I have been on the side now for a long, long time. After all of these years, last month I rebuilt my firewall. Today I hit a snag.

I have 2 ipset lists, Blacklistnets and Blacklisthosts. I have a portmap, BLOCKPORTS, from 1 to 1024. I have ports 25, 110 and 143 added to BLOCKPORTS and bound to both lists.

All works in 4.4.11.2. I was just trying to keep the versions up.

Now when I install 4.4.12 and start it, it says that ipset match and iprange must be in the kernel and iptables. Version 4.4.11.2 works fine.

I found the instructions for creating a capabilities file; I have never purposefully done that before. I did just create one with 4.4.11.2 and it lists both of these requirements as yes.

Do I need to create this in 4.4.12 before I run it? If so, is the /etc/shorewall directory ok?

Debian lenny, kernel 2.6.26-2-amd64, iptables 1.4.2, ipset 2.3.3. Ipset for the Debian kernel was hard to come by, and it is old.

Thanks
--john

<http://www.columbuscontainer.com/>
John R. Hill
Director Of Technologies
812-314-8920 option #3

------------------------------------------------------------------------------
Sell apps to millions through the Intel(R) Atom(Tm) Developer Program
Be part of this innovative community and reach millions of netbook users
worldwide. Take advantage of special opportunities to increase revenue and
speed time-to-market. Join now, and jumpstart your future.
http://p.sf.net/sfu/intel-atom-d2d
On 8/24/10 12:03 PM, Hill, John wrote:
> I have been on the side now for a long, long time. After all of these
> years, last month I rebuilt my firewall. Today I hit a snag.
>
> I have 2 ipset lists Blacklistnets and Blacklisthosts. I have a portmap,
> BLOCKPORTS from 1 to 1024. I have port 25, 110 and 143 added to
> BLOCKPORTS and bound to both lists.
>
> All works in 4.4.11.2. I was just trying to keep the versions up.
>
> Now when I install 4.4.12 and start it, it says that ipset match and
> iprange must be in the kernel and iptables. Version 4.4.11.2 works fine.
>
> I found the instructions for creating a capabilities file, I have never
> purposefully done that before? I did just create one with 4.4.11.2 and
> it lists both of these requirements as yes.

And 4.4.12 does not?

> Do I need to create this in 4.4.12 before I run it? If so is the
> /etc/shorewall directory ok?
>
> Debian lenny Kernel 2.6.26-2amd64 Iptables 1.4.2 ipset 2.3.3. Ipset for
> Debian kernel was hard to come by, and it is old.

I run ipsets fine with shorewall 4.4.12 and the 2.6.26 Debian kernel (although I use xtables-addons-1.24 to install ipsets and the netfilter module that goes with it).

Please try the following from a root shell prompt:

    iptables -N foo
    iptables -A foo -m set --set Blacklistnets src -j ACCEPT
    iptables -A foo -m set --match-set Blacklistnets src -j ACCEPT

What is the result?

-Tom
--
Tom Eastep          \ When I die, I want to go like my Grandfather who
Shoreline,           \ died peacefully in his sleep. Not screaming like
Washington, USA       \ all of the passengers in his car
http://shorewall.net   \________________________________________________
On 8/24/10 12:51 PM, Tom Eastep wrote:
> On 8/24/10 12:03 PM, Hill, John wrote:
>> I have been on the side now for a long, long time. After all of these
>> years, last month I rebuilt my firewall. Today I hit a snag.
>>
>> I have 2 ipset lists Blacklistnets and Blacklisthosts. I have a portmap,
>> BLOCKPORTS from 1 to 1024. I have port 25, 110 and 143 added to
>> BLOCKPORTS and bound to both lists.
>>
>> All works in 4.4.11.2. I was just trying to keep the versions up.
>>
>> Now when I install 4.4.12 and start it, it says that ipset match and
>> iprange must be in the kernel and iptables. Version 4.4.11.2 works fine.
>>
>> I found the instructions for creating a capabilities file, I have never
>> purposefully done that before? I did just create one with 4.4.11.2 and
>> it lists both of these requirements as yes.
>
> And 4.4.12 does not?
>
>> Do I need to create this in 4.4.12 before I run it? If so is the
>> /etc/shorewall directory ok?
>>
>> Debian lenny Kernel 2.6.26-2amd64 Iptables 1.4.2 ipset 2.3.3. Ipset for
>> Debian kernel was hard to come by, and it is old.
>
> I run ipsets fine with shorewall 4.4.12 and the 2.6.26 Debian kernel
> (although I use xtables-addons-1.24 to install ipsets and the netfilter
> module that goes with it).
>
> Please try the following from a root shell prompt:
>
>     iptables -N foo
>     iptables -A foo -m set --set Blacklistnets src -j ACCEPT
>     iptables -A foo -m set --match-set Blacklistnets src -j ACCEPT
>
> What is the result?

I just noticed something in the 4.4.12 code; please try the attached patch:

    patch /usr/share/shorewall/Shorewall/Config.pm < ipset.diff

-Tom
I was very careful to check it. I get Bad argument 'iptables'.

I added a ; before the second iptables. The first command entered; the second says Unknown arg '(null)'.

John R. Hill

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 24, 2010 3:52 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
This is a production machine today. I'll need to switch it out to do much more than a quick install.

--john

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 24, 2010 4:05 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
On 8/24/10 1:16 PM, Hill, John wrote:
> I was very careful to check it. I get Bad argument 'iptables'
> I added a ; before the second iptables. The first command entered the
> second says Unknown arg '(null)'

Your email client folded, spindled and mutilated the commands. What I posted was (extra newlines are added to try to outwit your mail software):

    iptables -N foo

    iptables -A foo -m set --set Blacklistnets src -j ACCEPT

    iptables -A foo -m set --match-set Blacklistnets src -j ACCEPT

At any rate, please try the patch I sent in a follow-on post.

-Tom
On 8/24/10 1:22 PM, Hill, John wrote:
> This is a production machine today. I'll need to switch it out to do
> much more than a quick install.

Running one patch command is much faster than doing an install. But whatever...

-Tom
I may have misunderstood. Did you mean against the running version or the new 4.4.12?

John R. Hill

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 24, 2010 4:28 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
On 8/24/10 1:28 PM, Tom Eastep wrote:
> On 8/24/10 1:22 PM, Hill, John wrote:
>> This is a production machine today. I'll need to switch it out to do
>> much more than a quick install.
>
> Running one patch command is much faster than doing an install. But
> whatever...

You can test this without touching your running config.

1) Install the patch
2) Temporarily rename your capabilities file so that the compiler must detect the capabilities itself.
3) shorewall check
4) If that works, then 'shorewall check -r | less' and search for "m set"; following that should be " --set" (and not " --match-set").

If those all look okay, the patch was correct. If not, then change the renamed capabilities file back to its correct name.

One thing I'm still unclear about; under 4.4.12, does "shorewall show -f capabilities" correctly show IPSET_MATCH=Yes and OLD_IPSET_MATCH=Yes?

Thanks,
-Tom
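A script that automates the last two steps of the test above, added here as an example; it is not part of the thread and not Shorewall's own tooling. It assumes the capabilities file consists of KEY=Value lines such as IPSET_MATCH=Yes, that OLD_IPSET_MATCH=Yes means the iptables binary only understands the deprecated " --set" form (as Tom's step describes), and it works on constructed sample files in a temporary directory rather than touching /etc/shorewall or the live ruleset:

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall itself. It checks that
# every "-m set" rule in a compiled ruleset ("shorewall check -r" output) uses
# the flag that the capabilities file says the iptables binary accepts.
# All sample inputs below are constructed for illustration.

# Print the value of KEY from a capabilities file (empty if absent).
cap_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Classify the "-m set" rules in a ruleset: old (--set), new (--match-set),
# mixed, or none.
ipset_match_flavour() {
    old=$(grep -c -- '-m set --set ' "$1" || true)
    new=$(grep -c -- '-m set --match-set ' "$1" || true)
    if [ "$old" -gt 0 ] && [ "$new" -gt 0 ]; then
        echo mixed
    elif [ "$old" -gt 0 ]; then
        echo old
    elif [ "$new" -gt 0 ]; then
        echo new
    else
        echo none
    fi
}

# OLD_IPSET_MATCH=Yes is taken to mean iptables only accepts the deprecated
# "--set" form (assumption drawn from the test steps), so the emitted rules
# must use it; otherwise they must use "--match-set". Exit 1 on a mismatch.
check_ipset_syntax() {
    capfile="$1"
    ruleset="$2"
    flavour=$(ipset_match_flavour "$ruleset")
    if [ "$(cap_value "$capfile" OLD_IPSET_MATCH)" = "Yes" ]; then
        want=old
    else
        want=new
    fi
    if [ "$flavour" = none ]; then
        echo "ok: no ipset rules in ruleset"
        return 0
    fi
    if [ "$flavour" = "$want" ]; then
        echo "ok: ruleset uses $want ipset syntax"
        return 0
    fi
    echo "mismatch: capabilities expect $want syntax, ruleset uses $flavour"
    return 1
}

# --- Constructed sample inputs (placeholders, not real Shorewall output) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

printf 'IPSET_MATCH=Yes\nOLD_IPSET_MATCH=Yes\n' > "$DEMO_DIR/cap_old"
printf 'IPSET_MATCH=Yes\nOLD_IPSET_MATCH=\n'    > "$DEMO_DIR/cap_new"
printf '%s\n' '-A net2fw -m set --set Blacklistnets src -j DROP' \
              '-A net2fw -m set --set Blacklisthosts src -j DROP' > "$DEMO_DIR/rules_old"
printf '%s\n' '-A net2fw -m set --match-set Blacklistnets src -j DROP' > "$DEMO_DIR/rules_new"

# Old iptables with old syntax emitted: consistent.
check_ipset_syntax "$DEMO_DIR/cap_old" "$DEMO_DIR/rules_old"
# Old iptables but new syntax emitted: the failure the thread is about.
check_ipset_syntax "$DEMO_DIR/cap_old" "$DEMO_DIR/rules_new" || true
```

On a real box you would point the two arguments at the renamed capabilities file and at a saved copy of the `shorewall check -r` output; a non-zero exit from `check_ipset_syntax` is the signal to restore the capabilities file name before touching the running firewall.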
On 8/24/10 1:35 PM, Hill, John wrote:
> I may have misunderstood. Did you mean against the running version or
> the new 4.4.12?

And I may have misunderstood also. I thought that you were running 4.4.12 with a capabilities file. If not, then the patch cannot be applied and tested.

Thanks,
-Tom
I can't run 4.4.12; it terminates about the ipset issue.

John R. Hill

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 24, 2010 4:39 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
I reread my post; I was enormously vague about it. Sorry.

John R. Hill

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 24, 2010 4:40 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
On 8/24/10 1:45 PM, Hill, John wrote:
> I can't run 4.4.12 it terminates about the ipset issue.

Then we appear to be deadlocked. I can't reproduce the problem and you can't test the fix.

Where did you get this ancient ipsets package for Lenny? Maybe I can install it on one of my crash and burn systems.

-Tom
On 8/24/10 2:15 PM, Tom Eastep wrote:
> On 8/24/10 1:45 PM, Hill, John wrote:
>> I can't run 4.4.12 it terminates about the ipset issue.
>
> Then we appear to be deadlocked. I can't reproduce the problem and you
> can't test the fix.
>
> Where did you get this ancient ipsets package for Lenny? Maybe I can
> install it on one of my crash and burn systems.

Okay -- I hacked up the iptables ipt_set module to accept only the deprecated syntax supported by iptables 1.4.2 and my patch works. I will release 4.4.12.1 later this evening.

FWIW, if you simply create a capabilities file under 4.4.12, that also works:

    shorewall show -f capabilities > /etc/shorewall/capabilities

-Tom
I looked high and low for a kernel module set for the amd64 bit. This is what I found. I am somewhat green with Debian; I have always used Slackware.

Sent from a mobile device.

On Aug 24, 2010, at 5:18 PM, "Tom Eastep" <teastep@shorewall.net> wrote:
> On 8/24/10 1:45 PM, Hill, John wrote:
>> I can't run 4.4.12 it terminates about the ipset issue.
>
> Then we appear to be deadlocked. I can't reproduce the problem and you
> can't test the fix.
>
> Where did you get this ancient ipsets package for Lenny? Maybe I can
> install it on one of my crash and burn systems.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
netfilter-extensions-modules-2.6.26-2-amd64_20080719+debian-1+2.6.26-24_amd64

I can send it.

This is off topic. But can I not compile a new ipset and install in this Debian system? I need to do some homework on Debian kernel compiling.

John R. Hill

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, August 24, 2010 5:16 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
On 8/25/10 5:25 AM, Hill, John wrote:
> netfilter-extensions-modules-2.6.26-2-amd64_20080719+debian-1+2.6.26-24_amd64
> I can send it.
> This is off topic. But can I not compile a new ipset and install in this
> Debian system?
> I need to do some homework on Debian kernel compiling.

You can install xtables-addons which doesn't require that you compile the entire kernel. See http://www.shorewall.net/Dynamic.html#xtables-addons. For Lenny, the latest version that I've found to work correctly is 1.24.

-Tom
On 8/25/10 6:34 AM, Tom Eastep wrote:
> On 8/25/10 5:25 AM, Hill, John wrote:
>> netfilter-extensions-modules-2.6.26-2-amd64_20080719+debian-1+2.6.26-24_amd64
>> I can send it.
>> This is off topic. But can I not compile a new ipset and install in this
>> Debian system?
>> I need to do some homework on Debian kernel compiling.
>
> You can install xtables-addons which doesn't require that you compile
> the entire kernel. See
> http://www.shorewall.net/Dynamic.html#xtables-addons. For Lenny, the
> latest version that I've found to work correctly is 1.24.

Note, however, that you will STILL need 4.4.12.1 for ipsets to work correctly (or you must use the capabilities file workaround). It is your iptables that is tripping up the shorewall 4.4.12 compiler, not ipsets.

You could also build and install iptables 1.4.4 or later and update your shorewall config to point to that binary (by default, it is installed in /usr/local/sbin/).

-Tom
I updated iptables and ipset and xtables. It works, but I get this error when I do an ipset -L:

    ipset v4.3 kernel ip_set module is of protocol 2

John R. Hill

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, August 25, 2010 9:35 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue
On 8/25/10 9:29 AM, Hill, John wrote:
> I updated iptables and ipset and xtables.
> It works but I get this error when I do an ipset -L
> ipset v4.3 kernel ip_set module is of protocol 2

Which version of xtables-addons did you install?

-Tom
On 8/25/10 9:42 AM, Tom Eastep wrote:
> On 8/25/10 9:29 AM, Hill, John wrote:
>> I updated iptables and ipset and xtables.
>> It works but I get this error when I do an ipset -L
>> ipset v4.3 kernel ip_set module is of protocol 2
>
> Which version of xtables-addons did you install?

Also, did you reboot after the upgrades?

-Tom
On 8/25/10 9:42 AM, Tom Eastep wrote:
> On 8/25/10 9:29 AM, Hill, John wrote:
>> I updated iptables and ipset and xtables.
>> It works but I get this error when I do an ipset -L
>> ipset v4.3 kernel ip_set module is of protocol 2
>
> Which version of xtables-addons did you install?

One more thing -- by default, xtables-addons installs the ipset binary in /usr/local/sbin/. So if you still have the Debian ipset package installed, you're probably running the old ipset with the new kernel modules.

-Tom
1.24

I think I have a module issue. Ipset is working, or at least the blacklist is dropping connections as it should.

Ipset 4.3
iptables 1.4.9.1
shorewall 4.4.12.1

If I enter ipset -L I get this in return.

ipset v4.3 kernel ip_set module is of protocol 2

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, August 25, 2010 12:43 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue

On 8/25/10 9:29 AM, Hill, John wrote:
> I updated iptables and ipset and xtables.
> It works but I get this error when I do an ipset -L
> ipset v4.3 kernel ip_set module is of protocol 2

Which version of xtables-addons did you install?

-Tom
Yes sir, did a reboot hoping to load the modules. I noticed in the etc/modules file that ip_set was listed.

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, August 25, 2010 12:49 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue

On 8/25/10 9:42 AM, Tom Eastep wrote:
> On 8/25/10 9:29 AM, Hill, John wrote:
>> I updated iptables and ipset and xtables.
>> It works but I get this error when I do an ipset -L
>> ipset v4.3 kernel ip_set module is of protocol 2
>
> Which version of xtables-addons did you install?

Also, did you reboot after the upgrades?

-Tom
After the reboot, ipset from anywhere returns 4.3 and the protocol version complaint.

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, August 25, 2010 12:52 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue

On 8/25/10 9:42 AM, Tom Eastep wrote:
> On 8/25/10 9:29 AM, Hill, John wrote:
>> I updated iptables and ipset and xtables.
>> It works but I get this error when I do an ipset -L
>> ipset v4.3 kernel ip_set module is of protocol 2
>
> Which version of xtables-addons did you install?

One more thing -- by default, xtables-addons installs the ipset binary in /usr/local/sbin/. So if you still have the Debian ipset package installed, you're probably running the old ipset with the new kernel modules.

-Tom
Have it fixed. Too many netfilter installs. Cleaned it up.

I have ipset 4.2, iptables 1.4.9.1.

The instructions I followed to create the set lists now fail, as ipset no longer supports the -B xxx.xxx.xxx.xxx -b command. Reading the docs that I can find now.

I am trying to block 25, 110 and 143 from sub networks and single ip addresses. I have lists of numbers I process and automatically create and load the set according to the netmask. That is broken now. But Shorewall is running like a clock.

--john

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, August 25, 2010 12:26 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall-4.4.12 ipset issue

On 8/25/10 6:34 AM, Tom Eastep wrote:
> On 8/25/10 5:25 AM, Hill, John wrote:
>> netfilter-extensions-modules-2.6.26-2-amd64_20080719+debian-1+2.6.26-24_amd64
>> I can send it.
>> This is off topic. But can I not compile a new ipset and install in
>> this Debian system?
>> I need to do some homework on Debian kernel compiling.
>
> You can install xtables-addons which doesn't require that you compile
> the entire kernel. See
> http://www.shorewall.net/Dynamic.html#xtables-addons. For Lenny, the
> latest version that I've found to work correctly is 1.24.

Note, however, that you will STILL need 4.4.12.1 for ipsets to work correctly (or you must use the capabilities file workaround). It is your iptables that is tripping up the shorewall 4.4.12 compiler, not ipsets.

You could also build and install iptables 1.4.4 or later and update your shorewall config to point to that binary (by default, it is installed in /usr/local/sbin/).

-Tom
I have the new iptables and the 1.24 xtables-addons working. (Any reason not to upgrade this version?)

The new ipset 4.2 does not support binding. I have dug all over and tried different ideas, nothing works.

I am trying to block certain port traffic, only, on some networks and some individual hosts. I was able to do it using the previous Shorewall instructions, which no longer work without binding support. Can anyone point me to a tutorial?

It looks like the ipporthash and netporthash might work. The man pages are as vague as my emails.

Thanks
--john
On 8/26/10 4:55 AM, Hill, John wrote:
> I have the new iptables and the 1.24 xtables-addons working. (Any
> reason not to upgrade this version?)

As I mentioned in an earlier post, I've been unable to make iptables play with ipset on Lenny with any later xtables-addons release.

> The new ipset 4.2 does not support binding. I have dug all over and
> tried different ideas, nothing works.

It was announced at least two years ago that binding was being de-implemented in ipsets.

> I am trying to block certain port traffic, only, on some networks and
> some individual hosts. I was able to do it using the previous
> Shorewall instructions, that no longer works without binding
> support. Can anyone point me to a tutorial.

man ipset

> It looks like the ipporthash and netporthash might work. The man
> pages are as vague as my emails.

Those will work.

-Tom
I think I have found my solution.

I set up ipset lists:

Blacklisthosts iphash
Blacklistnets ipnethash

I populated them.

In the blacklist file:

+Blacklistnet[src] tcp 25
+Blacklisthosts[src] tcp 25

Restarted Shorewall, now it drops dst port 25 in these sets.

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, August 26, 2010 9:45 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] ipset help

On 8/26/10 4:55 AM, Hill, John wrote:
> I have the new iptables and the 1.24 xtables-addons working. (Any
> reason not to upgrade this version?)

As I mentioned in an earlier post, I've been unable to make iptables play with ipset on Lenny with any later xtables-addons release.

> The new ipset 4.2 does not support binding. I have dug all over and
> tried different ideas, nothing works.

It was announced at least two years ago that binding was being de-implemented in ipsets.

> I am trying to block certain port traffic, only, on some networks and
> some individual hosts. I was able to do it using the previous
> Shorewall instructions, that no longer works without binding support.
> Can anyone point me to a tutorial.

man ipset

> It looks like the ipporthash and netporthash might work. The man pages
> are as vague as my emails.

Those will work.

-Tom
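John's working layout above (an iphash set for single hosts, an ipnethash set for networks, and the port restriction expressed in Shorewall's blacklist file rather than via the removed `-B`/`-b` binding) also covers the automation he lost earlier in the thread: loading the sets from lists of addresses according to the netmask. The script below is an added example, not code from the thread, from Shorewall or from ipset; it turns a mixed list into an ipset restore script. The set names and types are the ones John used; the restore format (`-N`/`-A` lines ending in `COMMIT`, fed to `ipset -R`) is an assumption about ipset 4.x, and the sample list is constructed. Malformed lines are reported and skipped rather than loaded, which is the check a list-driven blacklist most needs.

```shell
#!/bin/sh
# Build an ipset 4.x restore script from a list of hosts and networks, using
# the no-binding scheme from the thread: hosts -> iphash set, networks ->
# ipnethash set. The tcp/25 (and 110, 143) restriction stays in Shorewall's
# blacklist file, e.g. "+Blacklisthosts[src] tcp 25". Set names follow the
# thread; the -N/-A/COMMIT format for "ipset -R" is assumed, not taken
# from the thread.

HOSTS_SET=Blacklisthosts
NETS_SET=Blacklistnets

# valid_ipv4 A.B.C.D: succeed only when there are four octets, each 0..255
valid_ipv4() {
    addr=$1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# classify_entry ENTRY: print host, net or invalid
classify_entry() {
    entry=$1
    case $entry in
        */*)
            addr=${entry%/*}
            plen=${entry#*/}
            case $plen in ''|*[!0-9]*) echo invalid; return ;; esac
            if ! valid_ipv4 "$addr" || [ "$plen" -gt 32 ]; then
                echo invalid
                return
            fi
            # a /32 is a single host, so it belongs in the iphash set
            if [ "$plen" -eq 32 ]; then echo host; else echo net; fi
            ;;
        *)
            if valid_ipv4 "$entry"; then echo host; else echo invalid; fi
            ;;
    esac
}

# gen_ipset_restore < LIST: restore script on stdout; bad lines go to stderr
# and are skipped, so a typo in the list never silently loads a wrong entry
gen_ipset_restore() {
    echo "-N $HOSTS_SET iphash"
    echo "-N $NETS_SET ipnethash"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')      # drop whitespace
        [ -n "$line" ] || continue
        case $(classify_entry "$line") in
            host) echo "-A $HOSTS_SET ${line%/*}" ;;    # strip any /32
            net)  echo "-A $NETS_SET $line" ;;
            *)    echo "skipping malformed entry: $line" >&2 ;;
        esac
    done
    echo COMMIT
}

# Run directly: a constructed list (documentation-range addresses) piped
# through the generator; on a firewall you would pipe the output to ipset -R
printf '%s\n' '# constructed sample list' '10.0.0.0/8' '192.0.2.7' \
    '198.51.100.0/24' '203.0.113.9/32' '300.1.1.1' 'not-an-address' \
    | gen_ipset_restore
```

The restore script is loaded with `gen_ipset_restore < list.txt | ipset -R` after the sets have been flushed; since the port match lives in the blacklist file, the same two sets serve 25, 110 and 143 with one blacklist line per port and set.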
Make that src not dst.

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Hill, John [mailto:jhill@columbuscontainer.com]
Sent: Thursday, August 26, 2010 12:58 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] ipset help

I think I have found my solution.

I set up ipset lists:

Blacklisthosts iphash
Blacklistnets ipnethash

I populated them.

In the blacklist file:

+Blacklistnet[src] tcp 25
+Blacklisthosts[src] tcp 25

Restarted Shorewall, now it drops dst port 25 in these sets.

John R. Hill
Director Of Technologies
812-314-8920 option #3

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, August 26, 2010 9:45 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] ipset help

On 8/26/10 4:55 AM, Hill, John wrote:
> I have the new iptables and the 1.24 xtables-addons working. (Any
> reason not to upgrade this version?)

As I mentioned in an earlier post, I've been unable to make iptables play with ipset on Lenny with any later xtables-addons release.

> The new ipset 4.2 does not support binding. I have dug all over and
> tried different ideas, nothing works.

It was announced at least two years ago that binding was being de-implemented in ipsets.

> I am trying to block certain port traffic, only, on some networks and
> some individual hosts. I was able to do it using the previous
> Shorewall instructions, that no longer works without binding support.
> Can anyone point me to a tutorial.

man ipset

> It looks like the ipporthash and netporthash might work. The man pages
> are as vague as my emails.

Those will work.

-Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users