--0-678762025-1039733086=:58212
Content-Type: multipart/alternative;
boundary="0-2114681017-1039733086=:58212"
--0-2114681017-1039733086=:58212
Content-Type: text/plain; charset=us-ascii
The system is a Redhat 8.0 system with dual ethernet cards. I am running the two
interface script. I get an error when it checks the policy file; then it stops
and the firewall doesn't start. I attached a dump of my trace file.
Below is my policy file. Thanks for the help :)
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE
--0-2114681017-1039733086=:58212
Content-Type: text/html; charset=us-ascii
<P>The system is a Redhat 8.0 system with dual ethernet cards. I am
running the two interface script. I get an error when it checks the policy file;
then it stops and the firewall doesn't start. I attached a dump of my
trace file. Below is my policy file. Thanks for the help :) </P>
<P>#SOURCE DEST POLICY LOG
LEVEL LIMIT:BURST<BR>loc net ACCEPT<BR>net all DROP info<BR>all
all REJECT info<BR>#LAST LINE -- ADD
YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</P>
--0-2114681017-1039733086=:58212--
--0-678762025-1039733086=:58212
Content-Type: text/plain; name=trace
Content-Description: trace
Content-Disposition: inline; filename=trace
+ shift
+ nolock+ ''['' 1 -gt 1 '']''
+ trap ''my_mutex_off; exit 2'' 1 2 3 4 5 6 9
+ command=start
+ ''['' 1 -ne 1 '']''
+ do_initialize
+ export LC_ALL=C
+ LC_ALL=C
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+ version+ FW+ SUBSYSLOCK+ STATEDIR+ ALLOWRELATED+ LOGRATE+ LOGBURST+ LOGPARMS+
NAT_ENABLED+ MANGLE_ENABLED+ ADD_IP_ALIASES+ ADD_SNAT_ALIASES+ TC_ENABLED+
LOGUNCLEAN+ BLACKLIST_DISPOSITION+ BLACKLIST_LOGLEVEL+ CLAMPMSS+ ROUTE_FILTER+
NAT_BEFORE_RULES+ MULTIPORT+ DETECT_DNAT_IPADDRS+ MERGE_HOSTS+ MUTEX_TIMEOUT+
NEWNOTSYN+ LOGNEWNOTSYN+ FORWARDPING+ MACLIST_DISPOSITION+ MACLIST_LOG_LEVEL+
TCP_FLAGS_DISPOSITION+ TCP_FLAGS_LOG_LEVEL+ stopping+ have_mutex+ masq_seq=1
+ nonat_seq=1
+ aliases_to_add+ TMP_DIR=/tmp/shorewall-978
+ rm -rf /tmp/shorewall-978
+ mkdir -p /tmp/shorewall-978
+ chmod 700 /tmp/shorewall-978
+ trap ''rm -rf /tmp/shorewall-978; my_mutex_off; exit 2'' 1 2 3
4 5 6 9
+ functions=/usr/lib/shorewall/functions
+ ''['' -f /usr/lib/shorewall/functions '']''
+ . /usr/lib/shorewall/functions
+ version_file=/usr/lib/shorewall/version
+ ''['' -f /usr/lib/shorewall/version '']''
++ cat /usr/lib/shorewall/version
+ version=1.3.11
+ strip_file interfaces
+ local fname
+ ''['' 1 = 1 '']''
++ find_file interfaces
++ ''['' -n '''' -a -f /interfaces
'']''
++ echo /etc/shorewall/interfaces
+ fname=/etc/shorewall/interfaces
+ ''['' -f /etc/shorewall/interfaces '']''
+ cut -d# -f1 /etc/shorewall/interfaces
+ grep -v ''^[[:space:]]*$''
+ strip_file hosts
+ local fname
+ ''['' 1 = 1 '']''
++ find_file hosts
++ ''['' -n '''' -a -f /hosts
'']''
++ echo /etc/shorewall/hosts
+ fname=/etc/shorewall/hosts
+ ''['' -f /etc/shorewall/hosts '']''
+ cut -d# -f1 /etc/shorewall/hosts
+ grep -v ''^[[:space:]]*$''
+ run_user_exit shorewall.conf
++ find_file shorewall.conf
++ ''['' -n '''' -a -f /shorewall.conf
'']''
++ echo /etc/shorewall/shorewall.conf
+ local user_exit=/etc/shorewall/shorewall.conf
+ ''['' -f /etc/shorewall/shorewall.conf '']''
+ echo ''Processing /etc/shorewall/shorewall.conf ...''
+ . /etc/shorewall/shorewall.conf
++ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
++ FW=fw
++ SUBSYSLOCK=/var/lock/subsys/shorewall
++ STATEDIR=/var/lib/shorewall
++ ALLOWRELATED=yes
++ MODULESDIR++ LOGRATE++ LOGBURST++ LOGUNCLEAN=info
++ LOGFILE=/var/log/messages
++ NAT_ENABLED=Yes
++ MANGLE_ENABLED=Yes
++ IP_FORWARDING=On
++ ADD_IP_ALIASES=Yes
++ ADD_SNAT_ALIASES=No
++ TC_ENABLED=No
++ BLACKLIST_DISPOSITION=DROP
++ BLACKLIST_LOGLEVEL++ CLAMPMSS=No
++ ROUTE_FILTER=No
++ NAT_BEFORE_RULES=Yes
++ MULTIPORT=No
++ DETECT_DNAT_IPADDRS=No
++ MERGE_HOSTS=Yes
++ MUTEX_TIMEOUT=60
++ LOGNEWNOTSYN++ FORWARDPING=Yes
++ NEWNOTSYN=No
++ MACLIST_DISPOSITION=REJECT
++ MACLIST_LOG_LEVEL=info
++ TCP_FLAGS_DISPOSITION=DROP
++ TCP_FLAGS_LOG_LEVEL=info
+ run_user_exit params
++ find_file params
++ ''['' -n '''' -a -f /params
'']''
++ echo /etc/shorewall/params
+ local user_exit=/etc/shorewall/params
+ ''['' -f /etc/shorewall/params '']''
+ echo ''Processing /etc/shorewall/params ...''
+ . /etc/shorewall/params
+ ''['' -z /var/lib/shorewall '']''
+ ''['' -d /var/lib/shorewall '']''
+ ''['' -z fw '']''
++ added_param_value_yes ALLOWRELATED yes
++ local val=yes
++ ''['' -z yes '']''
++ echo Yes
+ ALLOWRELATED=Yes
++ added_param_value_yes NAT_ENABLED Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ NAT_ENABLED=Yes
++ added_param_value_yes MANGLE_ENABLED Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ MANGLE_ENABLED=Yes
++ added_param_value_yes ADD_IP_ALIASES Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ ADD_IP_ALIASES=Yes
++ added_param_value_yes TC_ENABLED No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ TC_ENABLED+ ''['' -n ''''
'']''
+ ''['' -n On '']''
+ ''['' -n '''' -a -z Yes '']''
+ ''['' -z DROP '']''
++ added_param_value_no CLAMPMSS No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ CLAMPMSS++ added_param_value_no ADD_SNAT_ALIASES No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ ADD_SNAT_ALIASES++ added_param_value_no ROUTE_FILTER No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ ROUTE_FILTER++ added_param_value_yes NAT_BEFORE_RULES Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ NAT_BEFORE_RULES=Yes
++ added_param_value_no MULTIPORT No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ MULTIPORT++ added_param_value_no DETECT_DNAT_IPADDRS No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ DETECT_DNAT_IPADDRS++ added_param_value_no MERGE_HOSTS Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ MERGE_HOSTS=Yes
++ added_param_value_no FORWARDPING Yes
++ local val=Yes
++ ''['' -z Yes '']''
++ echo Yes
+ FORWARDPING=Yes
++ added_param_value_yes NEWNOTSYN No
++ local val=No
++ ''['' -z No '']''
++ echo ''''
+ NEWNOTSYN+ maclist_target=reject
+ ''['' -n REJECT '']''
+ ''['' -n DROP '']''
+ my_mutex_on
+ ''['' -n '''' '']''
+ mutex_on
+ local try=0
+ local lockf=/var/lib/shorewall/lock
+ MUTEX_TIMEOUT=60
+ ''['' 60 -gt 0 '']''
+ ''['' -d /var/lib/shorewall '']''
+ qt which lockfile
+ which lockfile
+ lockfile -60 -r1 /var/lib/shorewall/lock
+ have_mutex=Yes
+ qt iptables -L shorewall -n
+ iptables -L shorewall -n
+ define_firewall Start
+ ''['' -f /etc/shorewall/startup_disabled '']''
+ echo ''Starting Shorewall...''
+ verify_os_version
++ uname -r
+ osversion=2.4.18-14
+ load_kernel_modules
+ ''['' -z '''' '']''
+ MODULESDIR=/lib/modules/2.4.18-14/kernel/net/ipv4/netfilter
++ find_file modules
++ ''['' -n '''' -a -f /modules
'']''
++ echo /etc/shorewall/modules
+ modules=/etc/shorewall/modules
+ ''['' -f /etc/shorewall/modules -a -d
/lib/modules/2.4.18-14/kernel/net/ipv4/netfilter '']''
+ echo ''Loading Modules...''
+ . /etc/shorewall/modules
++ loadmodule ip_tables
++ local modulename=ip_tables
++ local modulefile
+++ lsmod
+++ grep ip_tables
++ ''['' -z ''ip_tables 14936 5
[iptable_mangle iptable_nat iptable_filter]'' '']''
++ loadmodule iptable_filter
++ local modulename=iptable_filter
++ local modulefile
+++ lsmod
+++ grep iptable_filter
++ ''['' -z ''iptable_filter 2412 1
(autoclean)
ip_tables 14936 5 [iptable_mangle iptable_nat
iptable_filter]'' '']''
++ loadmodule ip_conntrack
++ local modulename=ip_conntrack
++ local modulefile
+++ lsmod
+++ grep ip_conntrack
++ ''['' -z ''ip_conntrack_irc 3520 0 (unused)
ip_conntrack_ftp 5088 0 (unused)
ip_conntrack 21244 3 [ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]'' '']''
++ loadmodule ip_conntrack_ftp
++ local modulename=ip_conntrack_ftp
++ local modulefile
+++ lsmod
+++ grep ip_conntrack_ftp
++ ''['' -z ''ip_conntrack_ftp 5088 0 (unused)
ip_conntrack 21244 3 [ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]'' '']''
++ loadmodule ip_conntrack_irc
++ local modulename=ip_conntrack_irc
++ local modulefile
+++ lsmod
+++ grep ip_conntrack_irc
++ ''['' -z ''ip_conntrack_irc 3520 0 (unused)
ip_conntrack 21244 3 [ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]'' '']''
++ loadmodule iptable_nat
++ local modulename=iptable_nat
++ local modulefile
+++ lsmod
+++ grep iptable_nat
++ ''['' -z ''iptable_nat 19960 2
[ip_nat_irc ip_nat_ftp]
ip_conntrack 21244 3 [ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]
ip_tables 14936 5 [iptable_mangle iptable_nat
iptable_filter]'' '']''
++ loadmodule ip_nat_ftp
++ local modulename=ip_nat_ftp
++ local modulefile
+++ lsmod
+++ grep ip_nat_ftp
++ ''['' -z ''ip_nat_ftp 4240 0 (unused)
iptable_nat 19960 2 [ip_nat_irc ip_nat_ftp]
ip_conntrack 21244 3 [ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]'' '']''
++ loadmodule ip_nat_irc
++ local modulename=ip_nat_irc
++ local modulefile
+++ lsmod
+++ grep ip_nat_irc
++ ''['' -z ''ip_nat_irc 3504 0 (unused)
iptable_nat 19960 2 [ip_nat_irc ip_nat_ftp]
ip_conntrack 21244 3 [ip_nat_irc ip_nat_ftp iptable_nat
ip_conntrack_irc ip_conntrack_ftp]'' '']''
+ echo Initializing...
+ initialize_netfilter
+ echo ''Determining Zones...''
+ determine_zones
++ find_file zones
++ ''['' -n '''' -a -f /zones
'']''
++ echo /etc/shorewall/zones
+ local zonefile=/etc/shorewall/zones
+ multi_display=Multi-zone
+ ''['' -f /etc/shorewall/zones '']''
++ find_zones /etc/shorewall/zones
++ read zone display comments
++ ''['' -n ''#
'' '']''
++ read zone display comments
++ ''['' -n ''#'' '']''
++ read zone display comments
++ ''['' -n ''#
'' '']''
++ read zone display comments
++ ''['' -n ''#'' '']''
++ read zone display comments
++ ''['' -n ''#
'' '']''
++ read zone display comments
++ ''['' -n ''#'' '']''
++ read zone display comments
++ ''['' -n ''#'' '']''
++ read zone display comments
++ ''['' -n ''#'' '']''
++ read zone display comments
++ ''['' -n ''#
'' '']''
++ read zone display comments
++ ''['' -n ''#ZONE'' '']''
++ read zone display comments
++ ''['' -n net '']''
++ echo net
++ read zone display comments
++ ''['' -n loc '']''
++ echo loc
++ read zone display comments
++ ''['' -n ''#LAST'' '']''
++ read zone display comments
+ zones=net
loc
++ echo net loc
+ zones=net loc
++ find_display net /etc/shorewall/zones
++ grep ''^net'' /etc/shorewall/zones
++ read z display comments
++ ''['' xnet = xnet '']''
++ echo Net
++ read z display comments
+ dsply=Net
+ eval ''net_display=$dsply''
++ net_display=Net
++ find_display loc /etc/shorewall/zones
++ grep ''^loc'' /etc/shorewall/zones
++ read z display comments
++ ''['' xloc = xloc '']''
++ echo Local
++ read z display comments
+ dsply=Local
+ eval ''loc_display=$dsply''
++ loc_display=Local
+ ''['' -z ''net loc'' '']''
+ display_list Zones: net loc
+ ''['' 3 -gt 1 '']''
+ echo '' Zones: net loc''
+ echo ''Validating interfaces file...''
+ validate_interfaces_file
+ read z interface subnet options
+ expandv z interface subnet options
+ local varval
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$z''
++ varval=net
+ eval ''z="net"''
++ z=net
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$interface''
++ varval=eth0
+ eval ''interface="eth0"''
++ interface=eth0
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$subnet''
++ varval=detect
+ eval ''subnet="detect"''
++ subnet=detect
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$options''
++ varval=dhcp,routefilter,norfc1918
+ eval ''options="dhcp,routefilter,norfc1918
"''
++ options=dhcp,routefilter,norfc1918
+ shift
+ ''['' 0 -gt 0 '']''
+ r=net eth0 detect dhcp,routefilter,norfc1918
+ ''['' xnet = x- '']''
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xnet = xnet '']''
+ return 0
+ list_search eth0
+ local e=eth0
+ ''['' 1 -gt 1 '']''
+ return 1
+ all_interfaces= eth0
++ separate_list $''dhcp,routefilter,norfc1918\r''
++ echo $''dhcp,routefilter,norfc1918\r''
++ sed ''s/,/ /g''
+ error_message ''Warning: Invalid option (norfc1918
) in record "net eth0 detect dhcp,routefilter,norfc1918
"''
+ echo '' Warning: Invalid option (norfc1918
) in record "net eth0 detect dhcp,routefilter,norfc1918
"''
Warning: Invalid option (norfc1918
) in record "net eth0 detect dhcp,routefilter,norfc1918
"
+ ''['' -z '' eth0'' '']''
+ read z interface subnet options
+ expandv z interface subnet options
+ local varval
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$z''
++ varval=loc
+ eval ''z="loc"''
++ z=loc
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$interface''
++ varval=eth1
+ eval ''interface="eth1"''
++ interface=eth1
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$subnet''
++ varval=detect
+ eval ''subnet="detect"''
++ subnet=detect
+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$options''
++ varval=routestopped
+ eval ''options="routestopped
"''
++ options=routestopped
+ shift
+ ''['' 0 -gt 0 '']''
+ r=loc eth1 detect routestopped
+ ''['' xloc = x- '']''
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ list_search eth1 eth0
+ local e=eth1
+ ''['' 2 -gt 1 '']''
+ shift
+ ''['' xeth1 = xeth0 '']''
+ ''['' 1 -gt 1 '']''
+ return 1
+ all_interfaces= eth0 eth1
++ separate_list $''routestopped\r''
++ echo $''routestopped\r''
++ sed ''s/,/ /g''
+ error_message ''Warning: Invalid option (routestopped
) in record "loc eth1 detect routestopped
"''
+ echo '' Warning: Invalid option (routestopped
) in record "loc eth1 detect routestopped
"''
Warning: Invalid option (routestopped
) in record "loc eth1 detect routestopped
"
+ ''['' -z '' eth0 eth1'' '']''
+ read z interface subnet options
+ echo ''Validating hosts file...''
+ validate_hosts_file
+ read z hosts options
+ echo ''Validating Policy file...''
+ validate_policy
+ strip_file policy
+ local fname
+ ''['' 1 = 1 '']''
++ find_file policy
++ ''['' -n '''' -a -f /policy
'']''
++ echo /etc/shorewall/policy
+ fname=/etc/shorewall/policy
+ ''['' -f /etc/shorewall/policy '']''
+ cut -d# -f1 /etc/shorewall/policy
+ grep -v ''^[[:space:]]*$''
+ read client server policy loglevel synparams
+ expandv client server policy loglevel synparams
+ local varval
+ ''['' 5 -gt 0 '']''
+ eval ''varval=$client''
++ varval=loc
+ eval ''client="loc"''
++ client=loc
+ shift
+ ''['' 4 -gt 0 '']''
+ eval ''varval=$server''
++ varval=net
+ eval ''server="net"''
++ server=net
+ shift
+ ''['' 3 -gt 0 '']''
+ eval ''varval=$policy''
++ varval=ACCEPT
+ eval ''policy="ACCEPT
"''
++ policy=ACCEPT
+ shift
+ ''['' 2 -gt 0 '']''
+ eval ''varval=$loglevel''
++ varval+ eval ''loglevel=""''
++ loglevel+ shift
+ ''['' 1 -gt 0 '']''
+ eval ''varval=$synparams''
++ varval+ eval ''synparams=""''
++ synparams+ shift
+ ''['' 0 -gt 0 '']''
+ validate_zone loc
+ list_search loc net loc fw
+ local e=loc
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xloc = xnet '']''
+ ''['' 3 -gt 1 '']''
+ shift
+ ''['' xloc = xloc '']''
+ return 0
+ validate_zone net
+ list_search net net loc fw
+ local e=net
+ ''['' 4 -gt 1 '']''
+ shift
+ ''['' xnet = xnet '']''
+ return 0
+ startup_error ''Error: Invalid policy ACCEPT
''
+ echo '' Error: Invalid policy ACCEPT
''
Error: Invalid policy ACCEPT
+ my_mutex_off
+ ''['' -n Yes '']''
+ mutex_off
+ rm -f /var/lib/shorewall/lock
+ have_mutex+ ''['' -n /tmp/shorewall-978 '']''
+ rm -rf /tmp/shorewall-978
+ kill 978
--0-678762025-1039733086=:58212--