Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread colony.three--- via Shorewall-users
Whups, reboot fixed it.  Pardon the noise.

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users


Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread colony.three--- via Shorewall-users
‐‐‐ Original Message ‐‐‐

On April 16, 2018 12:16 PM,  wrote:

>
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On April 16, 2018 11:30 AM, Tom Eastep teas...@shorewall.net wrote:
> 
> > On 04/16/2018 11:03 AM, colony.three--- via Shorewall-users wrote:
> > 
> > > ‐‐‐ Original Message ‐‐‐
> > > 
> > > On April 16, 2018 10:56 AM, Tom Eastep teas...@shorewall.net wrote:
> > > 
> > > > On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
> > > > 
> > > > > ‐‐‐ Original Message ‐‐‐
> > > > > 
> > > > > On April 16, 2018 10:42 AM, Tom Eastep teas...@shorewall.net wrote:
> > > > > 
> > > > > > On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> > > > > > 
> > > > > > > Anyone seen this?
> > > > > > > 
> > > > > > > Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> > > > > > > 
> > > > > > > Nov 29 01:42:29 Applying Policies...
> > > > > > > 
> > > > > > > Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast 
> > > > > > > for
> > > > > > > 
> > > > > > > chain Broadcast...
> > > > > > > 
> > > > > > > Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
> > > > > > > 
> > > > > > > /usr/share/shorewall/action.Broadcast (line 1)
> > > > > > > 
> > > > > > > from  (line EOF)
> > > > > > > 
> > > > > > > shorewall version
> > > > > > > =
> > > > > > > 
> > > > > > > 5.0.15.6
> > > > > > 
> > > > > > Don't see why you would be getting that message on 5.0.15.6. What 
> > > > > > does
> > > > > > 
> > > > > > your /usr/share/shorewall/action.Broadcast look like?
> > > > 
> > > > What is your setting of DROP_DEFAULT in shorewall.conf?
> > > > 
> > > > -Tom
> > > 
> > > DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
> > > 
> > > I didn't change it, but commenting it out does not help. Same with the 
> > > other settings which specify (DROP),Multicast(DROP).
> > > 
> > > I do have a restrictive sysctl, if that makes any difference. It's 
> > > working fine on all my other (CentOS7.4) machines. (attached)
> > 
> > Those settings are not valid on 5.0.15.6. The ability to list multiple
> > 
> > actions wasn't introduced until Shorewall 5.1.2.
> > 
> > -Tom
> 
> Oh, Ok. I'd grafted in my config from CentOS to the Pi.
> 
> Thanks Tom.


Except same error, now that I've replaced those stanzas with:

ACCEPT_DEFAULT="none"
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT=Reject

I'd copied the whole /etc/shorewall directory from CentOS to Raspbian.  I only 
find the bad stanzas in shorewall.conf but they're commented out now yet I get 
the same error.



Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread colony.three--- via Shorewall-users

‐‐‐ Original Message ‐‐‐

On April 16, 2018 11:30 AM, Tom Eastep  wrote:

>
> 
> On 04/16/2018 11:03 AM, colony.three--- via Shorewall-users wrote:
> 
> > ‐‐‐ Original Message ‐‐‐
> > 
> > On April 16, 2018 10:56 AM, Tom Eastep teas...@shorewall.net wrote:
> > 
> > > On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
> > > 
> > > > ‐‐‐ Original Message ‐‐‐
> > > > 
> > > > On April 16, 2018 10:42 AM, Tom Eastep teas...@shorewall.net wrote:
> > > > 
> > > > > On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> > > > > 
> > > > > > Anyone seen this?
> > > > > > 
> > > > > > Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> > > > > > 
> > > > > > Nov 29 01:42:29 Applying Policies...
> > > > > > 
> > > > > > Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
> > > > > > 
> > > > > > chain Broadcast...
> > > > > > 
> > > > > > Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
> > > > > > 
> > > > > > /usr/share/shorewall/action.Broadcast (line 1)
> > > > > > 
> > > > > > from  (line EOF)
> > > > > > 
> > > > > > shorewall version
> > > > > > =
> > > > > > 
> > > > > > 5.0.15.6
> > > > > 
> > > > > Don't see why you would be getting that message on 5.0.15.6. What does
> > > > > 
> > > > > your /usr/share/shorewall/action.Broadcast look like?
> > > 
> > > What is your setting of DROP_DEFAULT in shorewall.conf?
> > > 
> > > -Tom
> > 
> > DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
> > 
> > I didn't change it, but commenting it out does not help. Same with the 
> > other settings which specify (DROP),Multicast(DROP).
> > 
> > I do have a restrictive sysctl, if that makes any difference. It's working 
> > fine on all my other (CentOS7.4) machines. (attached)
> 
> Those settings are not valid on 5.0.15.6. The ability to list multiple
> 
> actions wasn't introduced until Shorewall 5.1.2.
> 
> -Tom
> 


Oh, Ok.  I'd grafted in my config from CentOS to the Pi.

Thanks Tom.



Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread Tom Eastep
On 04/16/2018 11:03 AM, colony.three--- via Shorewall-users wrote:
> 
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On April 16, 2018 10:56 AM, Tom Eastep  wrote:
> 
>>
>>
>> On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
>>
>>> ‐‐‐ Original Message ‐‐‐
>>>
>>> On April 16, 2018 10:42 AM, Tom Eastep teas...@shorewall.net wrote:
>>>
>>>> On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
>>>>
>>>>> Anyone seen this?
>>>>>
>>>>> Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
>>>>>
>>>>> Nov 29 01:42:29 Applying Policies...
>>>>>
>>>>> Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
>>>>>
>>>>> chain Broadcast...
>>>>>
>>>>> Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
>>>>>
>>>>> /usr/share/shorewall/action.Broadcast (line 1)
>>>>>
>>>>> from  (line EOF)
>>>>>
>>>>> shorewall version
>>>>> =
>>>>>
>>>>> 5.0.15.6
>>>>
>>>> Don't see why you would be getting that message on 5.0.15.6. What does
>>>>
>>>> your /usr/share/shorewall/action.Broadcast look like?
>>
>> What is your setting of DROP_DEFAULT in shorewall.conf?
>>
>> -Tom
>>
> 
> 
> DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
> 
> I didn't change it, but commenting it out does not help.  Same with the other 
> settings which specify (DROP),Multicast(DROP).
> 
> I do have a restrictive sysctl, if that makes any difference.  It's working 
> fine on all my other (CentOS7.4) machines. (attached)
> 
> 

Those settings are not valid on 5.0.15.6. The ability to list multiple
actions wasn't introduced until Shorewall 5.1.2.

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___
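
A pre-flight check for the situation in this thread, where a shorewall.conf written for a newer release is copied to a host running an older one. This is an added example, not code from the thread or from the Shorewall project: the function names and the sample file are constructed, and the 5.1.2 threshold is the one stated in the reply above.

```shell
# Added example: flag active *_DEFAULT settings that list several actions.

# version_lt A B: succeed when dotted version A is older than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# find_multi_action_defaults CONF: print "lineno:setting" for each
# uncommented *_DEFAULT whose value has a comma outside parentheses.
find_multi_action_defaults() {
    awk '
        /^[ \t]*#/ { next }                  # commented-out settings are inert
        /^[ \t]*[A-Z]+_DEFAULT[ \t]*=/ {
            value = $0
            sub(/^[^=]*=/, "", value)
            depth = 0; top = 0
            for (i = 1; i <= length(value); i++) {
                c = substr(value, i, 1)
                if (c == "(") depth++
                else if (c == ")") depth--
                else if (c == "," && depth == 0) top++
            }
            if (top > 0) printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

# check_conf CONF VERSION: list offenders and fail if VERSION < 5.1.2.
check_conf() {
    offenders=$(find_multi_action_defaults "$1")
    if [ -n "$offenders" ] && version_lt "$2" 5.1.2; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample file; the values are the ones quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample shorewall.conf fragment
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
#REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
REJECT_DEFAULT=Reject
EOF
check_conf "$sample" 5.0.15.6 || echo "settings above need Shorewall >= 5.1.2"
```

On a real host the call would be `check_conf /etc/shorewall/shorewall.conf "$(shorewall version)"`, run before starting the firewall with a configuration copied from another machine.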





Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread colony.three--- via Shorewall-users


‐‐‐ Original Message ‐‐‐

On April 16, 2018 10:56 AM, Tom Eastep  wrote:

>
> 
> On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
> 
> > ‐‐‐ Original Message ‐‐‐
> > 
> > On April 16, 2018 10:42 AM, Tom Eastep teas...@shorewall.net wrote:
> > 
> > > On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> > > 
> > > > Anyone seen this?
> > > > 
> > > > Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> > > > 
> > > > Nov 29 01:42:29 Applying Policies...
> > > > 
> > > > Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
> > > > 
> > > > chain Broadcast...
> > > > 
> > > > Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
> > > > 
> > > > /usr/share/shorewall/action.Broadcast (line 1)
> > > > 
> > > > from  (line EOF)
> > > > 
> > > > shorewall version
> > > > =
> > > > 
> > > > 5.0.15.6
> > > 
> > > Don't see why you would be getting that message on 5.0.15.6. What does
> > > 
> > > your /usr/share/shorewall/action.Broadcast look like?
> 
> What is your setting of DROP_DEFAULT in shorewall.conf?
> 
> -Tom
> 


DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"

I didn't change it, but commenting it out does not help.  Same with the other 
settings which specify (DROP),Multicast(DROP).

I do have a restrictive sysctl, if that makes any difference.  It's working 
fine on all my other (CentOS7.4) machines. (attached)



#--
# Security

## Kernel config START ##

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Kernel EXEC shield - for RedHat, CentOS, ...
#kernel.exec-shield = 1

# Make the addresses of mmap base, stack, heap and VDSO page randomized
kernel.randomize_va_space = 2

# Reboot system when kernel panic occur, oops will wait 30 seconds until call panic()
kernel.panic = 30
kernel.panic_on_oops = 30

# Disable magic-sysrq key
kernel.sysrq = 0

# No core dumps for SUID
fs.suid_dumpable = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Hide exposed kernel pointers regardless of privileges (2.6.38)
kernel.kptr_restrict = 2

# NULL pointer dereference, lowest virtual address which process can use for mapping
vm.mmap_min_addr = 4096

# Maximum number of file handles that the Linux kernel will allocate
fs.file-max = 65000

# Allow more PIDs
kernel.pid_max = 65536

## Kernel config END ##

## IPv4 networking START ##

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Disable Proxy ARP
net.ipv4.proxy_arp = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Enable tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.mc_forwarding=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0

# Buffer size autotuning - buffer size (and tcp window size) is dynamically updated for each connection.
# This option is not present in kernels older than 2.4.27 or 2.6.7 - update your kernel
# In that case tuning options net.ipv4.tcp_wmem and net.ipv4.tcp_rmem isn't recommended
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 144

# Increase allowed local port range
net.ipv4.ip_local_port_range = 1024 64000

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

## IPv4 networking END ##

## IPv6 networking START ##

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Controls IP packet forwarding
net.ipv6.ip_forward = 0

# This is not a router (RADVD) so accept ads
#net.ipv6.conf.all.accept_ra=1

# Number of Router Solicitations to send until assuming no 

Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread Tom Eastep
On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:
> 
> 
> ‐‐‐ Original Message ‐‐‐
> 
> On April 16, 2018 10:42 AM, Tom Eastep  wrote:
> 
>>
>>
>> On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
>>
>>> Anyone seen this?
>>>
>>> Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
>>>
>>> Nov 29 01:42:29 Applying Policies...
>>>
>>> Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
>>>
>>> chain Broadcast...
>>>
>>> Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
>>>
>>> /usr/share/shorewall/action.Broadcast (line 1)
>>>
>>>   from  (line EOF)
>>>
>>> shorewall version
>>> =
>>>
>>> 5.0.15.6
>>
>> Don't see why you would be getting that message on 5.0.15.6. What does
>>
>> your /usr/share/shorewall/action.Broadcast look like?
>>

What is your setting of DROP_DEFAULT in shorewall.conf?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread colony.three--- via Shorewall-users


‐‐‐ Original Message ‐‐‐

On April 16, 2018 10:42 AM, Tom Eastep  wrote:

>
> 
> On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> 
> > Anyone seen this?
> > 
> > Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> > 
> > Nov 29 01:42:29 Applying Policies...
> > 
> > Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
> > 
> > chain Broadcast...
> > 
> > Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
> > 
> > /usr/share/shorewall/action.Broadcast (line 1)
> > 
> >   from  (line EOF)
> > 
> > shorewall version
> > =
> > 
> > 5.0.15.6
> 
> Don't see why you would be getting that message on 5.0.15.6. What does
> 
> your /usr/share/shorewall/action.Broadcast look like?
> 
> -Tom

Hi Tom,

I should have mentioned that this is on the most current Raspbian, and an 
install of Shorewall I did yesterday.


DEFAULTS DROP,-

?if __ADDRTYPE
@1  -   -   -   ;; -m addrtype --dst-type BROADCAST
@1  -   -   -   ;; -m addrtype --dst-type MULTICAST
@1  -   -   -   ;; -m addrtype --dst-type ANYCAST
?else
?begin perl;

use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;

my ( $action ) = get_action_params( 1 );
my $chainref   = get_action_chain;
my ( $level, $tag )= get_action_logging;

add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level$
add_jump $chainref, $action, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';

log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $le$
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';

1;

?end perl;
?endif






Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)

2018-04-16 Thread Tom Eastep
On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> Anyone seen this?
> Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> Nov 29 01:42:29 Applying Policies...
> Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
> chain Broadcast...
> Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP)
> /usr/share/shorewall/action.Broadcast (line 1)
>   from  (line EOF)
> 
> # shorewall version
> 5.0.15.6
> 

Don't see why you would be getting that message on 5.0.15.6. What does
your /usr/share/shorewall/action.Broadcast look like?

-Tom
-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___





[Shorewall-users] ERROR: Invalid parameter (DROP),Multicast(DROP)

2018-04-16 Thread colony.three--- via Shorewall-users
Anyone seen this?
Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
Nov 29 01:42:29 Applying Policies...
Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Nov 29 01:42:29    ERROR: Invalid parameter (DROP),Multicast(DROP) /usr/share/shorewall/action.Broadcast (line 1)
  from  (line EOF)

# shorewall version
5.0.15.6