Good afternoon,

I figured that since I was putting along with 3.4 and had not had time to upgrade to 4.0 yet, I would do it this morning and see if I could add any input. I had two problems, both concerning starting Shorewall.

I am running SuSE Linux 10.0 on an i586:

> cat /etc/SuSE-release
SUSE LINUX 10.0 (i586)
VERSION = 10.0

The installation is pretty well out-of-the-box, meaning I have only installed patches from SuSE, have not recompiled the kernel, etc.

I upgraded to 4.0 this morning using rpm's (installed common and both compilers), redid the configuration files (.rpmnew) and everything went fine until I did a 'shorewall check' to verify the configuration before restarting. The machine froze, for the most part (only the mouse pointer and, strangely, the KDE volume control worked). I had no response otherwise and had to power off the machine to get any control. I had the same result with both compilers.

Since the other question was about modules and Tom had a suggestion on that one, I took an old /usr/share/shorewall/modules, copied it into /etc/shorewall and I could once again at least try to start shorewall. I can offer very little information about that problem as the machine locks up - any attempt to generate a trace file fails. The last line printed on the screen from 'shorewall debug check' was "Loading modules...". That was also the last line of a debug print from /usr/share/shorewall/lib.base.

I have another 'shorewall start' problem that I believe I have seen before, but I do not seem to remember seeing a solution: there is an error in a line in the /var/lib/shorewall/.iptables-restore-input file:

iptables-restore v1.3.3: addrtype: bad type `BROADCAST-j'
Error occurred at line: 80
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input /sbin/shorewall: line 375: 11947 Terminated ${VARDIR}/.start $debugging start

The problem is that there is a space missing between "BROADCAST" and "-j", but there are other lines which are correct (i.e. "BROADCAST -j").

I have attached a trace file and the restore file just in case.
Thanks, and have a good weekend.

Patrick



Tom Eastep wrote:
Scorpy wrote:

I am using Shorewall version 4.0.0-1 on Suse 10.

Are you using shorewall-shell or shorewall-perl? Is this SEL 10.0? OpenSuSE
10.0, ???

When I start/restart shorewall I get an error:
FATAL: Error inserting nf_conntrack_ipv4
(/lib/modules/2.6.13-15-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko):
Device or resource busy

I suggest that you copy /usr/share/shorewall/modules to
/etc/shorewall/modules and modify the copy to the bare minimum (those
modules from the 'helper' section that you actually use such as
ip_conntrack_ftp, ip_nat_ftp, ...).

Shorewall works I guess but I don't know which part of Shorewall isn't
working because of this error.

If shorewall start/restart succeeds then Shorewall is working.

I also have a question relating to the /var/log/messages file. In previous
versions

Previous versions of what? Shorewall? SuSE?

this file contained all the data relevant to hack attempts. Now
it shows nothing.

The reason that I've been asking about your SuSE version is that SuSE
switched to using syslog_ng somewhere in the 10 series; with syslog_ng, all
netfilter messages (including Shorewall's) are logged to /var/log/firewall
rather than /var/log/messages. Remember -- Shorewall has no control over
where messages are logged; the LOGFILE setting in shorewall.conf merely
tells /sbin/shorewall where to look for the messages when processing the
'show log', 'logwatch' and 'dump' commands. See
http://www.shorewall.net/shorewall_logging.html.

Is this maybe related to the problem mentioned above?

No. The module loading message has to do with different kernel versions
having different valid combinations of loaded modules.

-Tom

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Patrick McNeil Université de Montréal - DGTIC
PP, X-216  Telephone: (514) 343-6111, ext. 5247
E-mail: [EMAIL PROTECTED]
Fax: (514) 343-2155
Pager: (514) 480-3957,
  [EMAIL PROTECTED]

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING  -j tcpre
-A FORWARD -j tcfor
-A OUTPUT  -j tcout
-A POSTROUTING -j tcpost
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:%Drop - [0:0]
:%dropBcast - [0:0]
:%dropInvalid - [0:0]
:%dropNotSyn - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:fw2net - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:net2all - [0:0]
:net2fw - [0:0]
:norfc1918 - [0:0]
:reject - [0:0]
:rfc1918 - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
-A INPUT -i eth0 -j eth0_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Reject
-A INPUT -j ULOG --ulog-prefix "Shorewall:INPUT:REJECT:" 
-A INPUT -j reject
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Reject
-A FORWARD -j ULOG --ulog-prefix "Shorewall:FORWARD:REJECT:" 
-A FORWARD -j reject
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j ULOG --ulog-prefix "Shorewall:OUTPUT:REJECT:" 
-A OUTPUT -j reject
-A %Drop -p 6 --dport 113 -j reject
-A %Drop -j %dropBcast
-A %Drop -p icmp --icmp-type 3/4 -j ACCEPT
-A %Drop -p icmp --icmp-type 11 -j ACCEPT
-A %Drop -j %dropInvalid
-A %Drop -p 17 -m multiport --dports 135,445 -j DROP
-A %Drop -p 17 --dport 137:139 -j DROP
-A %Drop -p 17 --dport 1024:65535 --sport 137 -j DROP
-A %Drop -p 6 -m multiport --dports 135,139,445 -j DROP
-A %Drop -p 17 --dport 1900 -j DROP
-A %Drop -p 6 -j %dropNotSyn
-A %Drop -p 17 --sport 53 -j DROP
-A %dropBcast  -m addrtype --dst-type BROADCAST-j LOG --log-level ULOG! 
--log-prefix "Shorewall:dropBcast:DROP:" 
-A %dropBcast  -d 224.0.0.0/4-j LOG --log-level ULOG! --log-prefix 
"Shorewall:dropBcast:DROP:" 
-A %dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A %dropBcast -d 224.0.0.0/4 -j DROP
-A %dropInvalid -m state --state INVALID -j LOG --log-level ULOG! --log-prefix 
"Shorewall:dropInvalid:DROP:" 
-A %dropInvalid -m state --state INVALID -j DROP
-A %dropNotSyn -p tcp ! --syn -j LOG --log-level ULOG! --log-prefix 
"Shorewall:dropNotSyn:DROP:" 
-A %dropNotSyn -p tcp ! --syn -j DROP
-A Drop -p 6 --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p 17 -m multiport --dports 135,445 -j DROP
-A Drop -p 17 --dport 137:139 -j DROP
-A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP
-A Drop -p 6 -m multiport --dports 135,139,445 -j DROP
-A Drop -p 17 --dport 1900 -j DROP
-A Drop -p 6 -j dropNotSyn
-A Drop -p 17 --sport 53 -j DROP
-A Reject -p 6 --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p 17 -m multiport --dports 135,445 -j reject
-A Reject -p 17 --dport 137:139 -j reject
-A Reject -p 17 --dport 1024:65535 --sport 137 -j reject
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject
-A Reject -p 17 --dport 1900 -j DROP
-A Reject -p 6 -j dropNotSyn
-A Reject -p 17 --sport 53 -j DROP
-A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A all2all -j Reject
-A all2all -j ULOG --ulog-prefix "Shorewall:all2all:REJECT:" 
-A all2all -j reject
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp ! --syn -j DROP
-A eth0_fwd -m state --state NEW,INVALID  -j dynamic
-A eth0_fwd -m state --state NEW,INVALID -j smurfs
-A eth0_fwd -m state --state NEW -j norfc1918
-A eth0_fwd -p tcp -j tcpflags
-A eth0_in -m state --state NEW,INVALID  -j dynamic
-A eth0_in -m state --state NEW,INVALID -j smurfs
-A eth0_in -p udp --dport 67:68 -j ACCEPT
-A eth0_in -m state --state NEW -j norfc1918
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j net2fw
-A eth0_out -p udp --dport 67:68 -j ACCEPT
-A eth0_out -j fw2net
-A fw2net -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fw2net -p 17 --dport 33434:33524 -j ACCEPT 
-A fw2net -p icmp --icmp-type 8 -j ACCEPT 
-A fw2net -j ACCEPT
-A logdrop  -j ULOG --ulog-prefix "Shorewall:logdrop:DROP:" 
-A logdrop  -j DROP
-A logflags -j ULOG --ulog-prefix "Shorewall:logflags:DROP:" 
-A logflags -j DROP
-A logreject  -j ULOG --ulog-prefix "Shorewall:logreject:REJECT:" 
-A logreject  -j reject
-A net2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2all -j Drop
-A net2all -j ULOG --ulog-prefix "Shorewall:net2all:DROP:" 
-A net2all -j DROP
-A net2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A net2fw -p 17 -m multiport --dports 135,445 -j DROP 
-A net2fw -p 17 --dport 137:139 -j DROP 
-A net2fw -p 17 --dport 1024:65535 --sport 137 -j DROP 
-A net2fw -p 6 -m multiport --dports 135,139,445 -j DROP 
-A net2fw -s 132.204.10.53 -j Drop 
-A net2fw -s 132.204.10.36 -j Drop 
-A net2fw -p 6 --dport 1027 -j Drop 
-A net2fw -j %Drop 
-A net2fw -p icmp --icmp-type 8 -s 132.204.0.0/16 -j ACCEPT 
-A net2fw -p 17 --dport 123 -s 132.204.2.116 -j ACCEPT 
-A net2fw -p 17 --dport 123 -s 132.204.2.133 -j ACCEPT 
-A net2fw -s 132.204.10.40 -j ACCEPT 
-A net2fw -s 132.204.41.173 -j ACCEPT 
-A net2fw -s 132.204.41.125 -j ACCEPT 
-A net2fw -p 6 --dport 5555 -s 132.204.50.46 -j ACCEPT 
-A net2fw -p 6 --dport 7 -s 132.204.50.46 -j ACCEPT 
-A net2fw -p 6 --dport 514 -s 132.204.50.46 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 24.200.0.0/14 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 66.130.0.0/15 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 69.70.0.0/16 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 70.80.0.0/16 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 70.83.0.0/16 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 74.56.0.0/14 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 74.57.0.0/16 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 74.59.0.0/16 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 132.204.0.0/16 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 132.204.232.0/8 -j ACCEPT 
-A net2fw -p 6 --dport 22 -s 132.204.109.0/8 -j ACCEPT 
-A net2fw -p 6 --dport 22 -j ULOG --ulog-prefix "Shorewall:net2fw:reject:" 
-A net2fw -p 6 --dport 22 -j reject 
-A net2fw -p icmp --icmp-type 8 -s 10.113.48.0/24 -j ACCEPT 
-A net2fw -p icmp --icmp-type 8 -s 10.114.48.0/24 -j ACCEPT 
-A net2fw -p icmp --icmp-type 8 -s 10.115.48.0/24 -j ACCEPT 
-A net2fw -p 6 --dport 111 -s 10.113.48.11 -j ACCEPT 
-A net2fw -p 17 -s 10.113.48.11 -j ACCEPT 
-A net2fw -p 6 --dport 15001 -s 132.204.2.74 -j ACCEPT 
-A net2fw -j net2all
-A norfc1918 -s 172.16.0.0/12 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 172.16.0.0/12 -j rfc1918
-A norfc1918 -s 192.168.0.0/16 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 192.168.0.0/16 -j rfc1918
-A norfc1918 -s 10.112.48.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.112.48.0/24 -j RETURN
-A norfc1918 -s 10.112.50.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.112.50.0/24 -j RETURN
-A norfc1918 -s 10.112.52.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.112.52.0/24 -j RETURN
-A norfc1918 -s 10.112.54.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.112.54.0/24 -j RETURN
-A norfc1918 -s 10.112.56.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.112.56.0/24 -j RETURN
-A norfc1918 -s 10.112.58.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.112.58.0/24 -j RETURN
-A norfc1918 -s 10.113.48.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.113.48.0/24 -j RETURN
-A norfc1918 -s 10.113.50.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.113.50.0/24 -j RETURN
-A norfc1918 -s 10.113.52.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.113.52.0/24 -j RETURN
-A norfc1918 -s 10.113.54.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.113.54.0/24 -j RETURN
-A norfc1918 -s 10.113.56.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.113.56.0/24 -j RETURN
-A norfc1918 -s 10.113.58.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.113.58.0/24 -j RETURN
-A norfc1918 -s 10.115.48.0/24 -j RETURN
-A norfc1918 -m conntrack --ctorigdst 10.115.48.0/24 -j RETURN
-A norfc1918 -s 10.0.0.0/8 -j rfc1918
-A norfc1918 -m conntrack --ctorigdst 10.0.0.0/8 -j rfc1918
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A rfc1918 -j ULOG --ulog-prefix "Shorewall:rfc1918:DROP:" 
-A rfc1918 -j DROP
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j ULOG --ulog-prefix 
"Shorewall:smurfs:DROP:" 
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/4 -j ULOG --ulog-prefix "Shorewall:smurfs:DROP:" 
-A smurfs -s 224.0.0.0/4 -j DROP
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -j logflags
-A tcpflags -p tcp --tcp-flags ALL NONE        -j logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j logflags
-A tcpflags -p tcp --syn --sport 0 -j logflags
COMMIT

Attachment: trace_27July2007.gz
Description: application/gunzip
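The glued "BROADCAST-j" token described above can be caught before the file is handed to iptables-restore. The following Python check is an added example, not Shorewall's own code: it scans a constructed excerpt modelled on the quoted restore file, reports rule lines where "-j" is fused to the preceding argument (with the same 1-based line numbers iptables-restore prints), and shows the one-space repair.

```python
import re

# Constructed sample modelled on the quoted .iptables-restore-input
# (not the attached file itself); lines 3 and 4 carry the defect.
SAMPLE = """\
*filter
:%dropBcast - [0:0]
-A %dropBcast  -m addrtype --dst-type BROADCAST-j LOG --log-prefix "Shorewall:dropBcast:DROP:"
-A %dropBcast  -d 224.0.0.0/4-j LOG --log-prefix "Shorewall:dropBcast:DROP:"
-A %dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A %dropBcast -d 224.0.0.0/4 -j DROP
COMMIT
"""

# "-j" that is directly preceded by a non-space character, e.g. "BROADCAST-j"
GLUED_JUMP = re.compile(r'(?<=\S)-j\b')


def find_glued_jumps(text):
    """Return (line_number, token) for every rule line whose -j target option
    is glued to the previous argument. Line numbers are 1-based, matching
    the 'Error occurred at line:' value that iptables-restore reports."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith(('-A', '-I')):      # only rule lines, not chain/table headers
            continue
        for m in GLUED_JUMP.finditer(line):
            # report the whole whitespace-delimited token that contains the glued "-j"
            start = line.rfind(' ', 0, m.start()) + 1
            end = line.find(' ', m.end())
            hits.append((lineno, line[start:end if end != -1 else None]))
    return hits


def fix_glued_jumps(text):
    """Insert the missing space before a glued -j on rule lines; all other
    lines are returned unchanged."""
    out = []
    for line in text.splitlines():
        if line.startswith(('-A', '-I')):
            line = GLUED_JUMP.sub(' -j', line)
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for lineno, token in find_glued_jumps(SAMPLE):
        print(f'line {lineno}: glued target in {token!r}')
    print(fix_glued_jumps(SAMPLE))
```

Running the check against the real /var/lib/shorewall/.iptables-restore-input before calling iptables-restore turns the opaque "bad type `BROADCAST-j'" failure into a named line and token.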
