Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
Whups, reboot fixed it. Pardon the noise.

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
‐‐‐ Original Message ‐‐‐
On April 16, 2018 12:16 PM, wrote:

> Oh, Ok. I'd grafted in my config from CentOS to the Pi.
>
> Thanks Tom.

Except same error, now that I've replaced those stanzas with:

ACCEPT_DEFAULT="none"
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT="none"
QUEUE_DEFAULT="none"
REJECT_DEFAULT=Reject

I'd copied the whole /etc/shorewall directory from CentOS to Raspbian. I only find the bad stanzas in shorewall.conf but they're commented out now yet I get the same error.
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
‐‐‐ Original Message ‐‐‐
On April 16, 2018 11:30 AM, Tom Eastep wrote:

> Those settings are not valid on 5.0.15.6. The ability to list multiple
> actions wasn't introduced until Shorewall 5.1.2.
>
> -Tom

Oh, Ok. I'd grafted in my config from CentOS to the Pi.

Thanks Tom.
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
On 04/16/2018 11:03 AM, colony.three--- via Shorewall-users wrote:

> DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
>
> I didn't change it, but commenting it out does not help. Same with the other
> settings which specify (DROP),Multicast(DROP).
>
> I do have a restrictive sysctl, if that makes any difference. It's working
> fine on all my other (CentOS7.4) machines. (attached)

Those settings are not valid on 5.0.15.6. The ability to list multiple actions wasn't introduced until Shorewall 5.1.2.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \    an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \    understand
                      \___
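Added example, not part of the original thread and not Shorewall's own code: a POSIX shell check for the incompatibility described in the reply above, where a *_DEFAULT setting that lists several actions is rejected by releases older than 5.1.2. The function names, the sample file and the assumption that versions are dotted numbers belong to this example only.

```shell
#!/bin/sh
# Added example, not Shorewall code: flag *_DEFAULT settings that list
# more than one action on a release older than 5.1.2.

# version_lt A B: succeed when dotted numeric version A is older than B.
version_lt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x%%[!0-9]*} _y=${_y%%[!0-9]*}   # drop suffixes such as "-RC1"
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
    done
    return 1
}

# multi_action_defaults FILE: print active (uncommented) NAME_DEFAULT
# settings whose value names several actions. Commas inside (...) are
# parameters of one action, so parenthesised parts are removed first.
multi_action_defaults() {
    sed -n 's/^[[:space:]]*\([A-Z_]*_DEFAULT\)=/\1=/p' "$1" | tr -d '"' |
    while IFS= read -r _line; do
        _bare=$(printf '%s\n' "${_line#*=}" | sed 's/([^)]*)//g')
        case $_bare in *,*) printf '%s\n' "$_line" ;; esac
    done
    return 0
}

# check_defaults VERSION FILE: return 1 and list the offending settings
# when VERSION predates 5.1.2 and FILE contains multi-action defaults.
check_defaults() {
    version_lt "$1" 5.1.2 || return 0
    _hits=$(multi_action_defaults "$2")
    [ -z "$_hits" ] && return 0
    printf 'Not valid before Shorewall 5.1.2:\n%s\n' "$_hits" >&2
    return 1
}

# Constructed sample, modelled on the settings quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
ACCEPT_DEFAULT="none"
DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"
#REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
REJECT_DEFAULT=Reject
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
check_defaults 5.0.15.6 "$conf" || echo "change these settings or upgrade"
rm -f "$conf"
```

On a live host the call would be check_defaults "$(shorewall version)" /etc/shorewall/shorewall.conf, for instance after copying a configuration directory from a machine running a newer Shorewall.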
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
‐‐‐ Original Message ‐‐‐
On April 16, 2018 10:56 AM, Tom Eastep wrote:

> What is your setting of DROP_DEFAULT in shorewall.conf?
>
> -Tom

DROP_DEFAULT="Broadcast(DROP),Multicast(DROP)"

I didn't change it, but commenting it out does not help. Same with the other settings which specify (DROP),Multicast(DROP).

I do have a restrictive sysctl, if that makes any difference. It's working fine on all my other (CentOS7.4) machines. (attached)

#--
# Security

## Kernel config START ##

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Kernel EXEC shield - for RedHat, CentOS, ...
#kernel.exec-shield = 1

# Make the addresses of mmap base, stack, heap and VDSO page randomized
kernel.randomize_va_space = 2

# Reboot system when a kernel panic occurs, oops will wait 30 seconds until call panic()
kernel.panic = 30
kernel.panic_on_oops = 30

# Disable magic-sysrq key
kernel.sysrq = 0

# No core dumps for SUID
fs.suid_dumpable = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456

# Hide exposed kernel pointers regardless of privileges (2.6.38)
kernel.kptr_restrict = 2

# NULL pointer dereference, lowest virtual address which process can use for mapping
vm.mmap_min_addr = 4096

# Maximum number of file handles that the Linux kernel will allocate
fs.file-max = 65000

# Allow more PIDs
kernel.pid_max = 65536

## Kernel config END ##

## IPv4 networking START ##

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Disable Proxy ARP
net.ipv4.proxy_arp = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Enable tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.all.forwarding=0
net.ipv4.conf.all.mc_forwarding=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0

# Buffer size autotuning - buffer size (and tcp window size) is dynamically updated for each connection.
# This option is not present in kernels older than 2.4.27 or 2.6.7 - update your kernel
# In that case tuning options net.ipv4.tcp_wmem and net.ipv4.tcp_rmem isn't recommended
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 144

# Increase allowed local port range
net.ipv4.ip_local_port_range = 1024 64000

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

## IPv4 networking END ##

## IPv6 networking START ##

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Controls IP packet forwarding
net.ipv6.ip_forward = 0

# This is not a router (RADVD) so accept ads
#net.ipv6.conf.all.accept_ra=1

# Number of Router Solicitations to send until assuming no routers are present.
# T
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
On 04/16/2018 10:50 AM, colony.three--- via Shorewall-users wrote:

> ‐‐‐ Original Message ‐‐‐
> On April 16, 2018 10:42 AM, Tom Eastep wrote:
>
>> Don't see why you would be getting that message on 5.0.15.6. What does
>> your /usr/share/shorewall/action.Broadcast look like?

What is your setting of DROP_DEFAULT in shorewall.conf?

-Tom
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
‐‐‐ Original Message ‐‐‐
On April 16, 2018 10:42 AM, Tom Eastep wrote:

> Don't see why you would be getting that message on 5.0.15.6. What does
> your /usr/share/shorewall/action.Broadcast look like?
>
> -Tom

Hi Tom, I should have mentioned that this is on the most current Raspbian, and an install of Shorewall I did yesterday.

DEFAULTS DROP,-

?if __ADDRTYPE
@1 - - - ;; -m addrtype --dst-type BROADCAST
@1 - - - ;; -m addrtype --dst-type MULTICAST
@1 - - - ;; -m addrtype --dst-type ANYCAST
?else
?begin perl;

use Shorewall::IPAddrs;
use Shorewall::Config;
use Shorewall::Chains;

my ( $action ) = get_action_params( 1 );
my $chainref = get_action_chain;
my ( $level, $tag )= get_action_logging;

add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level$
add_jump $chainref, $action, 0, "-d \$address ";
decr_cmd_level $chainref;
add_commands $chainref, 'done';

log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $le$
add_jump $chainref, $action, 0, '-d 224.0.0.0/4 ';

1;

?end perl;
?endif
Re: [Shorewall-users] ERROR: Invalid parameter (DROP), Multicast(DROP)
On 04/16/2018 10:24 AM, colony.three--- via Shorewall-users wrote:
> Anyone seen this?
> Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
> Nov 29 01:42:29 Applying Policies...
> Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for
> chain Broadcast...
> Nov 29 01:42:29 ERROR: Invalid parameter (DROP),Multicast(DROP)
> /usr/share/shorewall/action.Broadcast (line 1)
> from (line EOF)
>
> # shorewall version
> 5.0.15.6
>

Don't see why you would be getting that message on 5.0.15.6. What does your /usr/share/shorewall/action.Broadcast look like?

-Tom
[Shorewall-users] ERROR: Invalid parameter (DROP),Multicast(DROP)
Anyone seen this?

Nov 29 01:42:29 Compiling MAC Filtration -- Phase 2...
Nov 29 01:42:29 Applying Policies...
Nov 29 01:42:29 Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast...
Nov 29 01:42:29 ERROR: Invalid parameter (DROP),Multicast(DROP) /usr/share/shorewall/action.Broadcast (line 1)
from (line EOF)

# shorewall version
5.0.15.6