Re: [gentoo-user] Looking for help with Shorewall

2006-05-21 Thread Jerry Turba

John Jolet wrote:


Jerry wrote:

I am setting up gentoo on another computer and cannot get shorewall  
to start properly. I had used another version of shorewall previously 
but cannot get 3.0.4  to work. I have read and tried to follow the 
instruction in /usr/share/doc/shorewall-3.0.4/Samples/one-interface 
but no success. I have  dialup modem, one other computer connected 
via eth0. If root runs  'which ip' the response is '/sbin/ip'.


/etc/shorewall/zones:
#ZONE   TYPE    OPTIONS         IN              OUT
#                               OPTIONS         OPTIONS

net     ipv4    -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0    -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy:
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST

$FW     net     ACCEPT
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules: has all rules commented out to try to make the 
startup as simple as possible.


When I run shorewall start:

[EMAIL PROTECTED]:/etc/shorewall #  shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Not available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Not available
  Packet Type Match: Not available
  Policy Match: Not available
  Physdev Match: Not available
  IP range Match: Not available
  Recent Match: Not available
  Owner Match: Not available
  Ipset Match: Not available
  CONNMARK Target: Not available
  Connmark Match: Not available
  Raw Table: Available
  CLASSIFY Target: Not available
Determining Zones...
  IPv4 Zones: net
  Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
  net Zone: ppp0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
  Pre-processing /usr/share/shorewall/action.Drop...
  ..Expanding Macro /usr/share/shorewall/macro.Auth...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.SMB...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
  ..End Macro
  Pre-processing /usr/share/shorewall/action.Reject...
  Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
iptables: No chain/target/match by that name
  ERROR: Command /sbin/iptables -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT Failed

Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

[EMAIL PROTECTED]:/etc/shorewall #  shorewall status
Shorewall-3.0.4 Status at backup - Thu May 18 16:30:45 UTC 2006

Shorewall is stopped
State:Stopped (Thu May 18 16:28:59 UTC 2006)

Now I cannot connect to the internet through the modem nor ssh to the 
other computer. I was able to do both before running shorewall start.


[EMAIL PROTECTED]:/etc/shorewall #  /etc/init.d/iptables stop
* Saving iptables state 
...[ ok ]
* Stopping firewall 
...[ ok ]

[EMAIL PROTECTED]:/etc/shorewall #  ssh main
Password:

Now I can ssh and connect to the internet.

What am I doing wrong? Any advice appreciated.

Jerry


To get your access back, issue shorewall clear.
The problem on start is that you don't have those capabilities listed 
activated in your kernel.


I figured out which capabilities I needed in the kernel and now shorewall 
starts without complaining.


Thanks, John.

jerry
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Looking for help with Shorewall

2006-05-21 Thread Jerry Turba

Ryan Tandy wrote:


Jerry wrote:


[EMAIL PROTECTED]:/etc/shorewall #  shorewall start


Any particular reason why you're running that instead of 
/etc/init.d/shorewall start?



That's what the docs suggested as the start command.


Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Not available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Not available
  Packet Type Match: Not available
  Policy Match: Not available
  Physdev Match: Not available
  IP range Match: Not available
  Recent Match: Not available
  Owner Match: Not available
  Ipset Match: Not available
  CONNMARK Target: Not available
  Connmark Match: Not available
  Raw Table: Available
  CLASSIFY Target: Not available


Hmmm... looks like you're missing a few fairly necessary components. 
Might want to add a bit more to your iptables configuration in your 
kernel config, or have some fun with modprobe.



I rebuilt the kernel with more iptables modules and shorewall works fine.



iptables: No chain/target/match by that name
  ERROR: Command /sbin/iptables -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT Failed


This is caused by the line Connection Tracking Match: Not available 
- you need to build into your kernel or modprobe the conntrack module.


Now I cannot connect to the internet through the modem nor ssh to the 
other computer. I was able to do both before running shorewall start.


shorewall clear or /etc/init.d/shorewall clear



[EMAIL PROTECTED]:/etc/shorewall #  /etc/init.d/iptables stop
* Saving iptables state 
...[ ok ]
* Stopping firewall 
...[ ok ]


You don't need to have iptables running for shorewall to work (I know 
I don't).


delta ~ # /etc/init.d/shorewall status
 * status:  started
delta ~ # /etc/init.d/iptables status
 * status:  stopped

HTH.

Ryan


Thanks for the help, Ryan.

jerry
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Looking for help with Shorewall

2006-05-21 Thread Jerry Turba

Uwe Thiem wrote:


On 18 May 2006 17:38, Jerry wrote:



Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Not available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Not available
  Packet Type Match: Not available
  Policy Match: Not available
  Physdev Match: Not available
  IP range Match: Not available
  Recent Match: Not available
  Owner Match: Not available
  Ipset Match: Not available
  CONNMARK Target: Not available
  Connmark Match: Not available
  Raw Table: Available
  CLASSIFY Target: Not available

What am I doing wrong? Any advice appreciated.



You haven't configured your kernel for firewalling.

Uwe



Reconfigured the kernel and all is fine.
Thanks, Uwe.

jerry
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Looking for help with Shorewall

2006-05-19 Thread Uwe Thiem
On 18 May 2006 17:38, Jerry wrote:

 Shorewall has detected the following iptables/netfilter capabilities:
NAT: Not available
Packet Mangling: Available
Multi-port Match: Not available
Connection Tracking Match: Not available
Packet Type Match: Not available
Policy Match: Not available
Physdev Match: Not available
IP range Match: Not available
Recent Match: Not available
Owner Match: Not available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available
CLASSIFY Target: Not available

 What am I doing wrong? Any advice appreciated.

You haven't configured your kernel for firewalling.

Uwe

-- 
Mark Twain: I rather decline two drinks than a German adjective.
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Looking for help with Shorewall

2006-05-18 Thread Jerry
I am setting up gentoo on another computer and cannot get shorewall  to 
start properly. I had used another version of shorewall previously but 
cannot get 3.0.4  to work. I have read and tried to follow the 
instruction in /usr/share/doc/shorewall-3.0.4/Samples/one-interface but 
no success. I have  dialup modem, one other computer connected via eth0. 
If root runs  'which ip' the response is '/sbin/ip'.


/etc/shorewall/zones:
#ZONE   TYPE    OPTIONS         IN              OUT
#                               OPTIONS         OPTIONS

net     ipv4    -
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     ppp0    -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/policy:
#SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
$FW     net     ACCEPT
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules: has all rules commented out to try to make the 
startup as simple as possible.


When I run shorewall start:

[EMAIL PROTECTED]:/etc/shorewall #  shorewall start
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Starting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Not available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Not available
  Packet Type Match: Not available
  Policy Match: Not available
  Physdev Match: Not available
  IP range Match: Not available
  Recent Match: Not available
  Owner Match: Not available
  Ipset Match: Not available
  CONNMARK Target: Not available
  Connmark Match: Not available
  Raw Table: Available
  CLASSIFY Target: Not available
Determining Zones...
  IPv4 Zones: net
  Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
  net Zone: ppp0:0.0.0.0/0
Processing /etc/shorewall/init ...
Pre-processing Actions...
  Pre-processing /usr/share/shorewall/action.Drop...
  ..Expanding Macro /usr/share/shorewall/macro.Auth...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.SMB...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
  ..End Macro
  ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
  ..End Macro
  Pre-processing /usr/share/shorewall/action.Reject...
  Pre-processing /usr/share/shorewall/action.Limit...
Deleting user chains...
iptables: No chain/target/match by that name
  ERROR: Command /sbin/iptables -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT Failed

Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
IP Forwarding Enabled
Processing /etc/shorewall/stopped ...
Terminated

[EMAIL PROTECTED]:/etc/shorewall #  shorewall status
Shorewall-3.0.4 Status at backup - Thu May 18 16:30:45 UTC 2006

Shorewall is stopped
State:Stopped (Thu May 18 16:28:59 UTC 2006)

Now I cannot connect to the internet through the modem nor ssh to the 
other computer. I was able to do both before running shorewall start.


[EMAIL PROTECTED]:/etc/shorewall #  /etc/init.d/iptables stop
* Saving iptables state 
...[ ok ]
* Stopping firewall 
...[ ok ]

[EMAIL PROTECTED]:/etc/shorewall #  ssh main
Password:

Now I can ssh and connect to the internet.

What am I doing wrong? Any advice appreciated.

Jerry

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Looking for help with Shorewall

2006-05-18 Thread Ryan Tandy

Jerry wrote:


[EMAIL PROTECTED]:/etc/shorewall #  shorewall start
Any particular reason why you're running that instead of 
/etc/init.d/shorewall start?



Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Not available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Not available
  Packet Type Match: Not available
  Policy Match: Not available
  Physdev Match: Not available
  IP range Match: Not available
  Recent Match: Not available
  Owner Match: Not available
  Ipset Match: Not available
  CONNMARK Target: Not available
  Connmark Match: Not available
  Raw Table: Available
  CLASSIFY Target: Not available
Hmmm... looks like you're missing a few fairly necessary components. 
Might want to add a bit more to your iptables configuration in your 
kernel config, or have some fun with modprobe.



iptables: No chain/target/match by that name
  ERROR: Command /sbin/iptables -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT Failed
This is caused by the line Connection Tracking Match: Not available - 
you need to build into your kernel or modprobe the conntrack module.


Now I cannot connect to the internet through the modem nor ssh to the 
other computer. I was able to do both before running shorewall start.

shorewall clear or /etc/init.d/shorewall clear



[EMAIL PROTECTED]:/etc/shorewall #  /etc/init.d/iptables stop
* Saving iptables state 
...[ ok ]
* Stopping firewall 
...[ ok ]
You don't need to have iptables running for shorewall to work (I know I 
don't).


delta ~ # /etc/init.d/shorewall status
 * status:  started
delta ~ # /etc/init.d/iptables status
 * status:  stopped

HTH.

Ryan
--
gentoo-user@gentoo.org mailing list
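An added example, not code from this thread or from the Shorewall project: a small POSIX sh script that turns the capability block Shorewall prints at start into a checklist of missing netfilter extensions, pulls the match and target names out of the failing iptables command in the ERROR line, and looks each one up in the running kernel's /proc/net/ip_tables_matches and /proc/net/ip_tables_targets (those files are populated once ip_tables is loaded). The sample report is constructed and shortened from the one in the thread; the capability-name-to-extension mapping in extension_for is my assumption from iptables extension names, not something the thread or Shorewall states.

```shell
#!/bin/sh
# Added example: map Shorewall's "Not available" capabilities to iptables
# extensions and check whether the running kernel provides them.

# Constructed sample, shortened from the capability report in the thread.
SAMPLE_REPORT='Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Not available
  Packet Mangling: Available
  Multi-port Match: Not available
  Connection Tracking Match: Not available
  Raw Table: Available
  CLASSIFY Target: Not available'

# Constructed sample of the failing command as Shorewall printed it.
SAMPLE_FAILED_CMD='/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Print the capability names reported as "Not available", one per line.
missing_capabilities() {
    printf '%s\n' "$1" | sed -n 's/^ *\(.*\): Not available *$/\1/p'
}

# Map a Shorewall capability name to the extension it needs, as
# "match:<name>" or "target:<name>". Assumption of this example, drawn from
# iptables extension names; unknown names are passed through as "unknown:".
extension_for() {
    case "$1" in
        "Connection Tracking Match") echo "match:conntrack" ;;
        "Multi-port Match")          echo "match:multiport" ;;
        "Owner Match")               echo "match:owner" ;;
        "Recent Match")              echo "match:recent" ;;
        "NAT")                       echo "target:MASQUERADE" ;;
        "CLASSIFY Target")           echo "target:CLASSIFY" ;;
        "CONNMARK Target")           echo "target:CONNMARK" ;;
        *)                           echo "unknown:$1" ;;
    esac
}

# Extract "-m NAME" matches and the "-j NAME" target from an iptables
# command line, in the same "kind:name" form.
command_extensions() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "-m") print "match:" $(i + 1)
            if ($i == "-j") print "target:" $(i + 1)
        }
    }'
}

# Return 0 if the running kernel has the extension registered. Built-in
# verdicts are always present; an unreadable /proc file counts as absent.
kernel_has() {
    kind=${1%%:*}
    name=${1#*:}
    case "$kind:$name" in
        target:ACCEPT|target:DROP|target:RETURN|target:QUEUE) return 0 ;;
    esac
    case "$kind" in
        match)  f=/proc/net/ip_tables_matches ;;
        target) f=/proc/net/ip_tables_targets ;;
        *)      return 1 ;;
    esac
    [ -r "$f" ] && grep -qx "$name" "$f"
}

# Report each extension as present or missing in the live kernel.
report_line() {
    if kernel_has "$1"; then
        printf '%-40s %-20s present in kernel\n' "$2" "$1"
    else
        printf '%-40s %-20s MISSING (build in or modprobe)\n' "$2" "$1"
    fi
}

# Walk the capability report, then the extensions used by the failed command.
check_report() {
    missing_capabilities "$1" | while IFS= read -r cap; do
        report_line "$(extension_for "$cap")" "$cap"
    done
    command_extensions "$2" | while IFS= read -r ext; do
        report_line "$ext" "failed command"
    done
}

check_report "$SAMPLE_REPORT" "$SAMPLE_FAILED_CMD"
```

Run it on the capability block and ERROR line copied from your own shorewall start output; on the machine in the thread every line would come back MISSING until the matching kernel options are built or the modules loaded, which is the state Ryan and Uwe diagnosed.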