Hello,

I have the 2 nic shorewall running over here. On the firewall is also an ftp server running. On my webserver is a link that points directly to a file on the ftp server like ftp://user:password@ftp.lindeman.org/file

This has worked for months but recently people started complaining that the link does not work. I tried for myself and this is what I see in the syslog:

Sep 4 21:51:13 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:bf:e1:08:47:00:10:67:00:56:53:08:00 SRC=62.58.0.226 DST=62.216.10.18 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=7079 DF PROTO=TCP SPT=1050 DPT=35962 WINDOW=64240 RES=0x00 SYN URGP=0
(3 times, just another ID)

I must have configured something wrong but I can't find it. Does anybody recognize this problem?

Btw, if someone logs in with a "normal" ftp client he can download normally.

--
Regards, Peter
--
If at first you DO succeed, try not to look astonished!
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org - 11 days, 22 hours and 50 minutes, 0 users logged in.
Peter Lindeman wrote:
> I have the 2 nic shorewall running over here. On the firewall is also an
> ftp server running. On my webserver is a link that points directly to a
> file on the ftp server like ftp://user:password@ftp.lindeman.org/file
>
> This has worked for months but recently people started complaining that
> the link does not work. I tried for myself and this is what I see in
> the syslog:
>
> Sep 4 21:51:13 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:50:bf:e1:08:47:00:10:67:00:56:53:08:00 SRC=62.58.0.226
> DST=62.216.10.18 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=7079 DF PROTO=TCP
> SPT=1050 DPT=35962 WINDOW=64240 RES=0x00 SYN URGP=0
> (3 times, just another ID)
>
> I must have configured something wrong but I can't find it. Does anybody
> recognize this problem?
>
> Btw, if someone logs in with a "normal" ftp client he can download normally.

Strange, when I do a lsmod I do not see ip_nat_ftp nor ip_conntrack_ftp.

Don't they both have to be there? I checked the 'modules' file and there they should be loaded.

Btw. I am using 1.4.6b

--
Regards, Peter
--
The line is busy.
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org - 11 days, 23 hours and 6 minutes, 1 user logged in.
Peter Lindeman wrote:
>> I have the 2 nic shorewall running over here. On the firewall is also
>> an ftp server running. On my webserver is a link that points directly to
>> a file on the ftp server like ftp://user:password@ftp.lindeman.org/file
>>
>> This has worked for months but recently people started complaining that
>> the link does not work. I tried for myself and this is what I see in
>> the syslog:
>>
>> Sep 4 21:51:13 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:50:bf:e1:08:47:00:10:67:00:56:53:08:00 SRC=62.58.0.226
>> DST=62.216.10.18 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=7079 DF
>> PROTO=TCP SPT=1050 DPT=35962 WINDOW=64240 RES=0x00 SYN URGP=0
>> (3 times, just another ID)
>>
>> I must have configured something wrong but I can't find it. Does
>> anybody recognize this problem?
>>
>> Btw, if someone logs in with a "normal" ftp client he can download
>> normally.
>
> Strange, when I do a lsmod I do not see ip_nat_ftp nor ip_conntrack_ftp.
>
> Don't they both have to be there? I checked the 'modules' file and
> there they should be loaded.
>
> Btw. I am using 1.4.6b
>

After I insmod ip_conntrack_ftp and insmod ip_nat_ftp it works again. Shouldn't Shorewall start/restart do this job?

--
Regards, Peter
--
Device response received when none expected.
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org - 11 days, 23 hours and 34 minutes, 1 user logged in.
Take a look at your /etc/shorewall/modules file. If they are there, they should have been loaded.

Peter Lindeman <peter@lindeman.nl>
Sent by: shorewall-users-bounces@lists.shorewall.net
04/09/2003 17:38
Please respond to Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>

To: Shorewall Users Mailing List <shorewall-users@lists.shorewall.net>
cc:
Subject: Re: [Shorewall-users] FTP problem

Peter Lindeman wrote:
>> I have the 2 nic shorewall running over here. On the firewall is also
>> an ftp server running. On my webserver is a link that points directly to
>> a file on the ftp server like ftp://user:password@ftp.lindeman.org/file
>>
>> This has worked for months but recently people started complaining that
>> the link does not work. I tried for myself and this is what I see in
>> the syslog:
>>
>> Sep 4 21:51:13 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:50:bf:e1:08:47:00:10:67:00:56:53:08:00 SRC=62.58.0.226
>> DST=62.216.10.18 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=7079 DF
>> PROTO=TCP SPT=1050 DPT=35962 WINDOW=64240 RES=0x00 SYN URGP=0
>> (3 times, just another ID)
>>
>> I must have configured something wrong but I can't find it. Does
>> anybody recognize this problem?
>>
>> Btw, if someone logs in with a "normal" ftp client he can download
>> normally.
>
> Strange, when I do a lsmod I do not see ip_nat_ftp nor ip_conntrack_ftp.
>
> Don't they both have to be there? I checked the 'modules' file and
> there they should be loaded.
>
> Btw. I am using 1.4.6b
>

After I insmod ip_conntrack_ftp and insmod ip_nat_ftp it works again. Shouldn't Shorewall start/restart do this job?

--
Regards, Peter
--
Device response received when none expected.
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org - 11 days, 23 hours and 34 minutes, 1 user logged in.
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Eduardo Ferreira wrote:
> take a look at your /etc/shorewall/modules file. If they are there, they
> should have been loaded.

They are there but are not loaded by shorewall. This is how the modules file looks:

##############################################################################
# Shorewall 1.4 /etc/shorewall/modules
#
# This file loads the modules needed by the firewall.
#
# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
# dependency order. i.e., if M2 depends on M1 then you must load M1 before
# you load M2.
#
loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_irc

--
Regards, Peter
--
What's this switch for anyways...?
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org - 12 days, 0 hours and 05 minutes, 0 users logged in.
Peter Lindeman wrote:
>> take a look at your /etc/shorewall/modules file. If they are there,
>> they should have been loaded.

Strange that nobody else has this problem, I have noticed it on a system of a friend also. Today I jumped into the Shorewall script and changed one line:

Line 2697 from

for suffix in o gz ko ; do

to

for suffix in o gz ko o.gz ; do

Now it also searches for o.gz files and now all modules from /etc/shorewall/modules are loaded. Perhaps you can use this change so after an upgrade it stays working. Thanks.

--
Regards, Peter
--
Don't make me angry, I don't have much room left to hide the body.
---
--- Do you have a Sony Digital video camera?
--- Have a look at http://www.dvin.org
--- Also have a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org - 0 days, 0 hours and 4 minutes, 0 users logged in.
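An added example, not taken from the thread or from the Shorewall script: a POSIX shell reconstruction of the suffix search Peter patched, generalised into a function that takes the suffix list as a parameter so the original loop and his change can be compared side by side. The module directory and the two files in it are constructed for the demonstration, and the function names find_module_file and unfindable_modules are assumptions.

```shell
#!/bin/sh
# Look for DIRECTORY/NAME.<suffix> for each suffix in the list, printing the
# first match. Returns 1 when no candidate exists, which is exactly what
# happened to Peter's compressed ip_conntrack_ftp.o.gz with the original list:
# "gz" tries NAME.gz, never NAME.o.gz.
# Usage: find_module_file DIRECTORY MODULE_NAME "SUFFIX LIST"
find_module_file() {
    directory=$1
    modulename=$2
    suffixes=$3
    for suffix in $suffixes; do
        modulefile="$directory/$modulename.$suffix"
        if [ -f "$modulefile" ]; then
            echo "$modulefile"
            return 0
        fi
    done
    return 1
}

# Print every requested module that the given suffix list cannot locate.
# Usage: unfindable_modules DIRECTORY "SUFFIX LIST" NAME...
unfindable_modules() {
    directory=$1
    suffixes=$2
    shift 2
    for name in "$@"; do
        find_module_file "$directory" "$name" "$suffixes" >/dev/null || echo "$name"
    done
}

# Constructed module tree: one plain module and one gzip-compressed module,
# as on a distribution that ships compressed 2.4 modules.
SAMPLE_MODDIR=$(mktemp -d)
: > "$SAMPLE_MODDIR/ip_tables.o"
: > "$SAMPLE_MODDIR/ip_conntrack_ftp.o.gz"

ORIG_SUFFIXES="o gz ko"          # the loop as Peter found it
FIXED_SUFFIXES="o gz ko o.gz"    # the loop after his change

# Stand-alone run: the same request with both suffix lists.
echo "not found with '$ORIG_SUFFIXES':"
unfindable_modules "$SAMPLE_MODDIR" "$ORIG_SUFFIXES" ip_tables ip_conntrack_ftp
echo "not found with '$FIXED_SUFFIXES':"
unfindable_modules "$SAMPLE_MODDIR" "$FIXED_SUFFIXES" ip_tables ip_conntrack_ftp
```

Locating the file is only half the job: whether insmod can load a compressed module is a property of the modutils build, not of the search, so this check tells you where the search stops short, not whether loading will succeed.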
On Sat, 6 Sep 2003, Peter Lindeman wrote:
> Peter Lindeman wrote:
>
> >> take a look at your /etc/shorewall/modules file. If they are there,
> >> they should have been loaded.
>
> Strange that nobody else has this problem, I have noticed it on a
> system of a friend also. Today I jumped into the Shorewall script and
> changed one line:
>
> Line 2697 from
>
> for suffix in o gz ko ; do
>
> to
>
> for suffix in o gz ko o.gz ; do
>
> Now it also searches for o.gz files and now all modules from
> /etc/shorewall/modules are loaded. Perhaps you can use this change so after
> an upgrade it stays working. Thanks.
>

The next beta will include this change -- thanks.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Steve Ledwith
2003-Sep-14 21:55 UTC
[Shorewall-users] Connection Tracking Match: Not available
When I start Shorewall I get the following messages:

Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Starting Shorewall...
Loading Modules...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Connection Tracking Match: Not available

When I check for loaded modules:

[root@localhost shorewall]# /sbin/lsmod
Module                  Size  Used by    Not tainted
ide-cd                 33608   0  (autoclean)
cdrom                  33728   0  (autoclean) [ide-cd]
soundcore               6532   0  (autoclean)
agpgart                43072   0  (autoclean)
autofs                 13348   0  (autoclean) (unused)
ipt_TOS                 1656  12  (autoclean)
ipt_MASQUERADE          2200 372  (autoclean)
ipt_REJECT              3736   4  (autoclean)
ipt_LOG                 4184  16  (autoclean)
ipt_state               1080 100  (autoclean)
ip_nat_ftp              4272   0  (unused)
ip_conntrack_ftp        5120   0  (unused)
ipt_multiport           1176   8  (autoclean)
iptable_mangle          2776   1  (autoclean)
iptable_nat            19992   4  (autoclean) [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack           21244   5  (autoclean) [ipt_MASQUERADE ipt_state ip_nat_ftp ip_conntrack_ftp iptable_nat]
8139too                17704   1
mii                     2172   0  [8139too]
e1000                  55916   2
iptable_filter          2444   1  (autoclean)
ip_tables              14968  11  [ipt_TOS ipt_MASQUERADE ipt_REJECT ipt_LOG ipt_state ipt_multiport iptable_mangle iptable_nat iptable_filter]
mousedev                5524   0
keybdev                 2976   0  (unused)
hid                    22276   0  (unused)
input                   5920   0  [mousedev keybdev hid]
usb-uhci               26188   0  (unused)
ehci-hcd               17480   0  (unused)
usbcore                77056   1  [hid usb-uhci ehci-hcd]
ext3                   70368   2
jbd                    52212   2  [ext3]

Is ip_conntrack the same as Connection Tracking Match? Am I missing anything? My firewall appears to be working correctly.

Steve Ledwith
San Jose Web
(408) 226-5155
steve@sanjoseweb.com
www.sanjoseweb.com
Tom Eastep
2003-Sep-15 01:32 UTC
[Shorewall-users] Connection Tracking Match: Not available
On Sun, 14 Sep 2003, Steve Ledwith wrote:
> When I start Shorewall I get the following messages:
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Not available
>

The connection state tracking match extension was added to the Linux kernel in 2.4.21 -- Shorewall works fine without it. See the Shorewall 1.4.6 release notes at http://shorewall.net/News.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Utpal Desai
2003-Sep-15 01:48 UTC
[Shorewall-users] Connection Tracking Match: Not available
upgrade to iptables-1.2.7a-2

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: Monday, September 15, 2003 2:02 PM
To: Shorewall Users Mailing List
Subject: Re: [Shorewall-users] Connection Tracking Match: Not available

On Sun, 14 Sep 2003, Steve Ledwith wrote:
> When I start Shorewall I get the following messages:
>
> Loading /usr/share/shorewall/functions...
> Processing /etc/shorewall/params ...
> Processing /etc/shorewall/shorewall.conf...
> Starting Shorewall...
> Loading Modules...
> Initializing...
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Connection Tracking Match: Not available
>

The connection state tracking match extension was added to the Linux kernel in 2.4.21 -- Shorewall works fine without it. See the Shorewall 1.4.6 release notes at http://shorewall.net/News.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-Sep-15 07:24 UTC
[Shorewall-users] Connection Tracking Match: Not available
On Mon, 2003-09-15 at 01:44, Utpal Desai wrote:
> upgrade to iptables-1.2.7a-2
>

You still need the corresponding kernel facility.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
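An added example, not from the thread and not Shorewall's own capability detection: a POSIX shell check that turns Tom's two replies into something runnable. The kernel-version test encodes his statement that the conntrack match arrived in kernel 2.4.21; the iptables probe checks what he told Utpal, that a newer iptables package is not enough on its own, by actually trying to use the match against the running kernel. The function names, the scratch chain name conntrack_probe and the sample version strings are assumptions; the probe needs root and a system with iptables, so it is guarded and is not exercised by the version tests.

```shell
#!/bin/sh
# Compare two dotted version strings numerically. A trailing release tag
# such as the "-8" in 2.4.20-8 is ignored, because awk's numeric conversion
# stops at the first non-digit.
# Usage: version_ge HAVE WANT   (exit 0 when HAVE >= WANT)
version_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Tom's first reply as a predicate: a stock kernel older than 2.4.21 cannot
# offer the connection tracking match, whatever iptables package is installed.
# Distribution kernels may carry backports, so treat this as a hint only.
# Usage: conntrack_match_possible KERNEL_VERSION   (e.g. "$(uname -r)")
conntrack_match_possible() {
    version_ge "$1" 2.4.21
}

# The authoritative check: insert a rule using "-m conntrack" into a scratch
# chain and remove it again. This only succeeds when both the iptables
# userspace extension and the kernel side are present, which is Tom's point
# to Utpal. Returns 0 if usable, 1 if not, 2 if the probe could not run
# (no iptables, not root). Chain name is an assumption for this example.
conntrack_match_available() {
    chain=conntrack_probe
    iptables -N "$chain" 2>/dev/null || return 2
    if iptables -A "$chain" -m conntrack --ctstate NEW -j RETURN 2>/dev/null; then
        status=0
    else
        status=1
    fi
    iptables -F "$chain" 2>/dev/null
    iptables -X "$chain" 2>/dev/null
    return $status
}

# Stand-alone run on constructed version strings, then the live probe if it
# can run here at all.
for v in 2.4.18-3 2.4.20-8 2.4.21 2.4.22; do
    if conntrack_match_possible "$v"; then
        echo "$v: conntrack match possible"
    else
        echo "$v: kernel predates 2.4.21, match not possible"
    fi
done
conntrack_match_available
case $? in
    0) echo "live probe: -m conntrack usable" ;;
    1) echo "live probe: -m conntrack rejected (kernel or userspace lacks it)" ;;
    *) echo "live probe: skipped (iptables unavailable or not root)" ;;
esac
```

As Tom says, Shorewall runs fine without the match; the probe is for confirming why the capability line reads "Not available", not for deciding whether the firewall works.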