Shorewall users - Jan 2004 - Getting shorewall to run on a zaurus 5600 with 2.4.18-rmk7-pxa3-embedix kernel

I am trying to run shorewall in this little machine. So far I managed to
put in all the shorewall install files in the corresponding
directories.  Iptables has been installed and seems to be working.
I found out that REJECT may not be compiled in the kernel so I changed
every REJECT line in my policy file to DROP.

When running shorewall restart, it stops after

"Deleting user chains"

when I did a step by step running of iptables following the
/usr/share/shorewall firewall script , I found that it fails on 


setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT

with an error "no chain target match by that name"

commenting these out makes shorewall initialization progress to 

Adding Common Rules

Q1.  Do I need the setcontinue commands?

Q2. In the section that runs Adding Common Rules, there are a bunch of
REJECT policies, do I just change these to DROP?

Q3.I have installed ip but not tc or arp.  Do  I really need tc or arp?

Q4. How much memory will shorewall consume on the zaurus? Is it
practical for a handheld?

Thanks for any help you can provide.

On Sat, 17 Jan 2004, cmisip wrote:
> I am trying to run shorewall in this little machine. So far I managed to
> put in all the shorewall install files in the corresponding
> directories.  Iptables has been installed and seems to be working.
> I found out that REJECT may not be compiled in the kernel so I changed
> every REJECT line in my policy file to DROP.
>
Then you need a kernel compiled with REJECT target support.
> When running shorewall restart, it stops after
>
> "Deleting user chains"
>
> when I did a step by step running of iptables following the
> /usr/share/shorewall firewall script , I found that it fails on
>
>
> setcontinue FORWARD
> setcontinue INPUT
> setcontinue OUTPUT
>
> with an error "no chain target match by that name"
Then you need a kernel compiled with REJECT target
support.
>
> commenting these out makes shorewall initialization progress to
>
> Adding Common Rules
>
> Q1.  Do I need the setcontinue commands?
You need a kernel compiled with REJECT target support.
>
> Q2. In the section that runs Adding Common Rules, there are a bunch of
> REJECT policies, do I just change these to DROP?
>
You need a kernel compiled with REJECT target support.
> Q3.I have installed ip but not tc or arp.  Do  I really need tc or arp?
>
Not if you don''t need traffic shaping and you don''t want to do
Proxy ARP.
> Q4. How much memory will shorewall consume on the zaurus?
Shorewall itself only comsumes memory during start and stop.
> Is it practical for a handheld?
If you can find a kernel compiled with REJECT target support... :-)

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Sat, 17 Jan 2004, Tom Eastep wrote:
> On Sat, 17 Jan 2004, cmisip wrote:
>
> > I am trying to run shorewall in this little machine. So far I managed
to
> > put in all the shorewall install files in the corresponding
> > directories.  Iptables has been installed and seems to be working.
> > I found out that REJECT may not be compiled in the kernel so I changed
> > every REJECT line in my policy file to DROP.
> >
>
> If you can find a kernel compiled with REJECT target support... :-)
>
Seriously -- if you hack up Shorewall so as to replace all occurences of
REJECT with DROP, it should more or less work. Clearly, things like auth
will be a problem so you may encounter connection timeouts.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

I guess, I lied.  I found out that there was a module called
ipt_REJECT.o in the netfilter directory.  I insmoded this along with a
bunch of other modules and got shorewall to complete its
initialization.  

I wonder why the rest of the modules in the netfilter directory are not
automatically loaded though




On Sat, 2004-01-17 at 16:25, Tom Eastep wrote:
> On Sat, 17 Jan 2004, Tom Eastep wrote:
> 
> > On Sat, 17 Jan 2004, cmisip wrote:
> >
> > > I am trying to run shorewall in this little machine. So far I
managed to
> > > put in all the shorewall install files in the corresponding
> > > directories.  Iptables has been installed and seems to be
working.
> > > I found out that REJECT may not be compiled in the kernel so I
changed
> > > every REJECT line in my policy file to DROP.
> > >
> >
> > If you can find a kernel compiled with REJECT target support... :-)
> >
> 
> Seriously -- if you hack up Shorewall so as to replace all occurences of
> REJECT with DROP, it should more or less work. Clearly, things like auth
> will be a problem so you may encounter connection timeouts.
> 
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Sat, 17 Jan 2004, cmisip wrote:
> I guess, I lied.  I found out that there was a module called
> ipt_REJECT.o in the netfilter directory.  I insmoded this along with a
> bunch of other modules and got shorewall to complete its
> initialization.
>
> I wonder why the rest of the modules in the netfilter directory are not
> automatically loaded though
>
Does the kernel support automatic module loading (is there a
''modprobe''
utility?).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Yes,

it loads some modules via the /usr/share/shorewall/firewall script but
fails to load these:

iptable_mangle
ipt_REJECT
ipt_state
ipt_TOS

when insmoded manually, shorewall completes its init.



On Sat, 2004-01-17 at 22:59, Tom Eastep wrote:
> On Sat, 17 Jan 2004, cmisip wrote:
> 
> > I guess, I lied.  I found out that there was a module called
> > ipt_REJECT.o in the netfilter directory.  I insmoded this along with a
> > bunch of other modules and got shorewall to complete its
> > initialization.
> >
> > I wonder why the rest of the modules in the netfilter directory are
not
> > automatically loaded though
> >
> 
> Does the kernel support automatic module loading (is there a
''modprobe''
> utility?).
> 
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Sat, 17 Jan 2004, cmisip wrote:
> Yes,
>
> it loads some modules via the /usr/share/shorewall/firewall script but
> fails to load these:
>
> iptable_mangle
> ipt_REJECT
> ipt_state
> ipt_TOS
>
> when insmoded manually, shorewall completes its init.
>
Then simply add those to /etc/shorewall/modules.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks a lot! That did the trick.  Now I have shorewall and freeswan up
and running in my zaurus 5600.




On Sat, 2004-01-17 at 23:18, Tom Eastep wrote:
> On Sat, 17 Jan 2004, cmisip wrote:
> 
> > Yes,
> >
> > it loads some modules via the /usr/share/shorewall/firewall script but
> > fails to load these:
> >
> > iptable_mangle
> > ipt_REJECT
> > ipt_state
> > ipt_TOS
> >
> > when insmoded manually, shorewall completes its init.
> >
> 
> Then simply add those to /etc/shorewall/modules.
> 
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

Hiya,

> Thanks a lot! That did the trick.  Now I have shorewall and freeswan
> up
> and running in my zaurus 5600.
Ok .. That does it .. This has replaced the blackberry on my want want
want list .. :-)

And Here I Go To Linux World .. And I Don''t Have Time To Buy Me One Of
These ... (Ok Money Also :-) )

Francesca

I put up the howto and ipk on this site:

http://cmisip.home.insightbb.com/zaurus.htm



On Sat, 2004-01-17 at 23:55, Francesca C. Smith wrote:
> Hiya,
> 
> 
> > Thanks a lot! That did the trick.  Now I have shorewall and freeswan
> > up
> > and running in my zaurus 5600.
> 
> Ok .. That does it .. This has replaced the blackberry on my want want
> want list .. :-)
> 
> And Here I Go To Linux World .. And I Don''t Have Time To Buy Me
One Of
> These ... (Ok Money Also :-) )
> 
> Francesca
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>

On Sun, 2004-01-18 at 15:22, cmisip wrote:
> I put up the howto and ipk on this site:
> 
> http://cmisip.home.insightbb.com/zaurus.htm
Please consider adding your Shorewall section content to the new Wiki.
Thanks.

http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ

-- 
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs