - - udp 10080" 0
Conntrack rule "CT:helper:ftp:PO - - tcp 21" 0
Conntrack rule "CT:helper:ftp:PO - - tcp 21" 0
Conntrack rule "CT:helper:RAS:PO - - udp 1719" 0
Conntrack rule "CT:helper:RAS:PO - - udp 1719" 0
Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" 0
Conntrack rule "CT:helper:Q.931:PO - - tcp 1720" 0
Conntrack rule "CT:helper:irc:PO - - tcp 6667" 0
Conntrack rule "CT:helper:irc:PO - - tcp 6667" 0
Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" 0
Conntrack rule "CT:helper:netbios-ns:PO - - udp 137" 0
Conntrack rule "CT:helper:pptp:PO - - tcp 1723" 0
Conntrack rule "CT:helper:pptp:PO - - tcp 1723" 0
Conntrack rule "CT:helper:sane:PO - - tcp 6566" 0
Conntrack rule "CT:helper:sane:PO - - tcp 6566" 0
Conntrack rule "CT:helper:sip:PO - - udp 5060" 0
Conntrack rule "CT:helper:sip:PO - - udp 5060" 0
Conntrack rule "CT:helper:snmp:PO - - udp 161" 0
Conntrack rule "CT:helper:snmp:PO - - udp 161" 0
Conntrack rule "CT:helper:tftp:PO - - udp 69" 0
Conntrack rule "CT:helper:tftp:PO - - udp 69" 0
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Compiling /usr/share/shorewall/action.Reject for chain Reject...
Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" 0
Rule "PARAM - - icmp time-exceeded" 0
..End Macro /usr/share/shorewall/macro.AllowICMPs
..Expanding inline action /usr/share/shorewall/action.Invalid...
..End inline action /usr/share/shorewall/action.Invalid
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" 0
Rule " PARAM - - udp 137:139" 0
Rule "PARAM - - udp 1024: 137" 0
Rule "PARAM - - tcp 135,139,445" 0
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" 0
..End Macro /usr/share/shorewall/macro.DropUPnP
..Expanding inline action /usr/share/shorewall/action.NotSyn...
..End inline action /usr/share/shorewall/action.NotSyn
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" 0
..End Macro /usr/share/shorewall/macro.DropDNSrep
Policy REJECT from fw to schl using chain fw-schl
Policy REJECT from fw to pinet using chain fw-pinet
Policy REJECT from fw to inet using chain fw-inet
Compiling /usr/share/shorewall/action.Drop for chain Drop...
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
Rule "PARAM - - icmp fragmentation-needed" 0
Rule "PARAM - - icmp time-exceeded" 0
..End Macro /usr/share/shorewall/macro.AllowICMPs
..Expanding inline action /usr/share/shorewall/action.Invalid...
..End inline action /usr/share/shorewall/action.Invalid
..Expanding Macro /usr/share/shorewall/macro.SMB...
Rule "PARAM - - udp 135,445" 0
Rule " PARAM - - udp 137:139" 0
Rule "PARAM - - udp 1024: 137" 0
Rule "PARAM - - tcp 135,139,445" 0
..End Macro /usr/share/shorewall/macro.SMB
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
Rule "PARAM - - udp 1900" 0
..End Macro /usr/share/shorewall/macro.DropUPnP
..Expanding inline action /usr/share/shorewall/action.NotSyn...
..End inline action /usr/share/shorewall/action.NotSyn
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
Rule "PARAM - - udp - 53" 0
..End Macro /usr/share/shorewall/macro.DropDNSrep
Policy DROP from schl to fw using chain schl-fw
Policy DROP from schl to pinet using chain schl-pinet
Policy DROP from schl to inet using chain schl-inet
Policy REJECT from pinet to fw using chain pinet-fw
Policy DROP from pinet to schl using chain pinet-schl
Policy DROP from pinet to inet using chain pinet-inet
Policy DROP from inet to fw using chain inet-fw
Policy DROP from inet to schl using chain inet-schl
Policy DROP from inet to pinet using chain inet-pinet
Generating Rule Matrix...
Handling complex zones...
Entering main matrix-generation loop...
Chain eno1_in deleted
Chain eno1_fwd deleted
Chain enp2s0_in deleted
Chain enp2s0_fwd deleted
Chain ppp0_in deleted
Chain ppp0_fwd deleted
Finishing matrix...
Optimizing Ruleset...
Table raw pass 1, 2 referenced chains, level 4a...
Table raw pass 2, 2 referenced chains, level 4b...
Table raw pass 2, 0 referenced user chains, level 8...
Table raw pass 3, 2 referenced user chains, level 16...
Table raw Optimized -- Passes =
Table nat pass 1, 7 referenced chains, level 4a...
1 references to chain eno1_masq replaced
Chain eno1_masq deleted
Table nat pass 2, 6 referenced chains, level 4a...
Table nat pass 3, 6 referenced chains, level 4a...
Table nat pass 4, 6 referenced chains, level 4b...
Table nat pass 5, 1 short chains, level 4b...
Table nat pass 5, 3 referenced user chains, level 8...
Table nat pass 6, 6 referenced user chains, level 16...
Table nat Optimized -- Passes =
Table mangle pass 1, 11 referenced chains, level 4a...
Chain tcin deleted
Chain tcpost deleted
Empty chain tcfor deleted
Table mangle pass 2, 8 referenced chains, level 4a...
Table mangle pass 3, 8 referenced chains, level 4b...
Table mangle pass 4, 3 short chains, level 4b...
Table mangle pass 4, 3 referenced user chains, level 8...
Table mangle pass 5, 8 referenced user chains, level 16...
Table mangle Optimized -- Passes =
Table filter pass 1, 30 referenced chains, level 4a...
5 ACCEPT rules deleted from chain fw-pinet
Table filter pass 2, 30 referenced chains, level 4a...
1 references to chain fw-pinet replaced
Chain fw-pinet deleted
Table filter pass 3, 29 referenced chains, level 4a...
Table filter pass 4, 29 referenced chains, level 4b...
Table filter pass 5, 4 short chains, level 4b...
Table filter pass 5, 26 referenced user chains, level 8...
Chain inet-schl combined with inet-pinet
1 references to chain inet-schl replaced
Chain inet-schl deleted
Chain inet-pinet renamed to ~comb0
Table filter pass 6, 25 referenced user chains, level 8...
Table filter pass 7, 28 referenced user chains, level 16...
Table filter Optimized -- Passes =
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Configuration uses these capabilities ('*' denotes required):
ADDRTYPE
AMANDA_HELPER*
COMMENTS
CONNMARK*
CONNMARK_MATCH*
CONNTRACK_MATCH
CT_TARGET
ENHANCED_REJECT
EXMARK
FTP_HELPER*
FWMARK_RT_MASK
GOTO_TARGET
H323_HELPER*
IPTABLES_S
IRC_HELPER*
LOG_TARGET*
MANGLE_ENABLED
MANGLE_FORWARD
MARK
MULTIPORT*
NAT_ENABLED
NETBIOS_NS_HELPER
NEW_CONNTRACK_MATCH
PPTP_HELPER*
RAW_TABLE
RECENT_MATCH
SANE_HELPER*
SIP_HELPER*
SNMP_HELPER*
TCPMSS_TARGET*
TFTP_HELPER*
WAIT_OPTION
XMULTIPORT*
Starting Shorewall....
Device "ppp0" does not exist.
Initializing...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up log backend
Log Backend set to nf_log_ipv4
Disabling Kernel Automatic Helper Association
Shorewall-generated routing tables and routing rules removed
Adding Providers...
WARNING: Interface ppp0 is not usable -- Provider raw (1) not Started
Provider school (2) Started
Default route 'nexthop via 172.16.135.254 dev eno1 weight 1' Added
Preparing iptables-restore input...
Running /sbin/iptables-restore ...
IPv4 Forwarding Enabled
done.
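Editor's note on the start output above: the "Device ppp0 does not exist" warning is harmless for a hand start, because ppp0 is declared optional and the run still finishes with "done."; it does not explain why nothing is running after a reboot. The post leaves three things undecided that one short check separates: whether STARTUP_ENABLED really resolves to Yes, whether shorewall.service is actually enabled on the school box (a unit file identical to the home one proves nothing, since enabling is a symlink under /etc/systemd/system and never changes /lib/systemd/system), and what state shorewall-init.service is in. Until that is settled the school side sits unfiltered after every reboot, so it is worth answering rather than reinstalling. The script below is an added diagnostic written for this page, not code from the original post or from the Shorewall project. It assumes the stock unit names (shorewall.service, shorewall-init.service) and the stock configuration path, and uses only `systemctl is-enabled`, `systemctl is-active` and `journalctl -b -u` from systemd.

```shell
#!/bin/sh
# Added diagnostic for "Shorewall is stopped after boot" on a systemd host.
# Illustrative code for this page, not part of Shorewall or of the original
# post. Assumes the stock unit names and config path; override SHOREWALL_CONF
# to read a different file.

SHOREWALL_CONF="${SHOREWALL_CONF:-/etc/shorewall/shorewall.conf}"

# Effective value of a shorewall.conf setting: skips commented-out lines,
# drops a trailing comment, strips surrounding quotes and whitespace.
# Shorewall takes the last assignment in the file, so this does too.
conf_value() {
    grep -E "^[[:space:]]*$1=" "$2" 2>/dev/null | tail -n 1 \
        | sed -e 's/^[^=]*=//' \
              -e 's/[[:space:]]*#.*$//' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e "s/^[\"']\(.*\)[\"']\$/\1/"
}

# 0 if STARTUP_ENABLED is Yes (case-insensitive), 1 otherwise. Shorewall
# refuses "start" while it is anything but Yes, at boot as well as by hand.
startup_enabled() {
    case "$(conf_value STARTUP_ENABLED "$1" | tr '[:upper:]' '[:lower:]')" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# "<enabled-state>/<active-state>" for a unit, e.g. "enabled/active" or
# "disabled/inactive"; "absent" where systemctl prints nothing for it.
# is-enabled and is-active report through their exit status, so a non-zero
# status here is expected and must not abort the script.
unit_state() {
    en=$(systemctl is-enabled "$1" 2>/dev/null) || :
    ac=$(systemctl is-active "$1" 2>/dev/null) || :
    printf '%s/%s\n' "${en:-absent}" "${ac:-absent}"
}

# Pull the three facts together, then show what the journal recorded for
# this boot: on a systemd host that is the first place a unit's start-up
# output goes, whatever does or does not reach /var/log/messages.
boot_check() {
    conf="${1:-$SHOREWALL_CONF}"
    printf 'STARTUP_ENABLED (%s): %s\n' "$conf" "$(conf_value STARTUP_ENABLED "$conf")"
    startup_enabled "$conf" || echo '  -> not Yes: "shorewall start" is refused'
    for u in shorewall.service shorewall-init.service; do
        printf '%s: %s\n' "$u" "$(unit_state "$u")"
    done
    # A unit file identical to the home box's still does nothing at boot
    # unless it is enabled on this box: enabling creates a symlink under
    # /etc/systemd/system and leaves /lib/systemd/system untouched.
    case "$(unit_state shorewall.service)" in
        enabled/*) ;;
        *) echo '  -> shorewall.service is not enabled: "systemctl enable shorewall.service"' ;;
    esac
    if command -v journalctl >/dev/null 2>&1; then
        echo '--- journal for this boot ---'
        journalctl -b --no-pager -u shorewall.service -u shorewall-init.service 2>/dev/null | tail -n 20
    fi
}

# Only run automatically on a host that actually has Shorewall and systemd;
# elsewhere the functions are merely defined.
if [ -r "$SHOREWALL_CONF" ] && command -v systemctl >/dev/null 2>&1; then
    boot_check "$SHOREWALL_CONF"
fi
```

Run it as root on the school box; if shorewall.service shows up as disabled the fix is the enable command it prints, and if shorewall-init.service is enabled as well, its journal lines for the same boot show whether it ran before or instead of the main unit.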
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users