Hi,
yesterday I got a very strange error on our production firewall when I
tried a "shorewall restart".
Here is the output:
....
Processing /etc/shorewall/init ...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Proxy ARP...
Adding Providers...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
iptables-restore v1.4.2: Can't use -A with -A
Error occurred at line: 182
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
ERROR: iptables-restore Failed. Input is in
/var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/stopped ...
...
When looking at /var/lib/shorewall/.iptables-restore-input, I saw lines
with a doubled -A:
-A setsticky -A -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -d
212.202.229.26 -m mark --mark 0x2/0xFF -m recent --name sticky001 --set
instead of:
-A setsticky -p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -d
212.202.229.26 -m mark --mark 0x2/0xFF -m recent --name sticky001 --set
I tried shorewall restore and shorewall safe-restart, both without luck.
Finally I decided to install an older version of shorewall, and that did
the trick: after installing the deb file, shorewall started up with a
correct ruleset.
Today the same event happened. What the heck is going on on my firewall?
This time I solved the problem by installing the newer deb file again.
Very strange.
System is Debian Lenny with Kernel 2.6.26-2-686. Shorewall debian
package was 4.4.11.4-1 and then 4.4.10.3-1. iptables is version 1.4.2-6.
What further info do you need to examine this problem? Would a shorewall
dump help?
What steps can I take to prevent the firewall from failing to come up again?
Thank you very much for your help,
Christian
# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Extended Connection Tracking Match Support: Available
Packet Type Match: Available
Policy Match: Available
Physdev Match: Available
Physdev-is-bridged Support: Available
Packet length Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Extended CONNMARK Target: Available
Connmark Match: Available
Extended Connmark Match: Available
Raw Table: Available
IPP2P Match: Not available
CLASSIFY Target: Available
Extended REJECT: Available
Repeat match: Available
MARK Target: Available
Extended MARK Target: Available
Extended MARK Target 2: Available
Mangle FORWARD Chain: Available
Comments: Available
Address Type Match: Available
TCPMSS Match: Available
Hashlimit Match: Available
NFQUEUE Target: Available
Realm Match: Available
Helper Match: Available
Connlimit Match: Available
Time Match: Available
Goto Support: Available
LOGMARK Target: Not available
IPMARK Target: Not available
LOG Target: Available
Persistent SNAT: Not available
TPROXY Target: Not available
FLOW Classifier: Available
fwmark route mask: Available
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
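A pre-flight check for the situation described in the post, added here as an example; it is not part of the original post and not Shorewall's own code. It scans the restore input that Shorewall writes (the path /var/lib/shorewall/.iptables-restore-input is taken from the post) for rule lines in which "-A <chain>" is immediately followed by a second -A/-I/-D option, which is exactly what the failing line 182 looked like, and can also run the file through iptables-restore in parse-only mode before a restart so a malformed ruleset is caught while the old one is still loaded. The script name check-restore-input.sh, the function names and the RESTORE_INPUT variable are assumptions; the two sample files it builds are constructed from the lines quoted in the post, not captured from a firewall, and the --test flag of iptables-restore is assumed to be available on the box (confirm with iptables-restore -h).

```shell
#!/bin/sh
# Added example (not Shorewall code): pre-flight check of the
# iptables-restore input before running "shorewall restart".
# Path taken from the post; override with RESTORE_INPUT=... if yours differs.
RESTORE_INPUT="${RESTORE_INPUT:-/var/lib/shorewall/.iptables-restore-input}"

# Rule lines where "-A <chain>" (or -I) is immediately followed by another
# -A/-I/-D option, e.g. "-A setsticky -A -p 6 ...". Prints "N:line" per hit.
find_doubled() {
    grep -nE '^-[AI][[:space:]]+[^[:space:]]+[[:space:]]+-[AID]([[:space:]]|$)' "$1" || true
}

# Number of such lines (prints 0 when the file is clean).
count_doubled() {
    find_doubled "$1" | grep -c . || true
}

# 0 = clean, 1 = doubled options found (reported on stderr), 2 = unreadable.
check_restore_input() {
    file="${1:-$RESTORE_INPUT}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    bad=$(find_doubled "$file")
    if [ -n "$bad" ]; then
        echo "doubled chain option in $file:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Parse-only run: --test builds the ruleset but does not commit it, so the
# running firewall is untouched. Assumes the flag exists on this iptables.
syntax_check() {
    iptables-restore --test < "${1:-$RESTORE_INPUT}"
}

# Constructed sample files modelled on the two lines quoted in the post
# (not captured from a firewall): "good" as expected, "bad" with doubled -A.
make_samples() {
    dir=$(mktemp -d)
    rule='-p 6 -m multiport --dports 22,5000:10000 -s 10.1.0.49 -d 212.202.229.26 -m mark --mark 0x2/0xFF -m recent --name sticky001 --set'
    printf '%s\n' '*mangle' ':setsticky - [0:0]' "-A setsticky $rule" 'COMMIT' > "$dir/good"
    printf '%s\n' '*mangle' ':setsticky - [0:0]' "-A setsticky -A $rule" 'COMMIT' > "$dir/bad"
    echo "$dir"
}

# Usage: sh check-restore-input.sh check [file]   (default: the real file)
#        sh check-restore-input.sh demo           (run on the constructed samples)
case "${1:-}" in
    check)
        f="${2:-$RESTORE_INPUT}"
        check_restore_input "$f" && syntax_check "$f"
        ;;
    demo)
        d=$(make_samples)
        check_restore_input "$d/good" && echo "good: clean"
        check_restore_input "$d/bad"  || echo "bad: exit status $?"
        rm -rf "$d"
        ;;
    *) ;;   # no arguments: only define the functions
esac
```

Run "sh check-restore-input.sh check" from the restart procedure and abort the restart if it exits non-zero; the grep catches the specific corruption seen in the post even when iptables-restore itself is unavailable or would need root to test, while the --test run catches any other syntax error in the generated file.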