I just upgraded to Shorewall 4.0.6 from 3.2.1. I am using the shorewall-perl compiler. With my old config I had the following in my rules file:

# forward FTP traffic to the FTP server
FTP/DNAT-                 inet    loc:192.168.1.50

# slow down Brute Force attacks. Limit the number
# of connections per minute that can occur.
Limit:ULOG:FTPBFA,4,120   inet    loc:192.168.1.50    tcp    21    -    $ETH2_IP

I now get this error when running 'shorewall restart':

ERROR: Limit rules require Recent Match in your kernel and iptables

If I run 'shorewall show capabilities' I receive the following:

Recent Match: Not available

Here is the output from 'lsmod':

sudo lsmod | grep recent
ipt_recent             11608  0
ip_tables              22720  46 iptable_raw,ipt_ULOG,ipt_ttl,ipt_TOS,ipt_tos,ipt_TCPMSS,ipt_tcpmss,ipt_sctp,ipt_SAME,ipt_REDIRECT,ipt_recent,ipt_realm,ipt_pkttype,ipt_physdev,ipt_owner,ipt_NOTRACK,ipt_NETMAP,ipt_multiport,ipt_MASQUERADE,ipt_MARK,ipt_mark,ipt_mac,ipt_LOG,ipt_limit,ipt_length,ipt_iprange,ipt_helper,ipt_hashlimit,ipt_esp,ipt_ECN,ipt_ecn,ipt_DSCP,ipt_dscp,ipt_conntrack,ipt_CONNMARK,ipt_connmark,ipt_comment,ipt_CLUSTERIP,ipt_CLASSIFY,ipt_ah,ipt_addrtype,iptable_nat,iptable_mangle,ipt_REJECT,ipt_state,iptable_filter

I assume ipt_recent is the module for Recent Match support?? My iptables version is iptables v1.3.5 and my kernel is 2.6.13.4 (compiled from source). Is ipt_recent the correct module for Recent Match support? Do I not have something enabled in iptables?

I am re-reading the port knocking docs with the shorewall-shell stuff, but I have not wrapped my head around everything. I am looking for some advice on where I should be looking to nail down this error.

Thanks.

-- 
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper from Novell. From the desktop to the data center, Linux is going mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
Tom Eastep
2007-Nov-28 23:20 UTC
Re: Limit Rule, Recent Match support, & shorewall upgrade
Scott Ruckh wrote:
> 
> If I run 'shorewall show capabilities' I receive the following:
> Recent Match: Not available

Please try this:

iptables -N foo
iptables -A foo -m recent --update -j ACCEPT

What happens?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Scott Ruckh
2007-Nov-28 23:35 UTC
Re: Limit Rule, Recent Match support, & shorewall upgrade
This is what you said, Tom Eastep:
> Scott Ruckh wrote:
> 
>> 
>> If I run 'shorewall show capabilities' I receive the following:
>> Recent Match: Not available
> 
> Please try this:
> 
> iptables -N foo
> iptables -A foo -m recent --update -j ACCEPT
> 
> What happens?

$ sudo iptables -N foo
$ sudo iptables -A foo -m recent --update -j ACCEPT
iptables v1.3.5: Couldn't load match `recent':/usr/lib/iptables/libipt_recent.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.

$ sudo locate libipt_recent.so
/usr/local/lib/iptables/libipt_recent.so
/lib64/iptables/libipt_recent.so

/lib64/iptables/libipt_recent.so is from the vendor-supplied iptables (iptables-1.2.11-3.1.RHEL4).

/usr/local/lib/iptables/libipt_recent.so I would assume is from version 1.3.5, which I compiled some time back.

Obviously, neither of them is in the location where iptables is looking.
Tom Eastep
2007-Nov-28 23:39 UTC
Re: Limit Rule, Recent Match support, & shorewall upgrade
Scott Ruckh wrote:
> 
> $ sudo iptables -N foo
> $ sudo iptables -A foo -m recent --update -j ACCEPT
> 
> iptables v1.3.5: Couldn't load match
> `recent':/usr/lib/iptables/libipt_recent.so: cannot open shared object
> file: No such file or directory
> 
> Try `iptables -h' or 'iptables --help' for more information.
> 
> $ sudo locate libipt_recent.so
> /usr/local/lib/iptables/libipt_recent.so
> /lib64/iptables/libipt_recent.so
> 
> /lib64/iptables/libipt_recent.so is from the vendor-supplied iptables
> (iptables-1.2.11-3.1.RHEL4).
> 
> /usr/local/lib/iptables/libipt_recent.so I would assume is from version 1.3.5,
> which I compiled some time back.
> 
> Obviously, neither of them is in the location where iptables is looking.

Looks like you need to clean up such that you have a single consistent copy of iptables and its libraries installed.

-Tom
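The probe Tom asks for, and the raw iptables rules a Limit rule such as Limit:ULOG:FTPBFA,4,120 boils down to, as an added example in POSIX shell that is not Shorewall's own code. It assumes the iptables 1.3.x error format Scott pasted (which names the directory the binary searched), a chain name fw2dmz and a recent list name FTPBFA; the log chain uses LOG rather than the ULOG target of the original rule so it works without ulogd, and the rule layout illustrates how the recent match behaves rather than reproducing Shorewall's generated chains exactly.

```shell
#!/bin/sh
# Added example, not Shorewall's own code.
#   recent_probe      - Tom's test in a scratch chain, with cleanup
#   libdir_from_error - the extension directory named in the
#                       "Couldn't load match" message of iptables 1.3.x
#   limit_rules       - raw rules for "at most RATE new connections per
#                       SECONDS seconds from any one source to DEST:PORT"

# Add one -m recent rule to a scratch chain, then remove the chain again.
# Exit status: 0 = recent match usable; 1 = iptables could not load the
# match (no libipt_recent.so where it looks, or no ipt_recent in the
# kernel); 2 = iptables missing or not running as root.
recent_probe() {
    chain="probe_recent_$$"
    iptables -N "$chain" 2>/dev/null || return 2
    if iptables -A "$chain" -m recent --name probe --update -j ACCEPT 2>/dev/null; then
        status=0
    else
        status=1
    fi
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return $status
}

# Read a message such as
#   Couldn't load match `recent':/usr/lib/iptables/libipt_recent.so: cannot open ...
# from stdin and print the directory iptables searched (empty if none is
# named).  That directory is where the one consistent set of libipt_*.so
# files must live.  Newer iptables versions no longer print the path.
libdir_from_error() {
    sed -n "s/.*Couldn't load match \`[^']*':\(.*\)\/libipt_[a-z0-9_]*\.so:.*/\1/p"
}

# Ask for a match that does not exist, so iptables reveals its directory.
iptables_libdir() {
    iptables -m nosuchmatch -h 2>&1 | libdir_from_error
}

# limit_rules CHAIN NAME RATE SECONDS DEST PORT [LOGPREFIX]
# Prints the rules; NAME is the recent list.  Note the kernel keeps at most
# ip_pkt_list_tot (default 20) timestamps per address, so a --hitcount
# above 20 needs that ipt_recent module parameter raised.
limit_rules() {
    chain=$1 name=$2 rate=$3 seconds=$4 dest=$5 port=$6 logprefix=${7:-}
    match="-p tcp -d $dest --dport $port -m state --state NEW"
    target=DROP
    if [ -n "$logprefix" ]; then
        # Log-then-drop chain, with the log itself rate limited.
        target="${name}_drop"
        echo "-N $target"
        echo "-A $target -m limit --limit 5/min -j LOG --log-prefix \"$logprefix\""
        echo "-A $target -j DROP"
    fi
    # 1. Source already has RATE hits inside the window: drop.  --update
    #    also adds a timestamp when it matches, so continued attempts keep
    #    extending the block.
    echo "-A $chain $match -m recent --name $name --update --seconds $seconds --hitcount $rate -j $target"
    # 2. Otherwise record (or refresh) this source and accept.  Only
    #    accepted attempts add hits, so attempt RATE+1 is the first dropped.
    echo "-A $chain $match -m recent --name $name --set -j ACCEPT"
}

# Feed rules to iptables (needs root); eval keeps the quoted prefix intact.
apply_rules() {
    while read -r rule; do
        eval "iptables $rule"
    done
}

case ${1:-} in
    --probe)
        if recent_probe; then
            echo "recent match: available (extension dir: $(iptables_libdir))"
        elif [ $? -eq 1 ]; then
            echo "recent match: NOT available; iptables looks in: $(iptables_libdir)"
        else
            echo "probe could not run (needs root and iptables)"
        fi ;;
    --show)
        limit_rules fw2dmz FTPBFA 4 120 192.168.1.50 21 "FTPBFA: " ;;
esac
```

Run it as root with --probe to repeat Tom's test without leaving the foo chain behind; the directory it prints is the one that has to hold the libipt_*.so files for the iptables binary actually on the PATH, which is exactly the mismatch Scott's locate output shows. --show prints the rules, and piping that output to apply_rules installs them.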
Hello:

CentOS
Shorewall 4.0.5
dnsdjb (DNS)

I am trying to set up a very simple network with (1) firewall server (2) dmz with two DNS name servers.

I have IP: 65.103.190.104/28 mask: 255.255.255.248 (8 IP addresses available from Qwest).

Network is as below:

65.103.190.104: Network
65.103.190.105: FW
65.103.190.106: NS1
65.103.190.108: NS2
65.103.190.110: Gateway
65.103.190.111: Broadcast

SETUP:

I am using djbdns (http://cr.yp.to/djbdns.html) software to set up the DNS servers. This software requires that the authoritative DNS server, known as "tinydns", must run on a separate IP address (see http://cr.yp.to/djbdns/run-server.html). This is accomplished as follows:

eth0:    65.103.190.106 (NS1 Server)
eth0:1   65.103.190.107 (authoritative server "tinydns" running on NS1 Server listening on 65.103.190.107)

PROBLEM:

I set up proxyarp (Shorewall), as follows:

#ADDRESS          INTERFACE    External    Haveroute
65.103.190.106    eth1         eth0        no
65.103.190.107    eth1         eth0:1      no

When I issue the "shorewall start" command, I get the following error:

.....
setting up Proxy ARP...
SIOCSARP: no such device
ERROR: command 'arp -I eth0:1 -Ds 65.103.190.107 eth0:1 Pub' failed

Any suggestion?

PS: If my explanation is not clear, please let me know, I will try to explain it better.

Kirt
kbajwa wrote:
> Hello:
> 
> CentOS
> Shorewall 4.0.5
> dnsdjb (DNS)
> 
> I am trying to set up a very simple network with (1) firewall server (2) dmz
> with two DNS name servers.
> 
> I have IP: 65.103.190.104/28 mask: 255.255.255.248 (8 IP addresses available
> from Qwest).
> 
> Network is as below:
> 
> 65.103.190.104: Network
> 65.103.190.105: FW
> 65.103.190.106: NS1
> 65.103.190.108: NS2
> 65.103.190.110: Gateway
> 65.103.190.111: Broadcast
> 
> SETUP:
> 
> I am using djbdns (http://cr.yp.to/djbdns.html) software to set up the DNS
> servers. This software requires that the authoritative DNS server, known as
> "tinydns", must run on a separate IP address (see
> http://cr.yp.to/djbdns/run-server.html). This is accomplished as follows:
> 
> eth0:    65.103.190.106 (NS1 Server)
> eth0:1   65.103.190.107 (authoritative server "tinydns" running on NS1
> Server listening on 65.103.190.107)
> 
> 
> PROBLEM:
> 
> I set up proxyarp (Shorewall), as follows:
> 
> #ADDRESS          INTERFACE    External    Haveroute
> 65.103.190.106    eth1         eth0        no
> 65.103.190.107    eth1         eth0:1      no
> 
> When I issue the "shorewall start" command, I get the following error:
> 
> .....
> setting up Proxy ARP...
> SIOCSARP: no such device
> ERROR: command 'arp -I eth0:1 -Ds 65.103.190.107 eth0:1 Pub' failed
> 
> Any suggestion?

Yes -- eth0:1 is not an interface. See http://www1.shorewall.net/Shorewall_and_Aliased_Interfaces.html

-Tom
Tom Eastep wrote:
> kbajwa wrote:
>> Hello:
>> 
>> CentOS
>> Shorewall 4.0.5
>> dnsdjb (DNS)
>> 
>> I am trying to set up a very simple network with (1) firewall server (2) dmz
>> with two DNS name servers.
>> 
>> I have IP: 65.103.190.104/28 mask: 255.255.255.248 (8 IP addresses available
>> from Qwest).
>> 
>> Network is as below:
>> 
>> 65.103.190.104: Network
>> 65.103.190.105: FW
>> 65.103.190.106: NS1
>> 65.103.190.108: NS2
>> 65.103.190.110: Gateway
>> 65.103.190.111: Broadcast
>> 
>> SETUP:
>> 
>> I am using djbdns (http://cr.yp.to/djbdns.html) software to set up the DNS
>> servers. This software requires that the authoritative DNS server, known as
>> "tinydns", must run on a separate IP address (see
>> http://cr.yp.to/djbdns/run-server.html). This is accomplished as follows:
>> 
>> eth0:    65.103.190.106 (NS1 Server)
>> eth0:1   65.103.190.107 (authoritative server "tinydns" running on NS1
>> Server listening on 65.103.190.107)
>> 
>> 
>> PROBLEM:
>> 
>> I set up proxyarp (Shorewall), as follows:
>> 
>> #ADDRESS          INTERFACE    External    Haveroute
>> 65.103.190.106    eth1         eth0        no
>> 65.103.190.107    eth1         eth0:1      no
>> 
>> When I issue the "shorewall start" command, I get the following error:
>> 
>> .....
>> setting up Proxy ARP...
>> SIOCSARP: no such device
>> ERROR: command 'arp -I eth0:1 -Ds 65.103.190.107 eth0:1 Pub' failed
>> 
>> Any suggestion?
> 
> Yes -- eth0:1 is not an interface. See
> http://www1.shorewall.net/Shorewall_and_Aliased_Interfaces.html
> 

And I'm not at all sure that you are configuring IP correctly. http://www.shorewall.net/ProxyARP.htm specifically says:

    Warning

    Do not add the Proxy ARP'ed address(es) (130.252.100.18 and
    130.252.100.19 in the above example) to the external interface
    (eth0 in this example) of the firewall.

Sounds like you may have missed that.
-Tom
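The two points in Tom's replies turned into a pre-flight check for the proxyarp file, as an added example in POSIX shell that is not Shorewall's own code. The device list and the firewall's own addresses are passed in as arguments (the values used below are constructed from the configuration in the post); the arp and ip commands printed by proxyarp_commands are the arp(8) form visible in the error message with a real device name, shown only to spell out what an entry asks the firewall to do.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: check a proxyarp file for the
# two mistakes this thread turns on before running "shorewall start".
#   1. INTERFACE and EXTERNAL must name real devices.  "eth0:1" is an
#      ifconfig alias label, not a device, which is why arp(8) failed
#      with "SIOCSARP: no such device".
#   2. A Proxy ARP'ed address must not also be configured on the
#      firewall's external interface; it belongs to the host in the DMZ.

# Constructed copy of the configuration from the post (the broken one).
bad_proxyarp() {
    cat <<'EOF'
#ADDRESS          INTERFACE  EXTERNAL  HAVEROUTE
65.103.190.106    eth1       eth0      no
65.103.190.107    eth1       eth0:1    no
EOF
}

# Corrected: both entries publish on the real device eth0.  The alias
# eth0:1 / 65.103.190.107 then belongs on NS1, not on the firewall.
good_proxyarp() {
    cat <<'EOF'
#ADDRESS          INTERFACE  EXTERNAL  HAVEROUTE
65.103.190.106    eth1       eth0      no
65.103.190.107    eth1       eth0      no
EOF
}

# Live inputs on a Linux firewall (not needed for constructed data).
live_devices() { ls /sys/class/net; }
live_addrs()   { ip -4 -o addr show | awk '{ split($4, a, "/"); print $2 ":" a[1] }'; }

# check_proxyarp DEVICES ADDRS < proxyarp-file
#   DEVICES: real device names, whitespace-separated
#   ADDRS:   device:address pairs configured on the firewall itself
# Prints one line per problem; exit status 1 if any were found.
check_proxyarp() {
    devices=" $(printf '%s' "$1" | tr '\n' ' ') "
    addrs=" $(printf '%s' "$2" | tr '\n' ' ') "
    problems=0
    while read -r address iface external haveroute rest; do
        case $address in ''|'#'*) continue ;; esac
        for dev in "$iface" "$external"; do
            case $dev in
                *:*)
                    echo "$address: '$dev' is an alias label, not a device; use '${dev%%:*}'"
                    problems=$((problems + 1)) ;;
                *)
                    case "$devices" in
                        *" $dev "*) ;;
                        *) echo "$address: device '$dev' does not exist"
                           problems=$((problems + 1)) ;;
                    esac ;;
            esac
        done
        # The published address must live on the DMZ host, never on the
        # firewall's external interface (strip any alias label first).
        case "$addrs" in
            *" ${external%%:*}:$address "*)
                echo "$address: is configured on the firewall's ${external%%:*}; remove it there, it belongs to the DMZ host"
                problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# What a correct entry asks for, spelled out as commands: route the
# address to the DMZ host via INTERFACE (unless HAVEROUTE is yes) and
# publish it on EXTERNAL.
proxyarp_commands() {
    while read -r address iface external haveroute rest; do
        case $address in ''|'#'*) continue ;; esac
        case $haveroute in
            [Yy]*) ;;
            *) echo "ip route replace $address dev $iface" ;;
        esac
        echo "arp -i $external -Ds $address $external pub"
    done
}

case ${1:-} in
    --check)
        check_proxyarp "$(live_devices)" "$(live_addrs)" < /etc/shorewall/proxyarp ;;
    --demo)
        echo "== broken =="
        bad_proxyarp | check_proxyarp "eth0 eth1 lo" "eth0:65.103.190.105 eth0:65.103.190.107"
        echo "== fixed =="
        good_proxyarp | check_proxyarp "eth0 eth1 lo" "eth0:65.103.190.105" && echo ok
        good_proxyarp | proxyarp_commands ;;
esac
```

With --demo the broken file produces two findings (eth0:1 is an alias label, and 65.103.190.107 is still configured on the firewall's eth0); the corrected file passes only once that address has been removed from the firewall, which is the second of Tom's two points. --check runs the same test against the real /etc/shorewall/proxyarp and this machine's devices and addresses.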