Hello,

My hoster updated its kernel packages... It contained some old problems that should have been fixed. My servers now have a wonderful 2.6.21.5 kernel + grsec running. Both are running Debian 4.0 (stable release).

mx:/etc/shorewall# iptables --version
iptables v1.3.6
mx:/etc/shorewall# uname -a
Linux mx.network-hosting.com 2.6.21.5-grsec-xxxx-grs-ipv4-32 #1 SMP Fri Jul 27 17:18:23 CEST 2007 i686 GNU/Linux

Shorewall 3.4.3 failed to start and crashed... I removed it as it was a little bit old (./uninstall.sh from the source folder).
I installed Shorewall 4.0.0 (shorewall-perl and shorewall-common).
I modified the configuration files to meet my requirements (based on the old files, in order not to miss anything).

When I want to start Shorewall, I get the following message:

==========================================================================
mx:/usr/share/shorewall# shorewall -vvvvv safe-start
Compiling...
Processing /etc/shorewall/params ...
Loading Modules...
Opening /proc/modules: No such file or directory
Shorewall has detected the following capabilities:
   Address Type Match: Available
   CLASSIFY Target: Available
   CONNMARK Target: Not Available
   Capability Version: 3.4.5
   Comments: Available
   Connection Tracking Match: Not Available
   Connmark Match: Not Available
   Extended CONNMARK Target: Not Available
   Extended Connmark Match: Not Available
   Extended Mark Target: Available
   Extended Multi-port Match: Available
   Extended Reject: Available
   IP Range Match: Available
   IPP2P Match: Not Available
   Ipset Match: Not Available
   MARK Target: Available
   Mangle FORWARD Chain: Available
   Multi-port Match: Available
   NAT: Not Available
   Owner Match: Available
   Packet Mangling: Available
   Packet Type Match: Available
   Packet length Match: Available
   Physdev Match: Not Available
   Policy Match: Available
   Raw Table: Available
   Recent Match: Available
   Repeat match: Available
   TCP MSS: Available
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
   Interface "wan eth0 detect blacklist,tcpflags" Validated
Determining Hosts in Zones...
   fw (firewall)
   wan (ipv4)
      eth0:0.0.0.0/0
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro /usr/share/shorewall/macro.Auth
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro /usr/share/shorewall/macro.AllowICMPs
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro /usr/share/shorewall/macro.SMB
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro /usr/share/shorewall/macro.DropUPnP
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro /usr/share/shorewall/macro.DropDNSrep
   Pre-processing /usr/share/shorewall/action.Reject...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro /usr/share/shorewall/macro.Auth
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro /usr/share/shorewall/macro.SMB
Compiling /etc/shorewall/policy...
   Policy for fw to wan is ACCEPT using chain fw2wan
   Policy for fw to wan is DROP using chain all2all
   Policy for wan to fw is DROP using chain all2all
Processing /etc/shorewall/initdone...
Blacklisting enabled on eth0:0.0.0.0/0
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling MAC Verification for  -- Phase 1...
Compiling /etc/shorewall/rules...
   Rule "ACCEPT wan fw tcp imap,imaps,pop3,smtp,http,domain,8000:8050,5060" Compiled
   Rule "ACCEPT wan fw udp domain,5060" Compiled
   Rule "ACCEPT wan:82.231.94.173 fw tcp ssh" Compiled
   Rule "ACCEPT wan:82.236.63.169 fw tcp ssh" Compiled
   Rule "ACCEPT wan fw icmp" Compiled
   Rule "ACCEPT wan:cache.ovh.net fw tcp ssh" Compiled
   Rule "ACCEPT wan:91.121.21.217 fw all" Compiled
Generating Transitive Closure of Used-action List...
   Processing /usr/share/shorewall/action.Reject for chain Reject...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
   Processing /usr/share/shorewall/action.Drop for chain Drop...
   ..Expanding Macro /usr/share/shorewall/macro.Auth...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.AllowICMPs...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.SMB...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropUPnP...
   ..End Macro
   ..Expanding Macro /usr/share/shorewall/macro.DropDNSrep...
   ..End Macro
Compiling MAC Filtration -- Phase 2...
Compiling MAC Verification for  -- Phase 2...
Applying Policies...
   Policy ACCEPT from fw to wan using chain fw2wan
   Policy DROP from wan to fw using chain all2all
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting...
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running iptables-restore...
iptables-restore: line 124 failed
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Processing /etc/shorewall/stopped ...
Shorewall Cleared
/sbin/shorewall: line 816: 25971 Complété               ${VARDIR}/.$command $command
==========================================================================

mx:/usr/share/shorewall# wc -l /var/lib/shorewall/.iptables-restore-input
124 /var/lib/shorewall/.iptables-restore-input
mx:/usr/share/shorewall# more /var/lib/shorewall/.iptables-restore-input
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:blacklst - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:fw2wan - [0:0]
:logdrop - [0:0]
:logflags - [0:0]
:logreject - [0:0]
:reject - [0:0]
:smurfs - [0:0]
:tcpflags - [0:0]
:wan2fw - [0:0]
-A INPUT -i eth0 -j eth0_in
-A INPUT -i lo -j ACCEPT
-A INPUT -j Drop
-A INPUT -j DROP
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j Drop
-A FORWARD -j DROP
-A OUTPUT -o eth0 -j eth0_out
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j Drop
-A OUTPUT -j DROP
-A Drop -p 6 --dport 113 -j reject
-A Drop -j dropBcast
-A Drop -p icmp --icmp-type 3/4 -j ACCEPT
-A Drop -p icmp --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
-A Drop -p 17 -m multiport --dports 135,445 -j DROP
-A Drop -p 17 --dport 137:139 -j DROP
-A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP
-A Drop -p 6 -m multiport --dports 135,139,445 -j DROP
-A Drop -p 17 --dport 1900 -j DROP
-A Drop -p 6 -j dropNotSyn
-A Drop -p 17 --sport 53 -j DROP
-A Reject -p 6 --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p icmp --icmp-type 3/4 -j ACCEPT
-A Reject -p icmp --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p 17 -m multiport --dports 135,445 -j reject
-A Reject -p 17 --dport 137:139 -j reject
-A Reject -p 17 --dport 1024:65535 --sport 137 -j reject
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject
-A Reject -p 17 --dport 1900 -j DROP
-A Reject -p 6 -j dropNotSyn
-A Reject -p 17 --sport 53 -j DROP
-A all2all -m state --state ESTABLISHED,RELATED -j ACCEPT
-A all2all -j Drop
-A all2all -j DROP
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m state --state INVALID -j DROP
-A dropNotSyn -p tcp ! --syn -j DROP
-A eth0_fwd -m state --state NEW,INVALID -j dynamic
-A eth0_fwd -m state --state NEW,INVALID -j blacklst
-A eth0_fwd -p tcp -j tcpflags
-A eth0_in -m state --state NEW,INVALID -j dynamic
-A eth0_in -m state --state NEW,INVALID -j blacklst
-A eth0_in -p tcp -j tcpflags
-A eth0_in -j wan2fw
-A eth0_out -j fw2wan
-A fw2wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fw2wan -j ACCEPT
-A logdrop -j DROP
-A logflags -j LOG --log-ip-options --log-level 6 --log-prefix "Shorewall:logflags:DROP:"
-A logflags -j DROP
-A logreject -j reject
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 0.0.0.0 -j RETURN
-A smurfs -m addrtype --src-type BROADCAST -j LOG --log-level 6 --log-prefix "Shorewall:smurfs:DROP:"
-A smurfs -m addrtype --src-type BROADCAST -j DROP
-A smurfs -s 224.0.0.0/4 -j LOG --log-level 6 --log-prefix "Shorewall:smurfs:DROP:"
-A smurfs -s 224.0.0.0/4 -j DROP
-A tcpflags -p tcp --tcp-flags ALL FIN,URG,PSH -j logflags
-A tcpflags -p tcp --tcp-flags ALL NONE -j logflags
-A tcpflags -p tcp --tcp-flags SYN,RST SYN,RST -j logflags
-A tcpflags -p tcp --tcp-flags SYN,FIN SYN,FIN -j logflags
-A tcpflags -p tcp --syn --sport 0 -j logflags
-A wan2fw -m state --state ESTABLISHED,RELATED -j ACCEPT
-A wan2fw -p 6 -m multiport --dports 143,993,110,25,80,53,8000:8050,5060 -j ACCEPT
-A wan2fw -p 17 -m multiport --dports 53,5060 -j ACCEPT
-A wan2fw -p 6 --dport 22 -s 82.231.94.173 -j ACCEPT
-A wan2fw -p 6 --dport 22 -s 82.236.63.169 -j ACCEPT
-A wan2fw -p icmp -j ACCEPT
-A wan2fw -p 6 --dport 22 -s cache.ovh.net -j ACCEPT
-A wan2fw -p all -s 91.121.21.217 -j ACCEPT
-A wan2fw -j all2all
COMMIT
==========================================================================

Line 124 is the last one... "COMMIT"... If I try to remove it, you can guess that it yells that it wants a COMMIT line!

If I do a "shorewall start", the firewall starts, but I cannot connect to the host anymore... Not very useful, as you can guess :)

Which tests could I perform to find the way forward to solve this issue?
I googled a bit and saw that lots of things have changed between the old kernel I had (2.6.18.1) and the one I have now (2.6.21.5)... But I found no case with the specific error I'm faced with...

Any help will be greatly appreciated :)

Have a nice day.. Or evening... Or night...

Jerome Blion.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/
Jérôme Blion wrote:
>
> Any help will be greatly appreciated :)
>

Does 'shorewall start -C shell' work?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jérôme Blion wrote:
>
>> Any help will be greatly appreciated :)
>>
>
> Does 'shorewall start -C shell' work?
>
> -Tom
>

I want to use shorewall-perl, but it does not cost anything to test shorewall-shell...

mx:~# shorewall safe-start -C shell
Compiling...
   ERROR: SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed

==> So I installed it :-)

mx:/usr/share/shorewall-shell# shorewall safe-start
[ ... about 30 sec to wait for the answer ... ]
Giving up on lock file /var/lib/shorewall/lock
Compiling...
Opening /proc/modules: No such file or directory
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
   Processing /usr/share/shorewall/action.Reject for chain Reject...
   Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting...
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running iptables-restore...
iptables-restore: line 124 failed
   ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Processing /etc/shorewall/stopped ...
Shorewall Cleared
/sbin/shorewall: line 816:  6074 Complété               ${VARDIR}/.$command $command

Not better... Another idea in mind? :)

Jerome Blion.
Jérôme Blion wrote:
> Tom Eastep wrote:
>> Jérôme Blion wrote:
>>
>>> Any help will be greatly appreciated :)
>>>
>>
>> Does 'shorewall start -C shell' work?
>>
>> -Tom
>>
> I want to use shorewall-perl, but it does not cost anything to test
> shorewall-shell...
>
> mx:~# shorewall safe-start -C shell
> Compiling...
>    ERROR: SHOREWALL_COMPILER=shell requires the shorewall-shell package
> which is not installed
> ==> So I installed it :-)
>
> mx:/usr/share/shorewall-shell# shorewall safe-start
> [ ... about 30 sec to wait for the answer ... ]
> Giving up on lock file /var/lib/shorewall/lock
> Compiling...
> Opening /proc/modules: No such file or directory
> Compiling /etc/shorewall/zones...
> Compiling /etc/shorewall/interfaces...
> Determining Hosts in Zones...
> Preprocessing Action Files...
>    Pre-processing /usr/share/shorewall/action.Drop...
>    Pre-processing /usr/share/shorewall/action.Reject...
> Compiling /etc/shorewall/policy...
> Compiling TCP Flags filtering...
> Compiling Kernel Route Filtering...
> Compiling Martian Logging...
> Compiling MAC Filtration -- Phase 1...
> Compiling /etc/shorewall/rules...
> Generating Transitive Closure of Used-action List...
>    Processing /usr/share/shorewall/action.Reject for chain Reject...
>    Processing /usr/share/shorewall/action.Drop for chain Drop...
> Compiling MAC Filtration -- Phase 2...
> Applying Policies...
> Generating Rule Matrix...
> Creating iptables-restore input...
> Shorewall configuration compiled to /var/lib/shorewall/.start
> Starting...
> Processing /etc/shorewall/params ...
> Starting Shorewall....
> Initializing...
> Processing /etc/shorewall/init ...
> Setting up ARP filtering...
> Setting up Route Filtering...
> Setting up Martian Logging...
> Setting up Accept Source Routing...
> Setting up Proxy ARP...
> Setting up Traffic Control...
> Preparing iptables-restore input...
> Running iptables-restore...
> iptables-restore: line 124 failed
>    ERROR: iptables-restore Failed. Input is in
> /var/lib/shorewall/.iptables-restore-input
> Processing /etc/shorewall/stop ...
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> Processing /etc/shorewall/stopped ...
> Shorewall Cleared
> /sbin/shorewall: line 816:  6074 Complété
> ${VARDIR}/.$command $command
>
> Not better...
>

You still haven't tested Shorewall-shell.

Please 'shorewall start -C shorewall-shell' or, if you insist on using safe-start, then 'shorewall safe-start -C shorewall-shell'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jérôme Blion wrote:
>
>> Tom Eastep wrote:
>>
>>> Jérôme Blion wrote:
>>>
>>>> Any help will be greatly appreciated :)
>>>>
>>>
>>> Does 'shorewall start -C shell' work?
>>>
>>> -Tom
>>>
>> I want to use shorewall-perl, but it does not cost anything to test
>> shorewall-shell...
>>
>> mx:~# shorewall safe-start -C shell
>> Compiling...
>>    ERROR: SHOREWALL_COMPILER=shell requires the shorewall-shell package
>> which is not installed
>> ==> So I installed it :-)
>>
>> mx:/usr/share/shorewall-shell# shorewall safe-start
>> [ ... about 30 sec to wait for the answer ... ]
>> Giving up on lock file /var/lib/shorewall/lock
>> Compiling...
>> Opening /proc/modules: No such file or directory
>> Compiling /etc/shorewall/zones...
>> Compiling /etc/shorewall/interfaces...
>> Determining Hosts in Zones...
>> Preprocessing Action Files...
>>    Pre-processing /usr/share/shorewall/action.Drop...
>>    Pre-processing /usr/share/shorewall/action.Reject...
>> Compiling /etc/shorewall/policy...
>> Compiling TCP Flags filtering...
>> Compiling Kernel Route Filtering...
>> Compiling Martian Logging...
>> Compiling MAC Filtration -- Phase 1...
>> Compiling /etc/shorewall/rules...
>> Generating Transitive Closure of Used-action List...
>>    Processing /usr/share/shorewall/action.Reject for chain Reject...
>>    Processing /usr/share/shorewall/action.Drop for chain Drop...
>> Compiling MAC Filtration -- Phase 2...
>> Applying Policies...
>> Generating Rule Matrix...
>> Creating iptables-restore input...
>> Shorewall configuration compiled to /var/lib/shorewall/.start
>> Starting...
>> Processing /etc/shorewall/params ...
>> Starting Shorewall....
>> Initializing...
>> Processing /etc/shorewall/init ...
>> Setting up ARP filtering...
>> Setting up Route Filtering...
>> Setting up Martian Logging...
>> Setting up Accept Source Routing...
>> Setting up Proxy ARP...
>> Setting up Traffic Control...
>> Preparing iptables-restore input...
>> Running iptables-restore...
>> iptables-restore: line 124 failed
>>    ERROR: iptables-restore Failed. Input is in
>> /var/lib/shorewall/.iptables-restore-input
>> Processing /etc/shorewall/stop ...
>> iptables: No chain/target/match by that name
>> iptables: No chain/target/match by that name
>> Processing /etc/shorewall/stopped ...
>> Shorewall Cleared
>> /sbin/shorewall: line 816:  6074 Complété
>> ${VARDIR}/.$command $command
>>
>> Not better...
>>
>
> You still haven't tested Shorewall-shell.
>
> Please 'shorewall start -C shorewall-shell' or, if you insist on using
> safe-start, then 'shorewall safe-start -C shorewall-shell'.
>
> -Tom
>

Sorry, I installed the shell version, but did not force it to run... It gives me the following results:

mx:/usr/local/src/shorewall-shell-4.0.0# ./install.sh
Installing Shorewall-shell Version 4.0.0
/usr/share/shorewall-shell saved to /usr/share/shorewall-shell-4.0.0.bkout
Compiler installed in /usr/share/shorewall-shell/compiler
Library accounting file installed as /usr/share/shorewall-shell/lib.accounting
Library actions file installed as /usr/share/shorewall-shell/lib.actions
Library maclist file installed as /usr/share/shorewall-shell/lib.maclist
Library nat file installed as /usr/share/shorewall-shell/lib.nat
Library providers file installed as /usr/share/shorewall-shell/lib.providers
Library proxyarp file installed as /usr/share/shorewall-shell/lib.proxyarp
Library tc file installed as /usr/share/shorewall-shell/lib.tc
Library tcrules file installed as /usr/share/shorewall-shell/lib.tcrules
Library tunnels file installed as /usr/share/shorewall-shell/lib.tunnels
Program skeleton file footer installed as /usr/share/shorewall-shell/prog.footer
Program skeleton file header installed as /usr/share/shorewall-shell/prog.header
shorewall-shell Version 4.0.0 Installed

mx:/usr/local/src/shorewall-shell-4.0.0# shorewall safe-start -C shell
Giving up on lock file /var/lib/shorewall/lock
Compiling...
Initializing...
Determining Zones...
   IPv4 Zones: wan
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Validating Policy file...
Determining Hosts in Zones...
   wan Zone: eth0:0.0.0.0/0
Deleting user chains...
Compiling /etc/shorewall/routestopped ...
Creating Interface Chains...
Compiling Common Rules
Compiling TCP Flags checking...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling IP Forwarding...
Compiling /etc/shorewall/rules...
Compiling Actions...
   Compiling /usr/share/shorewall/action.Drop for Chain Drop...
   Compiling /usr/share/shorewall/action.Reject for Chain Reject...
Compiling /etc/shorewall/policy...
Compiling Traffic Control Rules...
Compiling Rule Activation...
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting...
Processing /etc/shorewall/params ...
Starting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Clearing Traffic Control/QOS
Deleting user chains...
iptables: No chain/target/match by that name
   ERROR: Command "/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" Failed
Processing /etc/shorewall/stop ...
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
Processing /etc/shorewall/stopped ...
Shorewall Cleared
/sbin/shorewall: line 816: 13209 Complété               ${VARDIR}/.$command $command

Is there something wrong with this line?

Best regards.
Jerome Blion.
Jérôme Blion wrote:
> iptables: No chain/target/match by that name
>    ERROR: Command "/sbin/iptables -A FORWARD -m state --state
> ESTABLISHED,RELATED -j ACCEPT" Failed
> Processing /etc/shorewall/stop ...
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> Processing /etc/shorewall/stopped ...
> Shorewall Cleared
> /sbin/shorewall: line 816: 13209 Complété
> ${VARDIR}/.$command $command
>
> Is there something wrong with this line?

No. It looks like the kernel your hoster installed doesn't include state match support.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
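The diagnosis above is the kind of thing that can be checked before a firewall start is attempted: iptables-restore submits each table to the kernel when it reaches that table's COMMIT line, so a rule that needs a match extension the kernel does not provide is reported against the COMMIT line (the last line of the file in the first message), not against the rule itself. The following POSIX shell script is an added example and is not code from this thread or from the Shorewall project. It reads an iptables-restore input file such as /var/lib/shorewall/.iptables-restore-input, lists the match and target extensions the rules ask for, and compares them with the lists the kernel publishes in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets. Both /proc paths are passed as arguments so that captured copies can be checked offline; the sample rules and the deliberately incomplete kernel lists written by write_sample are constructed for the demonstration and do not come from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of Shorewall: find the netfilter
# extensions an iptables-restore input file needs and report which ones the
# kernel lacks. Arguments are plain files so the check works on captured
# copies of /proc/net/ip_tables_matches and /proc/net/ip_tables_targets.

# Matches requested explicitly with "-m NAME", one per line, deduplicated.
# Protocol matches pulled in implicitly by "-p tcp --dport" are not listed.
required_matches() {
    grep -oE -- '(^| )-m [A-Za-z0-9_]+' "$1" | awk '{ print $2 }' | sort -u
}

# Targets requested with "-j NAME", excluding the built-in verdicts and the
# chains the file itself declares (":NAME - [0:0]"), which need no module.
required_targets() {
    rt_file=$1
    grep -oE -- '(^| )-j [A-Za-z0-9_]+' "$rt_file" | awk '{ print $2 }' | sort -u |
    while read -r t; do
        case "$t" in ACCEPT|DROP|RETURN|QUEUE) continue ;; esac
        grep -qE "^:$t " "$rt_file" || printf '%s\n' "$t"
    done
}

# Print "match NAME" / "target NAME" for every extension absent from the
# kernel's lists; return 0 when nothing is missing, 1 otherwise.
missing_extensions() {
    me_file=$1; me_matches=$2; me_targets=$3; me_rc=0
    for m in $(required_matches "$me_file"); do
        grep -qx "$m" "$me_matches" || { echo "match $m"; me_rc=1; }
    done
    for t in $(required_targets "$me_file"); do
        grep -qx "$t" "$me_targets" || { echo "target $t"; me_rc=1; }
    done
    return $me_rc
}

# Constructed sample: a few Shorewall-style rules, and a kernel that (like the
# one in the thread) has no state match and, for the demonstration, no REJECT.
write_sample() {
    cat > "$1/restore" <<'EOF'
*filter
:INPUT DROP [0:0]
:Drop - [0:0]
:reject - [0:0]
-A INPUT -j Drop
-A Drop -p 6 --dport 113 -j reject
-A Drop -p 17 -m multiport --dports 135,445 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j LOG --log-prefix "Shorewall:smurfs:DROP:"
COMMIT
EOF
    printf '%s\n' multiport addrtype tcp udp icmp > "$1/matches"
    printf '%s\n' LOG > "$1/targets"
}

# Stand-alone demonstration on the constructed sample.
tmp=$(mktemp -d)
write_sample "$tmp"
echo "Extensions the sample kernel lacks:"
if missing_extensions "$tmp/restore" "$tmp/matches" "$tmp/targets"; then
    echo "(none) - the rule set can be loaded"
else
    echo "the rule set cannot be loaded on this kernel"
fi
rm -rf "$tmp"
```

On a live host the call is `missing_extensions /var/lib/shorewall/.iptables-restore-input /proc/net/ip_tables_matches /proc/net/ip_tables_targets`. On a hardened kernel that hides parts of /proc (the thread shows /proc/modules being unreadable), the two lists may be unavailable as well; in that case `iptables -m state --help` is a direct way to ask iptables whether a given match can be loaded, and the "Connection Tracking Match: Not Available" line in Shorewall's own capability report in the first message already pointed at the same missing extension.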
Jérôme Blion wrote:
> mx:/usr/local/src/shorewall-shell-4.0.0# shorewall safe-start -C shell
> Giving up on lock file /var/lib/shorewall/lock

Also looks like you have a stale lock file. Get rid of it with "rm /var/lib/shorewall/lock".

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jérôme Blion wrote:
>
>> mx:/usr/local/src/shorewall-shell-4.0.0# shorewall safe-start -C shell
>> Giving up on lock file /var/lib/shorewall/lock
>>
>
> Also looks like you have a stale lock file. Get rid of it with "rm
> /var/lib/shorewall/lock".
>
> -Tom
>

The behaviour is strange... I have the problem only when I install shorewall-perl AND shorewall-shell at the same time. When I have only shorewall-perl, everything works fine...

I will look at the other message... It's possible that some features have been forgotten...

Thanks for the advice :) I appreciate your help.

Jerome Blion.
Hi,

After having removed all lines trying to create rules with "-m state", I have the following:

mx:/var/lib/shorewall# iptables-restore < /var/lib/shorewall/.iptables-restore-input
mx:/var/lib/shorewall# echo $?
0

serveur:~# nmap mx.network-hosting.com -p22,25,80,143,8080 -sV

Starting Nmap 4.20 ( http://insecure.org ) at 2007-07-30 01:14 CEST
Interesting ports on mx.network-hosting.com (87.98.219.114):
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 4.3p2 Debian 9 (protocol 2.0)
25/tcp   filtered smtp
80/tcp   open     http       Apache httpd 2.2.4 ((Unix) DAV/2 PHP/5.2.1)
143/tcp  open     imap       Courier Imapd (released 2004)
8080/tcp filtered http-proxy
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 7.826 seconds

I think you found the real problem on the server... The kernel does not include enough modules...
And as it has been built with security in mind, I cannot insert the needed modules... A new kernel is needed.

==> Is there a way to work without state match?

I asked my hoster to add all of Netfilter's modules, but I don't know if he will do it...

Thank you for your help :)

Jerome Blion.
Jérôme Blion wrote:
> Hi,
>
> After having removed all lines trying to create rules with "-m state", I
> have the following:
>
> mx:/var/lib/shorewall# iptables-restore <
> /var/lib/shorewall/.iptables-restore-input
> mx:/var/lib/shorewall# echo $?
> 0
>

It was really a bad idea :) The server was unable to reach other servers... "shorewall clear" cleaned up the situation...

Wait & See :)

Jerome.
Jérôme Blion wrote:
>
> I think you found the real problem on the server... The kernel does not
> include enough modules...
> And as it has been built with security in mind, I cannot insert the
> needed modules... A new kernel is needed.
>
> ==> Is there a way to work without state match?

No. Shorewall implements a stateful firewall.

> I asked my hoster to add all of Netfilter's modules, but I don't know if he
> will do it...

Good luck,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jérôme Blion wrote:
>
>> I asked my hoster to add all of Netfilter's modules, but I don't know if he
>> will do it...
>>
>
> Good luck,
> -Tom
>

It's done :)
Everything works fine now.
Thank you for the diagnostic.

Best regards.
Jerome Blion.
Jérôme Blion wrote:
> It's done :)
> Everything works fine now.
> Thank you for the diagnostic.

You are welcome. Glad to hear that it is working now.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key