Hi, I have a working test install of Shorewall 2.0.7 on a 32 bit install of Gentoo, it''s working like a champ, so i am making an install on a nice new Opteron server, using 64bit Gentoo. I have run into a problem which going by your FAQ might be due to a missing module, but after a couple of hours of fiddling I''m stumpted - I can''t see any options in the 2.6.8 kernel that apply to this problem... Shorewall check gives me:>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>test64 root # shorewall check Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Notice: The ''check'' command is unsupported and problem reports complaining about errors that it didn''t catch will not be accepted Shorewall has detected the following iptables/netfilter capabilities: NAT: Available Packet Mangling: Not available Multi-port Match: Not available Connection Tracking Match: Not available Verifying Configuration... Determining Zones... Zones: net Validating interfaces file... Validating hosts file... Determining Hosts in Zones... Net Zone: eth0:0.0.0.0/0 Validating policy file... Policy for fw to net is ACCEPT using chain fw2net Policy for net to fw is DROP using chain net2all Pre-validating Actions... Pre-processing /usr/share/shorewall/action.DropSMB... Pre-processing /usr/share/shorewall/action.RejectSMB... Pre-processing /usr/share/shorewall/action.DropUPnP... Pre-processing /usr/share/shorewall/action.RejectAuth... Pre-processing /usr/share/shorewall/action.DropPing... Pre-processing /usr/share/shorewall/action.DropDNSrep... Pre-processing /usr/share/shorewall/action.AllowPing... Pre-processing /usr/share/shorewall/action.AllowFTP... Pre-processing /usr/share/shorewall/action.AllowDNS... Pre-processing /usr/share/shorewall/action.AllowSSH... Pre-processing /usr/share/shorewall/action.AllowWeb... Pre-processing /usr/share/shorewall/action.AllowSMB... Pre-processing /usr/share/shorewall/action.AllowAuth... Pre-processing /usr/share/shorewall/action.AllowSMTP... Pre-processing /usr/share/shorewall/action.AllowPOP3... Pre-processing /usr/share/shorewall/action.AllowIMAP... Pre-processing /usr/share/shorewall/action.AllowTelnet... Pre-processing /usr/share/shorewall/action.AllowVNC... Pre-processing /usr/share/shorewall/action.AllowVNCL... Pre-processing /usr/share/shorewall/action.AllowNTP... Pre-processing /usr/share/shorewall/action.AllowRdate... Pre-processing /usr/share/shorewall/action.AllowNNTP... Pre-processing /usr/share/shorewall/action.AllowTrcrt... Pre-processing /usr/share/shorewall/action.AllowSNMP... Pre-processing /usr/share/shorewall/action.AllowPCA... Pre-processing /usr/share/shorewall/action.Drop... Pre-processing /usr/share/shorewall/action.Reject... Validating rules file... Rule "ACCEPT net fw tcp 22" checked. Rule "ACCEPT net fw tcp 80" checked. Rule "ACCEPT net fw tcp 8080" checked. Rule "ACCEPT net fw tcp 10000" checked. Validating Actions... Processing /usr/share/shorewall/action.Drop... Rule "RejectAuth" checked. Rule "dropBcast" checked. Rule "dropInvalid" checked. Rule "DropSMB" checked. Rule "DropUPnP" checked. Rule "dropNotSyn" checked. Rule "DropDNSrep" checked. Processing /usr/share/shorewall/action.Reject... Rule "RejectAuth" checked. Rule "dropBcast" checked. Rule "dropInvalid" checked. Rule "RejectSMB" checked. Rule "DropUPnP" checked. Rule "dropNotSyn" checked. Rule "DropDNSrep" checked. Processing /usr/share/shorewall/action.RejectAuth... Rule "REJECT - - tcp 113" checked. Processing /usr/share/shorewall/action.DropSMB... Rule "DROP - - udp 135" checked. Rule "DROP - - udp 137:139" checked. Rule "DROP - - udp 445" checked. Rule "DROP - - tcp 135" checked. Rule "DROP - - tcp 139" checked. Rule "DROP - - tcp 445" checked. Processing /usr/share/shorewall/action.DropUPnP... Rule "DROP - - udp 1900" checked. Processing /usr/share/shorewall/action.DropDNSrep... Rule "DROP - - udp - 53" checked. Processing /usr/share/shorewall/action.RejectSMB... Rule "REJECT - - udp 135" checked. Rule "REJECT - - udp 137:139" checked. Rule "REJECT - - udp 445" checked. Rule "REJECT - - tcp 135" checked. Rule "REJECT - - tcp 139" checked. Rule "REJECT - - tcp 445" checked. Configuration Validated <<<<<<<<<<<<<<<<<<<<<<< So that looks ok. But starting fails, and a trace gives me:>>>>>>>>>>>>>>>>>>>>>>>>+ setcontinue FORWARD + run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT + ''['' -n '''' '']'' + iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables: No chain/target/match by that name <<<<<<<<<<<<<<<<<<<<<<<<< The example in the FAQ makes sense to me, there is a REJECT module, and it could be left out. But what on earth could cause this? The bit that has me concerned is that Shorewall is listed as Unstable on amd64 on Gentoo...:( TIA daniel ___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! uk.messenger.yahoo.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 daniel Griffith wrote: | | But starting fails, and a trace gives me: | | + setcontinue FORWARD | + run_iptables -A FORWARD -m state --state | ESTABLISHED,RELATED -j ACCEPT | + ''['' -n '''' '']'' | + iptables -A FORWARD -m state --state | ESTABLISHED,RELATED -j ACCEPT | iptables: No chain/target/match by that name | <<<<<<<<<<<<<<<<<<<<<<<<< | | The example in the FAQ makes sense to me, there is a | REJECT module, and it could be left out. But what on | earth could cause this? There is a ''state'' match module and it has been left out. - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ lists.shorewall.net/teastep.pgp.key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - enigmail.mozdev.org iD8DBQFBRfMXO/MAbZfjDLIRAuGxAKCm5wtlAjvopQFyfX1M9drrnW1CYwCdGEOz p3KTxlWW10xBv3ykcph3LB4=fyNK -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tom Eastep wrote: | daniel Griffith wrote: | | | | | But starting fails, and a trace gives me: | | | | + setcontinue FORWARD | | + run_iptables -A FORWARD -m state --state | | ESTABLISHED,RELATED -j ACCEPT | | + ''['' -n '''' '']'' | | + iptables -A FORWARD -m state --state | | ESTABLISHED,RELATED -j ACCEPT | | iptables: No chain/target/match by that name | | <<<<<<<<<<<<<<<<<<<<<<<<< | | | | The example in the FAQ makes sense to me, there is a | | REJECT module, and it could be left out. But what on | | earth could cause this? | | There is a ''state'' match module and it has been left out. | As in CONFIG_IP_NF_MATCH_STATE. - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ lists.shorewall.net/teastep.pgp.key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - enigmail.mozdev.org iD8DBQFBRfTmO/MAbZfjDLIRAgKRAKCYSzCWTaq3dwRZKHlGASMPKRWyfgCgwxhi O/wePrjqhNun6p4biypgwJI=jBOO -----END PGP SIGNATURE-----
>| The example in the FAQ makes sense to me, there isa>| REJECT module, and it could be left out. But whaton>| earth could cause this?>There is a ''state'' match module and it has been leftout.>- -TomAha. Thanks for that! Ok... with a bit of digging it seems that though I have ipt_state.ko, ipt_LOG.ko and ipt_REJECT.ko they are not being loaded... Using modprobe has got me up and running - shouldn''t they be loaded by shorewall? TIA daniel ___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! uk.messenger.yahoo.com
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 daniel Griffith wrote: |>| The example in the FAQ makes sense to me, there is | | a | |>| REJECT module, and it could be left out. But what | | on | |>| earth could cause this? | | |>There is a ''state'' match module and it has been left | | out. | | |>- -Tom | | | Aha. Thanks for that! | Ok... with a bit of digging it seems that though I | have ipt_state.ko, ipt_LOG.ko and ipt_REJECT.ko they | are not being loaded... Using modprobe has got me up | and running - shouldn''t they be loaded by shorewall? It is my expectation that users will build their kernel to include mdoule auto-load support. Failing in that, you can always add commands to /etc/shorewall/modules to load everything manually. - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ lists.shorewall.net/teastep.pgp.key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - enigmail.mozdev.org iD8DBQFBRgvWO/MAbZfjDLIRAnopAJ43eG7wg0YRE/qaT8NsmkjEgKCw0QCgyRg2 fyjVKGWfdxJITadPCZ/bPd4=wPRD -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tom Eastep wrote: | | Ok... with a bit of digging it seems that though I | | have ipt_state.ko, ipt_LOG.ko and ipt_REJECT.ko they | | are not being loaded... Using modprobe has got me up | | and running - shouldn''t they be loaded by shorewall? | | It is my expectation that users will build their kernel to include | mdoule auto-load support. Failing in that, you can always add commands | to /etc/shorewall/modules to load everything manually. You may be wondering "then why are there entries in the default /etc/shorewall/modules file?" The reason is that the protocol "helper" modules are not auto-loaded and must be loaded manually. The entries in the standard /etc/shorewall/modules allow loading of these helpers via "insmod" (i.e., if ''modprobe'' is not available such as on certain embedded distributions). - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ lists.shorewall.net/teastep.pgp.key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - enigmail.mozdev.org iD8DBQFBRhLqO/MAbZfjDLIRAvjFAKDGRfsD52JC6+K4AuW1/9T+j80rVQCcCFsj vgqnhyBTGwFyBbhQOJcUTeI=VQEs -----END PGP SIGNATURE-----