The new firewall I have been building for my Multi-ISP project is based on Centos 4.2. I am running into issues with capabilities as I want Conntrack and IPSEC functionality. The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have downloaded the iptables source code 1.3.5 but I don't see what file I should be patching. Can anyone give me some guidance?

Do I need to recompile the kernel and what needs to be changed?

[root@firewall ~]# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available
CLASSIFY Target: Available

-- 
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815) 301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Chris Mason (Lists) wrote:
> The new firewall I have been building for my Multi-ISP project is based on Centos 4.2. I am running into issues with capabilities as I want Conntrack and IPSEC functionality. The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have downloaded the iptables source code 1.3.5 but I don't see what file I should be patching. Can anyone give me some guidance?
>
> Do I need to recompile the kernel and what needs to be changed?
>
> [root@firewall ~]# shorewall show capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Extended Multi-port Match: Not available
> Connection Tracking Match: Available
> Packet Type Match: Available
> Policy Match: Not available
> Physdev Match: Available
> IP range Match: Available
> Recent Match: Available
> Owner Match: Available
> Ipset Match: Not available
> CONNMARK Target: Not available
> Connmark Match: Not available
> Raw Table: Available
> CLASSIFY Target: Available

you have to recompile your kernel and patch it with "Connmark" support

for VPN stuff please run OpenVPN.

ps: SUSE distro provides all that you need by default..
Cristian Rodriguez wrote:
> you have to recompile your kernel and patch it with "Connmark" support

I was hoping for a little more specific instructions. How do I patch for Connmark support? Is that a patch-o-matic item? Which one? Do I need to recompile iptables?

> for VPN stuff please run OpenVPN.
>
> ps: SUSE distro provides all that you need by default..

Thanks but I don't have any experience with SUSE. I use Redhat or Centos for everything.

-- 
Chris Mason
On Friday 24 February 2006 00:15, Chris Mason (Lists) wrote:
> The new firewall I have been building for my Multi-ISP project is based on Centos 4.2. I am running into issues with capabilities as I want Conntrack and IPSEC functionality. The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have downloaded the iptables source code 1.3.5 but I don't see what file I should be patching. Can anyone give me some guidance?

You need to download patch-o-matic-ng from the Netfilter site and follow the instructions included. The patches you need are in the 'extras' group.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Chris Mason (Lists) wrote:
> Cristian Rodriguez wrote:
>> you have to recompile your kernel and patch it with "Connmark" support
>
> I was hoping for a little more specific instructions.

1. This is not an iptables support list, so how to patch kernel and iptables is out of the scope.

> Is that a patch-o-matic item?

2. Yes, it's a patch-o-matic item.

> How do I patch for Connmark support? Which one?

3. I have no idea, I use a well featured/engineered distribution shipping all that I need.

> Do I need to recompile iptables?

Yes, and your kernel too.

>> ps: SUSE distro provides all that you need by default..
>
> Thanks but I don't have any experience with SUSE. I use Redhat or Centos for everything.

good luck then.
Cristian Rodriguez wrote:
> 3. I have no idea, I use a well featured/engineered distribution shipping all that I need.
>
>>> ps: SUSE distro provides all that you need by default..
>>
>> Thanks but I don't have any experience with SUSE. I use Redhat or Centos for everything.
>
> good luck then.

Getting advice like this reminds me of the last time I toured Ireland. I was completely lost despite maps and a GPS. The signs seemed to direct me in circles. I stopped next to a man sitting by the road smoking a pipe, and asked the direction to a well-known attraction in that area. He scratched his head, took the pipe from his mouth, and uttered the immortal words "Well, if I was you, I would not start from here at all.."

Can I suggest that Tom and the Shorewall team post a clear message on the Shorewall.net site: "Don't use anything except SUSE because you won't get any help if you do"? I'd prefer not to receive religious tantra, it's not like I asked how to do it with Redhat 7.0 or some obscure OS.

-- 
Chris Mason
On Saturday 25 February 2006 05:44, Chris Mason (Lists) wrote:
> Can I suggest that Tom and the Shorewall team post a clear message on the Shorewall.net site: "Don't use anything except SUSE because you won't get any help if you do"? I'd prefer not to receive religious tantra, it's not like I asked how to do it with Redhat 7.0 or some obscure OS.

On the other hand, Kernel 2.6.9 isn't exactly hot off the press. And combining it with iptables 1.3.5 is something that I'm willing to bet has not been tried by anyone on this list. So asking for help in trying to do what you are attempting is unlikely to get you any authoritative step-by-step instructions.

I had previously offered you the suggestion to download patch-o-matic-ng from the netfilter site and follow the instructions included. Patch-o-matic-ng will try to patch your kernel appropriately. The five patches you are looking for are in the 'extras' section. You seem to be looking for something more -- I don't know what more I can tell you.

I don't know if the current patch-o-matic-ng is at all compatible with your 18-month old kernel so you might run into problems there. If so, upgrading to a current kernel will get you the CONNMARK/connmark changes without the need for patching but you will still need to patch for PFKEY ipsec/netfilter integration and policy match support. That requirement goes away in kernel 2.6.16 if you're bold enough to try the current release candidate (I ran RC1 for a while on my firewall and it worked ok for me).

Iptables 1.3.5 will not require patching but must be built *after* you have patched/built your kernel. Again, there are instructions included with the iptables source. Beware that, by default, iptables will install itself into /usr/local/sbin so you may need to adjust your PATH accordingly to avoid running your old 1.2.x version. Be sure to adjust PATH in /etc/shorewall/shorewall.conf so that Shorewall will use the correct version.
-Tom
On Saturday 25 February 2006 07:54, Tom Eastep wrote:
> Be sure to adjust PATH in /etc/shorewall/shorewall.conf so that Shorewall will use the correct version.

Or set IPTABLES=/usr/local/sbin/iptables

-Tom
Tom Eastep wrote:
> On the other hand, Kernel 2.6.9 isn't exactly hot off the press. And combining it with iptables 1.3.5 is something that I'm willing to bet has not been tried by anyone on this list. So asking for help in trying to do what you are attempting is unlikely to get you any authoritative step-by-step instructions.

I'm not expecting that, I just find that telling people they are not using the "BEST" distribution so they are on their own is not productive. CentOS 4.2 is recent, there is no more recent kernel released. Not everyone is willing to use short life releases such as Fedora. I am going to try to build the 2.6.11 kernel from fedora and see how that works. I will document and post a step by step if successful.

> I had previously offered you the suggestion to download patch-o-matic-ng from the netfilter site and follow the instructions included. Patch-o-matic-ng will try to patch your kernel appropriately. The five patches you are looking for are in the 'extras' section.

-- 
Chris Mason
Tom Eastep wrote:
> I had previously offered you the suggestion to download patch-o-matic-ng from the netfilter site and follow the instructions included. Patch-o-matic-ng will try to patch your kernel appropriately. The five patches you are looking for are in the 'extras' section.

There are five patches for ipsec/policy match. There will also be a patch for CONNMARK target support and one for connmark match support.

-Tom
I am trying the Fedora 3 kernel source rpm 2.6.12 and I have been able to apply the patches from shorewall and used patch-o-matic-ng to patch policy matching. I have renamed the release in kernel.spec and I am building the i686-smp version of the kernel. Can I just rebuild the kernel and install the rpm? I'll build iptables after that.

Advice appreciated.

-- 
Chris Mason
Chris Mason (Lists) wrote:
> I am trying the Fedora 3 kernel source rpm 2.6.12 and I have been able to apply the patches from shorewall and used patch-o-matic-ng to patch policy matching. I have renamed the release in kernel.spec and I am building the i686-smp version of the kernel. Can I just rebuild the kernel and install the rpm?
> I'll build iptables after that.

Just don't reboot until you have built and installed iptables. You will probably end up with a mis-matched kernel/iptables otherwise.

-Tom
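Tom's instructions above (patch and rebuild the kernel first, then build iptables 1.3.5 and make sure Shorewall actually runs the new binary) and his warning about ending up with a mismatched kernel/iptables both come down to the same question: when "shorewall show capabilities" says Not available, is the kernel missing the feature, or is the iptables binary too old to know it? The checker below is an added example, not code from the thread or from Shorewall; it reads the capability listing and a kernel .config and answers that per capability. The mapping from Shorewall capability names to 2.6-era CONFIG_IP_NF_* symbols is my own assumption from memory, so verify it against net/ipv4/netfilter/Kconfig in your tree; the sample inputs are constructed.

```python
"""Cross-check `shorewall show capabilities` against a kernel .config.

For each capability Shorewall reports as "Not available", decide whether
the gap is on the kernel side (option absent or disabled: patch/configure
and rebuild the kernel first) or on the iptables side (the kernel has the
module, but the iptables binary Shorewall runs does not know the extension,
i.e. the kernel/iptables mismatch the thread warns about).
"""
import re

# Assumed mapping from Shorewall's capability names to the 2.6-era
# netfilter Kconfig symbols (from memory; check your tree's
# net/ipv4/netfilter/Kconfig). Capabilities with no single in-tree
# symbol (Extended Multi-port, Ipset) are deliberately left out.
CAPABILITY_CONFIG = {
    "NAT": "CONFIG_IP_NF_NAT",
    "Packet Mangling": "CONFIG_IP_NF_MANGLE",
    "Multi-port Match": "CONFIG_IP_NF_MATCH_MULTIPORT",
    "Connection Tracking Match": "CONFIG_IP_NF_MATCH_CONNTRACK",
    "Packet Type Match": "CONFIG_IP_NF_MATCH_PKTTYPE",
    "Policy Match": "CONFIG_IP_NF_MATCH_POLICY",
    "Physdev Match": "CONFIG_IP_NF_MATCH_PHYSDEV",
    "IP range Match": "CONFIG_IP_NF_MATCH_IPRANGE",
    "Recent Match": "CONFIG_IP_NF_MATCH_RECENT",
    "Owner Match": "CONFIG_IP_NF_MATCH_OWNER",
    "CONNMARK Target": "CONFIG_IP_NF_TARGET_CONNMARK",
    "Connmark Match": "CONFIG_IP_NF_MATCH_CONNMARK",
    "Raw Table": "CONFIG_IP_NF_RAW",
    "CLASSIFY Target": "CONFIG_IP_NF_TARGET_CLASSIFY",
}

# What the IPSEC + multi-ISP setup in the thread is after.
REQUIRED = ["Connection Tracking Match", "Policy Match",
            "CONNMARK Target", "Connmark Match"]

CAP_LINE = re.compile(r"^\s*(.+?):\s+(Available|Not available)\s*$")
CFG_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=([ym])\s*$")
CFG_UNSET = re.compile(r"^#\s*(CONFIG_[A-Z0-9_]+) is not set\s*$")


def parse_capabilities(text):
    """Map capability name -> True/False from `shorewall show capabilities`."""
    caps = {}
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = m.group(2) == "Available"
    return caps


def parse_kernel_config(text):
    """Map CONFIG_* -> 'y'/'m' when enabled, None when present but not set.

    A symbol that never appears is absent from the dict: that tree has no
    such option at all (typically an unpatched tree, e.g. no policy match).
    """
    cfg = {}
    for line in text.splitlines():
        m = CFG_SET.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
            continue
        m = CFG_UNSET.match(line)
        if m:
            cfg[m.group(1)] = None
    return cfg


def diagnose(caps, cfg, required=REQUIRED):
    """Return {capability: verdict}: 'ok', 'kernel', 'iptables' or 'unknown'."""
    report = {}
    for name in required:
        if caps.get(name, False):
            report[name] = "ok"
            continue
        symbol = CAPABILITY_CONFIG.get(name)
        if symbol is None:
            report[name] = "unknown"   # no in-tree symbol to check against
        elif cfg.get(symbol) is None:
            # Absent from .config (unpatched tree) or "is not set":
            # the kernel has to be patched/configured and rebuilt first.
            report[name] = "kernel"
        else:
            # Kernel provides it; the iptables binary in use is too old or
            # the wrong one (PATH / IPTABLES= still pointing at 1.2.x).
            report[name] = "iptables"
    return report


# Constructed samples: a trimmed copy of the capability listing posted in
# this thread, and a made-up .config fragment for a tree that already
# carries connmark but was never patched for policy match.
SAMPLE_CAPABILITIES = """\
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Connection Tracking Match: Available
Policy Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
"""

SAMPLE_CONFIG = """\
# Constructed .config fragment (not from a real tree)
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_MATCH_CONNTRACK=m
CONFIG_IP_NF_MATCH_CONNMARK=m
CONFIG_IP_NF_TARGET_CONNMARK=m
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_MATCH_PHYSDEV is not set
"""

if __name__ == "__main__":
    report = diagnose(parse_capabilities(SAMPLE_CAPABILITIES),
                      parse_kernel_config(SAMPLE_CONFIG))
    for cap, verdict in report.items():
        print(f"{cap:28s} {verdict}")
```

On a real box, feed it the output of "shorewall show capabilities" and the .config of the kernel you built; a verdict of "iptables" for connmark while "kernel" for policy match is exactly the state Chris's 2.6.12 tree plus an old 1.2.11 binary would produce.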
Chris Mason (Lists) wrote:
> Can I suggest that Tom and the Shorewall team post a clear message on the Shorewall.net site: "Don't use anything except SUSE because you won't get any help if you do"? I'd prefer not to receive religious tantra, it's not like I asked how to do it with Redhat 7.0 or some obscure OS.

It has nothing to do with religion, Shorewall should run in any distribution. I just pointed you to the shortest, practical, quick solution (and tested by us, BTW). If you don't want to do it the short way, you need to follow Tom's instructions mentioned in another email on this thread, and read the iptables documentation; due to your distribution choice, you will need to do **a lot** of work.
Cristian Rodriguez wrote:
> If you don't want to do it the short way, you need to follow Tom's instructions mentioned in another email on this thread, and read the iptables documentation; due to your distribution choice, you will need to do **a lot** of work.

Yep, I'm discovering that. But as the system is already installed with users behind it and lots of other packages such as squid installed and configured, changing and learning a new distribution isn't an option. I am sure a lot of other people need to do this, I'll document it IF I ever get through.

-- 
Chris Mason
Chris Mason (Lists) wrote:
> Cristian Rodriguez wrote:
>> If you don't want to do it the short way, you need to follow Tom's instructions mentioned in another email on this thread, and read the iptables documentation; due to your distribution choice, you will need to do **a lot** of work.
>
> Yep, I'm discovering that. But as the system is already installed with users behind it and lots of other packages such as squid installed and configured, changing and learning a new distribution isn't an option.

I understand. My server ran Redhat then Fedora for years -- the conversion to SuSE was painful.

> I am sure a lot of other people need to do this, I'll document it IF I ever get through.

Thanks, Chris

-Tom
Tom Eastep wrote:
> There are five patches for ipsec/policy match. There will also be a patch for CONNMARK target support and one for connmark match support.

The connmark match patch does not apply:

"The connrate match is used to match against the current transfer speed of a connection. The algorithm averages transferred bytes over a time sliding window of constant size. The maximum and minimum rates measurable are explained in the code, along the algorithm used in the measurements.

Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
cannot apply (3 rejects out of 4 hunks)"

-- 
Chris Mason
Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> There are five patches for ipsec/policy match. There will also be a patch for CONNMARK target support and one for connmark match support.
>
> The connmark match patch does not apply:
>
> "The connrate match is used to match against the current transfer speed of a connection. The algorithm averages transferred bytes over a time sliding window of constant size. The maximum and minimum rates measurable are explained in the code, along the algorithm used in the measurements.
>
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> cannot apply (3 rejects out of 4 hunks)"

From the kernel source directory, what does "ls net/ipv4/netfilter/*connmark*" show?

-Tom
Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> Cristian Rodriguez wrote:
>>> If you don't want to do it the short way, you need to follow Tom's instructions mentioned in another email on this thread, and read the iptables documentation; due to your distribution choice, you will need to do **a lot** of work.
>>
>> Yep, I'm discovering that. But as the system is already installed with users behind it and lots of other packages such as squid installed and configured, changing and learning a new distribution isn't an option.
>
> I understand. My server ran Redhat then Fedora for years -- the conversion to SuSE was painful.
>
>> I am sure a lot of other people need to do this, I'll document it IF I ever get through.
>
> Thanks, Chris

This is a strange thread. Chris: wait for 2.6.16, then run that. It will be a while before you see a Redhat kernel with that; however, I'd be willing to bet that they will back port the Policy Match support eventually. In any case, depending on your use-case, I have never had a problem with vanilla kernels under Redhat. [Save the 2.4 + NPTL debacle].

Sincerely,
Joshua
Chris Mason (Lists) wrote:
> Cristian Rodriguez wrote:
>> If you don't want to do it the short way, you need to follow Tom's instructions mentioned in another email on this thread, and read the iptables documentation; due to your distribution choice, you will need to do **a lot** of work.
>
> Yep, I'm discovering that. But as the system is already installed with users behind it and lots of other packages such as squid installed and configured, changing and learning a new distribution isn't an option. I am sure a lot of other people need to do this, I'll document it IF I ever get through.

Chris,

Why can't you use a vanilla kernel? Why are you insisting on using a vendor kernel? I tend to use the vanilla kernels anyway, and the 'sucker patch set' aka the stable series [2.6.1x.x] have been very good to me. If you want to use a non-mainline distro, try one of those kernels. Unless Centos is crazy, Linux is Linux is Linux, and you should be able to sub in any kernel you want [that supports the baseline model].

I would recommend junking the vendor trees - you're wasting your time.

Sincerely,
Joshua
Tom Eastep wrote:
> From the kernel source directory, what does "ls net/ipv4/netfilter/*connmark*" show?

-rw-r--r-- 2 root root 2253 Jun 17 2005 net/ipv4/netfilter/ipt_connmark.c

-- 
Chris Mason
Joshua Schmidlkofer wrote:
> Why can't you use a vanilla kernel? Why are you insisting on using a vendor kernel? I tend to use the vanilla kernels anyway, and the 'sucker patch set' aka the stable series [2.6.1x.x] have been very good to me. If you want to use a non-mainline distro, try one of those kernels. Unless Centos is crazy, Linux is Linux is Linux, and you should be able to sub in any kernel you want [that supports the baseline model].
>
> I would recommend junking the vendor trees - you're wasting your time.
>
> Sincerely,
> Joshua

Centos is Redhat, I don't want to think Redhat is now non-mainstream.

-- 
Chris Mason
Joshua Schmidlkofer wrote:
> Why can't you use a vanilla kernel? Why are you insisting on using a vendor kernel? I tend to use the vanilla kernels anyway, and the 'sucker patch set' aka the stable series [2.6.1x.x] have been very good to me. If you want to use a non-mainline distro, try one of those kernels. Unless Centos is crazy, Linux is Linux is Linux, and you should be able to sub in any kernel you want [that supports the baseline model].

What would the advantage be? Could I bypass all the patching?

-- 
Chris Mason
Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> There are five patches for ipsec/policy match. There will also be a patch for CONNMARK target support and one for connmark match support.
>
> The connmark match patch does not apply:
>
> "The connrate match is used to match against the current transfer speed of a connection. The algorithm averages transferred bytes over a time sliding window of constant size. The maximum and minimum rates measurable are explained in the code, along the algorithm used in the measurements.
>
> Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y
> cannot apply (3 rejects out of 4 hunks)"

I just downloaded the 2.6.12 tarball -- looks like connmark match is already in that version.

-Tom
Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> From the kernel source directory, what does "ls net/ipv4/netfilter/*connmark*" show?
>
> -rw-r--r-- 2 root root 2253 Jun 17 2005 net/ipv4/netfilter/ipt_connmark.c

Your kernel source tree already contains connmark match support.

-Tom
Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> From the kernel source directory, what does "ls net/ipv4/netfilter/*connmark*" show?
>
> -rw-r--r-- 2 root root 2253 Jun 17 2005 net/ipv4/netfilter/ipt_connmark.c

If you're starting with a 2.6.10+ kernel, as you stated in an earlier post, Tom's "ls" test would confirm that the source for that module is present; no patching needed for that module. You're just patching for PFKEY, for your ipsec support.

Jerry
Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> The connmark match patch does not apply:
>>
>> "The connrate match is used to match against the current transfer speed of a connection. The algorithm averages transferred bytes over a time sliding window

Also, this is the *connrate match* patch, not the *connmark match* patch. You don't need this patch anyway (Shorewall has no support for it).

-Tom
Tom Eastep wrote:
> Also, this is the *connrate match* patch, not the *connmark match* patch. You don't need this patch anyway (Shorewall has no support for it).
>
> -Tom

All the same in the dark...

-- 
Chris Mason
Tom Eastep wrote:
>> cannot apply (3 rejects out of 4 hunks)"
>
> I just downloaded the 2.6.12 tarball -- looks like connmark match is already in that version.

So only the policy match is important? I don't care so much about ipsec since I was pointed towards openvpn.

-- 
Chris Mason
Jerry Vonau wrote:
> If you're starting with a 2.6.10+ kernel, as you stated in an earlier post, Tom's "ls" test would confirm that the source for that module is present; no patching needed for that module. You're just patching for PFKEY, for your ipsec support.

How about policy routing?

--
Chris Mason

Building iptables did not go well. Suggestions?

extensions/libipt_policy.c: In function `parse_direction':
extensions/libipt_policy.c:104: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:104: error: (Each undeclared identifier is reported only once
extensions/libipt_policy.c:104: error: for each function it appears in.)
extensions/libipt_policy.c:106: error: `POLICY_MATCH_OUT' undeclared (first use in this function)
extensions/libipt_policy.c: In function `parse_policy':
extensions/libipt_policy.c:113: error: `POLICY_MATCH_NONE' undeclared (first use in this function)
extensions/libipt_policy.c: In function `parse_mode':
extensions/libipt_policy.c:122: error: `POLICY_MODE_TRANSPORT' undeclared (first use in this function)
extensions/libipt_policy.c:124: error: `POLICY_MODE_TUNNEL' undeclared (first use in this function)
extensions/libipt_policy.c: In function `parse':
extensions/libipt_policy.c:143: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:143: error: `POLICY_MATCH_OUT' undeclared (first use in this function)
extensions/libipt_policy.c:160: error: `POLICY_MATCH_STRICT' undeclared (first use in this function)
extensions/libipt_policy.c:200: error: incompatible types in assignment
extensions/libipt_policy.c:201: error: incompatible types in assignment
extensions/libipt_policy.c:215: error: incompatible types in assignment
extensions/libipt_policy.c:216: error: incompatible types in assignment
extensions/libipt_policy.c:246: error: `POLICY_MAX_ELEM' undeclared (first use in this function)
extensions/libipt_policy.c: In function `final_check':
extensions/libipt_policy.c:268: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:268: error: `POLICY_MATCH_OUT' undeclared (first use in this function)
extensions/libipt_policy.c:272: error: `POLICY_MATCH_NONE' undeclared (first use in this function)
extensions/libipt_policy.c:273: error: `POLICY_MATCH_STRICT' undeclared (first use in this function)
extensions/libipt_policy.c:290: error: `POLICY_MODE_TUNNEL' undeclared (first use in this function)
extensions/libipt_policy.c:291: error: `POLICY_MODE_TRANSPORT' undeclared (first use in this function)
extensions/libipt_policy.c: In function `print_mode':
extensions/libipt_policy.c:303: error: `POLICY_MODE_TRANSPORT' undeclared (first use in this function)
extensions/libipt_policy.c:306: error: `POLICY_MODE_TUNNEL' undeclared (first use in this function)
extensions/libipt_policy.c: In function `print_flags':
extensions/libipt_policy.c:369: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:374: error: `POLICY_MATCH_NONE' undeclared (first use in this function)
extensions/libipt_policy.c:379: error: `POLICY_MATCH_STRICT' undeclared (first use in this function)
make: *** [extensions/libipt_policy_sh.o] Error 1

--
Chris Mason

Tom Eastep wrote:
> Also, this is the *connrate match* patch, not the *connmark match* patch. You don't need this patch anyway (Shorewall has no support for it).

You said on the web site that iptables 1.3.1 was broken. Did it ever get fixed or do we need to patch for ever?

--
Chris Mason

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>>> cannot apply (3 rejects out of 4 hunks)"
>>
>> I just downloaded the 2.6.12 tarball -- looks like connmark match is already in that version.
>
> So only the policy match is important? I don't care so much about ipsec since I was pointed towards openvpn.

If you can use OpenVPN, do so -- it doesn't require any kernel patching.

-Tom

Chris Mason (Lists) wrote:
> Jerry Vonau wrote:
>> If you're starting with a 2.6.10+ kernel, as you stated in an earlier post, Tom's "ls" test would confirm that the source for that module is present; no patching needed for that module. You're just patching for PFKEY, for your ipsec support.
>
> How about policy routing?

You need policy routing for multi-ISP but it doesn't require any patching.

-Tom

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> Also, this is the *connrate match* patch, not the *connmark match* patch. You don't need this patch anyway (Shorewall has no support for it).
>
> You said on the web site that iptables 1.3.1 was broken. Did it ever get fixed or do we need to patch for ever?

It got fixed.

-Tom

Chris Mason (Lists) wrote:
> Building iptables did not go well. Suggestions?

My only suggestion is to search the archives of the Netfilter list to see if you can find anything similar. You might consider posting there as well -- a problem compiling iptables is pretty off-topic on this list.

Looks like it's failing compiling the policy match module. If you're not going to run IPSEC, you could always remove extensions/ipt_policy.c and hack up extensions/Makefile to not try to build it (if necessary -- I don't know if the Makefile mentions it by name or not).

It's been my experience that patch-o-matic and patch-o-matic-ng work one day and then the next day's snapshot is totally broken. I've totally stopped using features that require me to patch and compile my own software; it's just too much of a hassle. When a new kernel comes out, I usually build it and run it for a day or two to make sure that it plays Ok with Shorewall (I generally do that during the RC phase so I'm ahead of the final release); then I go back to my vendor-supplied kernel. That's especially true now that my firewall runs under Xen since compiling Xen kernels with other patches isn't something I'm wild about trying.

-Tom

Chris Mason (Lists) wrote:
> Building iptables did not go well. Suggestions?

FWIW, when policy match is available in the kernel, the missing declarations are in include/linux/netfilter_ipv4/ipt_policy.h in the kernel source tree.

-Tom

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> Building iptables did not go well. Suggestions?
>
> FWIW, when policy match is available in the kernel, the missing declarations are in include/linux/netfilter_ipv4/ipt_policy.h in the kernel source tree.

I've attached the file.

-Tom

Tom Eastep wrote:
> I've totally stopped using features that require me to patch and compile my own software; it's just too much of a hassle. When a new kernel comes out, I usually build it and run it for a day or two to make sure that it plays Ok with Shorewall (I generally do that during the RC phase so I'm ahead of the final release); then I go back to my vendor-supplied kernel. That's especially true now that my firewall runs under Xen since compiling Xen kernels with other patches isn't something I'm wild about trying.

Just for my info, what distribution are you using? SUSE was mentioned earlier; is this your preference for Shorewall?

--
Chris Mason

I was able to compile and install the iptables-1.3.0-2 rpm from fedora 4, and have compiled the kernel-2.6.12-1 rpm with ipsec patches and the policy match patch from patch-o-matic. I can't find a later iptables rpm.

If this box reboots with this kernel working, how far from being able to do Multi-ISP am I? Obviously I would reboot and try it if I could, but I am remote from it so I am not going to reboot it until I am there.

--
Chris Mason

> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Chris Mason (Lists)
>
> The new firewall I have been building for my Multi-ISP project is based on Centos 4.2. I am running into issues with capabilities as I want Contrack and IPSEC functionality.
> The kernel is 2.6.9-22.0.2.ELsmp and iptables is v1.2.11. I have downloaded the iptables source code 1.3.5 but I don't see what file I should be patching. Can anyone give me some guidance?

I usually recompile CentOS and Fedora kernel and iptables RPMs with patch-o-matic (and other things useful to me) for my servers.

I decided long ago, when the servers I was maintaining began to increase in number, to stay with RPM for manageability reasons. I personally think this was a good decision. I also decided to only modify CentOS and Fedora original RPMs if possible, for the same reasons.

I used to put them on my web site, but due to a combination of factors (lack of feedback, no one using them, + not plenty of spare time) I stopped publishing them. But I can reconsider it if someone is going to make use of these packages, give me some feedback and maybe help me in maintaining them.

Disclaimer: my packages are likely buggy, surely poorly maintained etc. etc. All the other standard disclaimers apply. But they do their work, at least for my particular needs.

Lux

Lux wrote:
> I usually recompile CentOS and Fedora kernel and iptables RPMs with patch-o-matic (and other things useful to me) for my servers.
> I decided long ago, when the servers I was maintaining began to increase in number, to stay with RPM for manageability reasons. I personally think this was a good decision. I also decided to only modify CentOS and Fedora original RPMs if possible, for the same reasons.
> I used to put them on my web site, but due to a combination of factors (lack of feedback, no one using them, + not plenty of spare time) I stopped publishing them. But I can reconsider it if someone is going to make use of these packages, give me some feedback and maybe help me in maintaining them.
> Disclaimer: my packages are likely buggy, surely poorly maintained etc. etc. All the other standard disclaimers apply. But they do their work, at least for my particular needs.
>
> Lux

I think what would be more useful would be to post and maintain a howto specific to shorewall's requirements. If the kernel I am patching and compiling works, I have copious notes and will post them. If anyone wants to do the same, they can follow the notes.

--
Chris Mason

Chris Mason (Lists) wrote:
> I was able to compile and install the iptables-1.3.0-2 rpm from fedora 4, and have compiled the kernel-2.6.12-1 rpm with ipsec patches and the policy match patch from patch-o-matic. I can't find a later iptables rpm.
> If this box reboots with this kernel working, how far from being able to do Multi-ISP am I?

Depends on whether you included all of the options you need in the kernel. I won't know for sure until you reboot and check the output of "shorewall show capabilities".

-Tom

Chris Mason (Lists) wrote:
> Just for my info, what distribution are you using? SUSE was mentioned earlier; is this your preference for Shorewall?

I recently migrated to SuSE. I had been running SuSE on my desktop and laptop for some time and decided to avoid the hassle of maintaining multiple different environments. Before that, I used Debian which is also nice for firewalls (I love the simple and powerful network configuration system on Debian). I almost never ran Debian kernels though; I compiled my own from kernel.org sources (which was a nuisance).

Once Kernel 2.6.16 is generally available in distributions, we should be past the need for patching except for corner cases -- currently ipsets and ipp2p.

-Tom

This is what you said Tom Eastep
> Chris Mason (Lists) wrote:
>> I was able to compile and install the iptables-1.3.0-2 rpm from fedora 4, and have compiled the kernel-2.6.12-1 rpm with ipsec patches and the policy match patch from patch-o-matic. I can't find a later iptables rpm.
>> If this box reboots with this kernel working, how far from being able to do Multi-ISP am I?
>
> Depends on whether you included all of the options you need in the kernel. I won't know for sure until you reboot and check the output of "shorewall show capabilities".
>
> -Tom

Not that I have any clue what I am doing, but because I am running CentOS 4.2 and was following this thread, I blindly went ahead and tried to execute a patch-o-matic. The patch-o-matic html page says to use cvs, but that documentation is apparently outdated. I was not running svn, so I tried compiling that, but I obviously forgot some options because I could not svn with SSL. I manually downloaded patch-o-matic and iptables 1.3.5.

I am running kernel 2.6.13.4 (obviously compiled from vanilla sources). I ran patch-o-matic telling it where my kernel sources were located and where iptables was located. I rebuilt the kernel and rebooted, though I am not sure anything changed.

I recompiled iptables 1.3.5, and as Tom pointed out the default directory from source is different than what was installed. I tried to use the BINDIR= and KERNEL_DIR= options, but still ended up with iptables in /usr/local/bin. iptables is now in the /sbin directory, in the location it was installed before I went down this path. If I run iptables -V from the prompt it shows 1.3.5.

I have no idea if what I did is correct, but the system does not appear to have any ill effects. I was confused by this thread because at the beginning it sounded like CentOS required an iptables upgrade along with some kernel patching. Later, as Tom pointed out, if you rolled your own kernel some of the modules needed were already present. Unfortunately I was already too deep in my experiment to turn back.

The bottom line here is that I believe you can manually upgrade CentOS (kernel/iptables/patch-o-matic) without too much trouble (for a single box). As others have mentioned, if this process needed to be rolled out to the enterprise the management would be a nightmare.

I know my contribution is weak, but I thought I would pass along my experiences with this experiment and let you know CentOS can be upgraded with patch-o-matic.

-Scott

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> Just for my info, what distribution are you using? SUSE was mentioned earlier; is this your preference for Shorewall?
>
> I recently migrated to SuSE. I had been running SuSE on my desktop and laptop for some time and decided to avoid the hassle of maintaining multiple different environments. Before that, I used Debian which is also nice for firewalls (I love the simple and powerful network configuration system on Debian). I almost never ran Debian kernels though; I compiled my own from kernel.org sources (which was a nuisance).
>
> Once Kernel 2.6.16 is generally available in distributions, we should be past the need for patching except for corner cases -- currently ipsets and ipp2p.

Just to confirm before I spend time installing it, SUSE 10 works beautifully for Multi-ISP shorewall installations?

--
Chris Mason

Chris Mason (Lists) wrote:
> Just to confirm before I spend time installing it, SUSE 10 works beautifully for Multi-ISP shorewall installations?

I have no idea -- I can only afford one ISP. I do know that it contains all of the kernel and iptables features that are required to run the Shorewall Multi-ISP hack.

-Tom

Tom Eastep wrote:
> I have no idea -- I can only afford one ISP.

Ouch... feel for you... but then again, you probably have one that works well. All of this is because I can't get a decent feed at a decent price, so I have to resort to spreading the traffic across a bunch of feeds of varying quality and price. Just to give you an idea, a T1 data feed here is $11,000/month. Not really an option.

> I do know that it contains all of the kernel and iptables features that are required to run the Shorewall Multi-ISP hack.

Hack, eh? Now I feel more comfortable!

--
Chris Mason

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>> Just to confirm before I spend time installing it, SUSE 10 works beautifully for Multi-ISP shorewall installations?
>
> I have no idea -- I can only afford one ISP. I do know that it contains all of the kernel and iptables features that are required to run the Shorewall Multi-ISP hack.
>
> -Tom

Yes it does, at least no kernel recompile needed.

Alex

Chris Mason (Lists) wrote:
>> I do know that it contains all of the kernel and iptables features that are required to run the Shorewall Multi-ISP hack.
>
> Hack, eh? Now I feel more comfortable!

I don't know what else to call it. Anyone who was really serious about having two uplinks for load-balancing and redundancy wouldn't be using static routing. But to get good dynamic routing, you need two commercial-grade uplinks that support a routing protocol like BGP.

There was a shell script posted on the list a while back that used 'ping' to monitor the health of the two gateways and attempted to reconfigure if one of the uplinks failed. That's great so long as all uplink failures happen between you and your ISP's gateway router; the last time I lost Internet access, I could ping my ISP's router the whole time.

The other hackish aspect to it is that it is integrated with the packet filter -- routing should be established when the network is started and should not be a function of starting the packet filter. If I could justify having two uplinks (which I can't), I would probably break the providers stuff off into a separate product so it could be started, stopped and reconfigured separately. But without a way to run the product in a live environment, I would be shamming folks if I claimed to have a routing product of any kind.

-Tom

Tom Eastep wrote:
> Chris Mason (Lists) wrote:
>>> I do know that it contains all of the kernel and iptables features that are required to run the Shorewall Multi-ISP hack.
>>
>> Hack, eh? Now I feel more comfortable!
>
> Anyone who was really serious about having two uplinks for load-balancing and redundancy wouldn't be using static routing. But to get good dynamic routing, you need two commercial-grade uplinks that support a routing protocol like BGP.

Well, in my case I don't want dynamic routing. All I want to do is determine some traffic is better suited for the less reliable route and route accordingly. I am not looking for failover either.

--
Chris Mason

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> Chris Mason (Lists) wrote:
>>>> I do know that it contains all of the kernel and iptables features that are required to run the Shorewall Multi-ISP hack.
>>>
>>> Hack, eh? Now I feel more comfortable!
>>
>> Anyone who was really serious about having two uplinks for load-balancing and redundancy wouldn't be using static routing. But to get good dynamic routing, you need two commercial-grade uplinks that support a routing protocol like BGP.
>
> Well, in my case I don't want dynamic routing. All I want to do is determine some traffic is better suited for the less reliable route and route accordingly.
> I am not looking for failover either.

Then the Shorewall stuff should work OK for you.

-Tom

Tom Eastep wrote:
> Depends on whether you included all of the options you need in the kernel. I won't know for sure until you reboot and check the output of "shorewall show capabilities".
>
> -Tom

Hi Tom,

I setup a small test box and followed my own instructions. I have the 2.6.12 kernel and iptables 1.4.5, and I applied the policy route patch. Here is the output. Are we there yet?

Chris

Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available

--
Chris Mason

One more problem you might have insight into:

Building iptables after patching, I get

Making dependencies: please wait...
In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
                 from /usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,
                 from include/libiptc/libiptc.h:6,
                 from libiptc/libip4tc.c:29:
/usr/src/linux/include/linux/config.h:6:2: #error including kernel header in userspace; use the glibc headers instead!

If I don't patch and build the iptables from the source rpm, it is fine, but then there are no patches.

--
Chris Mason

Chris Mason (Lists) wrote:
> Tom Eastep wrote:
>> Depends on whether you included all of the options you need in the kernel. I won't know for sure until you reboot and check the output of "shorewall show capabilities".
>>
>> -Tom
>
> Hi Tom,
> I setup a small test box and followed my own instructions. I have the 2.6.12 kernel and iptables 1.4.5, and I applied the policy route patch. Here is the output. Are we there yet?
> Chris
>
> Shorewall has detected the following iptables/netfilter capabilities:
> NAT: Available
> Packet Mangling: Available
> Multi-port Match: Available
> Extended Multi-port Match: Available
> Connection Tracking Match: Available
> Packet Type Match: Available
> Policy Match: Not available
> Physdev Match: Available
> IP range Match: Available
> Recent Match: Available
> Owner Match: Available
> Ipset Match: Not available
> CONNMARK Target: Available
> Connmark Match: Available
> Raw Table: Available
> CLASSIFY Target: Available

Looks good, provided that you don't need IPSEC.

-Tom

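Added example, not Shorewall's code or anything posted in this thread: a small checker that parses a "shorewall show capabilities" report like the ones pasted above (quoted or not) and lists what is missing for a given feature. The requirement sets are an assumption drawn from what this thread says (CONNMARK target and match for Multi-ISP, Policy Match only for IPSEC), not Shorewall's official list, and both sample reports are constructed to mirror the two outputs posted in the thread.

```python
"""Check 'shorewall show capabilities' output against feature requirements.

Added example; not Shorewall code. REQUIREMENTS is an assumption taken from
this thread (CONNMARK for Multi-ISP, Policy Match for IPSEC), not an
official list.
"""
import re
from typing import Dict, List

# Constructed sample: the report from the stock CentOS 4.2 kernel at the
# start of the thread (no CONNMARK, no policy match).
REPORT_STOCK = """\
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available
CLASSIFY Target: Available
"""

# Constructed sample: the report from the rebuilt 2.6.12 test box
# (CONNMARK present, policy match still absent).
REPORT_REBUILT = REPORT_STOCK.replace(
    "Extended Multi-port Match: Not available", "Extended Multi-port Match: Available"
).replace("CONNMARK Target: Not available", "CONNMARK Target: Available"
).replace("Connmark Match: Not available", "Connmark Match: Available")

# Assumed requirement sets, derived from this thread rather than Shorewall docs.
REQUIREMENTS: Dict[str, List[str]] = {
    "multi-isp": ["NAT", "Packet Mangling", "CONNMARK Target", "Connmark Match"],
    "ipsec": ["Policy Match"],
}

# One capability line: "<name>: Available" or "<name>: Not available".
_CAP_LINE = re.compile(r"^([^:]+?):\s*(Available|Not available)\s*$", re.IGNORECASE)


def parse_capabilities(report: str) -> Dict[str, bool]:
    """Map each capability name to True (Available) or False (Not available).

    The banner line, blank lines and anything else that is not a capability
    line are ignored. Leading '>' mail-quote prefixes are stripped first so a
    report pasted from a quoted reply parses the same as the original.
    """
    caps: Dict[str, bool] = {}
    for raw in report.splitlines():
        line = raw.lstrip("> ").strip()
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1).strip()] = m.group(2).lower() == "available"
    return caps


def missing_for(caps: Dict[str, bool], feature: str) -> List[str]:
    """Required capabilities that are reported unavailable or not listed at all."""
    return [name for name in REQUIREMENTS[feature] if not caps.get(name, False)]


def summarize(report: str) -> Dict[str, List[str]]:
    """Feature name -> list of missing capabilities (empty list means usable)."""
    caps = parse_capabilities(report)
    return {feature: missing_for(caps, feature) for feature in REQUIREMENTS}


if __name__ == "__main__":
    for label, report in (("stock kernel", REPORT_STOCK), ("rebuilt kernel", REPORT_REBUILT)):
        print(label)
        for feature, gaps in summarize(report).items():
            print(f"  {feature}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```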
Chris Mason (Lists) wrote:
> One more problem you might have insight into:
> Building iptables after patching, I get
>
> Making dependencies: please wait...
> In file included from /usr/src/linux/include/linux/netfilter_ipv4.h:8,
>                  from /usr/src/linux/include/linux/netfilter_ipv4/ip_tables.h:26,
>                  from include/libiptc/libiptc.h:6,
>                  from libiptc/libip4tc.c:29:
> /usr/src/linux/include/linux/config.h:6:2: #error including kernel
> header in userspace; use the glibc headers instead!
>
> If I don't patch and build the iptables from the source rpm, it is fine,
> but then there are no patches.

You might see if the 5th patch from my set of IPSEC patches helps. I had similar problems but the symptoms weren't quite the same. I thought that the Netfilter guys had picked up that patch.

-Tom
One more problem (I solved the last) - the policy match patch doesn't build:

extensions/libipt_policy.c: In function `parse_direction':
extensions/libipt_policy.c:104: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:104: error: (Each undeclared identifier is reported only once
extensions/libipt_policy.c:104: error: for each function it appears in.)
extensions/libipt_policy.c:106: error: `POLICY_MATCH_OUT' undeclared (first use in this function)
extensions/libipt_policy.c: In function `parse_policy':
extensions/libipt_policy.c:113: error: `POLICY_MATCH_NONE' undeclared (first use in this function)
extensions/libipt_policy.c: In function `parse_mode':
extensions/libipt_policy.c:122: error: `POLICY_MODE_TRANSPORT' undeclared (first use in this function)
extensions/libipt_policy.c:124: error: `POLICY_MODE_TUNNEL' undeclared (first use in this function)
extensions/libipt_policy.c: In function `parse':
extensions/libipt_policy.c:143: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:143: error: `POLICY_MATCH_OUT' undeclared (first use in this function)
extensions/libipt_policy.c:160: error: `POLICY_MATCH_STRICT' undeclared (first use in this function)
extensions/libipt_policy.c:200: error: incompatible types in assignment
extensions/libipt_policy.c:201: error: incompatible types in assignment
extensions/libipt_policy.c:215: error: incompatible types in assignment
extensions/libipt_policy.c:216: error: incompatible types in assignment
extensions/libipt_policy.c:246: error: `POLICY_MAX_ELEM' undeclared (first use in this function)
extensions/libipt_policy.c: In function `final_check':
extensions/libipt_policy.c:268: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:268: error: `POLICY_MATCH_OUT' undeclared (first use in this function)
extensions/libipt_policy.c:272: error: `POLICY_MATCH_NONE' undeclared (first use in this function)
extensions/libipt_policy.c:273: error: `POLICY_MATCH_STRICT' undeclared (first use in this function)
extensions/libipt_policy.c:290: error: `POLICY_MODE_TUNNEL' undeclared (first use in this function)
extensions/libipt_policy.c:291: error: `POLICY_MODE_TRANSPORT' undeclared (first use in this function)
extensions/libipt_policy.c: In function `print_mode':
extensions/libipt_policy.c:303: error: `POLICY_MODE_TRANSPORT' undeclared (first use in this function)
extensions/libipt_policy.c:306: error: `POLICY_MODE_TUNNEL' undeclared (first use in this function)
extensions/libipt_policy.c: In function `print_flags':
extensions/libipt_policy.c:369: error: `POLICY_MATCH_IN' undeclared (first use in this function)
extensions/libipt_policy.c:374: error: `POLICY_MATCH_NONE' undeclared (first use in this function)
extensions/libipt_policy.c:379: error: `POLICY_MATCH_STRICT' undeclared (first use in this function)
make: *** [extensions/libipt_policy_sh.o] Error 1
error: Bad exit status from /var/tmp/rpm-tmp.86614 (%build)
Chris Mason wrote:
> One more problem (I solved the last) - the policy match patch doesn't
> build:

Chris -- I told you about that one last night (even sent you a header file to correct it).

-Tom
Tom Eastep wrote:
> Chris Mason wrote:
>> One more problem (I solved the last) - the policy match patch doesn't
>> build:
>
> Chris -- I told you about that one last night (even sent you a header
> file to correct it).
>
> -Tom
>
Yes, you did, sorry. Does it go in the kernel source or the iptables source? Or both?
Chris Mason wrote:
> Tom Eastep wrote:
>> Chris Mason wrote:
>>> One more problem (I solved the last) - the policy match patch doesn't
>>> build:
>>
>> Chris -- I told you about that one last night (even sent you a header
>> file to correct it).
>>
>> -Tom
>>
> Yes, you did, sorry. Does it go in the kernel source or the iptables
> source? Or both?

Check my messages -- it goes in the kernel source tree but I don't off-hand recall where. I mentioned it in the message before the one that included the file itself.

-Tom
> Check my messages -- it goes in the kernel source tree but I don't
> off-hand recall where. I mentioned it in the message before the one that
> included the file itself.
>
> -Tom
>
I tried that first but it didn't improve the problem. However, all these patches are only for ipsec, right? I don't need them. I am rebuilding the rpms and will install without patches.

The 2.6.16 kernel should be in the fedora updates soon, right?

Chris
Chris Mason wrote:
>> Check my messages -- it goes in the kernel source tree but I don't
>> off-hand recall where. I mentioned it in the message before the one that
>> included the file itself.
>>
>> -Tom
>>
> I tried that first but it didn't improve the problem. However, all these
> patches are only for ipsec, right? I don't need them. I am rebuilding
> the rpms and will install without patches.
> The 2.6.16 kernel should be in the fedora updates soon, right?

I would think so.

-Tom
I promised to post my summary of setting up a Centos 4.2 server kernel to be able to use the Multi ISP features. I never got the IPSEC patches in place so it is not complete, but I don't need IPSEC anyway so I don't care.

I installed Centos 4.2 Single Server disk. I don't see any reason to bother with the multi disk setup since yum will add groups as needed. Then I ran yum update and brought the server up to date.

I downloaded the Shorewall 3.05 rpm and installed it.

Since the object is to be able to use the Multi-ISP features, the stock kernel is not adequate as it does not include the routing policy patch. We download the 2.6.12 kernel to get the features we need.

# wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/kernel-2.6.12-1.1381_FC3.src.rpm
# rpm -i kernel-2.6.12-1.1381_FC3.src.rpm
# cd /usr/src/redhat/SPECS/
# vi kernel.spec

Find

%define release %(R="$Revision: 1.1381 $"; RR="${R##: }"; echo ${RR%%?})_FC3%{rhbsys}

and change it to

%define release %(R="$Revision: 1.1381 $"; RR="${R##: }"; echo ${RR%%?})_FC3CM%{rhbsys}

so the kernel version is marked as yours.

# rpmbuild -bp --target=i686 kernel-2.6.spec

Copy the correct config file to .config:

# cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12
# cp configs/kernel-2.6.12-i686-smp.config .config

Get the iptables rpm:

# wget ftp://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/iptables-1.3.5-1.2.src.rpm

Get patch-o-matic: browse ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ , find and download the tarball.

# tar -C /var/tmp -jxvf patch-o-matic-ng-20060224.tar.bz2
# cd /var/tmp/patch-o-matic-ng-20060224/

Set up the patch-o-matic-ng environment:

# KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12 \
  IPTABLES_DIR=/usr/src/redhat/BUILD/iptables-1.3.5 \
  ./runme extra

Apply patch "policy". This should have the necessary patches to the kernel source.

Copy the correct config file to .config:

# cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12
# cp configs/kernel-2.6.12-i686-smp.config .config   # or the right file for your config
# make oldconfig   (answer "m" to any changes)

Build the kernel and modules:

# make all

Install the modules into place (/lib/modules):

# make modules_install

Install the kernel:

# make install
# ll

Edit /boot/grub/grub.conf; you'll find that the kernel has already been added, but default=1 points to your previous kernel. Set default=0.

After the reboot, providing it does reboot, you should see the required options:

# shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
NAT: Available
Packet Mangling: Available
Multi-port Match: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
Packet Type Match: Available
Policy Match: Not available
Physdev Match: Available
IP range Match: Available
Recent Match: Available
Owner Match: Available
Ipset Match: Not available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available
CLASSIFY Target: Available

Note that you won't have ipsec without some additional patches.

After that, follow the Multi ISP tutorial at http://www.shorewall.net/MultiISP.html

I find it wonderful for controlling which service uses which interface, i.e. sending web browsing traffic out the cheaper ADSL connection and saving dedicated links for voice.
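The thread's own success test is the before/after diff of "shorewall show capabilities". Below is an added POSIX shell check (not from the thread or from Shorewall) that automates that comparison; the list of required capabilities is an assumption taken from the three entries that changed from "Not available" to "Available" in the reports quoted above, and the sample reports are constructed, abridged copies of those two reports.

```shell
#!/bin/sh
# Added example, not from the thread: compare a "shorewall show capabilities"
# report against the capabilities the Multi-ISP rebuild above was after.
# ASSUMPTION: the required set is the three entries that flipped from
# "Not available" (stock CentOS 4.2 kernel) to "Available" (rebuilt kernel).
REQUIRED_CAPS='CONNMARK Target
Connmark Match
Extended Multi-port Match'

# Constructed, abridged sample of the stock-kernel report from the thread.
STOCK_REPORT='NAT: Available
Extended Multi-port Match: Not available
Connection Tracking Match: Available
CONNMARK Target: Not available
Connmark Match: Not available
Raw Table: Available'

# Constructed, abridged sample of the rebuilt-kernel report from the thread.
REBUILT_REPORT='NAT: Available
Extended Multi-port Match: Available
Connection Tracking Match: Available
CONNMARK Target: Available
Connmark Match: Available
Raw Table: Available'

# missing_caps REPORT: print every required capability whose line is not
# exactly "Name: Available". "Not available" and an absent line both count
# as missing, so an older Shorewall that omits a capability is caught too.
missing_caps() {
    printf '%s\n' "$REQUIRED_CAPS" | while IFS= read -r cap; do
        printf '%s\n' "$1" | grep -qxF "$cap: Available" || printf '%s\n' "$cap"
    done
}

# check_caps REPORT: return 0 when every required capability is available,
# 1 otherwise, naming the missing ones on stderr.
check_caps() {
    missing=$(missing_caps "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing capability: /' >&2
        return 1
    fi
    return 0
}

# Live use on the firewall (needs Shorewall installed):
#   check_caps "$(shorewall show capabilities)" && echo "ready for Multi-ISP"
```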
On Wednesday 15 March 2006 05:31, Chris Mason (Lists) wrote:
> I promised to post my summary of setting up a Centos 4.2 server kernel
> to be able to use the Multi ISP features. I never got the IPSEC patches
> in place so it is not complete but I don't need IPSEC anyway so I don't
> care.

Thanks, Chris!

-Tom