> David Mathog wrote:
> > Rebuilding the kernel is not a good option here, is there some other
> > way to work around this?
>
> It appears that the kernel was built with CONFIG_NETFILTER_XT_MATCH_STATE=n
> (or whatever the option was called back in 2.6.16; I have no systems running
> a kernel that old).

You are correct, it is not set. However, another thing I do not understand is why shorewall is setting the rule that triggers this problem. Reviewing, it came down to:

    shorewall stop
    shorewall clear
    iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables: No chain/target/match by that name

Whereas on all other systems the /sbin/iptables command worked at the same point. I already tried setting IP_FORWARDING=Off and it still did that /sbin/iptables command.

What I really want here is just:

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

The two relevant pieces from policy are:

    loc   net   REJECT
    net   loc   DROP

I wonder, is it maybe the REJECT in the first line (no matter what the /sbin/iptables command was doing)? Changed that to DROP. Hey, shorewall started! Nmap indicates that it's working.

Thanks,

David Mathog
[EMAIL PROTECTED]
Manager, Sequence Analysis Facility, Biology Division, Caltech

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
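An added example, not part of the thread, of the pre-check that would have flagged the missing match before Shorewall tried to load the state rule: it reads a kernel config (here a constructed sample standing in for /proc/config.gz or /boot/config-*) and reports whether each netfilter option a ruleset depends on is built in, a module, or absent. Option names other than CONFIG_NETFILTER_XT_MATCH_STATE are assumed from later kernels.

```shell
#!/bin/sh
# Added example (not from the original thread). Classify one kernel config
# option as builtin / module / absent. In real use pass the output of
# "zcat /proc/config.gz" or "cat /boot/config-$(uname -r)" as the first arg.
match_status() {
    config_text=$1
    option=$2
    # Match "OPTION=y", "OPTION=m" or "# OPTION is not set", not longer names
    # that merely share the prefix (e.g. CONFIG_NETFILTER vs CONFIG_NETFILTER_XT...).
    line=$(printf '%s\n' "$config_text" | grep -E "^(# )?${option}([= ]|$)" | head -n 1)
    case "$line" in
        "${option}=y") echo builtin ;;
        "${option}=m") echo module ;;
        *)             echo absent ;;   # "is not set" or missing entirely
    esac
}

# Constructed sample resembling the thread's kernel: connection tracking is
# available, but the "-m state" match is disabled. Names other than
# CONFIG_NETFILTER_XT_MATCH_STATE are assumed from later kernels.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_STATE is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m'

# Check every option a ruleset needs. An absent one means a rule such as
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" will fail at load time
# with "No chain/target/match by that name". Returns 0 only if all present.
check_ruleset_deps() {
    config_text=$1
    shift
    missing=0
    for opt in "$@"; do
        status=$(match_status "$config_text" "$opt")
        printf '%-40s %s\n' "$opt" "$status"
        [ "$status" = absent ] && missing=$((missing + 1))
    done
    [ "$missing" -eq 0 ]
}

# Usage: the sample reports the state match as absent, so the check fails.
check_ruleset_deps "$SAMPLE_CONFIG" \
    CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XT_MATCH_STATE \
    || echo "ruleset depends on a match this kernel does not provide"
```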
