I installed Shorewall 2.2.2 on a vanilla install of Fedora FC3. I have not updated the kernel yet. After some fault finding I went back to the 2 interface example configuration files for 2.2.2.

In shorewall.conf I have to specify the path for IPTABLES="/sbin". If I leave this commented out then shorewall reports that it cannot find iptables. When I have this line in, shorewall will start; however, there are errors on startup and I am not sure that all the rules are being processed, as I cannot access the net from any PC on the 192.168.1.0/24 network. Some of the startup errors are not in the trace files. This is the error.

[root@Server1 tmp]# shorewall start > /tmp/startup.txt
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
ERROR: Command "/sbin -P INPUT DROP" Failed
WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 159: /sbin: is a directory
/usr/share/shorewall/firewall: line 1504: /sbin: is a directory
/usr/share/shorewall/firewall: line 1513: /sbin: is a directory
/usr/share/shorewall/firewall: line 1518: /sbin: is a directory
/usr/share/shorewall/firewall: line 1524: /sbin: is a directory

Looking through the debug files I can see why it does not work as NAT is not available. Have I done something wrong in the install of FC3?

Thanks for your help. This problem is of no urgency as I am doing all this configuration on a spare hard drive in my firewall laptop. The original working shorewall 1.4 install on RH9 is still working fine.

All required files are in the attached zip file.
(I followed the reporting guidelines)

Stephen Gloor wrote:
> I installed Shorewall 2.2.2 on a vanilla install of Fedora FC3. I have not
> updated the kernel yet. After some fault finding I went back to the 2
> interface example configuration files for 2.2.2.
>
> In shorewall.conf I have to specify the path for IPTABLES="/sbin".

/sbin is NOT YOUR iptables binary!!!!!

from the shorewall.conf description of the IPTABLES variable:

# IPTABLES
#
# Full path to iptables executable Shorewall uses to build the firewall. If
# not specified or if specified with an empty value (e.g., IPTABLES="") then
# the iptables executable located via the PATH setting below is used.
#

So if your iptables binary is in /sbin then you want:

IPTABLES=/sbin/iptables

-Tom
--
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

I tried this and put /sbin/iptables in the path statement.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Sunday, 3 April 2005 1:54 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Problems with Shorewall 2.2 on Fedora FC3

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

Stephen Gloor wrote:
> I tried this and put /sbin/iptables in the path statement.
>

and?

-Tom

Stephen Gloor wrote:
> I tried this and put /sbin/iptables in the path statement.
>

You *have* installed iptables in this computer, right? Try this:

[root@lists ~]# rpm -q iptables
iptables-1.2.11-3.1.FC3
[root@lists ~]#

Do you see something similar in response to that 'rpm' command?

-Tom

FYI - I am using Fedora Core 3, updated to the latest released updates, without issues of any kind. I did not change any of the default settings, except to define my interfaces, rules, etc, for my configuration. I have used Shorewall with all of the releases of Fedora, without issue.

On Apr 3, 2005, at 4:09 AM, Stephen Gloor wrote:
> I tried this and put /sbin/iptables in the path statement.

Yeah I know - I have used Shorewall for years as well without issues. It is only when I did this install I had problems.

Did you install FC3 as default - I did the custom install and selected packages that I needed. I am using an IBM 380XD as my firewall and 2 PCMCIA cards. I am wondering if this has anything to do with it?

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of TGS
Sent: Monday, 4 April 2005 10:34 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Problems with Shorewall 2.2 on Fedora FC3

Yes, I checked. I have iptables installed.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Sunday, 3 April 2005 10:53 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Problems with Shorewall 2.2 on Fedora FC3

Stephen Gloor wrote:
> Yeah I know - I have used Shorewall for years as well without issues. It is
> only when I did this install I had problems.
>
> Did you install FC3 as default - I did the custom install and selected
> packages that I needed. I am using an IBM 380XD as my firewall and 2 PCMCIA
> cards. I am wondering if this has anything to do with it?
>

Stephen -- as things currently stand, *we have no idea whatsoever what problem you are reporting*. You sent us a report that said that if you set IPTABLES="/sbin" that it didn't work and we reported back "Of course it didn't work -- you want IPTABLES=/sbin/iptables" whereupon you said, "I tried that and it didn't work".

I'm sorry but "it didn't work" as the sum total of a problem report gets ignored here....

-Tom

Sorry - I will have another look and try to report a bit better. I must have missed something.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, 4 April 2005 10:22 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Problems with Shorewall 2.2 on Fedora FC3

OK I am officially a dickhead. I put in the suggested line and it worked. Must have missed a fault-finding step. Slinking off in shame :-(

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, 4 April 2005 10:22 PM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Problems with Shorewall 2.2 on Fedora FC3
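
A preflight check for the IPTABLES mistake resolved in this thread, as an added example that is not part of the original messages or of Shorewall itself: it catches a setting that names a directory before the firewall script runs and fails to apply its rules. The function names are hypothetical, and the empty-value case is resolved through the caller's PATH as a stand-in for the PATH setting in shorewall.conf.

```shell
#!/bin/sh
# Added example, not part of Shorewall: preflight check for the IPTABLES
# setting in a shorewall.conf-style file. Both function names are hypothetical.

# Print the last uncommented IPTABLES= value, without quotes or trailing comment.
read_iptables_setting() {
    sed -n 's/^[[:space:]]*IPTABLES=//p' "$1" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"'"
}

# Return 0 if the setting names a usable binary, 1 if it is a directory,
# 2 if it is missing or not executable, 3 if unset and PATH has no iptables.
check_iptables_setting() {
    value=$(read_iptables_setting "$1")
    if [ -z "$value" ]; then
        # Unset or empty: shorewall.conf says the binary is then found via PATH.
        # Assumption: the caller's PATH stands in for the PATH= line in the file.
        if resolved=$(command -v iptables 2>/dev/null); then
            echo "ok: IPTABLES unset, PATH resolves to $resolved"; return 0
        fi
        echo "error: IPTABLES unset and no iptables on PATH"; return 3
    fi
    if [ -d "$value" ]; then
        echo "error: IPTABLES=$value is a directory; expected $value/iptables?"
        return 1
    fi
    if [ ! -x "$value" ]; then
        echo "error: IPTABLES=$value is not an executable file"; return 2
    fi
    echo "ok: IPTABLES=$value"; return 0
}

# Constructed demo: a scratch tree stands in for /sbin so the host is untouched.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sbin"
    printf '#!/bin/sh\n' > "$tmp/sbin/iptables"
    chmod +x "$tmp/sbin/iptables"
    printf 'IPTABLES="%s"\n' "$tmp/sbin" > "$tmp/bad.conf"          # the mistake
    printf 'IPTABLES=%s\n' "$tmp/sbin/iptables" > "$tmp/good.conf"  # the fix
    check_iptables_setting "$tmp/bad.conf" || echo "  (exit status $?)"
    check_iptables_setting "$tmp/good.conf"
    rm -rf "$tmp"
}
demo
```

On a real host the call would be `check_iptables_setting /etc/shorewall/shorewall.conf`, run before `shorewall start`.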