Greetings!

I am using Shorewall version 4.0.0-1 on Suse 10.

When I start/restart Shorewall I get an error:

    FATAL: Error inserting nf_conntrack_ipv4
    (/lib/modules/2.6.13-15-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko):
    Device or resource busy

Shorewall works I guess, but I don't know which part of Shorewall isn't working because of this error. Can somebody suggest what I should do to fix this?

I also have a question relating to the /var/log/messages file. In previous versions this file contained all the data relevant to hack attempts. Now it shows nothing. Is this maybe related to the problem mentioned above?

Thanks for your help.

Scorpy

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/

Scorpy wrote:
> I am using Shorewall version 4.0.0-1 on Suse 10.

Are you using shorewall-shell or shorewall-perl? Is this SEL 10.0? OpenSuSE 10.0, ???

> When I start/restart Shorewall I get an error:
> FATAL: Error inserting nf_conntrack_ipv4
> (/lib/modules/2.6.13-15-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko):
> Device or resource busy

I suggest that you copy /usr/share/shorewall/modules to /etc/shorewall/modules and modify the copy to the bare minimum (those modules from the 'helper' section that you actually use such as ip_conntrack_ftp, ip_nat_ftp, ...).

> Shorewall works I guess, but I don't know which part of Shorewall isn't
> working because of this error.

If shorewall start/restart succeeds then Shorewall is working.

> I also have a question relating to the /var/log/messages file. In previous
> versions

Previous versions of what? Shorewall? SuSE?

> this file contained all the data relevant to hack attempts. Now
> it shows nothing.

The reason that I've been asking about your SuSE version is that SuSE switched to using syslog_ng somewhere in the 10 series; with syslog_ng, all netfilter messages (including Shorewall's) are logged to /var/log/firewall rather than /var/log/messages. Remember -- Shorewall has no control over where messages are logged; the LOGFILE setting in shorewall.conf merely tells /sbin/shorewall where to look for the messages when processing the 'show log', 'logwatch' and 'dump' commands. See http://www.shorewall.net/shorewall_logging.html.

> Is this maybe related to the problem mentioned above?

No. The module loading message has to do with different kernel versions having different valid combinations of loaded modules.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Good afternoon,

I figured that since I was putting along with 3.4 and had not had time to upgrade to 4.0 yet, that I would do it this morning and see if I could add any input. I had two problems, both concerning starting Shorewall.

I am running SuSE Linux 10.0 on an i586:

    > cat /etc/SuSE-release
    SUSE LINUX 10.0 (i586)
    VERSION = 10.0

The installation is pretty well out-of-the-box, meaning I have only installed patches from SuSE, have not recompiled the kernel, etc.

I upgraded to 4.0 this morning using rpm's (installed common and both compilers), redid the configuration files (.rpmnew) and everything went fine until I did a 'shorewall check' to verify the configuration before restarting. The machine froze, for the most part (only the mouse pointer and, strangely, the kde volume control worked). I had no response otherwise and had to power off the machine to get any control. I had the same result with both compilers.

Since the other question was about modules and Tom had a suggestion on that one, I took an old /usr/share/shorewall/modules, copied it into /etc/shorewall and I could once again at least try to start shorewall.

I can offer very little information about that problem as the machine locks up - any attempt to generate a trace file fails. The last line printed on the screen from 'shorewall debug check' was "Loading modules...". That was also the last line of a debug print from /usr/share/shorewall/lib.base.

I have another 'shorewall start' problem that I believe I have seen before but I do not seem to remember seeing a solution: there is an error in a line in the /var/lib/shorewall/.iptables-restore-input file:

    iptables-restore v1.3.3: addrtype: bad type `BROADCAST-j'
    Error occurred at line: 80
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
    ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
    /sbin/shorewall: line 375: 11947 Terminated ${VARDIR}/.start $debugging start

The problem is that there is a space missing between "BROADCAST" and "-j", but there are other lines which are correct (i.e.: "BROADCAST -j").

I have attached a trace file and the restore file just in case.

Thanks, and have a good weekend.

Patrick

--
Patrick McNeil
Université de Montréal - DGTIC
PP, X-216
Telephone: (514) 343-6111, ext. 5247
E-mail: Patrick.McNeil@umontreal.ca
Fax: (514) 343-2155
Pager: (514) 480-3957, mcneilp@paget.dgtic.umontreal.ca

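A check for the defect reported above, as an added example that is not part of the original thread: it scans an iptables-restore input file for --src-type/--dst-type arguments that are not valid addrtype names, which is how a fused token such as BROADCAST-j shows up. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-restore input file
# for bad addrtype arguments such as the fused token "BROADCAST-j".

# lint_addrtype FILE
#   Prints LINE:TOKEN for each --src-type/--dst-type argument that is not a
#   valid addrtype name (or comma-separated list of names).
#   Returns 1 if any were found, 0 otherwise.
lint_addrtype() {
    awk '
        BEGIN {
            types = "UNSPEC UNICAST LOCAL BROADCAST ANYCAST MULTICAST"
            types = types " BLACKHOLE UNREACHABLE PROHIBIT THROW NAT XRESOLVE"
            n = split(types, t, " ")
            for (i = 1; i <= n; i++) valid[t[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "--src-type" && $i != "--dst-type") continue
                # option given as the last word on the line: no argument at all
                if (i == NF) { printf "%d:(missing)\n", NR; bad = 1; continue }
                m = split($(i + 1), part, ",")
                for (j = 1; j <= m; j++) {
                    if (!(part[j] in valid)) {
                        printf "%d:%s\n", NR, $(i + 1)
                        bad = 1
                        break
                    }
                }
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample, NOT the file attached in the thread.
write_sample_restore_input() {
    cat > "$1" <<'EOF'
# constructed sample
*filter
:INPUT DROP [0:0]
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --src-type BROADCAST-j DROP
-A INPUT -m addrtype --dst-type MULTICAST,ANYCAST -j DROP
COMMIT
EOF
}

sample=$(mktemp)
write_sample_restore_input "$sample"
lint_addrtype "$sample" || echo "bad addrtype argument(s) found" >&2
rm -f "$sample"
```

On a real system the file to check is the one named in the error message, /var/lib/shorewall/.iptables-restore-input.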
Patrick McNeil wrote:
> I am running SuSE Linux 10.0 on an i586:
>
>> cat /etc/SuSE-release
> SUSE LINUX 10.0 (i586)
> VERSION = 10.0
>
> The installation is pretty well out-of-the-box, meaning I have only
> installed patches from SuSE, have not recompiled the kernel, etc.
>
> I upgraded to 4.0 this morning using rpm's (installed common and both
> compilers), redid the configuration files (.rpmnew) and everything went
> fine until I did a 'shorewall check' to verify the configuration before
> restarting. The machine froze, for the most part (only the mouse
> pointer and, strangely, the kde volume control worked). I had no
> response otherwise and had to power off the machine to get any control.
> I had the same result with both compilers.
>
> Since the other question was about modules and Tom had a suggestion on
> that one, I took an old /usr/share/shorewall/modules, copied it into
> /etc/shorewall and I could once again at least try to start shorewall.

I didn't completely follow that; you are saying that the machine froze unconditionally when you used the 4.0.0 modules file (which hasn't changed since 3.4.2) but did not experience this problem when using some other modules file?

> I can offer very little information about that problem as the machine
> locks up - any attempt to generate a trace file fails. The last line
> printed on the screen from 'shorewall debug check' was "Loading
> modules...". That was also the last line of a debug print from
> /usr/share/shorewall/lib.base.

I can offer little advice either. Shell scripts, even those that invoke modprobe should not be capable of freezing the system.

> I have another 'shorewall start' problem that I believe I have seen
> before but I do not seem to remember seeing a solution: there is an
> error in a line in the /var/lib/shorewall/.iptables-restore-input file:
>
> iptables-restore v1.3.3: addrtype: bad type `BROADCAST-j'
> Error occurred at line: 80
> Try `iptables-restore -h' or 'iptables-restore --help' for more
> information.
> ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> /sbin/shorewall: line 375: 11947 Terminated
> ${VARDIR}/.start $debugging start
>
> The problem is that there is a space missing between "BROADCAST" and
> "-j", but there are other lines which are correct (i.e.: "BROADCAST -j").

Attached is a patch that should correct the problem.

-Tom

Tom Eastep wrote:
> I can offer little advice either. Shell scripts, even those that invoke
> modprobe should not be capable of freezing the system.

I guess that one thing you could try would be to:

    cd /tmp
    cp /usr/share/shorewall/modules .
    perl -i -p -e 's/loadmodule/modprobe --verbose/' modules
    . modules

You'll get a bunch of messages like this:

    FATAL: Module xt_hashlimit not found.

but it might also show us where things go south. At any rate, it should give you something to report to SuSE/Novell.

-Tom

Tom Eastep wrote:
> but it might also show us where things go south. At any rate, it should give
> you something to report to SuSE/Novell.

I suggest that he upgrade; SUSE 10.0 is reaching EOL in Oct and it is extremely unlikely that non-security-related bugs will ever be fixed.

On Fri, 2007-07-27 at 15:19 -0700, Tom Eastep wrote:
> Attached is a patch that should correct the problem.

That patch is bogus -- see http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.5/known_problems.txt for two patches that together correct the problem.

-Tom

On Sat, 2007-07-28 at 15:49 -0700, Tom Eastep wrote:
> On Fri, 2007-07-27 at 15:19 -0700, Tom Eastep wrote:
> > Attached is a patch that should correct the problem.
>
> That patch is bogus -- see
> http://www1.shorewall.net/pub/shorewall/3.4/shorewall-3.4.5/known_problems.txt for two patches that together correct the problem.

Gee, I'm having a good weekend -- can't even copy and paste the right link.

Here's the correct link:

http://www1.shorewall.net/pub/shorewall/4.0/shorewall-4.0.0/known_problems.txt

-Tom

Thanks Tom. Have a good (what's left of your) weekend.

Patrick

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Good afternoon,

Here is just a bit more information for those who may be interested.

Suse 10.0 hangs when trying to load the nf_conntrack module, either using Shorewall or manually. The strange part is that I don't think that it should try - it should select ip_conntrack rather than the nf_ style module, if I am not mistaken.

It works correctly in Opensuse 10.2, but in a simple default install only the ip_ style modules are installed, so the nf_ module is never called.

Thanks for your help.

Patrick

Patrick McNeil wrote:
> Good afternoon,
>
> Here is just a bit more information for those who may be interested.
>
> Suse 10.0 hangs when trying to load the nf_conntrack module, either
> using Shorewall or manually. The strange part is that I don't think
> that it should try - it should select ip_conntrack rather than the nf_
> style module, if I am not mistaken.
>
> It works correctly in Opensuse 10.2, but in a simple default install
> only the ip_ style modules are installed, so the nf_ module is never called.
>
> Thanks for your help.

I don't understand what help you are looking for. You can copy /usr/share/shorewall/modules to /etc/shorewall/modules and change it any way that you feel that you need to.

-Tom

Hi Tom,

I am not looking for help, really. It is just that on my last post (last Friday I believe), I mentioned that I would, for posterity's sake, tell which module was causing problems.

I did indeed do as suggested (made a copy of modules in /usr/shorewall) and I commented out all nf_ style modules and everything works fine.

The important part is that people using Suse 10.0 might need to make this change before upgrading to Shorewall 4.

Thanks again.

Patrick

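The workaround described in the message above (a local copy of the modules file with the nf_ style modules commented out), as an added example that is not part of the original thread. The function names and the sample file are constructed; the only format detail taken from the thread is that module lines begin with the word loadmodule.

```shell
#!/bin/sh
# Added example (not from the thread): create a local Shorewall modules
# override in which every nf_* module load is commented out.

# make_modules_override SRC DST
#   Copies SRC to DST, turning each active "loadmodule nf_..." line into a
#   comment. Prints the disabled module names, one per line. DST is written
#   via a temporary file so a failed run never leaves a truncated DST.
make_modules_override() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    tmp="$dst.new.$$"
    : > "$tmp" || return 1
    if awk -v out="$tmp" '
        # active nf_* load: comment it out in the copy, report the module name
        /^[ \t]*loadmodule[ \t]+nf_/ { print ("#" $0) > out; print $2; next }
        # everything else (other modules, existing comments) is copied as-is
        { print > out }
    ' "$src"; then
        mv "$tmp" "$dst"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample in the style of a modules file, NOT the shipped file.
write_sample_modules() {
    cat > "$1" <<'EOF'
# constructed sample
loadmodule ip_tables
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule nf_conntrack
    loadmodule nf_conntrack_ipv4
#loadmodule nf_conntrack_ftp
loadmodule xt_hashlimit
EOF
}

work=$(mktemp -d)
write_sample_modules "$work/modules.stock"
echo "disabled:"
make_modules_override "$work/modules.stock" "$work/modules"
echo "nf_ lines in the override:"
grep -n 'nf_' "$work/modules"
rm -rf "$work"
```

Following the advice earlier in the thread, SRC would be /usr/share/shorewall/modules and DST /etc/shorewall/modules.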
Patrick McNeil wrote:
> Hi Tom,
>
> I am not looking for help, really. It is just that on my last post
> (last Friday I believe), I mentioned that I would, for posterity's sake,
> tell which module was causing problems.
>
> I did indeed do as suggested (made a copy of modules in /usr/shorewall)
> and I commented out all nf_ style modules and everything works fine.
>
> The important part is that people using Suse 10.0 might need to make
> this change before upgrading to Shorewall 4.

Hi Patrick,

Thanks for the clarification and for following up.

-Tom