Shorewall users - Feb 2006 - Centos Kernel for multi ISP

The new firewall I have been building for my Multi-ISP project is based 
on Centos 4.2. I am running into issues with capabilities as I want 
Contrack and IPSEC functionality.
The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have 
downloaded the iptables source code 1.3.5 but I don''t see what file I 
should be patching. Can anyone give me some guidance?

Do I need to recompile the kernel and what needs to be changed?

[root@firewall ~]# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Not available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Not available
   Connmark Match: Not available
   Raw Table: Available
   CLASSIFY Target: Available

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> The new firewall I have been building for my Multi-ISP project is based
> on Centos 4.2. I am running into issues with capabilities as I want
> Contrack and IPSEC functionality.
> The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have
> downloaded the iptables source code 1.3.5 but I don''t see what
file I
> should be patching. Can anyone give me some guidance?
> 
> Do I need to recompile the kernel and what needs to be changed?
> 
> [root@firewall ~]# shorewall show capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
>   NAT: Available
>   Packet Mangling: Available
>   Multi-port Match: Available
>   Extended Multi-port Match: Not available
>   Connection Tracking Match: Available
>   Packet Type Match: Available
>   Policy Match: Not available
>   Physdev Match: Available
>   IP range Match: Available
>   Recent Match: Available
>   Owner Match: Available
>   Ipset Match: Not available
>   CONNMARK Target: Not available
>   Connmark Match: Not available
>   Raw Table: Available
>   CLASSIFY Target: Available
> 
you have to recmopile your kernel and patch it with "Connmark" 
support
for VPN stuff please run OpenVPN.

ps: SUSE distro provides all what you need by default..

Cristian Rodriguez wrote:
>
> you have to recmopile your kernel and patch it with "Connmark" 
support
>   
I was hoping for a little more specific instructions. How do I patch for 
Connmark support? Is that a patch-o-matic item? Which one? Do I need to 
recompile iptables?
> for VPN stuff please run OpenVPN.
>   
> ps: SUSE distro provides all what you need by default..
>   
Thanks but I don''t have any experience with SUSE. I use Redhat or
Centos
for everything.


-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Friday 24 February 2006 00:15, Chris Mason (Lists)
wrote:
> The new firewall I have been building for my Multi-ISP project is based
> on Centos 4.2. I am running into issues with capabilities as I want
> Contrack and IPSEC functionality.
> The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have
> downloaded the iptables source code 1.3.5 but I don''t see what
file I
> should be patching. Can anyone give me some guidance?
>
You need to download patch-o-matic-ng from the Netfilter site and follow the 
instructions included. The patches you need are in the
''extras'' group.

-Tom 
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Cristian Rodriguez wrote:
>>
>> you have to recmopile your kernel and patch it with
"Connmark"  support
>>   
> I was hoping for a little more specific instructions.  
1. This is not a iptables support list, so how to patch kernel and
iptables is out of the scope.
> Is that a patch-o-matic item?
2. yes,. It''s patch-o-matic item
> How do I patch for
>> Connmark support?  Which one?
3. I have no idea, I use a well featured/enginnered distribution
shipping all what I need.
> Do I need to
>> recompile iptables?
Yes, and your kernel too.
>> ps: SUSE distro provides all what you need by default..
>>   
> Thanks but I don''t have any experience with SUSE. I use Redhat or
Centos
> for everything.
> 
good luck then.

Cristian Rodriguez wrote:
> 3. I have no idea, I use a well featured/enginnered distribution
> shipping all what I need.
>>> ps: SUSE distro provides all what you need by default..
>>>   
>>>       
>> Thanks but I don''t have any experience with SUSE. I use Redhat
or Centos
>> for everything.
>>
>>     
>
> good luck then.
>   
Getting advice like this reminds me of the last time I toured Ireland. I 
was completely lost despite maps and a GPS. The signs seem to direct me 
in circles. I stopped next to a man sitting by the road smoking a pipe, 
and asked the direction to a well know attraction in that area. He 
scratch his head, took the pipe from his mouth, and uttered the immortal 
words "Well, if I was you, I would not start from here at all.."

Can I suggest that Tom and the Shorewall team post a clear message on 
the Shorewall.net site: "Don''t use anything except SUSE because
you
won''t get any help if you do"? I''d prefer not to receive
religious
tantra, it''s not like I asked how to do it with Redhat 7.0 or some 
obscure OS.

-- 
Chris Mason



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

On Saturday 25 February 2006 05:44, Chris Mason (Lists) wrote:
>
> Can I suggest that Tom and the Shorewall team post a clear message on
> the Shorewall.net site: "Don''t use anything except SUSE
because you
> won''t get any help if you do"? I''d prefer not to
receive religious
> tantra, it''s not like I asked how to do it with Redhat 7.0 or some
> obscure OS.
On the other hand, Kernel 2.6.9 isn''t exactly hot off the press. And
combining
it with iptables 1.3.5 is something that I''m willing to bet has not
been
tried by anyone on this list. So asking for help in trying to do what you are 
attempting is unlikely to get you any authoritative step-by-step 
instructions.

I had previously offered you the suggestion to download patch-o-matic-ng from 
the netfilter site and follow the instructions included. Patch-o-matic-ng 
will try to patch your kernel appropriately. The five patches you are looking 
for are in the ''extras'' section. 

You seem to be looking for something more -- I don''t know what more I
can tell
you. I don''t know if the current patch-o-matic-ng is at all compatible
with
your 18-month old kernel so you might run into problems there. If so, 
upgrading to a current kernel will get you the CONNMARK/connmark changes 
without the need for patching but you will still need to patch for PFKEY 
ipsec/netfilter integration and policy match support. That requirement goes 
away in kernel 2.6.16 if you''re bold enough to try the current release 
candidate (I ran RC1 for a while on my firewall and it worked ok for me).

Iptables 1.3.5 will not require patching but must be built *after* you have 
patched/built your kernel. Again, there are instructions included with the 
iptables source. Beware that, by default, iptables will install itself 
into /usr/local/sbin so you may need to adjust your PATH accordingly to avoid 
running your old 1.2.x version. Be sure to adjust PATH 
in /etc/shorewall/shorewall.conf so that Shorewall will use the correct 
version.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Saturday 25 February 2006 07:54, Tom Eastep wrote:
> Be sure to adjust PATH
> in /etc/shorewall/shorewall.conf so that Shorewall will use the correct
> version.
Or set IPTABLES=/usr/local/sbin/iptables

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Tom Eastep wrote:
> On the other hand, Kernel 2.6.9 isn''t exactly hot off the press.
And combining
> it with iptables 1.3.5 is something that I''m willing to bet has
not been
> tried by anyone on this list. So asking for help in trying to do what you
are
> attempting is unlikely to get you any authoritative step-by-step 
> instructions.
>   
I''m not expecting that, I just find that telling people they are not 
using the "BEST" distribution so they are on their own is not
productive.
CentOS 4.2 is recent, there is no more recent kernel released. Not 
everyone is willing to use short life releases such as Fedora.

I am going to try to build the 2.6.11 kernel from fedora and see how 
that works. I will document and post a step by step if
successful.
> I had previously offered you the suggestion to download patch-o-matic-ng
from
> the netfilter site and follow the instructions included. Patch-o-matic-ng 
> will try to patch your kernel appropriately. The five patches you are
looking
> for are in the ''extras'' section. 
>   
-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
> 
> I had previously offered you the suggestion to download patch-o-matic-ng
from
> the netfilter site and follow the instructions included. Patch-o-matic-ng 
> will try to patch your kernel appropriately. The five patches you are
looking
> for are in the ''extras'' section. 
There are five patches for ipsec/policy match. There will also be a
patch for CONNMARK target support and one for connmark match support.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEAILQO/MAbZfjDLIRAusZAJ9pr6a8o8Sct2D6w7DMbxb89uIy+QCfZO1r
wtHH6KKRfd18D5GEhDxQ1J0=d5UM
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

I am trying the Fedora 3 kernel source rpm 2.6.12 and I have been able 
to apply the patches from shorewall and used patch-o-matic-ng to patch 
policy matching. I have renamed the release in kernel.spec and I am 
building the 1686-smp version of the kernel. Can I just rebuild the 
kernel and install the rpm?
I''ll build iptables after that.

Advice appreciated.

-- 
Chris Mason



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Mason (Lists) wrote:
> I am trying the Fedora 3 kernel source rpm 2.6.12 and I have been able
> to apply the patches from shorewall and used patch-o-matic-ng to patch
> policy matching. I have renamed the release in kernel.spec and I am
> building the 1686-smp version of the kernel. Can I just rebuild the
> kernel and install the rpm?
> I''ll build iptables after that.
Just don''t reboot until you have built and installed iptables. You will
probably end up with a mis-matched kernel/iptables otherwise.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEAJFGO/MAbZfjDLIRAn2RAJ41kBkZfnsTuNsPLTjSxJv8pp2YVACghWa9
kUI1FsKAgfWrELvVE4mljJw=wpUj
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Can I suggest that Tom and the Shorewall team post a clear message on
> the Shorewall.net site: "Don''t use anything except SUSE
because you
> won''t get any help if you do"? I''d prefer not to
receive religious
> tantra, it''s not like I asked how to do it with Redhat 7.0 or some
> obscure OS.
It has nothing to do with religion ,Shorewall should run in any
distribution ..I just pointed you to the shortest, practical, quick
solution ( and tested by us.BTW..)

if you don''t want to do it in the short way , you need to follow
Tom''s
instructions metioned in other email on this thread, and read the
iptables documentation, due to your distribution choose,  you will need
to do **a lot** of work.

Cristian Rodriguez wrote:
>
> if you don''t want to do it in the short way , you need to follow
Tom''s
> instructions metioned in other email on this thread, and read the
> iptables documentation, due to your distribution choose,  you will need
> to do **a lot** of work.
>   
Yep, I;m discovering that. But as the system is already installed with 
users behind it and lots of other packages such as squid installed and 
configured, changing and learning a new distribution isn''t an option. I
am sure a lot of other people need to do this, I''ll document it IF I 
ever get through.

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Mason (Lists) wrote:
> Cristian Rodriguez wrote:
>>
>> if you don''t want to do it in the short way , you need to
follow Tom''s
>> instructions metioned in other email on this thread, and read the
>> iptables documentation, due to your distribution choose,  you will need
>> to do **a lot** of work.
>>   
> Yep, I;m discovering that. But as the system is already installed with
> users behind it and lots of other packages such as squid installed and
> configured, changing and learning a new distribution isn''t an
option.
I understand. My server ran Redhat then Fedora for years -- the
conversion to SuSE was painful.
> I am sure a lot of other people need to do this, I''ll document it
IF I
> ever get through.
Thanks, Chris

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEAKlkO/MAbZfjDLIRAv3TAJ9EjsqP5pJUHr4+O3LqJ/UDAnQmdwCgkxsS
df9H+BOSrVnzE3jiOEKzi+M=blEa
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Tom Eastep wrote:
>
>
> There are five patches for ipsec/policy match. There will also be a
> patch for CONNMARK target support and one for connmark match support.
>   
The connmark match patch does not apply:

"The connrate match is used to match against the current transfer speed of
a
connection. The algorithm averages transferred bytes over a time sliding 
window
of constant size. The maximum and minimum rates measurable are explained 
in the
code, along the algorithm used in the measurements.

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
cannot apply (3 rejects out of 4 hunks)"

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>
>>
>> There are five patches for ipsec/policy match. There will also be a
>> patch for CONNMARK target support and one for connmark match support.
>>   
> The connmark match patch does not apply:
> 
> "The connrate match is used to match against the current transfer
speed of a
> connection. The algorithm averages transferred bytes over a time sliding
> window
> of constant size. The maximum and minimum rates measurable are explained
> in the
> code, along the algorithm used in the measurements.
> 
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> cannot apply (3 rejects out of 4 hunks)"
From the kernel source directory, what does "ls
net/ipv4/netfilter/*connmark*" show?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Chris Mason (Lists) wrote:
>> Cristian Rodriguez wrote:
>>> if you don''t want to do it in the short way , you need to
follow Tom''s
>>> instructions metioned in other email on this thread, and read the
>>> iptables documentation, due to your distribution choose,  you will
need
>>> to do **a lot** of work.
>>>   
>> Yep, I;m discovering that. But as the system is already installed with
>> users behind it and lots of other packages such as squid installed and
>> configured, changing and learning a new distribution isn''t an
option.
> 
> I understand. My server ran Redhat then Fedora for years -- the
> conversion to SuSE was painful.
> 
>> I am sure a lot of other people need to do this, I''ll document
it IF I
>> ever get through.
> 
> Thanks, Chris
> 
This is a strange thread, Chris:  wait for 2.6.16, then run that.  It will be a
while before you see a Redhat kernel
with that, however, I''ld be willing to bet that they will back port the
Policy Match support eventually.  In any case,
depending on your use-case, I have never had a problem with vanilla kernels
under Redhat. [Save the 2.4 + NPTL debacle].

Sincerely,
   Joshua


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Cristian Rodriguez wrote:
>>
>> if you don''t want to do it in the short way , you need to
follow Tom''s
>> instructions metioned in other email on this thread, and read the
>> iptables documentation, due to your distribution choose,  you will need
>> to do **a lot** of work.
>>   
> Yep, I;m discovering that. But as the system is already installed with 
> users behind it and lots of other packages such as squid installed and 
> configured, changing and learning a new distribution isn''t an
option. I
> am sure a lot of other people need to do this, I''ll document it IF
I
> ever get through.
> 

Chris,

   Why can''t you use a vanilla kernel?  Why are you insisting on using
a vendor kernel?  I tend to use the vanilla
kernels anyway, and the ''sucker patch set'' aka the stable
series [2.6.1x.x] have been very good to me.   If you want to
use a non-mainline distro, try one of those kernels,   Unless Centos is crazy,
then Linux is Linux is Linux, and you
should be able to sub in any kernel you want.  [that supports the baseline
model].

   I would recommend junking the vendor trees - you''re wasting your
time.

Sincerely,
   Joshua


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>
>>
>> There are five patches for ipsec/policy match. There will also be a
>> patch for CONNMARK target support and one for connmark match support.
>>   
> The connmark match patch does not apply:
> 
> "The connrate match is used to match against the current transfer
speed of a
> connection. The algorithm averages transferred bytes over a time sliding
> window
> of constant size. The maximum and minimum rates measurable are explained
> in the
> code, along the algorithm used in the measurements.
> 
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> cannot apply (3 rejects out of 4 hunks)"
From the kernel source directory, what does "ls
net/ipv4/netfilter/*connmark*" show?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>
> From the kernel source directory, what does "ls
> net/ipv4/netfilter/*connmark*" show?
>
>   
-rw-r--r--  2 root root 2253 Jun 17  2005 net/ipv4/netfilter/ipt_connmark.c

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Joshua Schmidlkofer wrote:
>
>
>   Why can''t you use a vanilla kernel?  Why are you insisting on
using
> a vendor kernel?  I tend to use the vanilla kernels anyway, and the 
> ''sucker patch set'' aka the stable series [2.6.1x.x] have
been very
> good to me.   If you want to use a non-mainline distro, try one of 
> those kernels,   Unless Centos is crazy, then Linux is Linux is Linux, 
> and you should be able to sub in any kernel you want.  [that supports 
> the baseline model].
>
>   I would recommend junking the vendor trees - you''re wasting your
time.
>
> Sincerely,
>   Joshua
>
Centos is Redhat, I don''t want to think Redhat is now non-mainstream.

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Joshua Schmidlkofer wrote:
>
>
>   Why can''t you use a vanilla kernel?  Why are you insisting on
using
> a vendor kernel?  I tend to use the vanilla kernels anyway, and the 
> ''sucker patch set'' aka the stable series [2.6.1x.x] have
been very
> good to me.   If you want to use a non-mainline distro, try one of 
> those kernels,   Unless Centos is crazy, then Linux is Linux is Linux, 
> and you should be able to sub in any kernel you want.  [that supports 
> the baseline model].
>
What would the advantage be? Could I bypass all the patching?

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>
>>
>> There are five patches for ipsec/policy match. There will also be a
>> patch for CONNMARK target support and one for connmark match support.
>>   
> The connmark match patch does not apply:
> 
> "The connrate match is used to match against the current transfer
speed of a
> connection. The algorithm averages transferred bytes over a time sliding
> window
> of constant size. The maximum and minimum rates measurable are explained
> in the
> code, along the algorithm used in the measurements.
> 
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> cannot apply (3 rejects out of 4 hunks)"
I just downloaded the 2.6.12 tarball -- looks like connmark match is
already in that version.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>
>> From the kernel source directory, what does "ls
>> net/ipv4/netfilter/*connmark*" show?
>>
>>   
> -rw-r--r--  2 root root 2253 Jun 17  2005 net/ipv4/netfilter/ipt_connmark.c
> 
Your kernel source tree already contains connmark match support.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
> 
>>
>> From the kernel source directory, what does "ls
>> net/ipv4/netfilter/*connmark*" show?
>>
>>   
> 
> -rw-r--r--  2 root root 2253 Jun 17  2005 net/ipv4/netfilter/ipt_connmark.c
> 
If your starting with a 2.6.10+ kernel, as you stated in an earlier 
post, Tom''s "ls" test would confirm that the source for that
modules is
present, no patching needed for that module. Your just patching for 
PFKEY, for your ipsec support.


Jerry


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>>>   
>> The connmark match patch does not apply:
>>
>> "The connrate match is used to match against the current transfer
speed of a
>> connection. The algorithm averages transferred bytes over a time
sliding
>> window
Also, this is the *connrate match* patch, not the *connmark match*
patch. You don''t need this patch anyway (Shorewall has no support for
it).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>
>>> window
>>>       
>
> Also, this is the *connrate match* patch, not the *connmark match*
> patch. You don''t need this patch anyway (Shorewall has no support
for it).
>
> -Tom
>   
All the same in the dark...

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Tom Eastep wrote:
>
>> cannot apply (3 rejects out of 4 hunks)"
>>     
>
> I just downloaded the 2.6.12 tarball -- looks like connmark match is
> already in that version.
>
>
>   
So only the policy match is important? I don''t care so much about ipsec
since I was pointed towards openvpn.


-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Jerry Vonau wrote:
>
>>
> If your starting with a 2.6.10+ kernel, as you stated in an earlier 
> post, Tom''s "ls" test would confirm that the source for
that modules
> is present, no patching needed for that module. Your just patching for 
> PFKEY, for your ipsec support.
>
>
How about policy routing?

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Building iptables did not go well. Suggestions?


extensions/libipt_policy.c: In function `parse_direction'':
extensions/libipt_policy.c:104: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:104: error: (Each undeclared identifier is 
reported only once
extensions/libipt_policy.c:104: error: for each function it appears in.)
extensions/libipt_policy.c:106: error: `POLICY_MATCH_OUT'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `parse_policy'':
extensions/libipt_policy.c:113: error: `POLICY_MATCH_NONE'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `parse_mode'':
extensions/libipt_policy.c:122: error: `POLICY_MODE_TRANSPORT'' 
undeclared (first use in this function)
extensions/libipt_policy.c:124: error: `POLICY_MODE_TUNNEL'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `parse'':
extensions/libipt_policy.c:143: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:143: error: `POLICY_MATCH_OUT'' undeclared 
(first use in this function)
extensions/libipt_policy.c:160: error: `POLICY_MATCH_STRICT'' undeclared
(first use in this function)
extensions/libipt_policy.c:200: error: incompatible types in assignment
extensions/libipt_policy.c:201: error: incompatible types in assignment
extensions/libipt_policy.c:215: error: incompatible types in assignment
extensions/libipt_policy.c:216: error: incompatible types in assignment
extensions/libipt_policy.c:246: error: `POLICY_MAX_ELEM'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `final_check'':
extensions/libipt_policy.c:268: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:268: error: `POLICY_MATCH_OUT'' undeclared 
(first use in this function)
extensions/libipt_policy.c:272: error: `POLICY_MATCH_NONE'' undeclared 
(first use in this function)
extensions/libipt_policy.c:273: error: `POLICY_MATCH_STRICT'' undeclared
(first use in this function)
extensions/libipt_policy.c:290: error: `POLICY_MODE_TUNNEL'' undeclared 
(first use in this function)
extensions/libipt_policy.c:291: error: `POLICY_MODE_TRANSPORT'' 
undeclared (first use in this function)
extensions/libipt_policy.c: In function `print_mode'':
extensions/libipt_policy.c:303: error: `POLICY_MODE_TRANSPORT'' 
undeclared (first use in this function)
extensions/libipt_policy.c:306: error: `POLICY_MODE_TUNNEL'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `print_flags'':
extensions/libipt_policy.c:369: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:374: error: `POLICY_MATCH_NONE'' undeclared 
(first use in this function)
extensions/libipt_policy.c:379: error: `POLICY_MATCH_STRICT'' undeclared
(first use in this function)
make: *** [extensions/libipt_policy_sh.o] Error 1

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Tom Eastep wrote:
>
> Also, this is the *connrate match* patch, not the *connmark match*
> patch. You don''t need this patch anyway (Shorewall has no support
for it).
>   
you said on the web site that iptables 1.3.1 was broken. Did it ever get 
fixed or do we need to patch for ever?

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>
>>> cannot apply (3 rejects out of 4 hunks)"
>>>     
>>
>> I just downloaded the 2.6.12 tarball -- looks like connmark match is
>> already in that version.
>>
>>
>>   
> So only the policy match is important? I don''t care so much about
ipsec
> since I was pointed towards openvpn.
If you can use OpenVPN, do so -- it doesn''t require any kernel
patching.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> Jerry Vonau wrote:
>>
>>>
>> If your starting with a 2.6.10+ kernel, as you stated in an earlier
>> post, Tom''s "ls" test would confirm that the source
for that modules
>> is present, no patching needed for that module. Your just patching for
>> PFKEY, for your ipsec support.
>>
>>
> How about policy routing?
> 
You need policy routing for multi-ISP but it doesn''t require any
patching.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>
>> Also, this is the *connrate match* patch, not the *connmark match*
>> patch. You don''t need this patch anyway (Shorewall has no
support for
>> it).
>>   
> you said on the web site that iptables 1.3.1 was broken. Did it ever get
> fixed or do we need to patch for ever?
> 
It got fixed.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> Building iptables did not go well. Suggestions?
> 
My only suggestion is to search the archives of the Netfilter list to
see of you can find anything similar. You might consider posting there
as well -- a problem compiling iptables is pretty off-topic on this list.

Looks like it''s failing compiling the policy match module. If
you''re not
going to run IPSEC, you could always remove extensions/ipt_policy.c and
hack up extensions/Makefile to not try to build it (if necessary -- I
don''t know if the Makefile mentions it by name or not).

It''s been my experience that patch-o-matic and patch-o-matic-ng work
one
day and then the next day''s snapshot is totally broken. I''ve
totally
stopped using features that require me to patch and compile my own
software; it''s just too much of a hassle. When a new kernel comes out,
I
usually build it and run it for a day or two to make sure that it plays
Ok with Shorewall (I generally do that during the RC phase so I''m ahead
of the final release); then I go back to my vendor-supplied kernel.
That''s especially true now that my firewall runs under Xen since
compiling Xen kernels with other patches isn''t something I''m
wild about
trying.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> Building iptables did not go well. Suggestions?
> 
FWIW, when policy match is available in the kernel, the missing
declarations are in include/linux/netfilter_ipv4/ipt_policy.h in the
kernel source tree.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> Building iptables did not go well. Suggestions?
>>
> 
> FWIW, when policy match is available in the kernel, the missing
> declarations are in include/linux/netfilter_ipv4/ipt_policy.h in the
> kernel source tree.
> 
I''ve attached the file.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>  I''ve totally
> stopped using features that require me to patch and compile my own
> software; it''s just too much of a hassle. When a new kernel comes
out, I
> usually build it and run it for a day or two to make sure that it plays
> Ok with Shorewall (I generally do that during the RC phase so I''m
ahead
> of the final release); then I go back to my vendor-supplied kernel.
> That''s especially true now that my firewall runs under Xen since
> compiling Xen kernels with other patches isn''t something
I''m wild about
> trying.
>
>   
Just for my info, what distribution are you using? SUSE was mentioned 
earlier, is this your preference for Shorewall?

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

I was able to compile and install the iptables-1.3.0-2 rpm from fedora 
4, and have compiled the kernel-2.6.12-1 rpm with ipsec patches and the 
policy match patch from patch-o-matic. I can''t find a later iptables
rpm.
If this box reboots with this kernel working, how far from being able to 
do Multi-ISP am I.?

Obviously I would reboot and try it if I could but I am remote from it 
so I am not going to reboot it until I am there.

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net]On Behalf Of Chris
> Mason (Lists)
> The new firewall I have been building for my Multi-ISP project is based
> on Centos 4.2. I am running into issues with capabilities as I want
> Contrack and IPSEC functionality.
> The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have
> downloaded the iptables source code 1.3.5 but I don''t see what
file I
> should be patching. Can anyone give me some guidance?
I usually recompile CentOS and Fedora kernel and iptables RPMs with
patch-o-matic (and other things useful to me) for my servers.
I decided long ago, when the servers I was maintaing began to increase in
number, to stay with RPM for manageability reasons. I personally think this
was a good decision. I also decided to only modify CentoOS and Fedora
original RPMs if possible, for the same reasons.
I used to put them on my web site, but due to a combination of factors (lack
of feedback, no one using them, + not plenty of spare time) I stopped
publishing them. But I can reconsider it if someone is going to make use of
these packages, give me some feedback and maybe help me in maintaining them.
Disclaimer: my packages are likely buggy, surely poorly maintained etc.etc.
All the other standard disclaimers apply. But they do their work, at least
for my particular needs.

Lux



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Lux wrote:
>
> I usually recompile CentOS and Fedora kernel and iptables RPMs with
> patch-o-matic (and other things useful to me) for my servers.
> I decided long ago, when the servers I was maintaing began to increase in
> number, to stay with RPM for manageability reasons. I personally think this
> was a good decision. I also decided to only modify CentoOS and Fedora
> original RPMs if possible, for the same reasons.
> I used to put them on my web site, but due to a combination of factors
(lack
> of feedback, no one using them, + not plenty of spare time) I stopped
> publishing them. But I can reconsider it if someone is going to make use of
> these packages, give me some feedback and maybe help me in maintaining
them.
> Disclaimer: my packages are likely buggy, surely poorly maintained etc.etc.
> All the other standard disclaimers apply. But they do their work, at least
> for my particular needs.
>
> Lux
>   
I think what would be more useful would be to post and maintain a howto 
specific to shorewall''s requirements. If the kernel I am patching and 
compiling works, I have copious notes and will post them. If anyone 
wants to do the same, they can follow the notes.

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Mason (Lists) wrote:
> I was able to compile and install the iptables-1.3.0-2 rpm from fedora
> 4, and have compiled the kernel-2.6.12-1 rpm with ipsec patches and the
> policy match patch from patch-o-matic. I can''t find a later
iptables rpm.
> If this box reboots with this kernel working, how far from being able to
> do Multi-ISP am I.?
Depends on whether you included all of the options you need in the
kernel. I won''t know for sure until you reboot and check the output of
"shorewall show capabilities".

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEAck2O/MAbZfjDLIRAjMLAKCDycYd0pJDLrhL0ZFE3lKcZVClIgCfUyt3
QkDAmEj/xNQfVC3Ji2g0+A4=BGXL
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Mason (Lists) wrote:
> Just for my info, what distribution are you using? SUSE was mentioned
> earlier, is this your preference for Shorewall?
I recently migrated to SuSE. I had been running SuSE on my desktop and
laptop for some time and decided to avoid the hassle of maintaining
multiple different environments. Before that, I used Debian which is
also nice for firewalls (I love the simple and powerful network
configuration system on Debian). I almost never ran Debian kernels
though; I compiled my own from kernel.org sources (which was a nuisance).

Once Kernel 2.6.16 is generally available in distributions, we should be
past the need for patching except for corner cases -- currently ipsets
and ipp2p.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEAcq7O/MAbZfjDLIRAhLhAJ0flrPnhfPr+2QlyDD1yvRAzZjoPgCcCxZZ
o6ZHpXA1dIOUGcv4nKIkNrY=Jyjb
-----END PGP SIGNATURE-----


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

This is what you said Tom Eastep
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Mason (Lists) wrote:
>> I was able to compile and install the iptables-1.3.0-2 rpm from fedora
>> 4, and have compiled the kernel-2.6.12-1 rpm with ipsec patches and the
>> policy match patch from patch-o-matic. I can''t find a later
iptables
>> rpm.
>> If this box reboots with this kernel working, how far from being able
to
>> do Multi-ISP am I.?
>
> Depends on whether you included all of the options you need in the
> kernel. I won''t know for sure until you reboot and check the
output of
> "shorewall show capabilities".
>
> - -Tom
Not that I have any clue what I am doing, but because I am running CentOS
4.2 and was following this thread, I blindly went ahead and tried execute
a patch-o-matic.

The patch-o-matic html page says to use cvs, but that documentation is
apparently outdated.  I was not running svn, so I tried compling that, but
I obviously forgot some options because I could not svn with SSL.

I manually downloaded patch-o-matic and iptables 1.3.5.  I am running
kernel 2.6.13.4 (obviously compiled from vanilla sources).

I ran patch-o-matic telling it where my kernel sources were located and
where iptables was located.  I rebuilt the kernel and rebooted.  Which I
am not sure anything changed.

I recompiled iptables 1.3.5, and as Tom pointed out the default directory
from source is different then what was installed.  I tried to use the
BINDIR= and KERNEL_DIR= options, but still ended up with iptables in
/usr/local/bin.

iptables in now in /sbin directory, in the location it was installed
before I went down this path.  If I run iptables -V from prompt it shows
1.3.5.

I have no idea of what I did is correct, but the system does not appear to
have any ill effects.

I was confused by this thread because at the beginning it sounded like
CentOS required an iptables upgrade along with some kernel patching. 
Later, as Tom pointed out, if you rolled your own kernel some of the
modules needed were already present.

Unfortunately I was already too deep in my experiment to turn back.

The bottom line here is that I believe you can manually upgrade CentOS
(kernel/iptables/patch-o-matic) without too much trouble (for a single
box).  As others have mentioned, if this process needed to be rolled out
to the enterprise the management would be a nightmare.

I know my contribution is weak, but I thought I would pass along my
experiences with this experiment and let you know CentOS can be upgraded
with patch-o-matic.

-Scott


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Tom Eastep wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Mason (Lists) wrote:
>
>   
>> Just for my info, what distribution are you using? SUSE was mentioned
>> earlier, is this your preference for Shorewall?
>>     
>
> I recently migrated to SuSE. I had been running SuSE on my desktop and
> laptop for some time and decided to avoid the hassle of maintaining
> multiple different environments. Before that, I used Debian which is
> also nice for firewalls (I love the simple and powerful network
> configuration system on Debian). I almost never ran Debian kernels
> though; I compiled my own from kernel.org sources (which was a nuisance).
>
> Once Kernel 2.6.16 is generally available in distributions, we should be
> past the need for patching except for corner cases -- currently ipsets
> and ipp2p.
>   
Just to confirm before I spend time installing it, SUSE 10 works 
beautifully for Multi-ISP shorewall installations?

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
> Just to confirm before I spend time installing it, SUSE 10 works
> beautifully for Multi-ISP shorewall installations?
I have no idea -- I can only afford one ISP. I do know that it contains
all of the kernel and iptables features that are required to run the
Shorewall Multi-ISP hack.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>
> I have no idea -- I can only afford one ISP. 
Ouch...feel for you...but then again, you probably have one that works 
well. All of this is because I can''t get a decent feed at a decent
price
so I have to resort to spreading the traffic across a bunch of feeds of 
varying quality and price.
Just to give you an idea, a T1 data feed here is $11,000/month. Not 
really an option.
> I do know that it contains
> all of the kernel and iptables features that are required to run the
> Shorewall Multi-ISP hack.
>
>   
Hack, eh? Now I feel more comfortable!

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Tom Eastep schrieb:
>Chris Mason (Lists) wrote:
>  
>
>>Tom Eastep wrote:
>>    
>>
>
>  
>
>>Just to confirm before I spend time installing it, SUSE 10 works
>>beautifully for Multi-ISP shorewall installations?
>>    
>>
>
>I have no idea -- I can only afford one ISP. I do know that it contains
>all of the kernel and iptables features that are required to run the
>Shorewall Multi-ISP hack.
>
>-Tom
>  
>
Yes it does, at least no kernel recompile needed.

Alex


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> 
>> I do know that it contains
>> all of the kernel and iptables features that are required to run the
>> Shorewall Multi-ISP hack.
>>
>>   
> Hack, eh? Now I feel more comfortable!
> 
I don''t know what else to call it. Anyone who was really serious about
having two uplinks for load-balancing and redundancy wouldn''t be using
static routing. But to get good dynamic routing, you need two
commercial-grade uplinks that support a routing protocol like BGP. There
was a shell script posted on the list a while back that used
''ping'' to
monitor the health of the two gateways and attempted to reconfigure if
one of the uplinks failed. That''s great so long as all uplink failures
happen between you and your ISP''s gateway router; the last time I lost
Internet access, I could ping my ISP''s router the whole time.

The other hackish aspect to it is that it is integrated with the packet
filter -- routing should be established when the network is started and
should not be a function of starting the packet filter. If I could
justify having two uplinks (which I can''t), I would probably break the
providers stuff off into a separate product so it could be started,
stopped and reconfigured separately. But without a way to run the
product in a live environment, I would be shamming folks if I claimed to
have a routing product of any kind.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>
>   
>>> I do know that it contains
>>> all of the kernel and iptables features that are required to run
the
>>> Shorewall Multi-ISP hack.
>>>
>>>   
>>>       
>> Hack, eh? Now I feel more comfortable!
>>
>>     
>
> Anyone who was really serious about
> having two uplinks for load-balancing and redundancy wouldn''t be
using
> static routing. But to get good dynamic routing, you need two
> commercial-grade uplinks that support a routing protocol like BGP. 
Well, in my case I don''t want dynamic routing. All I want to do is 
determine some traffic is better suited for the less reliable route and 
route accordingly.
I am not looking for failover either.

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> Chris Mason (Lists) wrote:
>>
>>   
>>>> I do know that it contains
>>>> all of the kernel and iptables features that are required to
run the
>>>> Shorewall Multi-ISP hack.
>>>>
>>>>   
>>>>       
>>> Hack, eh? Now I feel more comfortable!
>>>
>>>     
>>
>> Anyone who was really serious about
>> having two uplinks for load-balancing and redundancy wouldn''t
be using
>> static routing. But to get good dynamic routing, you need two
>> commercial-grade uplinks that support a routing protocol like BGP. 
> Well, in my case I don''t want dynamic routing. All I want to do is
> determine some traffic is better suited for the less reliable route and
> route accordingly.
> I am not looking for failover either.
>
Then the Shorewall stuff should work OK for you.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Depends on whether you included all of the options you need in the
> kernel. I won''t know for sure until you reboot and check the
output of
> "shorewall show capabilities".
>
> - -Tom
>   
Hi Tom,
I setup a small test box and followed my own instructions, I have the 
2.6.12 kenel and iptables 1.4.5, and I applied the policy route patch.
Here is the output. Are we there yet?
Chris

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

One more problem you might have insight into:
Building iptables after patching, I get

Making dependencies: please wait...
In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from 
/usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,
                 from include/libiptc/libiptc.h:6,
                 from libiptc/libip4tc.c:29:
/usr/src/linux/include/linux/config.h:6:2: #error including kernel 
header in userspace; use the glibc headers instead!


If I don''t patch and build the iptables from the source rpm, it is
fine,
but then there is no patches.

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int:  (305) 704-7249 Fax: (815)301-9759 UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> Depends on whether you included all of the options you need in the
>> kernel. I won''t know for sure until you reboot and check the
output of
>> "shorewall show capabilities".
>>
>> - -Tom
>>   
> Hi Tom,
> I setup a small test box and followed my own instructions, I have the
> 2.6.12 kenel and iptables 1.4.5, and I applied the policy route patch.
> Here is the output. Are we there yet?
> Chris
> 
> Shorewall has detected the following iptables/netfilter capabilities:
>   NAT: Available
>   Packet Mangling: Available
>   Multi-port Match: Available
>   Extended Multi-port Match: Available
>   Connection Tracking Match: Available
>   Packet Type Match: Available
>   Policy Match: Not available
>   Physdev Match: Available
>   IP range Match: Available
>   Recent Match: Available
>   Owner Match: Available
>   Ipset Match: Not available
>   CONNMARK Target: Available
>   Connmark Match: Available
>   Raw Table: Available
>   CLASSIFY Target: Available
> 
Looks good, provided that you don''t need IPSEC.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Chris Mason (Lists) wrote:
> One more problem you might have insight into:
> Building iptables after patching, I get
> 
> Making dependencies: please wait...
> In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
>                 from
> /usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,
>                 from include/libiptc/libiptc.h:6,
>                 from libiptc/libip4tc.c:29:
> /usr/src/linux/include/linux/config.h:6:2: #error including kernel
> header in userspace; use the glibc headers instead!
> 
> 
> If I don''t patch and build the iptables from the source rpm, it is
fine,
> but then there is no patches.
> 
You might see if the 5th patch from my set of IPSEC patches helps. I had
similar problems but the symptoms weren''t quite the same. I thought
that
the Netfilter guys has picked up that patch.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

One more problem ( I solved the last) - the policy match patch doesn''t 
build:

extensions/libipt_policy.c: In function `parse_direction'':
extensions/libipt_policy.c:104: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:104: error: (Each undeclared identifier is 
reported only once
extensions/libipt_policy.c:104: error: for each function it appears in.)
extensions/libipt_policy.c:106: error: `POLICY_MATCH_OUT'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `parse_policy'':
extensions/libipt_policy.c:113: error: `POLICY_MATCH_NONE'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `parse_mode'':
extensions/libipt_policy.c:122: error: `POLICY_MODE_TRANSPORT'' 
undeclared (first use in this function)
extensions/libipt_policy.c:124: error: `POLICY_MODE_TUNNEL'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `parse'':
extensions/libipt_policy.c:143: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:143: error: `POLICY_MATCH_OUT'' undeclared 
(first use in this function)
extensions/libipt_policy.c:160: error: `POLICY_MATCH_STRICT'' undeclared
(first use in this function)
extensions/libipt_policy.c:200: error: incompatible types in assignment
extensions/libipt_policy.c:201: error: incompatible types in assignment
extensions/libipt_policy.c:215: error: incompatible types in assignment
extensions/libipt_policy.c:216: error: incompatible types in assignment
extensions/libipt_policy.c:246: error: `POLICY_MAX_ELEM'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `final_check'':
extensions/libipt_policy.c:268: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:268: error: `POLICY_MATCH_OUT'' undeclared 
(first use in this function)
extensions/libipt_policy.c:272: error: `POLICY_MATCH_NONE'' undeclared 
(first use in this function)
extensions/libipt_policy.c:273: error: `POLICY_MATCH_STRICT'' undeclared
(first use in this function)
extensions/libipt_policy.c:290: error: `POLICY_MODE_TUNNEL'' undeclared 
(first use in this function)
extensions/libipt_policy.c:291: error: `POLICY_MODE_TRANSPORT'' 
undeclared (first use in this function)
extensions/libipt_policy.c: In function `print_mode'':
extensions/libipt_policy.c:303: error: `POLICY_MODE_TRANSPORT'' 
undeclared (first use in this function)
extensions/libipt_policy.c:306: error: `POLICY_MODE_TUNNEL'' undeclared 
(first use in this function)
extensions/libipt_policy.c: In function `print_flags'':
extensions/libipt_policy.c:369: error: `POLICY_MATCH_IN'' undeclared 
(first use in this function)
extensions/libipt_policy.c:374: error: `POLICY_MATCH_NONE'' undeclared 
(first use in this function)
extensions/libipt_policy.c:379: error: `POLICY_MATCH_STRICT'' undeclared
(first use in this function)
make: *** [extensions/libipt_policy_sh.o] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.86614 (%build)

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason wrote:
> One more problem ( I solved the last) - the policy match patch
doesn''t
> build:
>
Chris -- I told you about that one last night (even sent you a header
file to correct it).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
>Chris Mason wrote:
>  
>
>>One more problem ( I solved the last) - the policy match patch
doesn''t
>>build:
>>
>>    
>>
>
>Chris -- I told you about that one last night (even sent you a header
>file to correct it).
>
>-Tom
>  
>
Yes, you did, sorry. Does it go in the kernel source or the iptables 
source? Or both?

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason wrote:
> Tom Eastep wrote:
> 
>> Chris Mason wrote:
>>  
>>
>>> One more problem ( I solved the last) - the policy match patch
doesn''t
>>> build:
>>>
>>>   
>>
>> Chris -- I told you about that one last night (even sent you a header
>> file to correct it).
>>
>> -Tom
>>  
>>
> Yes, you did, sorry. Does it go in the kernel source or the iptables
> source? Or both?
> 
Check my messages -- it goes in the kernel source tree but I don''t
off-hand recall where. I mentioned it in the message before the one that
included the file itself.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

>Check my messages -- it goes in the kernel source tree but I don''t
>off-hand recall where. I mentioned it in the message before the one that
>included the file itself.
>
>-Tom
>  
>
I tried that first but it didn''t improve the problem. However, all
these
patches are only for ipsec, right? I don''t need them. I am rebuilding 
the rpms and will install without patches.
The 2.6.16 kernel should be in the fedora updates soon, right?

Chris

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Chris Mason wrote:
> 
>> Check my messages -- it goes in the kernel source tree but I
don''t
>> off-hand recall where. I mentioned it in the message before the one
that
>> included the file itself.
>>
>> -Tom
>>  
>>
> I tried that first but it didn''t improve the problem. However, all
these
> patches are only for ipsec, right? I don''t need them. I am
rebuilding
> the rpms and will install without patches.
> The 2.6.16 kernel should be in the fedora updates soon, right?
I would think so.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

I promised to post my summary of setting up a Centos 4.2 server kernel 
to be able to use the Multi ISP features. I never got the IPSEC patches 
in place so it is not complete but I don''t need IPSEC anyway so I
don''t
care.

I installed Centos 4.2 Single Server disk. I don''t see any reason to 
bother with the multi disk setup since yum will add groups as needed.
Then I ran yum update and brought the server up to date.

I downloaded Shorewall 3.05 rpm and installed.

Since the object is to be able to use the Multi-ISP features, the stock 
kernel is not adequate as it does not include the routing policy patch.

We download the 2.6.12 kernel to get the features we need.

# wget 
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/kernel-2.6.12-1.1381_FC3.src.rpm

 

rpm -i kernel-2.6.12-1.1381_FC3.src.rpm

 

cd /usr/src/redhat/SPECS/

 

vi kernel.spec

 

%define release %(R="$Revision: 1.1381 $"; RR="${R##: }";
echo
${RR%%?})_FC3%{rhbsys}

 

And change to

%define release %(R="$Revision: 1.1381 $"; RR="${R##: }";
echo
${RR%%?})_FC3CM%{rhbsys}

 

So the kernel version is marked as yours.


# rpmbuild -bp --target=i686 kernel-2.6.spec


Copy the correct config file to .config

# cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12

# cp configs/kernel-2.6.12-i686-smp.config .config


Get iptables rpm
wget 
ftp://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/iptables-1.3.5-1.2.src.rpm

 

Get patch-o-matic

browse ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ , find and 
download the tarball

 

tar -C /var/tmp -jxvf patch-o-matic-ng-20060224.tar.bz2

 

cd /var/tmp/patch-o-matic-ng-20060224/


Setup the patch-o-matic-ng environment 

# KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12 \

IPTABLES_DIR=/usr/src/redhat/BUILD/iptables-1.3.5 \

./runme extra

Apply patch policy

 

This should have the necessary patches to the kernel source.

Copy the correct config file to .config

# cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12

# cp configs/kernel-2.6.12-i686-smp.config .config # or the right file 
for your config

 

# make oldconfig

(answer "m" to any changes)


build the kernel and modules

make all

 

install the modules into place /lib/modules

# make modules_install

 

install kernel

# make install

ll

 

Edit /boot/grub/grub.conf, you''ll find that the kernel has already been
added, but the default=1 points to your previous kernel. Set default=0.

After the reboot, providing it does reboot, you should see the required 
option:
# shorewall show capabilities

Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Not available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available


Note that you won''t have ipsec without some additional patches.

After that, follow the Multi ISP tutorial at 
http://www.shorewall.net/MultiISP.html
I find it wonderful for controlling which service uses which interface, 
i.e, sending web browsing traffic out the cheaper ADSL connection and 
saving dedicated links for voice.





-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

On Wednesday 15 March 2006 05:31, Chris Mason (Lists)
wrote:
> I promised to post my summary of setting up a Centos 4.2 server kernel
> to be able to use the Multi ISP features. I never got the IPSEC patches
> in place so it is not complete but I don''t need IPSEC anyway so I
don''t
> care.
Thanks, Chris!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key