Hello,

My hoster updated its kernel packages... They contained some old problems 
that should have been fixed. My servers now have a wonderful 2.6.21.5 
kernel + grsec running.
Both are running Debian 4.0 (stable release).

mx:/etc/shorewall# iptables --version
iptables v1.3.6
mx:/etc/shorewall# uname -a
Linux mx.network-hosting.com 2.6.21.5-grsec-xxxx-grs-ipv4-32 #1 SMP Fri 
Jul 27 17:18:23 CEST 2007 i686 GNU/Linux

Shorewall 3.4.3 failed to start and crashed... I removed it as it was a 
little bit old (./uninstall.sh from the source folder).
I installed Shorewall 4.0.0 (shorewall-perl and shorewall-common).
I modified the configuration files to meet my requirements (based on the old 
files, in order not to miss anything).

When I try to start shorewall, I get the following message:

===========================================================================
mx:/usr/share/shorewall# shorewall -vvvvv safe-start
Compiling...
Processing /etc/shorewall/params ...
Loading Modules...
Opening /proc/modules: No such file or directory
Shorewall has detected the following capabilities:
   Address Type Match: Available
   CLASSIFY Target: Available
   CONNMARK Target: Not Available
   Capability Version: 3.4.5
   Comments: Available
   Connection Tracking Match: Not Available
   Connmark Match: Not Available
   Extended CONNMARK Target: Not Available
   Extended Connmark Match: Not Available
   Extended Mark Target: Available
   Extended Multi-port Match: Available
   Extended Reject: Available
   IP Range Match: Available
   IPP2P Match: Not Available
   Ipset Match: Not Available
   MARK Target: Available
   Mangle FORWARD Chain: Available
   Multi-port Match: Available
   NAT: Not Available
   Owner Match: Available
   Packet Mangling: Available
   Packet Type Match: Available
   Packet length Match: Available
   Physdev Match: Not Available
   Policy Match: Available
   Raw Table: Available
   Recent Match: Available
   Repeat match: Available
   TCP MSS: Available
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
 Interface "wan eth0 detect blacklist,tcpflags" Validated
Determining Hosts in Zones...
 fw (firewall)
 wan (ipv4)
 eth0:0.0.0.0/0
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
 ..Expanding Macro /usr/share/shorewall/macro.Auth...
 ..End Macro /usr/share/shorewall/macro.Auth
 ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
 ..End Macro /usr/share/shorewall/macro.AllowICMPs
 ..Expanding Macro /usr/share/shorewall/macro.SMB...
 ..End Macro /usr/share/shorewall/macro.SMB
 ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
 ..End Macro /usr/share/shorewall/macro.DropUPnP
 ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
 ..End Macro /usr/share/shorewall/macro.DropDNSrep
   Pre-processing /usr/share/shorewall/action.Reject...
 ..Expanding Macro /usr/share/shorewall/macro.Auth...
 ..End Macro /usr/share/shorewall/macro.Auth
 ..Expanding Macro /usr/share/shorewall/macro.SMB...
 ..End Macro /usr/share/shorewall/macro.SMB
Compiling /etc/shorewall/policy...
 Policy for fw to wan is ACCEPT using chain fw2wan
 Policy for fw to wan is DROP using chain all2all
 Policy for wan to fw is DROP using chain all2all
Processing /etc/shorewall/initdone...
 Blacklisting enabled on eth0:0.0.0.0/0
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
 Compiling MAC Verification for -- Phase 1...
Compiling /etc/shorewall/rules...
 Rule "ACCEPT wan fw tcp 
imap,imaps,pop3,smtp,http,domain,8000:8050,5060" Compiled
 Rule "ACCEPT wan fw udp domain,5060" Compiled
 Rule "ACCEPT wan:82.231.94.173 fw tcp ssh" Compiled
 Rule "ACCEPT wan:82.236.63.169 fw tcp ssh" Compiled
 Rule "ACCEPT wan fw icmp" Compiled
 Rule "ACCEPT wan:cache.ovh.net fw tcp ssh" Compiled
 Rule "ACCEPT wan:91.121.21.217 fw all" Compiled
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Processing /usr/share/shorewall/action.Drop for chain Drop...
..Expanding Macro /usr/share/shorewall/macro.Auth...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.SMB...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
..End Macro
..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
..End Macro
Compiling MAC Filtration -- Phase 2...
 Compiling MAC Verification for -- Phase 2...
Applying Policies...
 Policy ACCEPT from fw to wan using chain fw2wan
 Policy DROP from wan to fw using chain all2all
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting...
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running iptables-restore...
iptables-restore: line 124 failed
   ERROR: iptables-restore Failed. Input is in 
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Processing /etc/shorewall/stopped ...
Shorewall Cleared
/sbin/shorewall: line 816: 25971 Complété                
${VARDIR}/.$command $command
===========================================================================
mx:/usr/share/shorewall# wc -l /var/lib/shorewall/.iptables-restore-input
124 /var/lib/shorewall/.iptables-restore-input

mx:/usr/share/shorewall# more /var/lib/shorewall/.iptables-restore-input
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING  -j tcpre
-A FORWARD -j tcfor
-A OUTPUT  -j tcout
-A POSTROUTING -j tcpost
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:fw2wan - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:wan2fw - [0:0]
-A INPUT -i eth0 -j eth0_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Drop
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Drop
-A OUTPUT -j DROP
-A Drop -p 6 --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p 17 -m multiport --dports 135,445 -j DROP
-A Drop -p 17 --dport 137:139 -j DROP
-A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP
-A Drop -p 6 -m multiport --dports 135,139,445 -j DROP
-A Drop -p 17 --dport 1900 -j DROP
-A Drop -p 6 -j dropNotSyn
-A Drop -p 17 --sport 53 -j DROP
-A Reject -p 6 --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p 17 -m multiport --dports 135,445 -j reject
-A Reject -p 17 --dport 137:139 -j reject
-A Reject -p 17 --dport 1024:65535 --sport 137 -j reject
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject
-A Reject -p 17 --dport 1900 -j DROP
-A Reject -p 6 -j dropNotSyn
-A Reject -p 17 --sport 53 -j DROP
-A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A all2all -j Drop
-A all2all -j DROP
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp ! --syn -j DROP
-A eth0_fwd -m state --state NEW,INVALID  -j dynamic
-A eth0_fwd -m state --state NEW,INVALID -j blacklst
-A eth0_fwd -p tcp -j tcpflags
-A eth0_in -m state --state NEW,INVALID  -j dynamic
-A eth0_in -m state --state NEW,INVALID -j blacklst
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j wan2fw
-A eth0_out -j fw2wan
-A fw2wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fw2wan -j ACCEPT
-A logdrop  -j DROP
-A logflags -j LOG --log-ip-options --log-level 6 --log-prefix 
"Shorewall:logflags:DROP:"
-A logflags -j DROP
-A logreject  -j reject
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j LOG --log-level 6 
--log-prefix "Shorewall:smurfs:DROP:"
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/4 -j LOG --log-level 6 --log-prefix 
"Shorewall:smurfs:DROP:"
-A smurfs -s 224.0.0.0/4 -j DROP
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -j logflags
-A tcpflags -p tcp --tcp-flags ALL NONE        -j logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j logflags
-A tcpflags -p tcp --syn --sport 0 -j logflags
-A wan2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A wan2fw -p 6 -m multiport --dports 143,993,110,25,80,53,8000:8050,5060 
-j ACCEPT
-A wan2fw -p 17 -m multiport --dports 53,5060 -j ACCEPT
-A wan2fw -p 6 --dport 22 -s 82.231.94.173 -j ACCEPT
-A wan2fw -p 6 --dport 22 -s 82.236.63.169 -j ACCEPT
-A wan2fw -p icmp -j ACCEPT
-A wan2fw -p 6 --dport 22 -s cache.ovh.net -j ACCEPT
-A wan2fw -p all -s 91.121.21.217 -j ACCEPT
-A wan2fw -j all2all
COMMIT

===========================================================================

Line 124 is the last one... "COMMIT"... If I try to remove it, you 
can guess that it yells that it wants a COMMIT line!
If I do a shorewall start, the firewall starts, but I cannot connect to 
the host anymore... Not very useful, as you can guess :)

Which tests could I perform to find a way forward to solve this 
issue? I googled a bit and saw that a lot of things have changed between the 
old kernel I had (2.6.18.1) and the one I have now (2.6.21.5)... But I 
found no case with the specific error I'm faced with...

Any help will be greatly appreciated :)

Have a nice day.. Or evening... Or night...
Jerome Blion.
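As an added diagnostic for the iptables-restore input shown above (example code, not part of the original mail or of Shorewall): it parses the `*table` / `:CHAIN` / `-A` / `COMMIT` format and reports, per table, every `-m` match and `-j` target the kernel must support, plus any jump to a chain that is never declared, which are the things to check when iptables-restore only fails at the COMMIT line (the table is handed to the kernel as a whole there). The SAMPLE excerpt and the BUILTIN_TARGETS set are my own constructions, not taken from the mail.

```python
import re

# Targets the kernel provides itself; any other -j target must be a declared chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "LOG", "REJECT", "MARK", "CLASSIFY"}

# Constructed excerpt in the iptables-restore format (not the file from the mail).
SAMPLE = """*filter
:INPUT DROP [0:0]
:Drop - [0:0]
:reject - [0:0]
-A INPUT -j Drop
-A Drop -p 6 --dport 113 -j reject
-A Drop -m state --state INVALID -j DROP
-A Drop -j dropInvalid
-A reject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
"""

def analyse(text):
    """Per table: declared chains, rule count, the -m matches and -j targets the
    kernel must support for the table to COMMIT, and jump targets that are
    neither declared nor built in (mapped to the first line using them)."""
    report, table = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # start of a new table
            table = line[1:]
            report[table] = {"declared": set(), "jumped": {}, "matches": set(),
                             "targets": set(), "rules": 0}
        elif table is None:
            continue                                  # line outside any table
        elif line.startswith(":"):                    # chain declaration
            report[table]["declared"].add(line[1:].split()[0])
        elif line.startswith(("-A ", "-I ")):         # a rule
            entry = report[table]
            entry["rules"] += 1
            entry["matches"].update(re.findall(r"(?:^|\s)-m\s+(\S+)", line))
            target = re.search(r"(?:^|\s)-j\s+(\S+)", line)
            if target:
                entry["targets"].add(target.group(1))
                entry["jumped"].setdefault(target.group(1), lineno)
    for entry in report.values():
        entry["undefined"] = {t: ln for t, ln in entry["jumped"].items()
                              if t not in entry["declared"] | BUILTIN_TARGETS}
    return report
```

Run `analyse(open("/var/lib/shorewall/.iptables-restore-input").read())` on the real file; the match and target names it lists are what to compare against the modules the kernel actually offers, and an undeclared jump target points at a rule that cannot load.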


_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users