percy@duo.dhs.org
2003-May-30 11:04 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Hi all,

I am a newbie to shorewall and just got 1.4.3a installed on a Redhat 9 using iptables 1.2.7a and came across a strange problem - I suppose that REJECT in shorewall is to send a TCP reset. However, somehow it behaves the same way as DROP. This behavior occurs in many places, including a rule in common, policy, as well as rules.

I am actually not too familiar with the internals of netfilter or shorewall. But out of curiosity playing detective, I changed some occurrences of "reject" to "REJECT" and it suddenly works as I expected. For example, the AUTH rule in /etc/shorewall/common.def and the "target=reject" lines in /usr/share/shorewall/firewall.

Can someone kindly tell me if I got something wrong with my configuration or something wrong with my software/OS installation or something wrong with the shorewall distribution? I am getting confused with what went wrong.

Thanks.

Best wishes,
Percy
Tom Eastep
2003-May-30 12:22 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Sat, 31 May 2003 02:03:52 +0800 (CST), <percy@duo.dhs.org> wrote:

> Hi all,
>
> I am a newbie to shorewall and just got 1.4.3a installed on a Redhat 9
> using iptables 1.2.7a and came across a strange problem - I suppose that
> REJECT in shorewall is to send a TCP reset. However, somehow it behaves
> the same way as DROP. This behavior occurs in many places, including a
> rule in common, policy, as well as rules.
>
> I am actually not too familiar with the internals of netfilter or
> shorewall. But out of curiosity playing detective, I changed some
> occurrences of "reject" to "REJECT" and it suddenly works as I expected.
> For example, the AUTH rule in /etc/shorewall/common.def and the
> "target=reject" lines in /usr/share/shorewall/firewall.
>

REJECT (with no modifier) does NOT send an RST -- it returns an ICMP "port unreachable" packet. The 'reject' chain (which is created by Shorewall) returns a response based on the type of request. What does "shorewall show reject" return on your system?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
percy@duo.dhs.org
2003-Jun-02 12:27 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Hi Tom,

Thanks for your reply. After seriously digging into the problem, it seems to me that the latest Redhat linux kernel 2.40.20-13.9 from Redhat updates was the one to be blamed. Somehow it managed to swap an icmp-port-unreachable with a tcp-reset and tcp-reset with something else that I cannot determine as I am using the most primitive way of testing connectivity: telnet.

So that explains why I changed the "reject" of common.def to "REJECT", it suddenly works because a "REJECT" target without modifier means an icmp-port-unreachable, which my crazy Redhat kernel interprets as a tcp-reset.

This problem seems to be introduced into Redhat only in this kernel update. Previous update 2.40.20-9, and the vanilla 2.40.20-8 that is distributed through Internet doesn't seem to be affected.

If anyone is using Redhat linux kernel 2.40.20-13.9, watch out!

Percy

On Fri, 30 May 2003, Tom Eastep wrote:

> On Sat, 31 May 2003 02:03:52 +0800 (CST), <percy@duo.dhs.org> wrote:
>
> > Hi all,
> >
> > I am a newbie to shorewall and just got 1.4.3a installed on a Redhat 9
> > using iptables 1.2.7a and came across a strange problem - I suppose that
> > REJECT in shorewall is to send a TCP reset. However, somehow it behaves
> > the same way as DROP. This behavior occurs in many places, including a
> > rule in common, policy, as well as rules.
> >
> > I am actually not too familiar with the internals of netfilter or
> > shorewall. But out of curiosity playing detective, I changed some
> > occurrences of "reject" to "REJECT" and it suddenly works as I expected.
> > For example, the AUTH rule in /etc/shorewall/common.def and the
> > "target=reject" lines in /usr/share/shorewall/firewall.
> >
>
> REJECT (with no modifier) does NOT send an RST -- it returns an ICMP "port
> unreachable" packet. The 'reject' chain (which is created by Shorewall)
> returns a response based on the type of request. What does "shorewall show
> reject" return on your system?
>
> -Tom
>
Tom Eastep
2003-Jun-02 12:43 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Tue, 3 Jun 2003 03:27:39 +0800 (CST), <percy@duo.dhs.org> wrote:

>
> If anyone is using Redhat linux kernel 2.40.20-13.9, watch out!
>

I suspect something else is going on in your case. Here's a tcpdump taken when I tried to connect to tcp port 144 on my firewall which runs that kernel:

[root@gateway root]# tcpdump -ni eth2 port 144
tcpdump: listening on eth2
12:38:28.900710 192.168.1.3.44777 > 192.168.1.254.144: S 3173218588:3173218588(0) win 5840 <mss 1460,sackOK,timestamp 162032258 0,nop,wscale 0> (DF) [tos 0x10]
12:38:28.900941 192.168.1.254.144 > 192.168.1.3.44777: R 0:0(0) ack 3173218589 win 0 (DF) [tos 0x10]

[root@gateway root]# cat /proc/version
Linux version 2.4.20-13.9 (bhcompile@porky.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Mon May 12 10:55:37 EDT 2003
[root@gateway root]#

This clearly shows that an RST is being returned to the connection request.

[root@gateway root]# shorewall show reject
Shorewall-1.4.4b Chain reject at gateway.shorewall.net - Mon Jun 2 12:41:42 PDT 2003

Counters reset Sun Jun 1 12:15:02 PDT 2003

Chain reject (19 references)
 pkts bytes target     prot opt in     out     source               destination
 3699  208K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
 1785  235K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
    4   224 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
[root@gateway root]#

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
percy@duo.dhs.org
2003-Jun-03 02:56 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Dear Tom,

I have done some experiments learned from you. Below are my results against 2 different kernels using the same configurations. It's really strange and the only thing that I can think of is there is something wrong with 2.4.20-13.9.

Thanks.

Percy

CONFIG FILES
============

interface
---------
net     eth0    detect
loc     eth1    detect
dmz     eth2    detect

policy
------
all     all     ACCEPT

rules
-----
REJECT  net     loc:137.189.95.237      tcp     22

common
------
. /etc/shorewall/common.def

TESTS
=====

Test 1
------
Using 2.40.20-13.9 from net to loc:137.189.95.237 22

[root@fire shorewall]# cat /proc/version
Linux version 2.4.20-13.9 (bhcompile@porky.devel.redhat.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Mon May 12 10:55:37 EDT 2003

[root@fire shorewall]# /usr/sbin/tcpdump -ni eth0 port 22
tcpdump: listening on eth0
17:55:24.905271 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:55:28.269267 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:55:35.020522 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:55:48.523152 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:56:14.103795 137.189.59.13.33333 > 137.189.95.237.ssh: R 4101648518:4101648518(0) win 24820 (DF)

5 packets received by filter
0 packets dropped by kernel

[root@fire shorewall]# /sbin/shorewall show reject
Shorewall-1.4.3a Chain reject at fire - Tue Jun 3 17:56:29 HKT 2003

Counters reset Tue Jun 3 17:54:30 HKT 2003

Chain reject (9 references)
 pkts bytes target     prot opt in     out     source               destination
    4   192 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

Test 2
------

[root@fire shorewall]# cat /proc/version
Linux version 2.4.20-9 (bhcompile@stripples.devel.redhat.com) (gcc version 3.2.2 20030313 (Red Hat Linux 3.2.2-10)) #1 Wed Apr 2 13:42:50 EST 2003

[root@fire shorewall]# /usr/sbin/tcpdump -ni eth0 port 22
tcpdump: listening on eth0
17:50:48.902879 137.189.59.13.33331 > 137.189.95.237.ssh: S 1496072698:1496072698(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:50:48.902987 137.189.95.237.ssh > 137.189.59.13.33331: R 0:0(0) ack 1496072699 win 0 (DF) [tos 0x10]

2 packets received by filter
0 packets dropped by kernel

[root@fire shorewall]# /sbin/shorewall show reject
Shorewall-1.4.3a Chain reject at fire - Tue Jun 3 17:51:28 HKT 2003

Counters reset Tue Jun 3 17:37:34 HKT 2003

Chain reject (9 references)
 pkts bytes target     prot opt in     out     source               destination
    1    48 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited

On Mon, 2 Jun 2003, Tom Eastep wrote:

> On Tue, 3 Jun 2003 03:27:39 +0800 (CST), <percy@duo.dhs.org> wrote:
>
> >
> > If anyone is using Redhat linux kernel 2.40.20-13.9, watch out!
> >
>
> I suspect something else is going on in your case. Here's a tcpdump taken
> when I tried to connect to tcp port 144 on my firewall which runs that
> kernel:
>
> [root@gateway root]# tcpdump -ni eth2 port 144
> tcpdump: listening on eth2
> 12:38:28.900710 192.168.1.3.44777 > 192.168.1.254.144: S
> 3173218588:3173218588(0) win 5840 <mss 1460,sackOK,timestamp 162032258
> 0,nop,wscale 0> (DF) [tos 0x10]
> 12:38:28.900941 192.168.1.254.144 > 192.168.1.3.44777: R 0:0(0) ack
> 3173218589 win 0 (DF) [tos 0x10]
>
> [root@gateway root]# cat /proc/version
> Linux version 2.4.20-13.9 (bhcompile@porky.devel.redhat.com) (gcc version
> 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Mon May 12 10:55:37 EDT 2003
> [root@gateway root]#
>
> This clearly shows that an RST is being returned to the connection request.
>
> [root@gateway root]# shorewall show reject
> Shorewall-1.4.4b Chain reject at gateway.shorewall.net - Mon Jun 2
> 12:41:42 PDT 2003
> Counters reset Sun Jun 1 12:15:02 PDT 2003
> Chain reject (19 references)
>  pkts bytes target     prot opt in     out     source               destination
>  3699  208K REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
>  1785  235K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
>     4   224 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-unreachable
>     0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-host-prohibited
> [root@gateway root]#
>
> -Tom
>
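The two captures in Percy's tests above, and Tom's port-144 capture earlier in the thread, differ only in whether the firewall answers the client's SYN. The following Python script is an added example, not code from the thread or from Shorewall: it classifies such tcpdump lines as "RST returned", "ICMP unreachable returned" or "silently dropped" (repeated SYNs with no answer from the firewall). The TCP line format is taken from the captures in the thread; the ICMP line format and the ICMP sample are assumptions, constructed for illustration.

```python
"""Classify a tcpdump capture of a blocked TCP connection attempt.

Tells apart a firewall that answers a SYN with a TCP RST (REJECT --reject-with
tcp-reset working), one that answers with an ICMP unreachable (plain REJECT),
and one that silently drops (the client retransmits the SYN and eventually
gives up with its own RST, as in Test 1 above). Python 3, stdlib only.
"""
import re

# tcpdump 3.x TCP summary line, exactly as printed in the thread, e.g.
#   17:55:24.905271 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:...(0) win ...
_TCP_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SRPFW.]+) ")
# ICMP error line; this format is ASSUMED for tcpdump 3.x, not taken from the thread:
#   12:00:00.000002 192.168.1.254 > 192.168.1.3: icmp: 192.168.1.254 tcp port 144 unreachable
_ICMP_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): icmp: .*unreachable")


def _host(endpoint):
    """'137.189.95.237.ssh' -> '137.189.95.237'; the port may be a name or a number."""
    return endpoint.rsplit(".", 1)[0]


def classify(capture, target_host):
    """Return how target_host answered the SYNs sent to it in a tcpdump capture.

    'rst'      a TCP reset came back from target_host (tcp-reset reject works)
    'icmp'     an ICMP unreachable came back from target_host
    'dropped'  the SYN was retransmitted and nothing came back (DROP-like)
    'no-reply' a single unanswered SYN (inconclusive)
    'unknown'  no SYN toward target_host seen at all
    """
    syns = 0
    for line in capture.splitlines():
        m = _ICMP_RE.match(line)
        if m and m.group("src") == target_host:
            return "icmp"
        m = _TCP_RE.match(line)
        if not m:
            continue  # "tcpdump: listening on eth0", "5 packets received by filter", ...
        src, dst, flags = _host(m.group("src")), _host(m.group("dst")), m.group("flags")
        if dst == target_host and "S" in flags:
            syns += 1  # connection attempt toward the target, retransmissions included
        elif src == target_host and "R" in flags:
            return "rst"  # the firewall itself answered with a TCP reset
        # A RST *from the client* (last line of Test 1) is the client giving up, not a reject.
    if syns == 0:
        return "unknown"
    return "dropped" if syns > 1 else "no-reply"


# Sample inputs: the captures quoted in this thread, followed by one constructed ICMP case.
TEST_DROPPED = """\
17:55:24.905271 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:55:28.269267 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:55:35.020522 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:55:48.523152 137.189.59.13.33333 > 137.189.95.237.ssh: S 4101648517:4101648517(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:56:14.103795 137.189.59.13.33333 > 137.189.95.237.ssh: R 4101648518:4101648518(0) win 24820 (DF)
5 packets received by filter
"""
TEST_RESET = """\
17:50:48.902879 137.189.59.13.33331 > 137.189.95.237.ssh: S 1496072698:1496072698(0) win 24820 <nop,nop,sackOK,mss 1460> (DF)
17:50:48.902987 137.189.95.237.ssh > 137.189.59.13.33331: R 0:0(0) ack 1496072699 win 0 (DF) [tos 0x10]
"""
TOM_CAPTURE = """\
12:38:28.900710 192.168.1.3.44777 > 192.168.1.254.144: S 3173218588:3173218588(0) win 5840 <mss 1460,sackOK,timestamp 162032258 0,nop,wscale 0> (DF) [tos 0x10]
12:38:28.900941 192.168.1.254.144 > 192.168.1.3.44777: R 0:0(0) ack 3173218589 win 0 (DF) [tos 0x10]
"""
ICMP_SAMPLE = """\
12:00:00.000001 192.168.1.3.44778 > 192.168.1.254.144: S 1:1(0) win 5840 (DF)
12:00:00.000002 192.168.1.254 > 192.168.1.3: icmp: 192.168.1.254 tcp port 144 unreachable
"""
```

Running `classify(TEST_DROPPED, "137.189.95.237")` gives `dropped` for the 2.4.20-13.9 capture and `classify(TEST_RESET, "137.189.95.237")` gives `rst` for the 2.4.20-9 one, which is the difference the thread is chasing.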
Tom Eastep
2003-Jun-10 12:52 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Tue, 2003-06-03 at 02:56, percy@duo.dhs.org wrote:

> I have done some experiments learned from you. Below are my results
> against 2 different kernels using the same configurations. It's really
> strange and the only thing that I can think of is there is something wrong
> with 2.4.20-13.9.
>

Percy,

I have just encountered this error on one of my systems running 2.4.20-18.9. The differences between this system and my firewall (where I don't see the problem) are:

a) Firewall is arch=i686 while failing system is arch=i586
b) NICs on Firewall are Tulips while NIC on the failing system is an eepro100.

Does any of this track with what you are seeing?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Jun-10 13:47 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Tue, 2003-06-10 at 12:52, Tom Eastep wrote:

> On Tue, 2003-06-03 at 02:56, percy@duo.dhs.org wrote:
>
> > I have done some experiments learned from you. Below are my results
> > against 2 different kernels using the same configurations. It's really
> > strange and the only thing that I can think of is there is something wrong
> > with 2.4.20-13.9.
> >
>
> Percy,
>
> I have just encountered this error on one of my systems running
> 2.4.20-18.9. The differences between this system and my firewall (where
> I don't see the problem) are:
>
> a) Firewall is arch=i686 while failing system is arch=i586
> b) NICs on Firewall are Tulips while NIC on the failing system is an
> eepro100.
>

Correction -- on further checking, it is happening unconditionally on 2.4.20-18.9 :-(

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tuomo Soini
2003-Jun-10 13:59 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Tom Eastep wrote:

> Correction -- on further checking, it is happening unconditionally on
> 2.4.20-18.9 :-(

I had the impression from the netfilter documentation that rule names are case sensitive in iptables. So REJECT is different than reject.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
Foobar Oy <http://foobar.fi/>
Tom Eastep
2003-Jun-10 14:07 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Tue, 2003-06-10 at 13:59, Tuomo Soini wrote:

> Tom Eastep wrote:
>
> > Correction -- on further checking, it is happening unconditionally on
> > 2.4.20-18.9 :-(
>
> I had the impression from the netfilter documentation that rule names are case
> sensitive in iptables. So REJECT is different than reject.

Since this is an old thread resurrected I'll summarize:

a) 'REJECT' is a builtin chain.
b) 'reject' is a chain created by Shorewall.
c) 'reject' attempts to reject the current connection request based on the type of the request.
d) For TCP connections, a RST is returned ("-j REJECT --reject-with tcp-reset").
e) On RedHat 9.0, this quit working beginning with kernel-2.4.20-9; no RST is returned (in fact NOTHING is returned).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tuomo Soini
2003-Jun-10 15:05 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Tom Eastep wrote:

> e) On RedHat 9.0, this quit working beginning with kernel-2.4.20-9; no
> RST is returned (in fact NOTHING is returned).
>
> -Tom

Yes. Problem is with 2.4.20-18.8 too. REJECT --reject-with tcp-reset doesn't work. Other values I tested do work.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
Foobar Oy <http://foobar.fi/>
Tom Eastep
2003-Jun-10 17:24 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Wed, 11 Jun 2003 01:04:47 +0300, Tuomo Soini <tis@foobar.fi> wrote:

> Tom Eastep wrote:
>
>> e) On RedHat 9.0, this quit working beginning with kernel-2.4.20-9; no
>> RST is returned (in fact NOTHING is returned).
>>
>> -Tom
>
> Yes. Problem is with 2.4.20-18.8 too. REJECT --reject-with tcp-reset
> doesn't work. Other values I tested do work.
>

Bug is #91448. I provided a one-line demonstration of the problem and it has now been assigned to Dave Miller. According to Alan Cox, the bug is also present in 2.4.21rc1 so it looks like it came from the Netfilter developers themselves.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
percy@duo.dhs.org
2003-Jun-11 09:17 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Hi Tom,

I spent a day last week trying to dig up what's going on in the Redhat kernel. Your guess about netfilter is correct.

I have been playing around with the diff of 2.4.20-13.9 and 2.4.20-20.9. I am no kernel hacker, I just tried to copy files from various parts of 13.9 to 20.9 until the problem went away. After some trials and errors, it turned out that arch and NIC driver are not the source of the problem. The only thing left is the netfilter itself. But I just lacked the time and knowledge to hack it further into the netfilter internals myself.

Hope that they fix it soon and BTW, thanks for reporting to AC.

Percy

On Tue, 10 Jun 2003, Tom Eastep wrote:

> On Wed, 11 Jun 2003 01:04:47 +0300, Tuomo Soini <tis@foobar.fi> wrote:
>
> > Tom Eastep wrote:
> >
> >> e) On RedHat 9.0, this quit working beginning with kernel-2.4.20-9; no
> >> RST is returned (in fact NOTHING is returned).
> >>
> >> -Tom
> >
> > Yes. Problem is with 2.4.20-18.8 too. REJECT --reject-with tcp-reset
> > doesn't work. Other values I tested do work.
> >
>
> Bug is #91448. I provided a one-line demonstration of the problem and it
> has now been assigned to Dave Miller. According to Alan Cox, the bug is
> also present in 2.4.21rc1 so it looks like it came from the Netfilter
> developers themselves.
>
> -Tom
>
Tom Eastep
2003-Jun-11 12:50 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Wed, 2003-06-11 at 09:17, percy@duo.dhs.org wrote:

> Hi Tom,
>
> I spent a day last week trying to dig up what's going on in the Redhat
> kernel. Your guess about netfilter is correct.
>
> I have been playing around with the diff of 2.4.20-13.9 and 2.4.20-20.9.
> I am no kernel hacker, I just tried to copy files from various parts of
> 13.9 to 20.9 until the problem went away. After some trials and errors, it
> turned out that arch and NIC driver are not the source of the problem. The
> only thing left is the netfilter itself. But I just lacked the time and
> knowledge to hack it further into the netfilter internals myself.
>
> Hope that they fix it soon and BTW, thanks for reporting to AC.
>

The offending code is in ipt_REJECT.c and appears to be intentional. The net result of the change is that "REJECT --reject-with tcp-reset" will only work from the INPUT chain and not from the FORWARD or OUTPUT chains (although it does work in OUTPUT for the loopback case).

I'm currently running some Shorewall code here that creates two rejection chains: reject and rejecti. The former is used in rules that might get invoked from the FORWARD or OUTPUT chains while the latter is used in cases that are known to be associated with the INPUT chain.

This code should work ok regardless of the final resolution of the bug/feature and is available from the Shorewall/ project in CVS.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tuomo Soini
2003-Jun-11 13:22 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Tom Eastep wrote:

> The offending code is in ipt_REJECT.c and appears to be intentional. The
> net result of the change is that "REJECT --reject-with tcp-reset" will
> only work from the INPUT chain and not from the FORWARD or OUTPUT chains
> (although it does work in OUTPUT for the loopback case).

Funny. This style of systems won't work any more: http://www.lowth.com/cutter/

> I'm currently running some Shorewall code here that creates two
> rejection chains: reject and rejecti. The former is used in rules that
> might get invoked from the FORWARD or OUTPUT chains while the latter is
> used in cases that are known to be associated with the INPUT chain.

Does that work? Or was it so that REJECT --with tcp-reset didn't work on the reject chain because there were references to it (reject) from other than the INPUT chain?

> This code should work ok regardless of the final resolution of the
> bug/feature and is available from the Shorewall/ project in CVS.

I could check that out.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
Foobar Oy <http://foobar.fi/>
Tom Eastep
2003-Jun-11 13:29 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Wed, 2003-06-11 at 13:22, Tuomo Soini wrote:

> > This code should work ok regardless of the final resolution of the
> > bug/feature and is available from the Shorewall/ project in CVS.
>
> I could check that out.

I'm seeing some problems with it :-(

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Jun-11 16:50 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On 11 Jun 2003 13:27:41 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Wed, 2003-06-11 at 13:22, Tuomo Soini wrote:
>
>> > This code should work ok regardless of the final resolution of the
>> > bug/feature and is available from the Shorewall/ project in CVS.
>>
>> I could check that out.
>
> I'm seeing some problems with it :-(
>

OK -- I've looked again at the changes from 2.4.20->2.4.20-13.9 and now believe that this is just a plain old bug. I'll back out the changes that I made to the firewall script and wait for a solution.

The ipt_REJECT.c module has been reordered slightly and something is broken; I've made a couple of quick hack attempts at fixing the problem but so far all it's gotten me is a couple of crashes :-)

In the mean time, those of you who are experiencing problems with this can add the following to /etc/shorewall/start (create the file if it doesn't already exist):

run_iptables -R reject 1 -p tcp -j REJECT

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep
2003-Jun-11 18:05 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Wed, 11 Jun 2003 16:50:51 -0700, Tom Eastep <teastep@shorewall.net> wrote:

>
> The ipt_REJECT.c module has been reordered slightly and something is
> broken; I've made a couple of quick hack attempts at fixing the problem
> but so far all it's gotten me is a couple of crashes :-)
>

The attached kernel patch seems to work for me.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net

-------------- next part --------------
A non-text attachment was scrubbed...
Name: rejectfix.patch
Type: application/octet-stream
Size: 811 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030611/49062501/rejectfix.obj
Tom Eastep
2003-Jun-12 06:24 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Wed, 2003-06-11 at 18:05, Tom Eastep wrote:

> On Wed, 11 Jun 2003 16:50:51 -0700, Tom Eastep <teastep@shorewall.net>
> wrote:
>
> >
> > The ipt_REJECT.c module has been reordered slightly and something is
> > broken; I've made a couple of quick hack attempts at fixing the problem
> > but so far all it's gotten me is a couple of crashes :-)
> >
>
> The attached kernel patch seems to work for me.

I've posted 2.4.20-18.9 corrected ipt_REJECT.o modules for both i586 and i686 at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.

To install the module:

cd /lib/modules/2.4.20-18.9/kernel/net/ipv4/netfilter
mv ipt_REJECT.o ipt_REJECT.o.old
cp <path-to-patched-module>/ipt_REJECT.o .
shorewall clear
rmmod ipt_REJECT
shorewall start

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
Simon Matter
2003-Jun-12 23:12 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
Tom Eastep wrote:

> On Wed, 2003-06-11 at 18:05, Tom Eastep wrote:
> > On Wed, 11 Jun 2003 16:50:51 -0700, Tom Eastep <teastep@shorewall.net>
> > wrote:
> >
> > >
> > > The ipt_REJECT.c module has been reordered slightly and something is
> > > broken; I've made a couple of quick hack attempts at fixing the problem
> > > but so far all it's gotten me is a couple of crashes :-)
> > >
> >
> > The attached kernel patch seems to work for me.
>
> I've posted 2.4.20-18.9 corrected ipt_REJECT.o modules for both i586 and
> i686 at ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel.

I have created the same for RedHat 7.x (built on 7.3). Find the files here http://home.teleport.ch/simix/rh-7.x.tar.gz
Sorry, I forgot to build for athlon.
BTW, I have not tested those modules yet :)

Simon

>
> To install the module:
>
> cd /lib/modules/2.4.20-18.9/kernel/net/ipv4/netfilter
> mv ipt_REJECT.o ipt_REJECT.o.old
> cp <path-to-patched-module>/ipt_REJECT.o .
> shorewall clear
> rmmod ipt_REJECT
> shorewall start
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Simon Matter                    Tel: +41 61 695 57 35
Fr.Sauter AG / CIT              Fax: +41 61 695 53 30
Im Surinam 55
CH-4016 Basel
[mailto:simon.matter@ch.sauter-bc.com]
Tom Eastep
2003-Jun-13 19:01 UTC
[Shorewall-users] Getting Confused - to "reject" or "REJECT"?
On Thu, 2003-06-12 at 23:11, Simon Matter wrote:

>
> I have created the same for RedHat 7.x (built on 7.3). Find the files
> here http://home.teleport.ch/simix/rh-7.x.tar.gz
> Sorry, I forgot to build for athlon.
> BTW, I have not tested those modules yet :)
>

Thanks, Simon. I've just downloaded the 2.4.21 final patch and the problem is corrected there as well.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net