Shorewall users - Jun 2004 - iptables v1.2.7a: Couldn''t load match `physdev'':/lib/iptables/libipt_physdev.so: cannot open shared object file: No such file or directory

Hi, I''m running RH9 Linux and I''m having a slight problem with
shorewall, i originally set it up as a two card configuration, but i have now
bridged the connections in an attempt to get my WiFi network communicating with
the wired network (eth0 and wlan0). I have followed the instructions for
bridging from http://www.shorewall.net/bridge.html but when I activate shorewall
i get the following message :

iptables v1.2.7a: Couldn''t load match
`physdev'':/lib/iptables/libipt_physdev.so: cannot open shared object
file: No such file or directory

I''d be grateful for any suggestions that you may offer, I''m
considering disabling the firewall element of shorewall and just use the program
for routing purposes only... can this been done?

Regards
Dave

NOTE: Not subscribed to any of the mailing lists

David Lander wrote:
> Hi, I''m running RH9 Linux and I''m having a slight problem
with shorewall, i originally set it up as a two card configuration, but i have
now bridged the connections in an attempt to get my WiFi network communicating
with the wired network (eth0 and wlan0). I have followed the instructions for
bridging from http://www.shorewall.net/bridge.html but when I activate shorewall
i get the following message :
> 
> iptables v1.2.7a: Couldn''t load match
`physdev'':/lib/iptables/libipt_physdev.so: cannot open shared object
file: No such file or directory
> 
> I''d be grateful for any suggestions that you may offer,
I''m considering disabling the firewall element of shorewall and just
use the program for routing purposes only... can this been done?
> 
If you use Shorewall''s brige/firewall support, your kernel and iptables
must support the physdev match extension. This restriction is clearly 
spelled out in the Shorewall Bridging documentation.

If you don''t need to firewall traffic through the bridge, you can 
configure Shorewall as described at 
http://shorewall.net/two-interface.htm under the section "Adding a 
Wireless Segment to your Two-interface Firewall". That configuration 
does not require the physdev match extension.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:

> 
> If you don''t need to firewall traffic through the bridge, you can 
> configure Shorewall as described at 
> http://shorewall.net/two-interface.htm under the section "Adding a 
> Wireless Segment to your Two-interface Firewall". That configuration 
> does not require the physdev match extension.
Duh -- sorry; that article describes a routed Wireless Segment rather 
than a bridged one. To configure a non-firewalled bridge, all you need 
to do is set the ''routeback'' option on the bridge device entry
in
/etc/shorewall/interfaces (Shorewall FAQ #35).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Thanks for the reply I''ve found out that I need to download the Patch
for kernel 2.4.20-8 in order to resolve the ''physdev'' issue I
was directed to the http://ebtables.sourceforge.net/download.html site but
I''m unsure what I need to download from the list
(http://sourceforge.net/project/showfiles.php?group_id=39571)

I''m new to Linux please be patient with me

Regards
Dave

NOTE: Not subscribed to any of the mailing lists

On Sun, 6 Jun 2004, David Lander wrote:
> Thanks for the reply I''ve found out that I need to download the
Patch
> for kernel 2.4.20-8 in order to resolve the ''physdev''
issue I was
> directed to the http://ebtables.sourceforge.net/download.html site but
> I''m unsure what I need to download from the list
> (http://sourceforge.net/project/showfiles.php?group_id=39571)
> 
You might consider upgrading to Fedora core 2 -- you''ll get everything
you
need for a bridge/firewall as part of the upgrade.

You said in your original post that you are willing to give up firwalling
the bridge so why don''t you just do that? Just associate the bridge
device
with your local zone and don''t mention either of the brided interfaces
in
your Shorewall configuration. Be sure to specify the
''routeback'' option
for the bridge:

/etc/shorewall/interfaces:

loc	br0	detect	routeback

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net