Hi all,

I've completed the upgrade of the first of five shorewall firewalls in my shop. Although everything works fine, I have some minor issues:

a) in my NAT table, I used NO and YES in my ALL INTERFACES column. Version 2.0.1 does not run this way. Had to change them to Yes and No.

b) in my shorewall.conf, the variable DISABLE_IPV6=Yes. But, when I start shorewall, I got some errors when shorewall tries to delete previous user chains. Here is a part of the trace (shorewall trace restart > ~/xxx 2>&1):

+ echo 'Deleting user chains...'
Deleting user chains...
+ setpolicy INPUT DROP
+ run_iptables -P INPUT DROP
+ '[' -n '' ']'
+ iptables -P INPUT DROP
+ setpolicy OUTPUT DROP
+ run_iptables -P OUTPUT DROP
+ '[' -n '' ']'
+ iptables -P OUTPUT DROP
+ setpolicy FORWARD DROP
+ run_iptables -P FORWARD DROP
+ '[' -n '' ']'
+ iptables -P FORWARD DROP
+ deleteallchains
+ run_iptables -F
+ '[' -n '' ']'
+ iptables -F
+ run_iptables -X
+ '[' -n '' ']'
+ iptables -X
+ setcontinue FORWARD
+ run_iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ '[' -n '' ']'
+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+ setcontinue INPUT
+ run_iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ '[' -n '' ']'
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ setcontinue OUTPUT
+ run_iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ '[' -n '' ']'
+ iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ '[' -n Yes ']'
+ disable_ipv6
+ qt which ip6tables
+ which ip6tables
+ ip6tables -P FORWARD DROP
ip6tables v1.2.9: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps iptables or your kernel needs to be upgraded.
+ ip6tables -P INPUT DROP
ip6tables v1.2.9: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps iptables or your kernel needs to be upgraded.
+ ip6tables -P OUTPUT DROP
ip6tables v1.2.9: can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps iptables or your kernel needs to be upgraded.
+ run_iptables -A INPUT -i lo -j ACCEPT

Anyway, shorewall starts. But is there any way I could get rid of these messages?

thanks,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:
> Hi all,
>
> I've completed the upgrade of the first of five shorewall firewalls in my
> shop. Although everything works fine, I have some minor issues:
>

This is becoming a FAQ -- set DISABLE_IPV6=No in shorewall.conf.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Eduardo Ferreira wrote:
> Hi all,
>
> I've completed the upgrade of the first of five shorewall firewalls in my
> shop. Although everything works fine, I have some minor issues:
>
> a) in my NAT table, I used NO and YES in my ALL INTERFACES column. Version
> 2.0.1 does not run this way. Had to change them to Yes and No.
>

This is described in the 2.0.0 Upgrade Issues. When you upgrade, *you must read and follow the Upgrade Issues for all of the releases after the one you are running up to and including the one that you are installing*.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Eduardo Ferreira wrote:
>
>> Hi all,
>>
>> I've completed the upgrade of the first of five shorewall firewalls in
>> my shop. Although everything works fine, I have some minor issues:
>>
>> a) in my NAT table, I used NO and YES in my ALL INTERFACES column.
>> Version 2.0.1 does not run this way. Had to change them to Yes and No.
>
> This is described in the 2.0.0 Upgrade Issues. When you upgrade, *you
> must read and follow the Upgrade Issues for all of the releases after
> the one you are running up to and including the one that you are
> installing*.

If you actually had "NO" (both letters capitalized) then the new code would have given you an error whereas it didn't previously (you could have placed your mother's maiden name in that column previously and Shorewall 1.4 wouldn't have given you an error). To achieve the same effect as before under 2.0, you should now have "No" and "No".

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thursday 08 April 2004 16:14, Tom Eastep wrote:
> Eduardo Ferreira wrote:
> > Hi all,
> >
> > I've completed the upgrade of the first of five shorewall firewalls in my
> > shop. Although everything works fine, I have some minor issues:
>
> This is becoming a FAQ -- set DISABLE_IPV6=No in shorewall.conf.
>
> -Tom

Tom,

This seems a lil unclear to me .. It seems like if it's set to Yes .. Which would make sense ... it's looking for IPV6 support in the Kernel ??

Francesca
-- 
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore Maryland 21217
Tom Eastep wrote on 08/04/2004 17:29:53:
> Tom Eastep wrote:
> > Eduardo Ferreira wrote:
> >
> If you actually had "NO" (both letters capitalized) then the new code
> would have given you an error whereas it didn't previously (you could
> have placed your mother's maiden name in that column previously and
> Shorewall 1.4 wouldn't have given you an error). To achieve the same
> effect as before under 2.0, you should now have "No" and "No".
>

I'm a very talented fool. Sorry. I've READ the documentation from 1.4.8 upwards. Didn't see it.

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
shorewall-users-bounces@lists.shorewall.net wrote on 08/04/2004 17:44:35:
> On Thursday 08 April 2004 16:14, Tom Eastep wrote:
> > Eduardo Ferreira wrote:
> > > Hi all,
> > >
> > > I've completed the upgrade of the first of five shorewall firewalls in my
> > > shop. Although everything works fine, I have some minor issues:
> >
> > This is becoming a FAQ -- set DISABLE_IPV6=No in shorewall.conf.
> >
> > -Tom
>
> Tom,
>
> This seems a lil unclear to me .. It seems like if it's set to Yes .. Which
> would make sense ... it's looking for IPV6 support in the Kernel ??
>

As I said in my previous post, I'm a very talented fool. But this one wins me...

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
On Thursday 08 April 2004 16:52, Eduardo Ferreira wrote:
> As I said in my previous post, I'm a very talented fool. But this one
> wins me...

Well ... absentmindedadmin .. Was Created for another talented fool :-) Moi :-)

Happy And Blessed Easter And Passover Everyone!!!

Francesca
-- 
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore Maryland 21217
Eduardo Ferreira wrote:
> shorewall-users-bounces@lists.shorewall.net wrote on 08/04/2004 17:44:35:
>
>> On Thursday 08 April 2004 16:14, Tom Eastep wrote:
>>
>>> Eduardo Ferreira wrote:
>>>
>>>> Hi all,
>>>>
>>>> I've completed the upgrade of the first of five shorewall firewalls in my
>>>> shop. Although everything works fine, I have some minor issues:
>>>
>>> This is becoming a FAQ -- set DISABLE_IPV6=No in shorewall.conf.
>>>
>>> -Tom
>>
>> Tom,
>>
>> This seems a lil unclear to me .. It seems like if it's set to Yes .. Which
>> would make sense ... it's looking for IPV6 support in the Kernel ??
>>
>
> As I said in my previous post, I'm a very talented fool. But this one
> wins me...
>

Setting DISABLE_IPV6=Yes only makes sense if:

a) Your kernel contains IPV6 support.
b) You don't want to use IPV6.

Folks running late versions of SuSE generally fall into this class. I notice also that Debian 2.6 kernels are being built with IPV6 support.

My understanding of the situation is this:

1. The IPV6 stack in the Linux kernel has its own implementation of Netfilter that is controlled by the ipv6tables utility. So when your kernel is built with IPV6, IPV6 traffic is controlled by that implementation rather than the one in the IPV4 stack (I haven't confirmed this last part personally but a SuSE user has reported that it appears to be the case).

2. So if your kernel has IPV6 support, *you can't control IPV6 traffic with iptables*; you must use ipv6tables.

3. Since the policy of the INPUT, FORWARD and OUTPUT chains in the IPV6 Netfilter is ACCEPT, a system with IPV6 kernel support is wide open to IPV6 traffic unless special measures are taken. Shorewall has implemented the DISABLE_IPV6 mechanism in order to take those measures (DISABLE_IPV6=Yes). Since the way to control the IPV6 Netfilter is ipv6tables, that utility must be present.

Hope this clarifies things,

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Setting DISABLE_IPV6=Yes only makes sense if:
>
> a) Your kernel contains IPV6 support.
> b) You don't want to use IPV6.

FWIW, the Redhat Enterprise 3.0 kernel has IPv6 support and ships with ip6tables, but it looks like the ipv6 kernel module isn't loaded unless you've got an interface configured with v6. Any use of ip6tables without ipv6.o loaded fails. (As opposed to auto-loading ipv6 which is what I would have expected.)

-Jason
Jason Kirtland wrote:
> Tom Eastep wrote:
>
>> Setting DISABLE_IPV6=Yes only makes sense if:
>>
>> a) Your kernel contains IPV6 support.
>> b) You don't want to use IPV6.
>
> FWIW, the Redhat Enterprise 3.0 kernel has IPv6 support and ships with
> ip6tables, but it looks like the ipv6 kernel module isn't loaded unless
> you've got an interface configured with v6. Any use of ip6tables
> without ipv6.o loaded fails. (As opposed to auto-loading ipv6 which is
> what I would have expected.)

Do you have this in /etc/modules.conf?

alias net-pf-10 ipv6

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Jason Kirtland wrote:
>
>> FWIW, the Redhat Enterprise 3.0 kernel has IPv6 support and ships with
>> ip6tables, but it looks like the ipv6 kernel module isn't loaded
>> unless you've got an interface configured with v6. Any use of
>> ip6tables without ipv6.o loaded fails. (As opposed to auto-loading
>> ipv6 which is what I would have expected.)
>
> Do you have this in /etc/modules.conf?
>
> alias net-pf-10 ipv6

Nope. That does do the trick, but it's not present in the standard RHEL install.

Cheers,
Jason
Tom Eastep wrote:
> Eduardo Ferreira wrote:
>
>> Hi all,
>>
>> I've completed the upgrade of the first of five shorewall firewalls in
>> my shop. Although everything works fine, I have some minor issues:
>>
>
> This is becoming a FAQ -- set DISABLE_IPV6=No in shorewall.conf.
>

I can offer one more piece of advice/information here.

I design changes to Shorewall such that *unless documented otherwise in the release notes*, if you upgrade from one release to another then the behavior won't change. But 'upgrade' here means that you actually upgrade as opposed to reinstall.

By 'reinstall', I include cases where a user installs the new shorewall.conf file then transfers settings from the old file. The 2.0.0 and 2.0.1 shorewall.conf files contain 'DISABLE_IPV6=Yes'. If the shorewall.conf file doesn't set DISABLE_IPV6 (which pre-2.0.0 files don't) then Shorewall assumes DISABLE_IPV6=No. And all of the documented upgrade methods retain existing config files that have been modified (and using the install.sh retains unmodified files also).

So if you 'upgrade' to 2.0.0 or 2.0.1, you don't get the IPV6 messages; if you 'reinstall', you will get them if you don't have ip6tables and/or you don't have ipv6 kernel support.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
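Added example (not Shorewall's own code, not from this thread) tying together Tom's two points above: DISABLE_IPV6=Yes only makes sense with IPv6 kernel support plus ip6tables, and a shorewall.conf that does not set DISABLE_IPV6 is treated as No. The script reads the setting, checks the kernel and the binary before touching the IPv6 policies, and reports a reason instead of emitting the "Address family not supported" errors. Assumptions: /proc/net/if_inet6 exists only when the IPv6 stack is loaded; IF_INET6, IP6TABLES and RUNNER are overridable so the script can be dry-run (RUNNER=echo).

```shell
#!/bin/sh
# Added example, not Shorewall's code. Guards the "disable IPv6" step so a
# kernel without the IPv6 stack, or a host without ip6tables, is skipped
# cleanly instead of producing ip6tables errors on every restart.

# Read DISABLE_IPV6 from a shorewall.conf. A file that does not set it
# (pre-2.0.0 files) is treated as "No", as Tom describes above.
disable_ipv6_setting() {
    conf="$1"
    val=$(sed -n 's/^DISABLE_IPV6=//p' "$conf" 2>/dev/null | tail -n 1)
    [ "$val" = "Yes" ] && echo Yes || echo No
}

# 0 when the kernel's IPv6 stack is loaded (assumption: /proc/net/if_inet6
# is present only then; IF_INET6 overrides the path for testing).
ipv6_stack_loaded() {
    [ -f "${IF_INET6:-/proc/net/if_inet6}" ]
}

# 0 when an ip6tables binary is available on PATH.
have_ip6tables() {
    command -v "${IP6TABLES:-ip6tables}" >/dev/null 2>&1
}

# Prints the decision: skip-no-ipv6 | skip-no-ip6tables | drop
ipv6_action() {
    if ! ipv6_stack_loaded; then echo skip-no-ipv6; return 0; fi
    if ! have_ip6tables; then echo skip-no-ip6tables; return 0; fi
    echo drop
}

# Set the three IPv6 filter policies to DROP (their default is ACCEPT, so a
# v6-capable kernel is otherwise wide open). Commands run through $RUNNER,
# so RUNNER=echo gives a dry run that does not touch the live firewall.
disable_ipv6() {
    case "$(ipv6_action)" in
        drop)
            for chain in INPUT FORWARD OUTPUT; do
                ${RUNNER:-} "${IP6TABLES:-ip6tables}" -P "$chain" DROP || return 1
            done ;;
        *)  echo "IPv6 disable step skipped: $(ipv6_action)" >&2 ;;
    esac
}

# Top-level use: only act when the configuration asks for it.
if [ "$(disable_ipv6_setting "${SHOREWALL_CONF:-/etc/shorewall/shorewall.conf}")" = Yes ]; then
    disable_ipv6
fi
```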
On Thursday 08 April 2004 20:00, Tom Eastep wrote:
> I design changes to Shorewall such that *unless documented otherwise in
> the release notes*, if you upgrade from one release to another then the
> behavior won't change. But 'upgrade' here means that you actually
> upgrade as opposed to reinstall.

Tom,

I run RH ES all over the place .. so this thread and this design .. well exactly why you and this list exists .. My Life is made easier .. and Thank YOU!!!

Francesca
-- 
"No Problems Only Solutions"
Lady Linux Internet Services
Baltimore Maryland 21217
Tom Eastep wrote on 08/04/2004 21:00:58:
> Tom Eastep wrote:
> > Eduardo Ferreira wrote:
> >
> >> Hi all,
> >>
> >> I've completed the upgrade of the first of five shorewall firewalls in
> >> my shop. Although everything works fine, I have some minor issues:
> >>
> >
> > This is becoming a FAQ -- set DISABLE_IPV6=No in shorewall.conf.
> >
>
> I can offer one more piece of advice/information here.
>
> I design changes to Shorewall such that *unless documented otherwise in
> the release notes*, if you upgrade from one release to another then the
> behavior won't change. But 'upgrade' here means that you actually
> upgrade as opposed to reinstall.
>
> By 'reinstall', I include cases where a user installs the new
> shorewall.conf file then transfers settings from the old file. The 2.0.0
> and 2.0.1 shorewall.conf files contain 'DISABLE_IPV6=Yes'. If the
> shorewall.conf file doesn't set DISABLE_IPV6 (which pre-2.0.0 files
> don't) then Shorewall assumes DISABLE_IPV6=No. And all of the documented
> upgrade methods retain existing config files that have been modified
> (and using the install.sh retains unmodified files also).
>
> So if you 'upgrade' to 2.0.0 or 2.0.1, you don't get the IPV6 messages;
> if you 'reinstall', you will get them if you don't have ip6tables and/or
> you don't have ipv6 kernel support.
>

That was my problem. I made the reinstall line. I thought it would be cleaner if I removed old files, transferred comments from one version to the other and substituted shorewall.conf.

Well I still have four more to go. Guess now I've got the trick.

Thanks for your help, Tom. Much appreciated.

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606