Tried 2.0 - Fairly painless installation - as usual, Tom.

Startup does NOT run smoothly:

I get an error message about not having a recent version of iptables or not having IPv6

rpm -qa | grep iptables

iptables-1.2.7a-174

In shorewall.conf file I see the blurb about DISABLE_IPV6 and left it at "Yes" - I'm NOT running IPv6 so it looks like that setting will "protect" me from IPv6 attacks.... (I could be reading it wrong)

I read and re-read the iptables documents in the errata - seems to be mostly Red Hat.

Environment SuSE 8.2 Professional with all the latest patches.

I have gone back to 1.4.10c.

Do I try on a SuSE 9.0 box ? (or, without IPv6 support - will it screw me up also) ?

- Bill

On Monday 15 March 2004 09:24 am, Bill.Light@kp.org wrote:
> Tried 2.0 - Fairly painless installation - as usual, Tom.
>
> Startup does NOT run smoothly:
>
> I get an error message about not having a recent version of iptables or
> not having IPv6

Is this the message you get?

WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system has no ip6tables

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

On Monday, 15 March 2004 18:24, Bill.Light@kp.org wrote:
> Tried 2.0 - Fairly painless installation - as usual, Tom.
>
> Startup does NOT run smoothly:
>
> I get an error message about not having a recent version of iptables or
> not having IPv6
>
> rpm -qa | grep iptables
>
> iptables-1.2.7a-174
>
> In shorewall.conf file I see the blurb about DISABLE_IPV6 and left it at
> "Yes" - I'm NOT running IPv6 so it looks like that setting will "protect"
> me from IPv6 attacks.... (I could be reading it wrong)

IMHO; if you don't run ipv6 you can set it to NO, because it's senseless to DROP packages on interfaces you'll never receive anything.

There is a firewall tool like shorewall for ipv6, 6wall by Eric de Thouars, which looks to me a better solution than just dropping all ipv6 traffic. Unfortunately the author only packaged it for LEAF Bering-uClibc and none offered him a rpm or packaging. Anyway it should be easy to install on a router other than a LEAF-based one, the .lrp is only a tar.gz archive.

You'll find it here: http://cvs.sourceforge.net/viewcvs.py/leaf/bin/bering-uclibc/packages/6wall.lrp

kp

On Monday 15 March 2004 10:10 am, K.-P. Kirchdörfer wrote:
> On Monday, 15 March 2004 18:24, Bill.Light@kp.org wrote:
> > Tried 2.0 - Fairly painless installation - as usual, Tom.
> >
> > Startup does NOT run smoothly:
> >
> > I get an error message about not having a recent version of iptables or
> > not having IPv6
> >
> > rpm -qa | grep iptables
> >
> > iptables-1.2.7a-174
> >
> > In shorewall.conf file I see the blurb about DISABLE_IPV6 and left it at
> > "Yes" - I'm NOT running IPv6 so it looks like that setting will "protect"
> > me from IPv6 attacks.... (I could be reading it wrong)
>
> IMHO; if you don't run ipv6 you can set it to NO, because it's
> senseless to DROP packages on interfaces you'll never receive anything.

And if ip6tables isn't installed then Shorewall can't use that utility to disable IPV6 so setting the variable to Yes is nonsensical.

I don't understand how Bill upgraded to 2.0 -- his existing shorewall.conf file shouldn't have had DISABLE_IPV6 specified at all; if that file is retained (which is the default behavior of rpm) then the message that I posted earlier should not be issued at all.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net

On Monday 15 March 2004 10:10 am, K.-P. Kirchdörfer wrote:
> On Monday, 15 March 2004 18:24, Bill.Light@kp.org wrote:
> > Tried 2.0 - Fairly painless installation - as usual, Tom.
> >
> > Startup does NOT run smoothly:
> >
> > I get an error message about not having a recent version of iptables or
> > not having IPv6
> >
> > rpm -qa | grep iptables
> >
> > iptables-1.2.7a-174
> >
> > In shorewall.conf file I see the blurb about DISABLE_IPV6 and left it at
> > "Yes" - I'm NOT running IPv6 so it looks like that setting will "protect"
> > me from IPv6 attacks.... (I could be reading it wrong)
>
> IMHO; if you don't run ipv6 you can set it to NO, because it's
> senseless to DROP packages on interfaces you'll never receive anything.

And if ip6tables isn't installed then Shorewall can't use that utility to disable IPV6 so setting the variable to Yes is nonsensical.

I don't understand how Bill upgraded to 2.0 -- his existing shorewall.conf file shouldn't have had DISABLE_IPV6 specified at all; if that file is retained (which is the default behavior of rpm) then the message that I posted earlier should not be issued at all.

-Tom

===============================

I think you nailed it...

I have been "cleaning" my installations so I DO NOT worry about changing several files...

With 1.4.10x I had finally gotten to not needing any changes to shorewall.conf, so I take the "stock" file and just propagate my changes to files that I change...i.e. rules, interfaces, and zones...

Bottom line, I am/was using the "new" 2.0 shorewall.conf and the switch looked OK as the comment states.

And, no, ip6tables is not installed.

- Mr. sufficiently talented fool
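
Added example, not part of any message in this thread and not Shorewall's own code: a pre-flight check for the mismatch discussed above, where shorewall.conf says DISABLE_IPV6=Yes but the host has no ip6tables to enforce it. The function names, result labels and the default search path are assumptions made for this sketch; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not Shorewall code): flag DISABLE_IPV6=Yes without ip6tables.

# Effective DISABLE_IPV6 value in a shorewall.conf-style file: last
# uncommented assignment, trailing comment and quotes removed, lowercased.
conf_disable_ipv6() {
    sed -n 's/^[[:space:]]*DISABLE_IPV6=//p' "$1" 2>/dev/null |
        tail -n 1 |
        sed -e 's/#.*$//' -e 's/[[:space:]]*$//' |
        tr -d "\"'" |
        tr '[:upper:]' '[:lower:]'
}

# Succeed if an executable file named $1 exists in colon-separated list $2.
in_search_path() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# check_disable_ipv6 CONF [SEARCH_PATH]
# Prints unset, off, enforceable or mismatch; returns 1 only for mismatch.
check_disable_ipv6() {
    case $(conf_disable_ipv6 "$1") in
        '')  echo unset; return 0 ;;
        yes) ;;
        *)   echo off; return 0 ;;
    esac
    if in_search_path ip6tables "${2:-$PATH:/sbin:/usr/sbin}"; then
        echo enforceable
    else
        echo mismatch
        return 1
    fi
}

# Constructed sample: a stock-style config on a host with no ip6tables.
demo() {
    tmp=$(mktemp -d) || return 0
    mkdir "$tmp/bin"
    printf '%s\n' '# constructed sample' 'DISABLE_IPV6=Yes' > "$tmp/shorewall.conf"
    echo "sample host: $(check_disable_ipv6 "$tmp/shorewall.conf" "$tmp/bin")"
    rm -rf "$tmp"
}
demo
```

A result of "mismatch" means the setting is not being enforced on that host, so any IPv6 filtering has to come from somewhere else or the setting should be changed to match reality.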