Hi Marco, thanks for your report. Could you please provide your configuration files:
/etc/arno-iptables-firewall/debconf.cfg /etc/arno-iptables-firewall/firewall.conf Please be sure to remove any possibly confidential information from it before posting. Thanks, Michael On Wed, Feb 27, 2008 at 11:58:21AM +0100, Marco Rijnsburger wrote: > Package: arno-iptables-firewall > Version: 1.8.8.i-2 > Severity: important > > > > -- System Information: > Debian Release: lenny/sid > APT prefers testing > APT policy: (500, 'testing') > Architecture: sparc (sparc64) > > Kernel: Linux 2.6.18-3-sparc64-smp (SMP w/1 CPU core) > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) > Shell: /bin/sh linked to /bin/bash > > Versions of packages arno-iptables-firewall depends on: > ii debconf [debconf-2.0] 1.5.19 Debian configuration management > sy > ii gawk 1:3.1.5.dfsg-4 GNU awk, a pattern scanning and > pr > ii iptables 1.3.8.0debian1-1 administration tools for packet > fi > ii lynx 2.8.6-2 Text-mode WWW Browser > > Versions of packages arno-iptables-firewall recommends: > ii iproute 20080108-1 Professional tools to control > the > > -- debconf information: > * arno-iptables-firewall/config-int-nat-net: 172.16.2.0 > * arno-iptables-firewall/dynamic-ip: false > * arno-iptables-firewall/config-int-net: 255.255.255.0 > * arno-iptables-firewall/icmp-echo: true > * arno-iptables-firewall/services-udp: 53 > arno-iptables-firewall/title: > * arno-iptables-firewall/config-ext-if: eth0 > * arno-iptables-firewall/services-tcp: 25 53 110 143 443 10000 > * arno-iptables-firewall/restart: true > * arno-iptables-firewall/config-int-if: eth1 > * arno-iptables-firewall/nat: true > * arno-iptables-firewall/debconf-wanted: true > > # ./arno-iptables-firewall start > Arno's Iptables Firewall Script 1.8.8.i-2 > ------------------------------------------------------------------------------- > Sanity checks passed...OK > Detected IPTABLES module... Loading additional IPTABLES modules: > All IPTABLES modules loaded! > Setting the kernel ring buffer to only log panic messages to the console > Configuring /proc/.... settings: > Enabling anti-spoof with rp_filter > Enabling SYN-flood protection via SYN-cookies > Disabling the logging of martians > Disabling the acception of ICMP-redirect messages > Setting the max. amount of simultaneous connections to 16384 > Enabling protection against source routed packets > Setting default conntrack timeouts > Enabling reduction of the DoS'ing ability > Setting Default TTL=64 > Disabling ECN (Explicit Congestion Notification) > Enabling support for dynamic IP's > Flushing route table > /proc/ setup done... > Flushing rules in the filter table > Setting default (secure) policies > Using loglevel "info" for syslogd > > Setting up firewall rules: > ------------------------------------------------------------------------------- > Accepting packets from the local loopback device > Enabling setting the maximum packet size via MSS > Enabling mangling TOS > Logging of stealth scans (nmap probes etc.) enabled > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > Logging of packets with bad TCP-flags enabled > iptables: Invalid argument > iptables: Invalid argument > Logging of INVALID packets disabled > Logging of fragmented packets enabled > iptables: Invalid argument > Logging of access from reserved addresses enabled > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > Setting up anti-spoof rules > Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules > Loading (user) plugins > iptables: Invalid argument > Setting up INPUT policy for the external net (INET): > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > Enabling support for a DHCP assigned IP on external interface(s): eth0 > Logging of explicitly blocked hosts enabled > Logging of denied local output connections enabled > Packets will NOT be checked for private source addresses > Allowing the whole world to connect to TCP port(s): 22 > Allowing the whole world to send ICMP-requests(ping) > iptables: Invalid argument > Logging of dropped ICMP-request(ping) packets enabled > iptables: Invalid argument > Logging of dropped other ICMP packets enabled > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > Logging of possible stealth scans enabled > iptables: Invalid argument > iptables: Invalid argument > Logging of (other) connection attempts to PRIVILEGED TCP ports enabled > iptables: Invalid argument > Logging of (other) connection attempts to PRIVILEGED UDP ports enabled > iptables: Invalid argument > Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled > iptables: Invalid argument > Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled > iptables: Invalid argument > Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled > iptables: Invalid argument > Logging of ICMP flooding enabled > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > iptables: Invalid argument > Applying INET policy to external (INET) interface: eth0 (without an external > su) > iptables: Invalid argument > Setting up INPUT policy for internal (LAN) interface(s): eth1 eth2 > Allowing ICMP-requests(ping) > iptables: Invalid argument > iptables: Invalid argument > Allowing all (other) protocols > iptables: Invalid argument > Setting up FORWARD policy for internal (LAN) interface(s): eth1 eth2 > Logging of denied LAN->INET FORWARD connections enabled > Setting up LAN->INET policy: > Allowing ICMP-requests(ping) > iptables: Invalid argument > iptables: Invalid argument > Allowing all (other) protocols > Security is ENFORCED for external interface(s) in the FORWARD chain > iptables: Invalid argument > > Feb 27 11:55:28 All firewall rules applied. > -- GPG key: 1024D/3144BE0F Michael Hanke http://apsy.gse.uni-magdeburg.de/hanke ICQ: 48230050 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

