Hey,

I was reading about some people here in the mailing lists that repackaged some Kernel RPMs for Fedora Core, RHEL and CentOS that have built-in Policy Match etc.

Since I am a newbie with Kernel and I don't know how to compile my own, with running CentOS 4.3, I was wondering if somebody could send me the RPM that was repackaged and includes all the patches needed for ipsec?

Thanks in advance!

--
greetings,
benni.
-SDG-

Benjamin Mack wrote:
> Hey,
>
> I was reading about some people here in the mailing lists that
> repackaged some Kernel RPMs for Fedora Core, RHEL and CentOS that have
> built-in Policy Match etc.
>
> Since I am a newbie with Kernel and I don't know how to compile my own,
> with running CentOS 4.3, I was wondering if somebody could send me the
> RPM that was repackaged and includes all the patches needed for ipsec?
>
> Thanks in advance!
>

This is from my Fedora 5 box:

[root@squid jerry]# uname -a
Linux squid 2.6.16-1.2080_FC5 #1 Tue Mar 28 03:38:34 EST 2006 i686 i686 i386 GNU/Linux
[root@squid jerry]#

[root@squid jerry]# /sbin/shorewall show capabilities
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Not available
   CONNMARK Target: Available
   Connmark Match: Available
   Raw Table: Available
   CLASSIFY Target: Available
[root@squid jerry]#

The only thing that is missing is the ipset support, with this kernel available from the update repos.

Jerry

Hey Jerry,

First of all: thanks for your answer.

Yeah, I know that policy match is now available in the Fedora Core 5 (since 2.6.16) kernels. But: My server / gateway / fw runs CentOS and I cannot use the FC5 kernels in CentOS. I also cannot install another distribution on that machine.

So I was wondering if somebody actually has CentOS or RHEL kernel packages?

Thanks again!

greetings,
benni.
-SDG-

Jerry Vonau wrote:
> Benjamin Mack wrote:
>> Hey,
>>
>> I was reading about some people here in the mailing lists that
>> repackaged some Kernel RPMs for Fedora Core, RHEL and CentOS that have
>> built-in Policy Match etc.
>>
>> Since I am a newbie with Kernel and I don't know how to compile my
>> own, with running CentOS 4.3, I was wondering if somebody could send
>> me the RPM that was repackaged and includes all the patches needed for
>> ipsec?
>>
>> Thanks in advance!
>>
>
> This is from my Fedora 5 box:
>
> [root@squid jerry]# uname -a
> Linux squid 2.6.16-1.2080_FC5 #1 Tue Mar 28 03:38:34 EST 2006 i686 i686 i386 GNU/Linux
> [root@squid jerry]#
>
> [root@squid jerry]# /sbin/shorewall show capabilities
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Available
>    Physdev Match: Available
>    IP range Match: Available
>    Recent Match: Available
>    Owner Match: Available
>    Ipset Match: Not available
>    CONNMARK Target: Available
>    Connmark Match: Available
>    Raw Table: Available
>    CLASSIFY Target: Available
> [root@squid jerry]#
>
> The only thing that is missing is the ipset support, with this kernel
> available from the update repos.
>
> Jerry

> From: shorewall-users-admin@lists.sourceforge.net
> [mailto:shorewall-users-admin@lists.sourceforge.net]On Behalf Of
> Benjamin Mack
> Sent: Thursday, April 06, 2006 10:11 AM

> I was reading about some people here in the mailing lists that
> repackaged some Kernel RPMs for Fedora Core, RHEL and CentOS that have
> built-in Policy Match etc.

Sorry for replying so late.

Maybe you refer to a post sent by me, http://sourceforge.net/mailarchive/message.php?msg_id=14925533 .

I'm putting back online my rpms now. You can find them in http://repo.iotti.biz/ .

Please be patient, I haven't got so much time, but you can find what you need if you want to run the IPSec and policy extensions needed for Shorewall.

Be also patient because, since I was the only one using them in the last year, I wrote the comments in the modified spec files in plain Italian, my mother language. If someone is going to use them, I'll be happy to translate my comments to English and to write the changelog, which at the moment I maintain only in my mind :(

I'll be happy to hear suggestions about them.

Disclaimer: my packages are likely buggy, are surely poorly maintained etc. etc. If you use them, you do it at your own risk. All the other standard disclaimers apply.

Luigi

Benjamin Mack wrote:
> Hey,
>
> I was reading about some people here in the mailing lists that
> repackaged some Kernel RPMs for Fedora Core, RHEL and CentOS that have
> built-in Policy Match etc.
>
> Since I am a newbie with Kernel and I don't know how to compile my
> own, with running CentOS 4.3, I was wondering if somebody could send
> me the RPM that was repackaged and includes all the patches needed for
> ipsec?

You can roll your own pretty easily by following the directions I posted recently, repeated below:

I promised to post my summary of setting up a CentOS 4.2 server kernel to be able to use the Multi ISP features. I never got the IPSEC patches in place so it is not complete but I don't need IPSEC anyway so I don't care.

I installed CentOS 4.2 Single Server disk. I don't see any reason to bother with the multi disk setup since yum will add groups as needed. Then I ran yum update and brought the server up to date.

I downloaded Shorewall 3.05 rpm and installed.

Since the object is to be able to use the Multi-ISP features, the stock kernel is not adequate as it does not include the routing policy patch. We download the 2.6.12 kernel to get the features we need.

    # wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/kernel-2.6.12-1.1381_FC3.src.rpm
    # rpm -i kernel-2.6.12-1.1381_FC3.src.rpm
    # cd /usr/src/redhat/SPECS/
    # vi kernel-2.6.spec

    %define release %(R="$Revision: 1.1381 $"; RR="${R##: }"; echo ${RR%%?})_FC3%{rhbsys}

And change to

    %define release %(R="$Revision: 1.1381 $"; RR="${R##: }"; echo ${RR%%?})_FC3CM%{rhbsys}

So the kernel version is marked as yours.

    # rpmbuild -bp --target=i686 kernel-2.6.spec

Copy the correct config file to .config

    # cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12
    # cp configs/kernel-2.6.12-i686-smp.config .config

Get iptables rpm

    # wget ftp://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS/iptables-1.3.5-1.2.src.rpm

Get patch-o-matic

Browse ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/ , find and download the tarball

    # tar -C /var/tmp -jxvf patch-o-matic-ng-20060224.tar.bz2
    # cd /var/tmp/patch-o-matic-ng-20060224/

Setup the patch-o-matic-ng environment

    # KERNEL_DIR=/usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12 \
      IPTABLES_DIR=/usr/src/redhat/BUILD/iptables-1.3.5 \
      ./runme extra

Apply patch policy

This should have the necessary patches to the kernel source.

Copy the correct config file to .config

    # cd /usr/src/redhat/BUILD/kernel-2.6.12/linux-2.6.12
    # cp configs/kernel-2.6.12-i686-smp.config .config    # or the right file for your config
    # make oldconfig

(answer "m" to any changes)

Build the kernel and modules

    # make all

Install the modules into place /lib/modules

    # make modules_install

Install kernel

    # make install

Edit /boot/grub/grub.conf, you'll find that the kernel has already been added, but the default=1 points to your previous kernel. Set default=0.

After the reboot, providing it does reboot, you should see the required option:

    # shorewall show capabilities
    Shorewall has detected the following iptables/netfilter capabilities:
       NAT: Available
       Packet Mangling: Available
       Multi-port Match: Available
       Extended Multi-port Match: Available
       Connection Tracking Match: Available
       Packet Type Match: Available
       Policy Match: Not available
       Physdev Match: Available
       IP range Match: Available
       Recent Match: Available
       Owner Match: Available
       Ipset Match: Not available
       CONNMARK Target: Available
       Connmark Match: Available
       Raw Table: Available
       CLASSIFY Target: Available

Note that you won't have ipsec without some additional patches.

After that, follow the Multi ISP tutorial at http://www.shorewall.net/MultiISP.html

I find it wonderful for controlling which service uses which interface, i.e., sending web browsing traffic out the cheaper ADSL connection and saving dedicated links for voice.

--
Chris Mason
NetConcepts
(264) 497-5670 Fax: (264) 497-8463
Int: (305) 704-7249 Fax: (815)301-9759
UK 44.207.183.0271
Cell: 264-235-5670
Yahoo IM: netconcepts_anguilla@yahoo.com

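Added example, not part of any post in this thread: a POSIX shell check that reads a `shorewall show capabilities` report like the ones quoted above and fails when a required capability, such as the Policy Match that the thread says IPsec needs, is not reported as Available. The function names and the shortened sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that a freshly built kernel
# and iptables expose the netfilter features a Shorewall setup depends on.

# Constructed sample, shortened from the capability reports quoted in the thread.
SAMPLE_REPORT='Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Policy Match: Not available
   Ipset Match: Not available
   CONNMARK Target: Available'

# missing_caps NAME...
# Reads a capability report on stdin and prints one line for every required
# capability that is not reported as "Available" (including ones not listed).
missing_caps() {
    report=$(cat)
    for cap in "$@"; do
        status=$(printf '%s\n' "$report" | awk -F': *' -v want="$cap" '
            { name = $1; sub(/^[ \t]+/, "", name) }
            name == want { s = $2; sub(/[ \t\r]+$/, "", s); print s; exit }')
        [ "$status" = "Available" ] || printf '%s: %s\n' "$cap" "${status:-not listed}"
    done
}

# check_caps NAME...
# Returns 0 only when every named capability is available; otherwise lists
# the missing ones on stderr and returns 1, so it can gate a restart script.
check_caps() {
    missing=$(missing_caps "$@")
    if [ -n "$missing" ]; then
        printf 'missing capabilities:\n%s\n' "$missing" >&2
        return 1
    fi
}

# On a live firewall the report would come from the command itself:
#   shorewall show capabilities | check_caps "Policy Match"
printf '%s\n' "$SAMPLE_REPORT" | check_caps "Policy Match" "NAT" ||
    echo "not ready for IPsec policy rules"
```

Run it after booting the rebuilt kernel and before enabling any configuration that depends on the feature, so a missing patch shows up as a clear failure instead of a Shorewall startup error.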
Hey,

Thanks, Luigi, I'm trying your packages as soon as I get to it.

Thank you very much!!

greetings,
benni.
-SDG-

Lux wrote:
>> From: shorewall-users-admin@lists.sourceforge.net
>> [mailto:shorewall-users-admin@lists.sourceforge.net]On Behalf Of
>> Benjamin Mack
>> Sent: Thursday, April 06, 2006 10:11 AM
>
>> I was reading about some people here in the mailing lists that
>> repackaged some Kernel RPMs for Fedora Core, RHEL and CentOS that have
>> built-in Policy Match etc.
>
> Sorry for replying so late.
> Maybe you refer to a post sent by me,
> http://sourceforge.net/mailarchive/message.php?msg_id=14925533 .
> I'm putting back online my rpms now. You can find them in
> http://repo.iotti.biz/ .
> Please be patient, I haven't got so much time, but you can find what you need
> if you want to run the IPSec and policy extensions needed for Shorewall.
> Be also patient because, since I was the only one using them in the last
> year, I wrote the comments in the modified spec files in plain Italian, my
> mother language. If someone is going to use them, I'll be happy to translate
> my comments to English and to write the changelog, which at the moment I
> maintain only in my mind :(
> I'll be happy to hear suggestions about them.
> Disclaimer: my packages are likely buggy, are surely poorly maintained
> etc. etc. If you use them, you do it at your own risk. All the other standard
> disclaimers apply.
>
> Luigi