[Shorewall-users] Config problems

daniel Griffith mechadaniel at yahoo.com
Mon Sep 13 11:58:05 PDT 2004


Hi,

I have a working test install of Shorewall 2.0.7 on a
32 bit install of Gentoo, it's working like a champ,
so I am making an install on a nice new Opteron
server, using 64bit Gentoo.

I have run into a problem which going by your FAQ
might be due to a missing module, but after a couple
of hours of fiddling I'm stumped - I can't see any
options in the 2.6.8 kernel that apply to this
problem...

Shorewall check gives me:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
test64 root # shorewall check
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...

Notice:  The 'check' command is unsupported and problem
         reports complaining about errors that it didn't catch
         will not be accepted

Shorewall has detected the following
iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Not available
   Connection Tracking Match: Not available
Verifying Configuration...
Determining Zones...
   Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
   Net Zone: eth0:0.0.0.0/0
Validating policy file...
   Policy for fw to net is ACCEPT using chain fw2net
   Policy for net to fw is DROP using chain net2all
Pre-validating Actions...
   Pre-processing /usr/share/shorewall/action.DropSMB...
   Pre-processing /usr/share/shorewall/action.RejectSMB...
   Pre-processing /usr/share/shorewall/action.DropUPnP...
   Pre-processing /usr/share/shorewall/action.RejectAuth...
   Pre-processing /usr/share/shorewall/action.DropPing...
   Pre-processing /usr/share/shorewall/action.DropDNSrep...
   Pre-processing /usr/share/shorewall/action.AllowPing...
   Pre-processing /usr/share/shorewall/action.AllowFTP...
   Pre-processing /usr/share/shorewall/action.AllowDNS...
   Pre-processing /usr/share/shorewall/action.AllowSSH...
   Pre-processing /usr/share/shorewall/action.AllowWeb...
   Pre-processing /usr/share/shorewall/action.AllowSMB...
   Pre-processing /usr/share/shorewall/action.AllowAuth...
   Pre-processing /usr/share/shorewall/action.AllowSMTP...
   Pre-processing /usr/share/shorewall/action.AllowPOP3...
   Pre-processing /usr/share/shorewall/action.AllowIMAP...
   Pre-processing /usr/share/shorewall/action.AllowTelnet...
   Pre-processing /usr/share/shorewall/action.AllowVNC...
   Pre-processing /usr/share/shorewall/action.AllowVNCL...
   Pre-processing /usr/share/shorewall/action.AllowNTP...
   Pre-processing /usr/share/shorewall/action.AllowRdate...
   Pre-processing /usr/share/shorewall/action.AllowNNTP...
   Pre-processing /usr/share/shorewall/action.AllowTrcrt...
   Pre-processing /usr/share/shorewall/action.AllowSNMP...
   Pre-processing /usr/share/shorewall/action.AllowPCA...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating rules file...
   Rule "ACCEPT net fw tcp 22" checked.
   Rule "ACCEPT net fw tcp 80" checked.
   Rule "ACCEPT net fw tcp 8080" checked.
   Rule "ACCEPT net fw tcp 10000" checked.
Validating Actions...
Processing /usr/share/shorewall/action.Drop...
   Rule "RejectAuth" checked.
   Rule "dropBcast" checked.
   Rule "dropInvalid" checked.
   Rule "DropSMB" checked.
   Rule "DropUPnP" checked.
   Rule "dropNotSyn" checked.
   Rule "DropDNSrep" checked.
Processing /usr/share/shorewall/action.Reject...
   Rule "RejectAuth" checked.
   Rule "dropBcast" checked.
   Rule "dropInvalid" checked.
   Rule "RejectSMB" checked.
   Rule "DropUPnP" checked.
   Rule "dropNotSyn" checked.
   Rule "DropDNSrep" checked.
Processing /usr/share/shorewall/action.RejectAuth...
   Rule "REJECT - - tcp 113" checked.
Processing /usr/share/shorewall/action.DropSMB...
   Rule "DROP - - udp 135" checked.
   Rule "DROP - - udp 137:139" checked.
   Rule "DROP - - udp 445" checked.
   Rule "DROP - - tcp 135" checked.
   Rule "DROP - - tcp 139" checked.
   Rule "DROP - - tcp 445" checked.
Processing /usr/share/shorewall/action.DropUPnP...
   Rule "DROP - - udp 1900" checked.
Processing /usr/share/shorewall/action.DropDNSrep...
   Rule "DROP - - udp - 53" checked.
Processing /usr/share/shorewall/action.RejectSMB...
   Rule "REJECT - - udp 135" checked.
   Rule "REJECT - - udp 137:139" checked.
   Rule "REJECT - - udp 445" checked.
   Rule "REJECT - - tcp 135" checked.
   Rule "REJECT - - tcp 139" checked.
   Rule "REJECT - - tcp 445" checked.
Configuration Validated
<<<<<<<<<<<<<<<<<<<<<<<

So that looks ok.

But starting fails, and a trace gives me:
>>>>>>>>>>>>>>>>>>>>>>>>
+ setcontinue FORWARD
+ run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ '[' -n '' ']'
+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name
<<<<<<<<<<<<<<<<<<<<<<<<<

The example in the FAQ makes sense to me, there is a
REJECT module, and it could be left out. But what on
earth could cause this?

The bit that has me concerned is that Shorewall is
listed as Unstable on amd64 on Gentoo...:(

TIA
daniel

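An added diagnostic, not from the original post or from Shorewall itself: the check output above reports the connection tracking match as "Not available", and that is exactly the `-m state` match the failing iptables command relies on. The script maps each capability reported as missing to the kernel option that provides it (the CONFIG_ names are assumed from the 2.6-series netfilter Kconfig) and looks each one up in a kernel .config; the capability lines and the .config fragment are constructed samples.

```shell
# Added example (not from the original post or from Shorewall itself):
# map the capabilities that "shorewall check" reports as "Not available"
# to the kernel config option that provides each one, then look the
# option up in a kernel .config to see whether it is built in (y),
# a module that still has to be loaded (m), or missing (unset).
# The CONFIG_ names are assumed from the 2.6-series netfilter Kconfig.

cap_option() {
    case "$1" in
        "NAT")                       echo CONFIG_IP_NF_NAT ;;
        "Packet Mangling")           echo CONFIG_IP_NF_MANGLE ;;
        "Multi-port Match")          echo CONFIG_IP_NF_MATCH_MULTIPORT ;;
        "Connection Tracking Match") echo CONFIG_IP_NF_MATCH_STATE ;;
        *)                           return 1 ;;
    esac
}

# Read a "shorewall check" report on stdin; for every capability marked
# "Not available" print "<capability>: <CONFIG_option>=<y|m|unset>",
# with the state taken from the .config file named by $1.
report_missing() {
    config="$1"
    sed -n 's/^ *\(.*\): Not available$/\1/p' | while IFS= read -r cap; do
        opt=$(cap_option "$cap") || continue
        state=$(sed -n "s/^$opt=\(.\)\$/\1/p" "$config")
        echo "$cap: $opt=${state:-unset}"
    done
}

# Constructed sample inputs: the capability lines quoted in the mail, and
# a made-up .config fragment where the state match was never enabled.
SAMPLE_CAPS='   NAT: Available
   Packet Mangling: Not available
   Multi-port Match: Not available
   Connection Tracking Match: Not available'

SAMPLE_CONFIG='CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_MANGLE=m
# CONFIG_IP_NF_MATCH_STATE is not set'

demo() {
    cfg=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$cfg"
    printf '%s\n' "$SAMPLE_CAPS" | report_missing "$cfg"
    rm -f "$cfg"
}
demo
```

On the real box, pipe the actual `shorewall check` output into `report_missing /usr/src/linux/.config`; an option at =m means the module exists but still has to be loaded before Shorewall's probe will report the capability as available.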

